From 15ef3d0df47a76386025968976eda235c1be21c4 Mon Sep 17 00:00:00 2001
From: padreug <padreug@aiolabs.dev>
Date: Tue, 11 Nov 2025 01:59:18 +0100
Subject: [PATCH] Prevent permissions on inactive accounts

- Added validation in create_account_permission() to check account status
- Raises ValueError if account is inactive or doesn't exist
- Provides clear error message identifying the inactive account by name

This ensures users cannot be granted permissions on accounts that have
been marked as inactive (soft deleted).
---
 crud.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/crud.py b/crud.py
index a403924..7423c3c 100644
--- a/crud.py
+++ b/crud.py
@@ -920,9 +920,23 @@ async def get_all_equity_eligible_users() -> list["UserEquityStatus"]:
 async def create_account_permission(
     data: "CreateAccountPermission", granted_by: str
 ) -> "AccountPermission":
-    """Create a new account permission"""
+    """
+    Create a new account permission.
+
+    Raises:
+        ValueError: If account is inactive or doesn't exist
+    """
     from .models import AccountPermission
 
+    # Validate account exists and is active
+    account = await get_account(data.account_id)
+    if not account:
+        raise ValueError(f"Account {data.account_id} not found")
+    if not account.is_active:
+        raise ValueError(
+            f"Cannot grant permission on inactive account: {account.name}"
+        )
+
     permission_id = urlsafe_short_hash()
     permission = AccountPermission(
         id=permission_id,