Add shadowban mechanism for closet lists

Simple enough to start! If `shadowbanned: true` gets set on a user,
then we show a 404 instead of the actual list page, *unless* you're
logged in as that user, or coming from a known IP of that user.

This isn't a very strong mechanism! Just something to hopefully
increase the costs of messing around with list spam.

app/controllers/application_controller.rb

@@ -1,6 +1,5 @@
 require 'async'
 require 'async/container'
-require 'ipaddr'
 
 class ApplicationController < ActionController::Base
   include FragmentLocalization

app/controllers/closet_hangers_controller.rb

@@ -2,6 +2,7 @@ class ClosetHangersController < ApplicationController
   before_action :authorize_user!, :only => [:destroy, :create, :update, :update_quantities, :petpage]
   before_action :find_item, :only => [:create, :update_quantities]
   before_action :find_user, :only => [:index, :petpage, :update_quantities]
+  before_action :enforce_shadowban, only: [:index]
 
   def destroy
     if params[:list_id]
@@ -214,6 +215,14 @@ class ClosetHangersController < ApplicationController
     end
   end
 
+  def enforce_shadowban
+    # If this user is shadowbanned, and this *doesn't* seem to be a request
+    # from that user, render the 404 page.
+    if @user.shadowbanned? && !@user.likely_is?(current_user, request.remote_ip)
+      render file: "public/404.html", layout: false, status: :not_found
+    end
+  end
+
   def find_item
     @item = Item.find params[:item_id]
   end

app/models/user.rb

@@ -46,6 +46,12 @@ class User < ApplicationRecord
     serializable_hash only: [:id, :name]
   end
 
+  # Given info about a request, return whether that request is likely to be
+  # coming from the same person who owns this account.
+  def likely_is?(current_user, remote_ip)
+    current_user == self || auth_user.current_sign_in_ip == remote_ip
+  end
+
   def unowned_items
     # Join all items against our owned closet hangers, group by item ID, then
     # only return those with zero matching hangers.

db/migrate/20240421033509_add_shadowbanned_to_users.rb

@@ -0,0 +1,5 @@
+class AddShadowbannedToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :shadowbanned, :boolean, default: false, null: false
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2024_04_01_124200) do
+ActiveRecord::Schema[7.1].define(version: 2024_04_21_033509) do
   create_table "alt_styles", charset: "utf8mb4", collation: "utf8mb4_unicode_520_ci", force: :cascade do |t|
     t.integer "species_id", null: false
     t.integer "color_id", null: false
@@ -266,6 +266,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_04_01_124200) do
     t.integer "contact_neopets_connection_id"
     t.timestamp "last_trade_activity_at"
     t.boolean "support_staff", default: false, null: false
+    t.boolean "shadowbanned", default: false, null: false
   end
 
   create_table "zones", id: :integer, charset: "utf8mb4", collation: "utf8mb4_unicode_520_ci", force: :cascade do |t|