Code Review

Review this code focusing on:

1. **Correctness** — Does it work as intended? Any logical errors?
2. **Security** — Any vulnerabilities (XSS, SQL injection, mass assignment)?
3. **Performance** — N+1 queries, unnecessary iterations, missing indexes?
4. **Readability** — Clear naming, proper structure, DRY?
5. **Rails conventions** — Following best practices?
6. **Edge cases** — What could break? Missing validations?

For each issue found, provide:
- File and line number
- What's wrong
- How to fix it (with code example)
- Severity: 🔴 Critical / 🟡 Warning / 🔵 Suggestion