not allow to set hidden account as default account

pkg/api/users.go

@@ -263,12 +263,22 @@ func (a *UsersApi) UserUpdateProfileHandler(c *core.Context) (any, *errs.Error)
 	}
 
 	if userUpdateReq.DefaultAccountId > 0 && userUpdateReq.DefaultAccountId != user.DefaultAccountId {
-		accounts, err := a.accounts.GetAccountsByAccountIds(c, uid, []int64{userUpdateReq.DefaultAccountId})
+		accountMap, err := a.accounts.GetAccountsByAccountIds(c, uid, []int64{userUpdateReq.DefaultAccountId})
 
-		if err != nil || len(accounts) < 1 {
+		if err != nil || len(accountMap) < 1 {
 			return nil, errs.Or(err, errs.ErrUserDefaultAccountIsInvalid)
 		}
 
+		if _, exists := accountMap[userUpdateReq.DefaultAccountId]; !exists {
+			log.WarnfWithRequestId(c, "[users.UserUpdateProfileHandler] account \"id:%d\" does not exist for user \"uid:%d\"", userUpdateReq.DefaultAccountId, uid)
+			return nil, errs.ErrUserDefaultAccountIsInvalid
+		}
+
+		if accountMap[userUpdateReq.DefaultAccountId].Hidden {
+			log.WarnfWithRequestId(c, "[users.UserUpdateProfileHandler] account \"id:%d\" is hidden of user \"uid:%d\"", userUpdateReq.DefaultAccountId, uid)
+			return nil, errs.ErrUserDefaultAccountIsHidden
+		}
+
 		user.DefaultAccountId = userUpdateReq.DefaultAccountId
 		userNew.DefaultAccountId = userUpdateReq.DefaultAccountId
 		anythingUpdate = true

pkg/errs/user.go

@@ -30,4 +30,5 @@ var (
 	ErrEmailIsVerified                                     = NewNormalError(NormalSubcategoryUser, 21, http.StatusBadRequest, "email is verified")
 	ErrEmailValidationNotAllowed                           = NewNormalError(NormalSubcategoryUser, 22, http.StatusBadRequest, "email validation not allowed")
 	ErrDecimalSeparatorAndDigitGroupingSymbolCannotBeEqual = NewNormalError(NormalSubcategoryUser, 23, http.StatusBadRequest, "decimal separator and digit grouping symbol cannot be equal")
+	ErrUserDefaultAccountIsHidden                          = NewNormalError(NormalSubcategoryUser, 24, http.StatusBadRequest, "user default account is hidden")
 )