Description
In app/controllers/subscribers_imports_controller.rb:42-44:

  def enforce_admin
    current_account&.admin? || raise
  end

- Uses a bare raise, which produces a 500 Internal Server Error instead of a 403 Forbidden
- Only applied to the update action, not create
Recommendation
Return a proper 403 response and apply the check to all appropriate actions.
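A runnable illustration of this recommendation, added here and not the project's own code: the current guard beside a hardened version, run through a minimal stand-in for the Rails filter chain (Account, FakeController and dispatch are constructed for the example; the real controller is assumed to inherit from Rails).

```ruby
# Constructed stand-in for the account record (not the project's model).
Account = Struct.new(:admin) { alias admin? admin }

# Just enough of ActionController (before_action, head) to run the guard
# without Rails; assumption: the real controller inherits from Rails.
class FakeController < Struct.new(:current_account, :status)
  def self.filters
    @filters ||= []
  end
  def self.before_action(name, only: nil)
    filters << [name, only && Array(only)]
  end
  def create; end # placeholder actions standing in for the real ones
  def update; end
  # Like Rails' head: record the status, which halts the filter chain.
  def head(symbol)
    self.status = { forbidden: 403 }.fetch(symbol)
  end
  # Run matching before_action filters, then the action; 200 on success.
  def process(action)
    self.class.filters.each do |name, only|
      next if only && !only.include?(action)
      send(name)
      return status if status
    end
    send(action)
    200
  end
end

# Before: bare raise becomes RuntimeError (a 500); guard only on update.
class VulnerableSubscribersImportsController < FakeController
  before_action :enforce_admin, only: :update
  def enforce_admin
    current_account&.admin? || raise
  end
end

# After: explicit 403 and the guard applied to every action.
class HardenedSubscribersImportsController < FakeController
  before_action :enforce_admin
  def enforce_admin
    head :forbidden unless current_account&.admin?
  end
end

# Mimics the framework turning an unhandled exception into a 500.
def dispatch(klass, account, action)
  klass.new(account).process(action)
rescue RuntimeError
  500
end
```

With no signed-in account, the vulnerable controller answers update with 500 and lets create through, while the hardened one answers both with 403.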
Severity
Medium