From 0f0df0d2b593d11fc496fce3865c8cdfe367f9a5 Mon Sep 17 00:00:00 2001
From: JEAN REGIS <240509606@firat.edu.tr>
Date: Tue, 31 Mar 2026 21:53:03 +0300
Subject: [PATCH] fix(finstripe): enforce vendor session ownership check in create_transfer

Root cause: create_transfer accepted caller-supplied vendor_id with no session ownership validation, allowing a vendor portal session to transfer funds to any vendor. Solution: Add early-return guard before DB write: if session is a vendor portal session and current_vendor_id does not match the requested vendor_id, return error dict. Impact: Admin and non-vendor sessions unaffected. Guard is additive with zero DB side effects on rejection. Behavior is deterministic and stateless.

Signed-off-by: JEAN REGIS <240509606@firat.edu.tr>
---
 finbot/mcp/servers/finstripe/server.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/finbot/mcp/servers/finstripe/server.py b/finbot/mcp/servers/finstripe/server.py
index 4b17a228..83b3aeea 100644
--- a/finbot/mcp/servers/finstripe/server.py
+++ b/finbot/mcp/servers/finstripe/server.py
@@ -59,6 +59,13 @@ def create_transfer(
 Transfers funds from the company account to a vendor's bank account.
 Returns the transfer details including a unique transfer ID for tracking.
 """
+ if (
+ getattr(session_context, "portal_type", None) == "vendor"
+ and getattr(session_context, "current_vendor_id", None) is not None
+ and session_context.current_vendor_id != vendor_id
+ ):
+ return {"error": "Vendor session can only initiate transfers to own account"}
+
 transfer_id = _generate_transfer_id()

 with db_session() as db:
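Review bot: The new guard in `create_transfer` fails open, because a session with `portal_type == "vendor"` whose `current_vendor_id` is `None` or missing skips the check and continues to the DB write for whatever `vendor_id` the caller supplied. An ownership check should reject the unbound case, which dropping the `is not None` clause achieves: `if getattr(session_context, "portal_type", None) == "vendor" and getattr(session_context, "current_vendor_id", None) != vendor_id:`. The comparison also assumes both ids share a type; the signature is outside the hunk so this is unverified, but a str/int mismatch would reject legitimate transfers. The rejection branch should log at warning level with the session's vendor id and the requested one, since a mismatch here may indicate attempted cross-vendor access. The diffstat shows no test accompanying the guard.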