Improve guest account security

app/controllers/application_controller.rb

@@ -18,14 +18,18 @@ class ApplicationController < ActionController::Base
 private
 
   def current_account
-    @current_account ||=
-      current_user&.account ||
-      Account.guests.find_by(id: session[:guest_account_id])
+    @current_account ||= current_user&.account
+  end
+
+  def guest_account
+    @guest_account ||= current_account
+    @guest_account ||= Account.guests.find_by(id: session[:guest_account_id])
   end
 
   def pundit_user
     @pundit_user ||= ApplicationPolicy::Context.new(
-      account: current_account,
+      account:       current_account,
+      guest_account: guest_account,
     )
   end
 

app/controllers/membership_applications_controller.rb

@@ -20,7 +20,7 @@ class MembershipApplicationsController < ApplicationController
     @membership_application =
       MembershipApplication.new permitted_attributes MembershipApplication
 
-    @membership_application.account = current_account || Account.new
+    @membership_application.account = guest_account || Account.new
 
     authorize @membership_application
 

app/policies/application_policy.rb

@@ -62,10 +62,11 @@ class ApplicationPolicy
   end
 
   class Context
-    attr_reader :account
+    attr_reader :account, :guest_account
 
-    def initialize(account:)
+    def initialize(account:, guest_account:)
       @account = account
+      @guest_account = guest_account
     end
   end
 end

app/policies/membership_application_policy.rb

@@ -2,7 +2,7 @@
 
 class MembershipApplicationPolicy < ApplicationPolicy
   def show?
-    record.account == context.account
+    record.account.in? [context.account, context.guest_account]
   end
 
   def create?