Add voting locks for fraud dept

app/controllers/admin/suspicious_votes_controller.rb

@@ -0,0 +1,26 @@
+module Admin
+  class SuspiciousVotesController < Admin::ApplicationController
+    def index
+      authorize :admin, :access_suspicious_votes?
+
+      @users = User
+        .joins(:votes)
+        .where(votes: { suspicious: true })
+        .group("users.id")
+        .select("users.id, users.display_name, users.voting_locked, COUNT(votes.id) AS suspicious_votes_count")
+        .order("suspicious_votes_count DESC")
+        .limit(100)
+
+      user_ids = @users.map(&:id)
+
+      raw_timestamps = PaperTrail::Version
+        .where(item_type: "User", item_id: user_ids, event: "voting_lock_toggled")
+        .group(:item_id)
+        .pluck("item_id, MAX(created_at)")
+
+      @voting_lock_timestamps = raw_timestamps.each_with_object({}) do |(id, time), hash|
+        hash[id.to_i] = time
+      end
+    end
+  end
+end

app/controllers/admin/users_controller.rb

@@ -318,6 +318,22 @@ def unshadow_ban
     redirect_to admin_user_path(@user)
   end
 
+  def toggle_voting_lock
+    authorize :admin, :ban_users?
+    @user = User.find(params[:id])
+    @user.toggle!(:voting_locked)
+
+    PaperTrail::Version.create!(
+      item_type: "User",
+      item_id: @user.id,
+      event: "voting_lock_toggled",
+      whodunnit: current_user.id.to_s,
+      object_changes: { voting_locked: [ [email protected]_locked, @user.voting_locked ] }.to_json
+    )
+
+    redirect_back(fallback_location: admin_user_path(@user), notice: "Voting lock has been #{@user.voting_locked ? 'enabled' : 'disabled'} for #{@user.display_name}.")
+  end
+
   def refresh_verification
     authorize :admin, :manage_users?
     @user = User.find(params[:id])

app/controllers/votes_controller.rb

@@ -71,6 +71,11 @@ def create
   private
 
   def check_voting_enabled
+    if current_user&.voting_locked?
+      redirect_to root_path, alert: "Your voting has been locked temporarily. Please contact @Fraud Squad for more information."
+      return
+    end
+
     return if current_user && Flipper.enabled?(:voting, current_user)
 
     redirect_to root_path, alert: "Voting is currently disabled."

app/models/user.rb

@@ -42,6 +42,7 @@
 #  vote_anonymously                        :boolean          default(FALSE), not null
 #  vote_balance                            :integer          default(0), not null
 #  votes_count                             :integer
+#  voting_locked                           :boolean          default(FALSE), not null
 #  ysws_eligible                           :boolean          default(FALSE), not null
 #  created_at                              :datetime         not null
 #  updated_at                              :datetime         not null

app/policies/admin_policy.rb

@@ -94,4 +94,8 @@ def access_voting_dashboard?
   def access_shop_suggestions?
     user.admin?
   end
+
+  def access_suspicious_votes?
+    user.admin? || user.fraud_dept?
+  end
 end

app/views/admin/application/index.html.erb

@@ -84,31 +84,39 @@
   <% end %>
   <% if policy(:admin).manage_user_roles? %>
   <%= link_to "Manage users w/ perms", "/admin/user-perms", class: button_class %>
-<% end %>
-<% if policy(:admin).access_jobs? %>
-<%= link_to "Job queue", "/admin/jobs", class: button_class %>
-<% end %>
-  <% if policy(:admin).access_super_mega_dashboard? %>
-  <%= link_to "Super Mega Dashboard", "/admin/super_mega_dashboard", class: button_class %>
-<% end %>
-  <% if policy(:admin).access_payouts_dashboard? %>
-  <%= link_to "Payouts Dashboard", "/admin/payouts_dashboard", class: button_class %>
-<% end %>
-<% if policy(:admin).access_fraud_dashboard? %>
-  <%= link_to "Fraud Dashboard", "/admin/fraud_dashboard", class: button_class %>
-<% end %>
-<% if policy(:admin).access_admin_endpoints? %>
-  <%= link_to "Ship Event Scores", "/admin/ship_event_scores", class: button_class %>
-<% end %>
-<% if policy(:admin).access_fulfillment_dashboard? %>
-  <%= link_to "Fulfillment Dashboard", admin_fulfillment_dashboard_index_path, class: button_class %>
-<% end %>
-<% if policy(:admin).access_voting_dashboard? %>
-  <%= link_to "Voting Dashboard", "/admin/voting_dashboard", class: button_class %>
-<% end %>
+  <% end %>
+  <% if policy(:admin).access_jobs? %>
+  <%= link_to "Job queue", "/admin/jobs", class: button_class %>
+  <% end %>
+    <% if policy(:admin).access_super_mega_dashboard? %>
+    <%= link_to "Super Mega Dashboard", "/admin/super_mega_dashboard", class: button_class %>
+  <% end %>
+    <% if policy(:admin).access_payouts_dashboard? %>
+    <%= link_to "Payouts Dashboard", "/admin/payouts_dashboard", class: button_class %>
+  <% end %>
+  <% if policy(:admin).access_fraud_dashboard? %>
+    <%= link_to "Fraud Dashboard", "/admin/fraud_dashboard", class: button_class %>
+  <% end %>
+  <% if policy(:admin).access_admin_endpoints? %>
+    <%= link_to "Ship Event Scores", "/admin/ship_event_scores", class: button_class %>
+  <% end %>
+  <% if policy(:admin).access_fulfillment_dashboard? %>
+    <%= link_to "Fulfillment Dashboard", admin_fulfillment_dashboard_index_path, class: button_class %>
+  <% end %>
+  <% if policy(:admin).access_voting_dashboard? %>
+    <%= link_to "Voting Dashboard", "/admin/voting_dashboard", class: button_class %>
+  <% end %>
   <%= link_to "Help bot", "slack://app?team=T0266FRGM&id=A09NP19R7FX&tab=home", class: "btn-primary" %>
   <%= link_to "Ship Cert & YSWS Dashboards", "https://review.hackclub.com/", class: "btn-primary", target: "_blank" %>
-<% if policy(:admin).access_shop_suggestions? %>
-  <%= link_to "Shop suggestions", "/admin/shop_suggestions", class: button_class %>
-<% end %>
+</div>
+
+<h2>other stuff</h2>
+<div class="button-grid">
+  <% button_class = Flipper.enabled?(:admin_dark_brown_buttons, current_user) ? "btn-primary-dark" : "btn-primary" %>
+  <% if policy(:admin).access_shop_suggestions? %>
+    <%= link_to "Shop suggestions", "/admin/shop_suggestions", class: button_class %>
+  <% end %>
+  <% if policy(:admin).access_suspicious_votes? %>
+    <%= link_to "Suspicious Votes", "/admin/suspicious_votes", class: button_class %>
+  <% end %>
 </div>

