From 3e971dbcd0dad2e52cee75e3b9d645746d46d3ef Mon Sep 17 00:00:00 2001
From: ibtyog
Date: Wed, 24 Dec 2025 13:20:01 +0100
Subject: [PATCH 1/2] fix: additional validation to form update
---
 app/controllers/forms_controller.ts | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/app/controllers/forms_controller.ts b/app/controllers/forms_controller.ts
index 62beb7a..b02e44d 100644
--- a/app/controllers/forms_controller.ts
+++ b/app/controllers/forms_controller.ts
@@ -149,12 +149,14 @@ export default class FormsController {
 const event = await Event.query()
 .where("id", eventId)
 .preload("firstForm")
+ .preload("attributes")
 .firstOrFail();
 await bouncer.authorize("manage_form", event);
 const form = await Form.query()
 .where("event_id", eventId)
 .where("id", formId)
+ .preload("attributes")
 .firstOrFail();
 const { attributes, ...updates } =
@@ -171,10 +173,20 @@ export default class FormsController {
 });
 }
- form.merge(updates);
- await form.save();
-
 if (attributes !== undefined) {
+ const eventAttributesIdsSet = new Set(
+ event.attributes.map((attribute) => attribute.id),
+ );
+
+ const attributesFromDifferentEvent = attributes.filter(
+ (attribute) => !eventAttributesIdsSet.has(attribute.id),
+ );
+
+ if (attributesFromDifferentEvent.length > 0) {
+ return response.badRequest({
+ message: `Attributes with ids ${JSON.stringify(attributesFromDifferentEvent.map((attribute) => attribute.id))}, do not belong to this event`,
+ });
+ }
 await form.related("attributes").detach();
 await form.related("attributes").attach(
@@ -194,6 +206,8 @@ export default class FormsController {
 ),
 );
 }
+ form.merge(updates);
+ await form.save();
 const updatedForm = await Form.query()
 .where("event_id", eventId)
From 1e3012ba009a9093f359fd3808d8e8e81d9f8e88 Mon Sep 17 00:00:00 2001
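Review bot: The second `.preload("attributes")`, on the `Form` query, is not read by anything visible in this patch: the new ownership check only consults `event.attributes`, and `detach()`/`attach()` operate on the pivot table without the relation being loaded. Unless code outside these hunks reads `form.attributes`, drop that line so the update path does not fetch rows it never uses. The preload on the `Event` query is the one the check depends on and should stay. The method body starts and ends outside the hunk, so a later use of `form.attributes` cannot be ruled out from here.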
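Review bot: The writes that follow the new ownership check are still not atomic: `detach()`, `attach(...)` and the `form.save()` moved into the hunk at -194,6 each commit on their own. If `attach` throws after `detach` has run, the form is left with no attributes, and if `save` fails the attribute set has changed while the form fields have not. Wrapping the three writes in one managed transaction keeps a rejected or failed update from leaving the form half-modified. The sketch below assumes the Lucid `db` service is imported in this file, which is not visible here. The create path in PATCH 2/2 has the same gap between `event.related("forms").create(newFormData)` and the `attach(...)` that follows it.

```typescript
if (attributes !== undefined) {
  // … unchanged: eventAttributesIdsSet check and badRequest return …
}

// All writes share one transaction so a failure rolls back every step.
await db.transaction(async (trx) => {
  form.useTransaction(trx);
  if (attributes !== undefined) {
    await form.related("attributes").detach();
    await form.related("attributes").attach(
      // … unchanged: attributes.reduce(...) pivot payload …
    );
  }
  form.merge(updates);
  await form.save();
});
```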
From: ibtyog
Date: Mon, 29 Dec 2025 16:44:06 +0100
Subject: [PATCH 2/2] fix: change logic order
---
 app/controllers/forms_controller.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app/controllers/forms_controller.ts b/app/controllers/forms_controller.ts
index b02e44d..24b20bc 100644
--- a/app/controllers/forms_controller.ts
+++ b/app/controllers/forms_controller.ts
@@ -70,8 +70,6 @@ export default class FormsController {
 });
 }
-
- const form = await event.related("forms").create(newFormData);
 const eventAttributesIdsSet = new Set(
 event.attributes.map((attribute) => attribute.id),
 );
@@ -85,6 +83,7 @@ export default class FormsController {
 message: `Attributes with ids ${JSON.stringify(attributesFromDifferentEvent.map((attribute) => attribute.id))}, do not belong to this event`,
 });
 }
+ const form = await event.related("forms").create(newFormData);
 await form.related("attributes").attach(
 attributes.reduce(
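Review bot: The attribute-ownership check that now runs before `create(newFormData)` is a line-for-line copy of the one PATCH 1/2 adds to the update path, down to the error message. A cross-event guard kept in two places tends to drift, and a later fix applied to one copy leaves the other accepting foreign attribute ids. Consider a single private helper that both paths call, for example `private foreignAttributeIds(event: Event, attributes: { id: number }[]): number[]`; the `id` type is assumed, since the validator schema is not shown. It would also help to record the ordering this commit establishes with a comment above the moved line, such as `// Create the form only after attribute ownership is validated, so a rejected request writes nothing.` The enclosing method starts and ends outside the hunk.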