impactoss · tmfrnz · Jul 28, 2025 · Jun 2, 2025 · Jun 23, 2025 · Jul 2, 2025
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,6 +6,9 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -92,7 +92,7 @@ GEM
     brakeman (6.1.1)
       racc
     builder (3.3.0)
-    bundler-audit (0.9.1)
+    bundler-audit (0.9.2)
       bundler (>= 1.2.0, < 3)
       thor (~> 1.0)
     byebug (11.1.3)
@@ -250,9 +250,9 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.18.8-arm64-darwin)
+    nokogiri (1.18.9-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-gnu)
+    nokogiri (1.18.9-x86_64-linux-gnu)
       racc (~> 1.4)
     oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
@@ -301,7 +301,7 @@ GEM
     pundit (2.3.1)
       activesupport (>= 3.0.0)
     racc (1.8.1)
-    rack (3.1.14)
+    rack (3.1.16)
     rack-cors (2.0.2)
       rack (>= 2.0.0)
     rack-protection (4.1.1)
@@ -429,7 +429,7 @@ GEM
     stringio (3.1.6)
     terminal-table (4.0.0)
       unicode-display_width (>= 1.1.1, < 4)
-    thor (1.3.2)
+    thor (1.4.0)
     timecop (0.9.8)
     timeout (0.4.3)
     tzinfo (2.0.6)

diff --git a/app/controllers/measure_categories_controller.rb b/app/controllers/measure_categories_controller.rb
@@ -1,5 +1,6 @@
 class MeasureCategoriesController < ApplicationController
-  before_action :set_and_authorize_measure_category, only: [:show, :update, :destroy]
+  before_action :set_and_authorize_measure_category, only: [:show, :destroy]
+  skip_before_action :authenticate_user!, only: [:update]
 
   # GET /measure_categories
   def index
@@ -27,28 +28,35 @@ def create
     end
   end
 
-  # PATCH/PUT /measure_categories/1
-  def update
-    if @measure_category.update!(permitted_attributes(@measure_category))
-      set_and_authorize_measure_category
-      render json: serialize(@measure_category)
-    end
-  end
-
   # DELETE /measure_categories/1
   def destroy
     @measure_category.destroy
   end
 
+  def update
+    head :not_implemented
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.
   def set_and_authorize_measure_category
     @measure_category = policy_scope(base_object).find(params[:id])
     authorize @measure_category
   rescue ActiveRecord::RecordNotFound
-    raise unless action_name == "destroy"
-    head :no_content
+    if action_name == "destroy"
+      record = base_object.find_by(id: params[:id])
+
+      if record.present?
+        # Record exists but is out of scope — test authorization anyway
+        authorize record
+      end
+
+      # If we got here, it's okay to respond as deleted
+      head :no_content
+    else
+      raise
+    end
   end
 
   def base_object

diff --git a/app/controllers/measure_indicators_controller.rb b/app/controllers/measure_indicators_controller.rb
@@ -1,5 +1,6 @@
 class MeasureIndicatorsController < ApplicationController
-  before_action :set_and_authorize_measure_indicator, only: [:show, :update, :destroy]
+  before_action :set_and_authorize_measure_indicator, only: [:show, :destroy]
+  skip_before_action :authenticate_user!, only: [:update]
 
   # GET /measure_indicators
   def index
@@ -27,25 +28,35 @@ def create
     end
   end
 
-  # PATCH/PUT /measure_indicators/1
-  def update
-    if @measure_indicator.update!(permitted_attributes(@measure_indicator))
-      set_and_authorize_measure_indicator
-      render json: serialize(@measure_indicator)
-    end
-  end
-
   # DELETE /measure_indicators/1
   def destroy
     @measure_indicator.destroy
   end
 
+  def update
+    head :not_implemented
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.
   def set_and_authorize_measure_indicator
     @measure_indicator = policy_scope(base_object).find(params[:id])
     authorize @measure_indicator
+  rescue ActiveRecord::RecordNotFound
+    if action_name == "destroy"
+      record = base_object.find_by(id: params[:id])
+
+      if record.present?
+        # Record exists but is out of scope — test authorization anyway
+        authorize record
+      end
+
+      # If we got here, it's okay to respond as deleted
+      head :no_content
+    else
+      raise
+    end
   end
 
   def base_object

diff --git a/app/controllers/recommendation_categories_controller.rb b/app/controllers/recommendation_categories_controller.rb
@@ -1,5 +1,6 @@
 class RecommendationCategoriesController < ApplicationController
-  before_action :set_and_authorize_recommendation_category, only: [:show, :update, :destroy]
+  before_action :set_and_authorize_recommendation_category, only: [:show, :destroy]
+  skip_before_action :authenticate_user!, only: [:update]
 
   # GET /recommendation_categories
   def index
@@ -27,27 +28,35 @@ def create
     end
   end
 
-  # PATCH/PUT /recommendation_categories/1
-  def update
-    if @recommendation_category.update!(permitted_attributes(@recommendation_category))
-      render json: serialize(@recommendation_category)
-    end
-  end
-
   # DELETE /recommendation_categories/1
   def destroy
     @recommendation_category.destroy
   end
 