app/views/admin/suspicious_votes/index.html.erb

@@ -0,0 +1,42 @@
+<h1 style="text-align: center; margin: 0.5em;">Suspicious Votes</h1>
+
+<div class="card">
+  <table class="table-data">
+    <thead>
+      <tr>
+        <th>#</th>
+        <th>User</th>
+        <th>Suspicious Votes</th>
+        <th>Last Updated</th>
+        <th>Actions</th>
+      </tr>
+    </thead>
+    <tbody>
+      <% @users.each_with_index do |user, idx| %>
+        <tr>
+          <td><%= idx + 1 %></td>
+          <td><%= link_to user.display_name || "User ##{user.id}", admin_user_path(user) %></td>
+          <td><%= user.suspicious_votes_count %></td>
+          <td>
+            <% if timestamp = @voting_lock_timestamps[user.id] %>
+              <%= time_ago_in_words(timestamp) %> ago
+            <% else %>
+              <span class="text-muted">—</span>
+            <% end %>
+          </td>
+          <td>
+            <%= link_to "View Votes", votes_admin_user_path(user), class: "btn-primary slim" %>
+            <%= button_to toggle_voting_lock_admin_user_path(user),
+                  method: :post,
+                  class: "btn-secondary slim",
+                  title: user.voting_locked? ? "Unlock Voting" : "Lock Voting" do %>
+              <%= user.voting_locked? ? "Unlock" : "Lock" %>
+            <% end %>
+          </td>
+        </tr>
+      <% end %>
+    </tbody>
+  </table>
+</div>
+<br>
+<%= link_to "← Back to Admin", admin_root_path, class: "btn-secondary" %>

config/routes.rb

@@ -210,6 +210,7 @@ def self.matches?(request)
          post :impersonate
          post :refresh_verification
          get  :votes
+         post :toggle_voting_lock
        end
        collection do
          post :stop_impersonating
@@ -262,6 +263,7 @@ def self.matches?(request)
     get "voting_dashboard", to: "voting_dashboard#index"
     get "ship_event_scores", to: "ship_event_scores#index"
     get "super_mega_dashboard", to: "super_mega_dashboard#index"
+    get "suspicious_votes", to: "suspicious_votes#index"
     resources :fulfillment_dashboard, only: [ :index ] do
       collection do
         post :send_letter_mail

db/migrate/20260204053738_add_voting_locked_to_users.rb

@@ -0,0 +1,5 @@
+class AddVotingLockedToUsers < ActiveRecord::Migration[8.1]
+  def change
+    add_column :users, :voting_locked, :boolean, null: false, default: false
+  end
+end

test/fixtures/users.yml

@@ -44,6 +44,7 @@
 #  vote_anonymously                        :boolean          default(FALSE), not null
 #  vote_balance                            :integer          default(0), not null
 #  votes_count                             :integer
+#  voting_locked                           :boolean          default(FALSE), not null
 #  ysws_eligible                           :boolean          default(FALSE), not null
 #  created_at                              :datetime         not null
 #  updated_at                              :datetime         not null

test/models/user_test.rb

@@ -42,6 +42,7 @@
 #  vote_anonymously                        :boolean          default(FALSE), not null
 #  vote_balance                            :integer          default(0), not null
 #  votes_count                             :integer
+#  voting_locked                           :boolean          default(FALSE), not null
 #  ysws_eligible                           :boolean          default(FALSE), not null
 #  created_at                              :datetime         not null
 #  updated_at                              :datetime         not null