From 4b586d6e9af20255c99503def33708f46cfc88e5 Mon Sep 17 00:00:00 2001
From: Samuel Fernandez
Date: Mon, 21 Jul 2025 20:07:55 +0000
Subject: [PATCH 1/7] Add validation for unauthorized HCB code block
---
 app/models/announcement/block/hcb_code.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/app/models/announcement/block/hcb_code.rb b/app/models/announcement/block/hcb_code.rb
index c2eaa280a7..44c6457292 100644
--- a/app/models/announcement/block/hcb_code.rb
+++ b/app/models/announcement/block/hcb_code.rb
@@ -24,6 +24,8 @@ class Announcement class Block class HcbCode < ::Announcement::Block + validate :hcb_code_in_event + def render_html(is_email: false) hcb_code = ::HcbCode.find_by_hashid(parameters["hcb_code"])
@@ -34,6 +36,16 @@ def render_html(is_email: false) Announcements::BlocksController.renderer.render partial: "announcements/blocks/hcb_code", locals: { hcb_code:, event: announcement.event, is_email:, block: self } end + private + + def hcb_code_in_event + hcb_code = ::HcbCode.find_by_hashid(parameters["hcb_code"]) + + unless hcb_code&.event == announcement.event + errors.add(:parameters, "links a transaction that is not included in this event") + end + end + end end
From 409c983e761d5c4b7fe2e6510a3fed3979a4b152 Mon Sep 17 00:00:00 2001
From: Samuel Fernandez
Date: Mon, 21 Jul 2025 20:18:55 +0000
Subject: [PATCH 2/7] Render block errors in an alert to user
---
 .../announcements/blocks_controller.rb | 6 ++++-
 .../controllers/tiptap_controller.js | 24 +++++++++++++++----
 app/models/announcement/block/hcb_code.rb | 2 +-
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/app/controllers/announcements/blocks_controller.rb b/app/controllers/announcements/blocks_controller.rb
index 4086d6481c..be656592e0 100644
--- a/app/controllers/announcements/blocks_controller.rb
+++ b/app/controllers/announcements/blocks_controller.rb
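Review bot: The event check in the new `hcb_code_in_event` is enforced only when the block is validated, while `render_html` (context in the first hunk) re-resolves `parameters["hcb_code"]` at render time and passes whatever it finds to the partial with no event comparison; if `parameters` can be changed without a validating save (e.g. `update_column`) or the announcement can later be moved to another event, the block would still render a transaction from a different event. Treating an out-of-event record the same as a missing one at render time closes that gap and reuses the nil handling in the elided lines 27-33: `hcb_code = nil unless hcb_code&.event == announcement.event` directly after the lookup. Both methods now duplicate the `::HcbCode.find_by_hashid(parameters["hcb_code"])` lookup, so a private memoized helper that both call would keep the two in step. Note also that `announcement.event` is dereferenced unconditionally in the validator, so a block validated without an announcement raises NoMethodError rather than adding an error — worth a `# assumes announcement is always present — confirm` if that holds.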
@@ -9,7 +9,11 @@ def create authorize block, policy_class: Announcement::BlockPolicy - block.save! + begin + block.save! + rescue ActiveRecord::RecordInvalid + return render json: { errors: block.errors.map { |error| error.full_message } } + end render json: { id: block.id, html: block.rendered_html } end
diff --git a/app/javascript/controllers/tiptap_controller.js b/app/javascript/controllers/tiptap_controller.js
index 71097e329a..ed2821a1ba 100644
--- a/app/javascript/controllers/tiptap_controller.js
+++ b/app/javascript/controllers/tiptap_controller.js
@@ -166,7 +166,10 @@ export default class extends Controller { async donationGoal() { const attrs = await this.createBlock('Announcement::Block::DonationGoal') - this.editor.chain().focus().addDonationGoal(attrs).run() + + if (attrs !== null) { + this.editor.chain().focus().addDonationGoal(attrs).run() + } } async hcbCode() {
@@ -182,12 +185,17 @@ export default class extends Controller { hcb_code: hcbCode, }) - this.editor.chain().focus().addHcbCode(attrs).run() + if (attrs !== null) { + this.editor.chain().focus().addHcbCode(attrs).run() + } } async donationSummary() { const attrs = await this.createBlock('Announcement::Block::DonationSummary') - this.editor.chain().focus().addDonationSummary(attrs).run() + + if (attrs !== null) { + this.editor.chain().focus().addDonationSummary(attrs).run() + } } async createBlock(type, parameters) {
@@ -204,6 +212,14 @@ export default class extends Controller { }, }).then(r => r.json()) - return res + if ("errors" in res) { + const message = `Could not insert block: ${res.errors.join(", ")}`; + + alert(message) + + return null; + } else { + return res + } } }
diff --git a/app/models/announcement/block/hcb_code.rb b/app/models/announcement/block/hcb_code.rb
index 44c6457292..a94af607d7 100644
--- a/app/models/announcement/block/hcb_code.rb
+++ b/app/models/announcement/block/hcb_code.rb
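Review bot: In the `createBlock` hunk the success/failure decision is `"errors" in res` after `.then(r => r.json())`, so any response that is not a JSON object — an HTML error page, an empty body, or a JSON `null` — rejects inside `r.json()` or throws a TypeError on the `in` operator, and that rejection propagates out of `donationGoal`/`hcbCode`/`donationSummary` unhandled instead of reaching the `alert`. Checking the `Response` status before parsing is the robust form, e.g. `.then(r => { if (!r.ok && r.headers.get('content-type')?.includes('json')) return r.json(); ... })`, but the `fetch` call itself starts above the hunk, so the minimal in-hunk guard is `if (!res || typeof res !== 'object' || 'errors' in res)`. The controller side (`blocks_controller.rb`, same commit) only distinguishes outcomes by the `errors` key too, so neither side currently reacts to the HTTP status.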
@@ -42,7 +42,7 @@ def hcb_code_in_event hcb_code = ::HcbCode.find_by_hashid(parameters["hcb_code"]) unless hcb_code&.event == announcement.event - errors.add(:parameters, "links a transaction that is not included in this event") + errors.add(:base, "You are not authorized to insert this transaction") end end
From 9ebeec6490d2e462ef6211301f942ced37a02b38 Mon Sep 17 00:00:00 2001
From: Samuel Fernandez
Date: Mon, 21 Jul 2025 20:34:12 +0000
Subject: [PATCH 3/7] Fix JS formatting
---
 app/javascript/controllers/tiptap_controller.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/javascript/controllers/tiptap_controller.js b/app/javascript/controllers/tiptap_controller.js
index ed2821a1ba..91444b96d6 100644
--- a/app/javascript/controllers/tiptap_controller.js
+++ b/app/javascript/controllers/tiptap_controller.js
@@ -212,12 +212,12 @@ export default class extends Controller { }, }).then(r => r.json()) - if ("errors" in res) { - const message = `Could not insert block: ${res.errors.join(", ")}`; + if ('errors' in res) { + const message = `Could not insert block: ${res.errors.join(', ')}` alert(message) - return null; + return null } else { return res }
From 3ff1c931116a253fa84b199e41c76f5e0fb6558d Mon Sep 17 00:00:00 2001
From: Samuel Fernandez
Date: Mon, 21 Jul 2025 20:55:42 +0000
Subject: [PATCH 4/7] Change status code to 400
---
 app/controllers/announcements/blocks_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/announcements/blocks_controller.rb b/app/controllers/announcements/blocks_controller.rb
index be656592e0..d5add263ab 100644
--- a/app/controllers/announcements/blocks_controller.rb
+++ b/app/controllers/announcements/blocks_controller.rb
@@ -12,7 +12,7 @@ def create begin block.save! rescue ActiveRecord::RecordInvalid - return render json: { errors: block.errors.map { |error| error.full_message } } + return render json: { errors: block.errors.map { |error| error.full_message } }, status: :bad_request end render json: { id: block.id, html: block.rendered_html }
From e77e4473d2b1b9b59bb5482ab932333e4d91514d Mon Sep 17 00:00:00 2001
From: Samuel Fernandez
Date: Wed, 23 Jul 2025 15:55:09 -0400
Subject: [PATCH 5/7] Use .save instead of throwing error with save!
Co-authored-by: Gary Tou
---
 app/controllers/announcements/blocks_controller.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/app/controllers/announcements/blocks_controller.rb b/app/controllers/announcements/blocks_controller.rb
index d5add263ab..9398bad762 100644
--- a/app/controllers/announcements/blocks_controller.rb
+++ b/app/controllers/announcements/blocks_controller.rb
@@ -9,10 +9,8 @@ def create authorize block, policy_class: Announcement::BlockPolicy - begin - block.save! - rescue ActiveRecord::RecordInvalid - return render json: { errors: block.errors.map { |error| error.full_message } }, status: :bad_request + unless block.save + return render json: { errors: block.errors.map(&:full_message) }, status: :bad_request end render json: { id: block.id, html: block.rendered_html }
From 329f7576266501f792d586c3ad22d6238e60b7a3 Mon Sep 17 00:00:00 2001
From: Samuel Fernandez
Date: Wed, 23 Jul 2025 15:55:41 -0400
Subject: [PATCH 6/7] Make validation check clearer
Co-authored-by: Gary Tou
---
 app/models/announcement/block/hcb_code.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/announcement/block/hcb_code.rb b/app/models/announcement/block/hcb_code.rb
index a94af607d7..032aa32823 100644
--- a/app/models/announcement/block/hcb_code.rb
+++ b/app/models/announcement/block/hcb_code.rb
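Review bot: `status: :bad_request` on the rewritten `return render` line reports a model validation failure as a malformed request; Rails itself uses 400 for requests it cannot parse (`ActionController::BadRequest`), and the Rails/Turbo convention for a well-formed request whose content fails validation is 422, `status: :unprocessable_entity`, so with 400 the two cases are indistinguishable in logs and monitoring. The same status is carried forward unchanged by the `unless block.save` rewrite in the PATCH 5/7 hunk on this line, so both would change together. The JavaScript client in this series keys on the `errors` field rather than the status, so whichever code is chosen is currently only visible to log and monitoring consumers. The body of `create` continues outside both hunks.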
@@ -41,7 +41,7 @@ def render_html(is_email: false) def hcb_code_in_event hcb_code = ::HcbCode.find_by_hashid(parameters["hcb_code"]) - unless hcb_code&.event == announcement.event + if hcb_code.nil? || hcb_code.event != announcement.event errors.add(:base, "You are not authorized to insert this transaction") end end
From 1d41ecbc67a7365d7e22fda60918aa9fdff3b1ed Mon Sep 17 00:00:00 2001
From: Samuel Fernandez
Date: Wed, 23 Jul 2025 15:55:56 -0400
Subject: [PATCH 7/7] Adjust validation error message
Co-authored-by: Gary Tou
---
 app/models/announcement/block/hcb_code.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/announcement/block/hcb_code.rb b/app/models/announcement/block/hcb_code.rb
index 032aa32823..9f0413bdaa 100644
--- a/app/models/announcement/block/hcb_code.rb
+++ b/app/models/announcement/block/hcb_code.rb
@@ -42,7 +42,7 @@ def hcb_code_in_event hcb_code = ::HcbCode.find_by_hashid(parameters["hcb_code"]) if hcb_code.nil? || hcb_code.event != announcement.event - errors.add(:base, "You are not authorized to insert this transaction") + errors.add(:base, "Transaction can not be found.") end end
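Review bot: The rewritten condition `if hcb_code.nil? || hcb_code.event != announcement.event` still dereferences `announcement.event` unconditionally, so if a block can be validated before its announcement is assigned (for instance when only a presence validation on the association would otherwise report it), `hcb_code_in_event` raises NoMethodError instead of adding an error. If that path is reachable, `hcb_code.event != announcement&.event` keeps the comparison failing closed — a present event never equals `nil` — while still adding the error; if it is not reachable, a short comment such as `# announcement is always present here (belongs_to) — confirm` would record the assumption. The behaviour for an `HcbCode` whose own `event` is `nil` is fine as written: it compares unequal to the announcement's event and is rejected.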
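Review bot: The message `"Transaction can not be found."` now covers both branches of the condition — a hashid that resolves to nothing and one that resolves to a transaction in another event — which, presumably by design, stops the response from revealing whether a given hashid exists outside the caller's event. That intent is not visible in the code, so a later "improvement" could easily split the two messages again; a one-line comment above the `if` would protect it, e.g. `# Same message for a missing and a foreign-event record so the response does not reveal which it was.`. Minor wording: `cannot` is the conventional spelling in user-facing text.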