feat: implement attachment business logic layer

- Add AttachmentInterface to main model interface - Implement attachment CRUD operations with permission checking - Add GetTransaction method for secure attachment access validation - Add accountsContainReadAccess for permission verification - Ensure users can only access attachments for authorized transactions 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-01 11:04:01 +12:00
parent 04653f2f02
commit f5f0853040
4 changed files with 199 additions and 0 deletions
--- a/core/model/transaction.go
+++ b/core/model/transaction.go
@@ -169,6 +169,31 @@ func (model *Model) getTransactionById(id string) (*types.Transaction, error) {
 	return model.db.GetTransactionById(id)
 }

+func (model *Model) GetTransaction(transactionId, orgId, userId string) (*types.Transaction, error) {
+	transaction, err := model.getTransactionById(transactionId)
+	if err != nil {
+		return nil, err
+	}
+
+	if transaction == nil || transaction.OrgId != orgId {
+		return nil, nil
+	}
+
+	// Check if user has access to all accounts in the transaction
+	userAccounts, err := model.GetAccounts(orgId, userId, "")
+	if err != nil {
+		return nil, err
+	}
+
+	for _, split := range transaction.Splits {
+		if !model.accountsContainReadAccess(userAccounts, split.AccountId) {
+			return nil, fmt.Errorf("user does not have permission to access account %s", split.AccountId)
+		}
+	}
+
+	return transaction, nil
+}
+
 func (model *Model) checkSplits(transaction *types.Transaction) (err error) {
 	if len(transaction.Splits) < 2 {
 		return errors.New("at least 2 splits are required")