Skip to content

fix: fraud dept balance restrictions #676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
3kh0 merged 3 commits into from
Jan 1, 2026
Merged

fix: fraud dept balance restrictions #676

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9563e04
fix: cant reach higher then ya
NeonGamerBot-QK Dec 28, 2025
81484da
fix: cant give tickets > 1
NeonGamerBot-QK Dec 28, 2025
d4ad672
Merge branch 'main' into why-so-silly
3kh0 Jan 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions app/controllers/admin/users_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,9 +228,19 @@ def adjust_balance
authorize :admin, :manage_users?
@user = User.find(params[:id])

if cannot_adjust_balance_for?(@user)
flash[:alert] = "You cannot adjust the balance of another #{protected_role_name(@user)}."
return redirect_to admin_user_path(@user)
end

amount = params[:amount].to_i
reason = params[:reason].presence

if fraud_dept_cookie_limit_exceeded?(amount)
flash[:alert] = "Fraud department members can only grant up to 1 cookie without the grant_cookies permission."
return redirect_to admin_user_path(@user)
end

if amount.zero?
flash[:alert] = "Amount cannot be zero."
return redirect_to admin_user_path(@user)
Expand Down Expand Up @@ -311,4 +321,38 @@ def update
def user_params
params.require(:user).permit(regions: [])
end

def cannot_adjust_balance_for?(target_user)
return false if current_user.has_role?(:super_admin) || current_user.has_role?(:admin)

# Non-admins cannot adjust their own balance
return true if target_user == current_user

# Fraud dept cannot modify admin balances at all
if current_user.has_role?(:fraud_dept)
return true if target_user.has_role?(:admin) || target_user.has_role?(:super_admin)
end

protected_roles = [ :admin, :super_admin, :fraud_dept ]
shared_protected_roles = current_user.roles & protected_roles & target_user.roles
shared_protected_roles.any?
end

def fraud_dept_cookie_limit_exceeded?(amount)
return false unless current_user.has_role?(:fraud_dept)
return false if current_user.has_role?(:admin) || current_user.has_role?(:super_admin)
return false if Flipper.enabled?(:grant_cookies, current_user)

amount > 1
end

def protected_role_name(target_user)
if target_user.has_role?(:super_admin) || target_user.has_role?(:admin)
"admin"
elsif target_user.has_role?(:fraud_dept)
"fraud department member"
else
"user"
end
end
end
1 change: 1 addition & 0 deletions app/models/user.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -416,6 +416,7 @@ def track_identity_verified
end

def notify_role_granted(role)
return if Rails.env.development?
return unless slack_id.present?

role_info = User::Role.find(role)
Expand Down
Loading