Add shadowban mechanism for closet lists

Simple enough to start! If `shadowbanned: true` gets set on a user, then we show a 404 instead of the actual list page, *unless* you're logged in as that user, or coming from a known IP of that user. This isn't a very strong mechanism! Just something to hopefully increase the costs of messing around with list spam.
2024-04-20 20:57:15 -07:00 · 2024-04-20 20:57:15 -07:00 · 156cabbab4
commit 156cabbab4
parent 4ae5acfdc3
5 changed files with 22 additions and 2 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1,6 +1,5 @@
 require 'async'
 require 'async/container'
-require 'ipaddr'

 class ApplicationController < ActionController::Base
  include FragmentLocalization
--- a/app/controllers/closet_hangers_controller.rb
+++ b/app/controllers/closet_hangers_controller.rb
@ -2,6 +2,7 @@ class ClosetHangersController < ApplicationController
  before_action :authorize_user!, :only => [:destroy, :create, :update, :update_quantities, :petpage]
  before_action :find_item, :only => [:create, :update_quantities]
  before_action :find_user, :only => [:index, :petpage, :update_quantities]
+  before_action :enforce_shadowban, only: [:index]

  def destroy
    if params[:list_id]
@ -214,6 +215,14 @@ class ClosetHangersController < ApplicationController
    end
  end

+  def enforce_shadowban
+    # If this user is shadowbanned, and this *doesn't* seem to be a request
+    # from that user, render the 404 page.
+    if @user.shadowbanned? && !@user.likely_is?(current_user, request.remote_ip)
+      render file: "public/404.html", layout: false, status: :not_found
+    end
+  end
+
  def find_item
    @item = Item.find params[:item_id]
  end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -46,6 +46,12 @@ class User < ApplicationRecord
    serializable_hash only: [:id, :name]
  end

+  # Given info about a request, return whether that request is likely to be
+  # coming from the same person who owns this account.
+  def likely_is?(current_user, remote_ip)
+    current_user == self || auth_user.current_sign_in_ip == remote_ip
+  end
+
  def unowned_items
    # Join all items against our owned closet hangers, group by item ID, then
    # only return those with zero matching hangers.
--- a/db/migrate/20240421033509_add_shadowbanned_to_users.rb
+++ b/db/migrate/20240421033509_add_shadowbanned_to_users.rb
@ -0,0 +1,5 @@
+class AddShadowbannedToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :shadowbanned, :boolean, default: false, null: false
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.1].define(version: 2024_04_01_124200) do
+ActiveRecord::Schema[7.1].define(version: 2024_04_21_033509) do
  create_table "alt_styles", charset: "utf8mb4", collation: "utf8mb4_unicode_520_ci", force: :cascade do |t|
    t.integer "species_id", null: false
    t.integer "color_id", null: false
@ -266,6 +266,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_04_01_124200) do
    t.integer "contact_neopets_connection_id"
    t.timestamp "last_trade_activity_at"
    t.boolean "support_staff", default: false, null: false
+    t.boolean "shadowbanned", default: false, null: false
  end

  create_table "zones", id: :integer, charset: "utf8mb4", collation: "utf8mb4_unicode_520_ci", force: :cascade do |t|