mirror of
https://github.com/we-promise/sure.git
synced 2026-06-06 11:19:02 +00:00
74f811c334
* fix(accounts): honor stored return_to after subtype account creation Closes #1766. The savings-goals empty-state "Add an account" CTA passes ?return_to, which StoreLocation captures into session[:return_to], but account-creation flows didn't always consume it: - AccountableResource#create honored a form-carried return_to but not the session value, so if the param wasn't threaded through the multi-step new-account flow the user still landed on the account page. Added a session[:return_to] fallback (the form param still wins). - PropertiesController is a 3-step wizard (create → balances → address) that never threaded return_to as a form param, and its final redirect went straight to account_path. It now honors session[:return_to] on completion. Rails blocks external-host redirects, so return_to can't open-redirect. valuations#create uses redirect_back_or_to (referer-based) — different flow, left as-is. Tests: depository create prefers the form return_to and falls back to the session value; property wizard completion honors the stored return_to. * fix(accounts): block open-redirect via return_to; consume session value Two AI-review findings on #2109: - Open-redirect (codex): the property wizard's turbo_stream completion uses stream_redirect_to, which the client resolves with Turbo.visit — that full-navigates cross-origin, bypassing Rails' redirect host-guard. A crafted ?return_to=https://evil could walk the user off-site. Filter return_to at the StoreLocation choke point (store time) to internal absolute paths only, and sanitize the separate form-param channel, so an unsafe value can't reach redirect_to / stream_redirect_to. - Stale session (coderabbit): session[:return_to] was read but never consumed. Consume it with delete at redirect time so it can't leak into a later flow. Adds guard tests (external return_to falls back to the account page). * fix(security): guard safe_return_to against non-String return_to A crafted `?return_to[]=foo` makes params[:return_to] an Array, and Array#match? doesn't exist, so safe_return_to raised NoMethodError before the open-redirect hardening could reject it. Add an is_a?(String) check as the first gate. Other CodeRabbit/Codex return_to findings on this PR were already addressed (consume-side re-validation + session.delete).
119 lines
3.9 KiB
Ruby
119 lines
3.9 KiB
Ruby
module AccountableResource
|
|
extend ActiveSupport::Concern
|
|
|
|
included do
|
|
include Periodable, StreamExtensions
|
|
|
|
before_action :set_account, only: [ :show ]
|
|
before_action :set_manageable_account, only: [ :edit, :update ]
|
|
before_action :set_link_options, only: :new
|
|
end
|
|
|
|
class_methods do
|
|
def permitted_accountable_attributes(*attrs)
|
|
@permitted_accountable_attributes = attrs if attrs.any?
|
|
@permitted_accountable_attributes ||= [ :id ]
|
|
end
|
|
end
|
|
|
|
def new
|
|
@account = Current.family.accounts.build(
|
|
currency: Current.family.currency,
|
|
accountable: accountable_type.new
|
|
)
|
|
end
|
|
|
|
def show
|
|
@chart_view = params[:chart_view] || "balance"
|
|
@q = params.fetch(:q, {}).permit(:search)
|
|
entries = @account.entries.search(@q).reverse_chronological
|
|
|
|
@pagy, @entries = pagy(entries, limit: safe_per_page(10))
|
|
end
|
|
|
|
def edit
|
|
end
|
|
|
|
def create
|
|
opening_balance_date = begin
|
|
account_params[:opening_balance_date].presence&.to_date
|
|
rescue Date::Error
|
|
nil
|
|
end || (Time.zone.today - 2.years)
|
|
Account.transaction do
|
|
@account = Current.family.accounts.create_and_sync(
|
|
account_params.except(:return_to, :opening_balance_date).merge(owner: Current.user),
|
|
opening_balance_date: opening_balance_date
|
|
)
|
|
@account.lock_saved_attributes!
|
|
end
|
|
|
|
# Prefer the form-carried return_to, then the session value StoreLocation
|
|
# captured from `?return_to=` (survives multi-step flows where the param
|
|
# isn't threaded), then the account page. The form param is sanitized here
|
|
# (the session value is already filtered at store time); the session is
|
|
# consumed with delete so a stale value can't leak into a later flow.
|
|
return_path = safe_return_to(account_params[:return_to]) || session.delete(:return_to).presence || @account
|
|
redirect_to return_path,
|
|
notice: t("accounts.create.success", type: accountable_type.name.underscore.humanize)
|
|
end
|
|
|
|
def update
|
|
# Handle balance update if the value actually changed
|
|
if account_params[:balance].present? && account_params[:balance].to_d != @account.balance
|
|
result = @account.set_current_balance(account_params[:balance].to_d)
|
|
unless result.success?
|
|
@error_message = result.error_message
|
|
render :edit, status: :unprocessable_entity
|
|
return
|
|
end
|
|
end
|
|
|
|
# Update remaining account attributes. Note: currency is intentionally allowed
|
|
# here so all account types (depositories, credit cards, loans, etc.) can
|
|
# have their currency changed via this shared update path.
|
|
update_params = account_params.except(:return_to, :balance, :opening_balance_date)
|
|
unless @account.update(update_params)
|
|
@error_message = @account.errors.full_messages.join(", ")
|
|
render :edit, status: :unprocessable_entity
|
|
return
|
|
end
|
|
|
|
@account.lock_saved_attributes!
|
|
redirect_back_or_to account_path(@account), notice: t("accounts.update.success", type: accountable_type.name.underscore.humanize)
|
|
end
|
|
|
|
private
|
|
def set_link_options
|
|
account_type_name = accountable_type.name
|
|
|
|
# Get all available provider configs dynamically for this account type
|
|
@provider_configs = Provider::Factory.connection_configs_for_account_type(
|
|
account_type: account_type_name,
|
|
family: Current.family
|
|
)
|
|
end
|
|
|
|
def accountable_type
|
|
controller_name.classify.constantize
|
|
end
|
|
|
|
def set_account
|
|
@account = Current.user.accessible_accounts.find(params[:id])
|
|
end
|
|
|
|
def set_manageable_account
|
|
@account = Current.user.accessible_accounts.find(params[:id])
|
|
require_account_permission!(@account)
|
|
end
|
|
|
|
def account_params
|
|
params.require(:account).permit(
|
|
:name, :balance, :subtype, :currency, :accountable_type, :return_to,
|
|
:opening_balance_date,
|
|
:institution_name, :institution_domain, :notes,
|
|
accountable_attributes: self.class.permitted_accountable_attributes
|
|
)
|
|
end
|
|
end
|