From 3df0fe3f072e9811beb4d005dcb8815ed2dc9b75 Mon Sep 17 00:00:00 2001
From: Stefanni Brasil
Date: Tue, 2 Jun 2026 15:14:02 -0600
Subject: [PATCH 1/2] Prevent status change for rejected and closed account requests

A rejected or closed account request is a final state that you shouldn't be able to change. For that reason, adding a model validation prevents that from happening.
---
 app/models/account_request.rb       | 14 ++++++++++++++
 spec/models/account_request_spec.rb | 24 ++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/app/models/account_request.rb b/app/models/account_request.rb
index bd48ee6956..75c0ef40c0 100644
--- a/app/models/account_request.rb
+++ b/app/models/account_request.rb
@@ -25,6 +25,8 @@ class AccountRequest < ApplicationRecord
 
   validate :email_not_already_used_by_organization
   validate :email_not_already_used_by_user
+  validate :cannot_change_status_once_rejected,
+    :cannot_change_status_once_closed, on: :update
 
   belongs_to :ndbn_member, class_name: 'NDBNMember', optional: true
 
@@ -100,4 +102,16 @@ def email_not_already_used_by_user
       errors.add(:email, 'already used by an existing User')
     end
   end
+
+  def cannot_change_status_once_rejected
+    if status_changed? && status_was == "rejected"
+      errors.add(:status, "cannot be changed once rejected")
+    end
+  end
+
+  def cannot_change_status_once_closed
+    if status_changed? && status_was == "admin_closed"
+      errors.add(:status, "cannot be changed once closed by an admin")
+    end
+  end
 end
diff --git a/spec/models/account_request_spec.rb b/spec/models/account_request_spec.rb
index b03c5b834b..cf984183e9 100644
--- a/spec/models/account_request_spec.rb
+++ b/spec/models/account_request_spec.rb
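Review bot: `cannot_change_status_once_rejected` and `cannot_change_status_once_closed` in the second hunk are the same check with a different literal and message, so the set of terminal statuses is easier to audit as one frozen table driving a single validation, which would also turn the two-symbol `validate` call in the first hunk into `validate :cannot_change_status_once_final, on: :update`. A comment should also state that this guard covers only validated writes: `update_column(s)`, `update_all` and raw SQL skip model validations, so it is not a database-level invariant. The commit message describes the whole record as final, yet the methods only refuse a change to `status`; if the other attributes of a rejected or closed request are meant to be frozen as well, the condition needs `changed?` rather than `status_changed?` — the same question applies to `cannot_change_status_once_finalized` in app/models/audit.rb.
```ruby
  # Terminal statuses, keyed to the message reported when a record tries to
  # leave one. Only validated writes are guarded: update_column(s), update_all
  # and raw SQL bypass this check.
  TERMINAL_STATUS_MESSAGES = {
    "rejected" => "cannot be changed once rejected",
    "admin_closed" => "cannot be changed once closed by an admin"
  }.freeze

  # … unchanged: email_not_already_used_by_* and the other existing methods …

  def cannot_change_status_once_final
    message = TERMINAL_STATUS_MESSAGES[status_was]
    return unless status_changed? && message

    errors.add(:status, message)
  end
```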
@@ -74,6 +74,30 @@
     end
   end
 
+  describe '#status' do
+    it "does not regress from rejected to another status" do
+      rejected_request = create(:account_request, status: 'rejected')
+
+      expect { rejected_request.confirm! }
+        .to raise_error(ActiveRecord::RecordInvalid, /cannot be changed once rejected/)
+    end
+
+    it "does not regress from admin_closed to another status" do
+      rejected_request = create(:account_request, status: 'admin_closed')
+
+      expect { rejected_request.confirm! }
+        .to raise_error(ActiveRecord::RecordInvalid, /cannot be changed once closed by an admin/)
+    end
+
+    it "allows normal transitions" do
+      started_request = create(:account_request, status: 'started')
+      user_confirmed_request = create(:account_request, status: 'user_confirmed')
+
+      expect { started_request.confirm! }.not_to raise_error
+      expect { user_confirmed_request.reject!('rejectable request') }.not_to raise_error
+    end
+  end
+
   describe '.get_by_identity_token' do
     subject { described_class.get_by_identity_token(identity_token) }
 

From db8fefb7b76114e9d0a0fcafd9e837dbebbdef09 Mon Sep 17 00:00:00 2001
From: Stefanni Brasil
Date: Tue, 2 Jun 2026 15:35:34 -0600
Subject: [PATCH 2/2] Prevent status change for finalized audits

A finalized audit is a final state that you shouldn't be able to change. For that reason, adding a model validation prevents that from happening from the UI and from other interactions.
---
 app/models/audit.rb       |  7 +++++++
 spec/models/audit_spec.rb | 17 +++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/app/models/audit.rb b/app/models/audit.rb
index 5a669623ca..b387473663 100644
--- a/app/models/audit.rb
+++ b/app/models/audit.rb
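Review bot: In the second example the admin_closed record is bound to `rejected_request`, which misleads anyone reading a failure for the wrong state; rename it, `closed_request = create(:account_request, status: 'admin_closed')` and `expect { closed_request.confirm! }`. Both regression examples go through `confirm!` only, so they cannot tell whether the transition is blocked by the new validation or by whatever `confirm!` itself does (its body is not in this patch); one example that calls `update!(status: 'started')` directly on a rejected record would pin the validation. The enclosing describe block opens outside the hunk.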
@@ -32,6 +32,7 @@ class Audit < ApplicationRecord
   validate :line_items_quantity_is_not_negative
   validate :line_items_unique_by_item_id
   validate :user_is_organization_admin_of_the_organization
+  validate :cannot_change_status_once_finalized, on: :update
 
   def self.finalized_since?(itemizable, *location_ids)
     item_ids = itemizable.line_items.pluck(:item_id)
@@ -86,4 +87,10 @@ def line_items_unique_by_item_id
   def line_items_quantity_is_not_negative
     line_items_quantity_is_at_least(0)
   end
+
+  def cannot_change_status_once_finalized
+    if status_changed? && status_was == "finalized"
+      errors.add(:status, "cannot be changed once finalized")
+    end
+  end
 end
diff --git a/spec/models/audit_spec.rb b/spec/models/audit_spec.rb
index 10996b97fd..9da2621ab1 100644
--- a/spec/models/audit_spec.rb
+++ b/spec/models/audit_spec.rb
@@ -92,6 +92,23 @@
 
       expect(audit.save).to be_truthy
     end
+
+    describe '#status' do
+      it "does not regress from finalized to another status" do
+        finalized_audit = create(:audit, organization:, status: :finalized)
+
+        expect { finalized_audit.update!(status: :confirmed) }
+          .to raise_error(ActiveRecord::RecordInvalid, /cannot be changed once finalized/)
+      end
+
+      it "allows normal transitions" do
+        in_progress_audit = create(:audit, organization:, status: :in_progress)
+        confirmed_audit = create(:audit, organization:, status: :confirmed)
+
+        expect { in_progress_audit.update!(status: :confirmed) }.not_to raise_error
+        expect { confirmed_audit.update!(status: :finalized) }.not_to raise_error
+      end
+    end
   end
 
   context "Scopes >" do
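Review bot: `cannot_change_status_once_finalized` in the second hunk carries no comment on why the transition is refused or on the limits of the guard; add above the method `# A finalized audit is terminal: any status transition away from it is rejected. Runs only on update, and only for validated writes (update_column(s)/update_all skip it).`. The guard compares `status_was == "finalized"` with a bare string while the spec writes the status as `:finalized`; that only agrees because the dirty-tracking accessor yields the stored string form, so if `status` is declared as an enum earlier in the file (not visible in this patch) comparing against the enum mapping rather than a literal would keep the two from drifting. As with the account-request validations, only `status` is frozen here; the commit message suggests the whole audit is final, so confirm whether other attributes of a finalized audit should be rejected as well.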