Imagine the following structure:
account (Account)
-> posts (Post)
-> owner (User)
And the following malicious code that assigns the post to an owner from a different account:
account_malicious = Account.create
user_malicious = account_malicious.users.create!
account_1 = Account.create
ActsAsTenant.current_tenant = account_1
user_1 = account_1.users.create!
post_1 = account_1.posts.create!(owner: user_1)
post_1.update!(owner_id: user_malicious.id) # passes: the owner reference is not checked against the current tenant
Expected behaviour: Acts as tenant will prevent such a malicious update.
I understand this is not always possible, for example for raw SQL updates, but when using the ORM I would expect such validation.
The example above is quite artificial, but imagine a common controller update, where you can pass the params via curl:
params = {
post: {
owner_id: malicious_id
}
}
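An added example, not code from the acts_as_tenant gem or from the issue author, showing the check the report asks for: a belongs_to reference (post.owner) may only point at a record in the same tenant as the post. It is written in plain Ruby with in-memory stand-ins for the Account, User and Post models so it runs without Rails; the model names and the account_id column are taken from the issue, everything else (the USERS hash, TenantMismatch, the method names) is constructed for this example. The Rails-flavoured equivalent is shown in a comment.

```ruby
# Added example (not acts_as_tenant's code): a tenant-scoped reference check.
# In a Rails app the same idea is a custom validation on the model, roughly:
#
#   validate :owner_in_same_tenant
#   def owner_in_same_tenant
#     return if owner.nil? || owner.account_id == account_id
#     errors.add(:owner_id, "must belong to the same account as the post")
#   end
#
# Below is a self-contained, Rails-free version of that check.

class TenantMismatch < StandardError; end

# Constructed in-memory "users table": id => User. Stands in for the database.
USERS = {}

Account = Struct.new(:id)

User = Struct.new(:id, :account_id) do
  def save!
    USERS[id] = self
  end
end

class Post
  attr_reader :account_id, :owner_id, :errors

  def initialize(account_id:, owner_id:)
    @account_id = account_id
    @owner_id = owner_id
    @errors = []
  end

  # The missing check from the issue: the referenced owner must exist and must
  # belong to the same tenant (account) as this post. Without it, owner_id can
  # be pointed at a user from any other account, exactly as in the report.
  def valid?
    @errors = []
    owner = USERS[owner_id]
    if owner.nil?
      @errors << 'owner must exist'
    elsif owner.account_id != account_id
      @errors << 'owner must belong to the same account as the post'
    end
    @errors.empty?
  end

  # Mirrors ActiveRecord's update!: apply the change, validate, roll back and
  # raise when validation fails.
  def update!(owner_id:)
    previous = @owner_id
    @owner_id = owner_id
    unless valid?
      @owner_id = previous
      raise TenantMismatch, errors.join(', ')
    end
    self
  end
end

# Replays the issue's scenario with constructed ids; returns :rejected when the
# cross-tenant reassignment is blocked, :updated if it slipped through.
def cross_tenant_reassignment
  USERS.clear
  account_malicious = Account.new(1)
  user_malicious = User.new(10, account_malicious.id)
  user_malicious.save!

  account_1 = Account.new(2)
  user_1 = User.new(20, account_1.id)
  user_1.save!

  post_1 = Post.new(account_id: account_1.id, owner_id: user_1.id)
  raise 'setup: post should be valid within its own tenant' unless post_1.valid?

  begin
    post_1.update!(owner_id: user_malicious.id)
    :updated
  rescue TenantMismatch
    :rejected
  end
end

# Control case: reassigning to another user inside the same tenant is allowed.
def same_tenant_reassignment
  USERS.clear
  account_1 = Account.new(2)
  user_a = User.new(20, account_1.id)
  user_b = User.new(21, account_1.id)
  user_a.save!
  user_b.save!
  post = Post.new(account_id: account_1.id, owner_id: user_a.id)
  post.update!(owner_id: user_b.id).owner_id
end

puts cross_tenant_reassignment if $PROGRAM_NAME == __FILE__
```

The check keys on the tenant column (account_id) of the referenced row rather than on the current tenant setting alone, so it also catches the controller case in the report where owner_id arrives straight from request params.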