
Prevent AccountRequest and Audit status changes from happening when they shouldn't be changed #5587

Open
stefannibrasil wants to merge 3 commits into rubyforgood:main from hexdevs:validation-error-status-change-5569

stefannibrasil commented Jun 2, 2026

Contributor

Resolves #5569

Description

A finalized audit and rejected or closed account requests are final states that you shouldn't be able to change.

Adding these two validations makes the app interaction consistent with other prevented status changes (a cancelled request cannot have its status changed, for example).

For that reason, adding a model validation prevents that from happening from the UI and from other interactions (API, console, etc.).

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  • unit tests have been added
  • performed tests on the console and verified the validation errors are raised when applicable

Artifacts

Both AccountRequests and Audits UI already prevent rejected/closed and finalized items from having their status changed.

Console testing:

=> #<Audit:0x0000000126b05f00
 id: 4,
 user_id: 2,
 organization_id: 1,
 adjustment_id: nil,
 storage_location_id: 1,
 status: "finalized",
 created_at: "2026-06-02 21:46:00.890268000 +0000",
 updated_at: "2026-06-02 21:46:27.211359000 +0000">
[4] pry(main)> Audit.last.update!(status: :confirmed)
TRANSACTION (0.6ms)  ROLLBACK
ActiveRecord::RecordInvalid: Validation failed: Status cannot be changed once finalized


=> #<AccountRequest:0x0000000127ca8e88
 id: 2,
 name: "BOb CAt",
 email: "bob@example.com",
 organization_name: "Cats 2",
 organization_website: "",
 confirmed_at: nil,
 request_details: "I am testing account requests, and I need some exa...",
 created_at: "2026-06-02 20:55:38.524854000 +0000",
 updated_at: "2026-06-02 21:48:14.770615000 +0000",
 rejection_reason: "rejecting account request",
 status: "rejected",
 ndbn_member_id: 20000>

AccountRequest.find(2).confirm!
  TRANSACTION (0.2ms)  ROLLBACK
ActiveRecord::RecordInvalid: Validation failed: Status cannot be changed once rejected

A rejected or closed account request is a final
state that you shouldn't be able to change.

For that reason, adding a model validation prevents
that from happening.

A finalized audit is a final state that you
shouldn't be able to change.

For that reason, adding a model validation prevents
that from happening from the UI and from other
interactions.

dorner commented Jun 5, 2026

Collaborator

Passes tech review - over to manual QA.

@stefannibrasil

Contributor Author

cc @janeewheatley @ruestitch who are responsible for QA? 👀

@janeewheatley

Collaborator

@stefannibrasil Thank you so much for taking this issue on! Sorry for the delay in reviewing. We realized that we want this to not only be about status, but to not allow any edits at all.

We tested this for audits and found the following steps to edit a finalized audit:

  • Made a new audit
  • Entered the necessary data
  • Saved Progress
  • Resumed Audit
  • Duplicated the tab (two browser tabs with /audits/6/edit)
  • In tab 1, Confirm Audit, then Finalize Audit
  • In tab 2, make changes to the same audit and notice that you can confirm this edited version and still finalize it as well

We should get an error in this last step when we try to confirm an edited audit that has already been finalized.

We noticed in the audits controller it prevents destroy of finalized audits, but the approach you are using in the model, when generalized, should catch all cases of editing a finalized audit. Though, it does make us nervous in the controller that edit does a destroy.all. I don't know if the model validation will prevent that.

The account request seems fine.

Thanks so much!
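
The two-tab sequence from the QA comment above, replayed as an added example that is not part of this pull request or the project's code. It assumes a plain-Ruby in-memory store (the hypothetical `AuditStore` and `FinalStateError`, with a constructed `quantity` field) whose save guard checks the persisted status and rejects any change once the audit is finalized.

```ruby
# Hypothetical error type for this example (not from the project).
class FinalStateError < StandardError; end

# Constructed stand-in for the audits table: id => persisted attributes.
class AuditStore
  FINAL_STATUSES = ["finalized"].freeze

  def initialize
    @rows = {}
    @lock = Mutex.new
  end

  def create(id, attrs)
    @lock.synchronize { @rows[id] = attrs.merge(status: "in_progress").freeze }
  end

  # What a browser tab holds after opening /audits/:id/edit: a snapshot.
  def load(id)
    @lock.synchronize { @rows.fetch(id).dup }
  end

  # The guard runs against the row as persisted now, not against the caller's
  # snapshot, and rejects every change (not only status) once it is final.
  def save(id, snapshot)
    @lock.synchronize do
      current = @rows.fetch(id)
      if FINAL_STATUSES.include?(current[:status]) && snapshot != current
        raise FinalStateError, "Audit cannot be changed once #{current[:status]}"
      end
      @rows[id] = snapshot.dup.freeze
    end
  end
end

# Replays the two-tab steps; returns what tab 2 observed and the stored row.
def replay_two_tabs
  store = AuditStore.new
  store.create(6, quantity: 10)            # constructed sample data
  tab1 = store.load(6)
  tab2 = store.load(6)                     # becomes stale once tab 1 finalizes
  store.save(6, tab1.merge(status: "confirmed"))
  store.save(6, tab1.merge(status: "finalized"))
  begin
    store.save(6, tab2.merge(quantity: 99, status: "confirmed"))
    outcome = :accepted
  rescue FinalStateError => e
    outcome = e.message
  end
  [outcome, store.load(6)]
end
```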

janeewheatley left a comment

Collaborator

Please see comments above