+  def update
+    head :not_implemented
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.
   def set_and_authorize_recommendation_category
     @recommendation_category = policy_scope(base_object).find(params[:id])
     authorize @recommendation_category
   rescue ActiveRecord::RecordNotFound
-    raise unless action_name == "destroy"
-    head :no_content
+    if action_name == "destroy"
+      record = base_object.find_by(id: params[:id])
+
+      if record.present?
+        # Record exists but is out of scope — test authorization anyway
+        authorize record
+      end
+
+      # If we got here, it's okay to respond as deleted
+      head :no_content
+    else
+      raise
+    end
   end
 
   def base_object

diff --git a/app/controllers/recommendation_indicators_controller.rb b/app/controllers/recommendation_indicators_controller.rb
@@ -1,5 +1,6 @@
 class RecommendationIndicatorsController < ApplicationController
   before_action :set_and_authorize_recommendation_indicator, only: [:show, :destroy]
+  skip_before_action :authenticate_user!, only: [:update]
 
   def index
     @recommendation_indicators = policy_scope(base_object).order(created_at: :desc).page(params[:page])
@@ -37,6 +38,20 @@ def update
   def set_and_authorize_recommendation_indicator
     @recommendation_indicator = policy_scope(base_object).find(params[:id])
     authorize @recommendation_indicator
+  rescue ActiveRecord::RecordNotFound
+    if action_name == "destroy"
+      record = base_object.find_by(id: params[:id])
+
+      if record.present?
+        # Record exists but is out of scope — test authorization anyway
+        authorize record
+      end
+
+      # If we got here, it's okay to respond as deleted
+      head :no_content
+    else
+      raise
+    end
   end
 
   def base_object

diff --git a/app/controllers/recommendation_measures_controller.rb b/app/controllers/recommendation_measures_controller.rb
@@ -1,5 +1,6 @@
 class RecommendationMeasuresController < ApplicationController
-  before_action :set_and_authorize_recommendation_measure, only: [:show, :update, :destroy]
+  before_action :set_and_authorize_recommendation_measure, only: [:show, :destroy]
+  skip_before_action :authenticate_user!, only: [:update]
 
   # GET /recommendation_measures
   def index
@@ -27,24 +28,35 @@ def create
     end
   end
 
-  # PATCH/PUT /recommendation_measures/1
-  def update
-    if @recommendation_measure.update!(permitted_attributes(@recommendation_measure))
-      render json: serialize(@recommendation_measure)
-    end
-  end
-
   # DELETE /recommendation_measures/1
   def destroy
     @recommendation_measure.destroy
   end
 
+  def update
+    head :not_implemented
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.
   def set_and_authorize_recommendation_measure
     @recommendation_measure = policy_scope(base_object).find(params[:id])
     authorize @recommendation_measure
+  rescue ActiveRecord::RecordNotFound
+    if action_name == "destroy"
+      record = base_object.find_by(id: params[:id])
+
+      if record.present?
+        # Record exists but is out of scope — test authorization anyway
+        authorize record
+      end
+
+      # If we got here, it's okay to respond as deleted
+      head :no_content
+    else
+      raise
+    end
   end
 
   def base_object

diff --git a/app/controllers/recommendation_recommendations_controller.rb b/app/controllers/recommendation_recommendations_controller.rb
@@ -36,6 +36,20 @@ def update
   def set_and_authorize_recommendation_recommendation
     @recommendation_recommendation = policy_scope(base_object).find(params[:id])
     authorize @recommendation_recommendation
+  rescue ActiveRecord::RecordNotFound
+    if action_name == "destroy"
+      record = base_object.find_by(id: params[:id])
+
+      if record.present?
+        # Record exists but is out of scope — test authorization anyway
+        authorize record
+      end
+
+      # If we got here, it's okay to respond as deleted
+      head :no_content
+    else
+      raise
+    end
   end
 
   def base_object

diff --git a/app/controllers/s3_controller.rb b/app/controllers/s3_controller.rb
@@ -9,7 +9,10 @@ def sign
 
     object_path = "#{ENV["S3_ASSET_FOLDER"]}/#{params[:objectName]}"
     s3_url = ::FogStorage.put_object_url(ENV["S3_BUCKET_NAME"], object_path, 15.minutes.from_now.to_time.to_i, headers, options)
-    url = "#{ENV["CLIENT_URL"]}/#{object_path}?#{URI(s3_url).query}"
+    url = s3_url
+    if ENV["CLIENT_URL"].present?
+      url = "#{ENV["CLIENT_URL"]}/#{object_path}?#{URI(s3_url).query}"
+    end
 
     render json: {signedUrl: url}
   end

diff --git a/app/controllers/user_categories_controller.rb b/app/controllers/user_categories_controller.rb
@@ -1,5 +1,6 @@
 class UserCategoriesController < ApplicationController
-  before_action :set_and_authorize_user_category, only: [:show, :update, :destroy]
+  before_action :set_and_authorize_user_category, only: [:show, :destroy]
+  skip_before_action :authenticate_user!, only: [:update]
 
   # GET /user_categories
   def index
@@ -27,27 +28,35 @@ def create
     end
   end
 
-  # PATCH/PUT /user_categories/1
-  def update
-    if @user_category.update!(permitted_attributes(@user_category))
-      render json: serialize(@user_category)
-    end
-  end
-
   # DELETE /user_categories/1
   def destroy
     @user_category.destroy
   end
 
+  def update
+    head :not_implemented
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.
   def set_and_authorize_user_category
     @user_category = policy_scope(base_object).find(params[:id])
     authorize @user_category
   rescue ActiveRecord::RecordNotFound
-    raise unless action_name == "destroy"
-    head :no_content
+    if action_name == "destroy"
+      record = base_object.find_by(id: params[:id])
+
+      if record.present?
+        # Record exists but is out of scope — test authorization anyway
+        authorize record
+      end
+
+      # If we got here, it's okay to respond as deleted
+      head :no_content
+    else
+      raise
+    end
   end
 
   def base_object