fix(authz): finance security hardening

joebon · joebon · commit 7294f66493dd · 2026-04-22T11:19:55.000+02:00
- AuthorizeFinanceRead/Write: use finance-specific scopes
- AccountPolicyGuard/PayoutAccountPolicyGuard: explicit scope requirements
- Blocked org filtering in get_by_account/get_by_payout_account
- Write endpoints re-fetch entities on write session
- Blocked org test
diff --git a/server/polar/account/endpoints.py b/server/polar/account/endpoints.py
@@ -3,6 +3,7 @@
 from polar.account_credit.repository import AccountCreditRepository
 from polar.account_credit.schemas import AccountCredit as AccountCreditSchema
 from polar.authz.dependencies import AuthorizeAccountRead, AuthorizeAccountWrite
+from polar.exceptions import ResourceNotFound
 from polar.openapi import APITag
 from polar.postgres import (
     AsyncReadSession,
@@ -32,7 +33,14 @@ async def patch(
     account_update: AccountUpdate,
     session: AsyncSession = Depends(get_db_session),
 ) -> AccountSchema:
-    updated = await account_service.update(session, authorized.account, account_update)
+    # Re-fetch on write session — the guard loaded on a read session
+    from polar.account.repository import AccountRepository
+
+    repository = AccountRepository.from_session(session)
+    account = await repository.get_by_id(authorized.account.id)
+    if account is None:
+        raise ResourceNotFound()
+    updated = await account_service.update(session, account, account_update)
     return AccountSchema.model_validate(updated)
 
 
diff --git a/server/polar/authz/dependencies.py b/server/polar/authz/dependencies.py
@@ -144,6 +144,8 @@ async def _always_allow(
         )
     ),
 ]
+
+
 # ---------------------------------------------------------------------------
 # Account-based policy guards
 # ---------------------------------------------------------------------------
diff --git a/server/polar/organization/endpoints.py b/server/polar/organization/endpoints.py
@@ -263,8 +263,16 @@ async def delete(
     If deletion cannot proceed immediately (has orders, subscriptions, or
     Stripe deletion fails), a support ticket will be created for manual handling.
     """
+    # Re-fetch on write session — the guard loaded on a read session
+    from polar.organization.repository import OrganizationRepository
+
+    org_repo = OrganizationRepository.from_session(session)
+    organization = await org_repo.get_by_id(authz.organization.id)
+    if organization is None:
+        raise ResourceNotFound()
+
     result = await organization_service.request_deletion(
-        session, authz.auth_subject, authz.organization
+        session, authz.auth_subject, organization
     )
 
     return OrganizationDeletionResponse(
@@ -354,7 +362,13 @@ async def invite_member(
     session: AsyncSession = Depends(get_db_session),
 ) -> OrganizationMember:
     """Invite a user to join an organization."""
-    organization = authz.organization
+    # Re-fetch on write session — the guard loaded on a read session
+    from polar.organization.repository import OrganizationRepository
+
+    org_repo = OrganizationRepository.from_session(session)
+    organization = await org_repo.get_by_id(authz.organization.id)
+    if organization is None:
+        raise ResourceNotFound()
 
     # Get or create user by email
     user, _ = await user_service.get_by_email_or_create(session, invite_body.email)
diff --git a/server/polar/organization/repository.py b/server/polar/organization/repository.py
@@ -66,7 +66,8 @@ async def get_by_id(
     async def get_by_account(self, account_id: UUID) -> Organization | None:
         """Get the organization that owns the given account."""
         statement = self.get_base_statement().where(
-            Organization.account_id == account_id
+            Organization.account_id == account_id,
+            Organization.status != OrganizationStatus.BLOCKED,
         )
         return await self.get_one_or_none(statement)
 
@@ -75,7 +76,8 @@ async def get_by_payout_account(
     ) -> Organization | None:
         """Get the organization that uses the given payout account."""
         statement = self.get_base_statement().where(
-            Organization.payout_account_id == payout_account_id
+            Organization.payout_account_id == payout_account_id,
+            Organization.status != OrganizationStatus.BLOCKED,
         )
         return await self.get_one_or_none(statement)
 
diff --git a/server/polar/payout_account/endpoints.py b/server/polar/payout_account/endpoints.py
@@ -7,6 +7,7 @@
     AuthorizePayoutAccountRead,
     AuthorizePayoutAccountWrite,
 )
+from polar.exceptions import ResourceNotFound
 from polar.kit.pagination import ListResource, Pagination
 from polar.models import PayoutAccount
 from polar.openapi import APITag
@@ -64,7 +65,14 @@ async def delete(
     authorized: AuthorizePayoutAccountWrite,
     session: AsyncSession = Depends(get_db_session),
 ) -> None:
-    await payout_account_service.delete(session, authorized.payout_account)
+    # Re-fetch on write session — the guard loaded on a read session
+    from polar.payout_account.repository import PayoutAccountRepository
+
+    repository = PayoutAccountRepository.from_session(session)
+    payout_account = await repository.get_by_id(authorized.payout_account.id)
+    if payout_account is None:
+        raise ResourceNotFound()
+    await payout_account_service.delete(session, payout_account)
 
 
 @router.post("/{id}/onboarding-link", response_model=PayoutAccountLink)
diff --git a/server/tests/authz/test_endpoints.py b/server/tests/authz/test_endpoints.py
@@ -4,6 +4,7 @@
 from httpx import AsyncClient
 
 from polar.models import Organization, User
+from polar.models.organization import OrganizationStatus
 from polar.models.user_organization import UserOrganization
 from tests.fixtures.database import SaveFixture
 from tests.fixtures.random_objects import create_account
@@ -66,6 +67,22 @@ async def test_admin_returns_200(
         response = await client.get(f"/v1/organizations/{organization.id}/account")
         assert response.status_code == 200
 
+    @pytest.mark.auth
+    async def test_blocked_org_returns_404(
+        self,
+        client: AsyncClient,
+        save_fixture: SaveFixture,
+        user: User,
+        organization: Organization,
+        user_organization: UserOrganization,
+    ) -> None:
+        organization.account = await create_account(save_fixture, user=user)
+        organization.status = OrganizationStatus.BLOCKED
+        await save_fixture(organization)
+
+        response = await client.get(f"/v1/organizations/{organization.id}/account")
+        assert response.status_code == 404
+
 
 @pytest.mark.asyncio
 class TestPolicyGuardDeleteOrganization:

Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,8 @@ async def _always_allow(`
`144`	`144`	`)`
`145`	`145`	`),`
`146`	`146`	`]`
	`147`	`+`
	`148`	`+`
`147`	`149`	`# ---------------------------------------------------------------------------`
`148`	`150`	`# Account-based policy guards`
`149`	`151`	`# ---------------------------------------------------------------------------`