fix: scope ContactTypeGroup lookup to current organization to prevent cross-org access

Dockerfile

@@ -5,46 +5,46 @@ ARG ROOT=/usr/src/app/
 FROM node:24-alpine AS node-source
 
 FROM ruby:4.0.2-alpine AS build
-  ARG ROOT
-  WORKDIR $ROOT
+ARG ROOT
+WORKDIR $ROOT
 
-  RUN apk update && apk upgrade && apk add --update --no-cache \
-    build-base \
-    curl-dev \
-    libffi-dev \
-    yaml-dev \
-    linux-headers \
-    postgresql-dev \
-    tzdata
+RUN apk update && apk upgrade && apk add --update --no-cache \
+  build-base \
+  curl-dev \
+  libffi-dev \
+  yaml-dev \
+  linux-headers \
+  postgresql-dev \
+  tzdata
 
-  RUN bundle config set force_ruby_platform true
+RUN bundle config set force_ruby_platform true
 
-  COPY Gemfile* $ROOT
-  RUN bundle install
+COPY Gemfile* $ROOT
+RUN bundle install
 
 FROM ruby:4.0.2-alpine
-  ARG ROOT
-  WORKDIR $ROOT
-
-  RUN apk update && apk upgrade && apk add --update --no-cache \
-    bash \
-    build-base \
-    curl \
-    imagemagick \
-    postgresql-client \
-    tzdata \
-    vim \
-    && rm -rf /var/cache/apk/*
-
-  COPY . .
-  COPY --from=node-source /usr/local/bin/node /usr/local/bin/node
-  COPY --from=node-source /usr/local/lib/node_modules /usr/local/lib/node_modules
-  RUN ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm
-  RUN npm ci
-
-  COPY --from=build /usr/local/bundle/ /usr/local/bundle/
-
-  EXPOSE 3000
-
-  ENTRYPOINT ["./docker-entrypoint.sh"]
-  CMD ["bin/rails", "s", "-b", "0.0.0.0"]
+ARG ROOT
+WORKDIR $ROOT
+
+RUN apk update && apk upgrade && apk add --update --no-cache \
+  bash \
+  build-base \
+  curl \
+  imagemagick \
+  postgresql-client \
+  tzdata \
+  vim \
+  && rm -rf /var/cache/apk/*
+
+COPY . .
+COPY --from=node-source /usr/local/bin/node /usr/local/bin/node
+COPY --from=node-source /usr/local/lib/node_modules /usr/local/lib/node_modules
+RUN ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm
+RUN npm ci
+
+COPY --from=build /usr/local/bundle/ /usr/local/bundle/
+
+EXPOSE 3000
+
+ENTRYPOINT ["./docker-entrypoint.sh"]
+CMD ["bin/rails", "s", "-b", "0.0.0.0"]

app/controllers/contact_type_groups_controller.rb

@@ -2,6 +2,8 @@ class ContactTypeGroupsController < ApplicationController
   before_action :set_contact_type_group, except: [:new, :create]
   after_action :verify_authorized
 
+  rescue_from ActiveRecord::RecordNotFound, with: :record_not_found
+
   def new
     authorize ContactTypeGroup
     @contact_type_group = ContactTypeGroup.new
@@ -33,11 +35,18 @@ def update
 
   private
 
+  def record_not_found
+    respond_to do |format|
+      format.json { render json: {error: "Record not found"}, status: :not_found }
+      format.any { render file: Rails.public_path.join("404.html"), status: :not_found, layout: false }
+    end
+  end
+
   def contact_type_group_params
     params.require(:contact_type_group).permit(:name, :active)
   end
 
   def set_contact_type_group
-    @contact_type_group = ContactTypeGroup.find(params[:id])
+    @contact_type_group = current_organization.contact_type_groups.find(params[:id])
   end
 end

spec/requests/contact_type_groups_spec.rb

@@ -77,14 +77,31 @@
   describe "GET /contact_type_groups/:id/edit" do
     context "logged in as admin user" do
       it "can successfully access a contact type group edit page" do
-        sign_in_as_admin
+        casa_org = create(:casa_org)
+        sign_in create(:casa_admin, casa_org: casa_org)
+        group = create(:contact_type_group, casa_org: casa_org)
 
-        get edit_contact_type_group_path(create(:contact_type_group))
+        get edit_contact_type_group_path(group)
 
         expect(response).to be_successful
       end
     end
 
+    context "logged in as admin from a different organization" do
+      it "cannot access another organization's contact type group edit page" do
+        admin_org = create(:casa_org)
+        admin = create(:casa_admin, casa_org: admin_org)
+        other_org = create(:casa_org)
+        other_org_group = create(:contact_type_group, casa_org: other_org)
+
+        sign_in admin
+
+        get edit_contact_type_group_path(other_org_group)
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
     context "logged in as a non-admin user" do
       it "cannot access a contact type group edit page" do
         sign_in_as_volunteer
@@ -127,6 +144,22 @@
       end
     end
 
+    context "logged in as admin from a different organization" do
+      it "cannot update another organization's contact type group" do
+        admin_org = create(:casa_org)
+        admin = create(:casa_admin, casa_org: admin_org)
+        other_org = create(:casa_org)
+        other_org_group = create(:contact_type_group, casa_org: other_org)
+
+        sign_in admin
+
+        put contact_type_group_path(other_org_group), params: params
+
+        expect(response).to have_http_status(:not_found)
+        expect(other_org_group.reload.name).not_to eq("New Group Name")
+      end
+    end
+
     context "logged in as a non-admin user" do
       it "cannot update a update a contact type group" do
         sign_in_as_volunteer