From 1a7ef04df5fd2a7cd65521ae9a459bf768314278 Mon Sep 17 00:00:00 2001 From: Zach Wolfenbarger Date: Wed, 29 Nov 2023 17:27:39 -0600 Subject: [PATCH 1/3] db schema change --- .../20231107211623_add_confirmed_to_users.rb | 15 +++++++++++++++ db/schema.rb | 2 +- lib/tasks/db.rake | 6 ++++-- 3 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 db/migrate/20231107211623_add_confirmed_to_users.rb diff --git a/db/migrate/20231107211623_add_confirmed_to_users.rb b/db/migrate/20231107211623_add_confirmed_to_users.rb new file mode 100644 index 00000000..5c566b29 --- /dev/null +++ b/db/migrate/20231107211623_add_confirmed_to_users.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +class AddConfirmedToUsers < ActiveRecord::Migration + def up + execute <<-SQL + ALTER FOREIGN TABLE users ADD COLUMN confirmed_at TIMESTAMP DEFAULT NULL + SQL + end + + def down + execute <<-SQL + ALTER FOREIGN TABLE users DROP COLUMN IF EXISTS confirmed_at; + SQL + end +end diff --git a/db/schema.rb b/db/schema.rb index 0f456c40..c150aee2 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20180518132406) do +ActiveRecord::Schema.define(version: 20231107211623) do # These are extensions that must be enabled in order to support this database enable_extension "plpgsql" diff --git a/lib/tasks/db.rake b/lib/tasks/db.rake index 91fbbf28..a6905f44 100644 --- a/lib/tasks/db.rake +++ b/lib/tasks/db.rake @@ -79,7 +79,8 @@ namespace :panoptes do zooniverse_id varchar(255), credited_name varchar(255), admin bool, - banned bool + banned bool, + confirmed_at timestamp(6) ) server panoptes; create foreign table if not exists oauth_access_tokens ( 
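Review bot: `up` in db/migrate/20231107211623_add_confirmed_to_users.rb adds the column unconditionally while `down` drops it with `IF EXISTS`, and the lib/tasks/db.rake hunk in this same patch now creates the foreign `users` table with `confirmed_at` already present. If a database is set up through that rake task before migrations run, the `ADD COLUMN` would presumably fail on a duplicate column. A guard as the first line of `up`, for example `return if column_exists?(:users, :confirmed_at)`, would make the two paths agree; confirm that the check resolves foreign tables on this adapter. The migration also declares `TIMESTAMP` where the rake task declares `timestamp(6)`, so a comment saying which definition is authoritative would help.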
@@ -232,7 +233,8 @@ namespace :panoptes do banned boolean default false not null, migrated boolean default false, valid_email boolean default true not null, - uploaded_subjects_count integer default 0 + uploaded_subjects_count integer default 0, + confirmed_at timestamp(6) without time zone default null ); drop table if exists oauth_access_tokens; From 2dccd27112a3a1a9835297bacd05c6fc93fbeee1 Mon Sep 17 00:00:00 2001 From: Zach Wolfenbarger Date: Wed, 29 Nov 2023 17:28:08 -0600 Subject: [PATCH 2/3] Policy updates --- app/policies/application_policy.rb | 4 ++++ app/policies/comment_policy.rb | 8 ++++---- app/policies/conversation_policy.rb | 8 ++++---- app/policies/discussion_policy.rb | 4 ++-- app/policies/message_policy.rb | 6 +++--- 5 files changed, 17 insertions(+), 13 deletions(-) diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index d7c898df..42ff6a7c 100644 --- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb @@ -77,6 +77,10 @@ def has_role?(role) true end + def confirmed? + !!user.confirmed_at + end + def of_posting_age? return true unless ENV['POSTING_AGE_REQUIREMENT'] diff --git a/app/policies/comment_policy.rb b/app/policies/comment_policy.rb index acd9ff2d..62613917 100644 --- a/app/policies/comment_policy.rb +++ b/app/policies/comment_policy.rb @@ -11,18 +11,18 @@ def show? def create? if Array.wrap(record).compact.any? { |c| c.discussion.board.section == 'zooniverse' } - logged_in? && !locked? && writable? && of_posting_age? + logged_in? && !locked? && writable? && confirmed? && of_posting_age? else - logged_in? && !locked? && writable? + logged_in? && !locked? && writable? && confirmed? end end def update? - owner? && !deleted? && !locked? && writable? + owner? && !deleted? && !locked? && writable? && confirmed? end def destroy? - owner? && !deleted? && !locked? && writable? + owner? && !deleted? && !locked? && writable? && confirmed? end def move? 
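Review bot: `confirmed?` in app/policies/application_policy.rb calls `user.confirmed_at` with no nil guard, and not every call site checks `logged_in?` first: `DiscussionPolicy#create?` in this patch is `writable? && confirmed?`. If `writable?` can be true for an anonymous request, the policy raises NoMethodError instead of denying; `!!(user && user.confirmed_at)` fails closed. A comment such as `# NULL confirmed_at means unconfirmed; accounts that predate the column are denied until the upstream users table supplies a value` would also record the rollout consequence. The enclosing class starts and ends outside the hunk.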
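Review bot: In app/policies/comment_policy.rb the new `confirmed?` check covers `create?`, `update?` and `destroy?` only; the voting predicates are not in this hunk, and the spec added in PATCH 3/3 asserts that an unconfirmed user is still permitted `:upvote` and `:remove_upvote`. If the purpose of confirmation is to keep unverified accounts from influencing content, votes remain open to them. If the exemption is deliberate, a comment above those predicates such as `# voting is intentionally allowed before the account is confirmed` would keep a later reader from treating it as an oversight. `move?` begins on the hunk's last line and its body is outside it.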
diff --git a/app/policies/conversation_policy.rb b/app/policies/conversation_policy.rb index 522f9c4a..c8f9b6e0 100644 --- a/app/policies/conversation_policy.rb +++ b/app/policies/conversation_policy.rb @@ -1,14 +1,14 @@ class ConversationPolicy < ApplicationPolicy def index? - logged_in? + logged_in? && confirmed? end def show? - moderator? || admin? || participant? + (moderator? || admin? || participant?) && confirmed? end def create? - logged_in? + logged_in? && confirmed? end def update? @@ -16,7 +16,7 @@ def update? end def destroy? - participant? + participant? && confirmed? end class Scope < Scope diff --git a/app/policies/discussion_policy.rb b/app/policies/discussion_policy.rb index 47d1c1c5..2df8ba0a 100644 --- a/app/policies/discussion_policy.rb +++ b/app/policies/discussion_policy.rb @@ -11,9 +11,9 @@ def show? def create? if Array.wrap(record).compact.any? { |d| d.board.section == 'zooniverse' } - writable? && of_posting_age? + writable? && confirmed? && of_posting_age? else - writable? + writable? && confirmed? end end diff --git a/app/policies/message_policy.rb b/app/policies/message_policy.rb index e97a871f..f1e52f56 100644 --- a/app/policies/message_policy.rb +++ b/app/policies/message_policy.rb @@ -1,14 +1,14 @@ class MessagePolicy < ApplicationPolicy def index? - logged_in? + logged_in? && confirmed? end def show? - moderator? || admin? || participant? + (moderator? || admin? || participant?) && confirmed? end def create? - participant? + participant? && confirmed? end def update? From 0599b0d2768b1c34e04c20940a548fa8a0c2ce4b Mon Sep 17 00:00:00 2001 From: Zach Wolfenbarger Date: Wed, 29 Nov 2023 17:28:14 -0600 Subject: [PATCH 3/3] Specs --- spec/factories/users.rb | 1 + spec/policies/comment_policy_spec.rb | 6 ++++++ spec/policies/conversation_policy_spec.rb | 5 +++++ spec/policies/discussion_policy_spec.rb | 7 +++++++ spec/policies/message_policy_spec.rb | 5 +++++ 5 files changed, 24 insertions(+) 
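Review bot: `show?` in app/policies/conversation_policy.rb is now `(moderator? || admin? || participant?) && confirmed?`, so a moderator or admin whose own account is unconfirmed can no longer open a conversation, and `MessagePolicy#show?` gets the same shape. If staff accounts can be unconfirmed, that removes their ability to review reported messages. If only participants were meant to be gated, `moderator? || admin? || (participant? && confirmed?)` expresses it; otherwise a short comment stating that staff are gated on purpose would settle the question. `update?` in both files is unchanged and its body is not visible in these hunks.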
diff --git a/spec/factories/users.rb b/spec/factories/users.rb index 8d32fef0..1c1e47f0 100644 --- a/spec/factories/users.rb +++ b/spec/factories/users.rb @@ -7,6 +7,7 @@ admin false banned false created_at Time.now - 1.year + confirmed_at Time.now - 364.days factory :moderator do transient do diff --git a/spec/policies/comment_policy_spec.rb b/spec/policies/comment_policy_spec.rb index 54970db7..cf3aeec2 100644 --- a/spec/policies/comment_policy_spec.rb +++ b/spec/policies/comment_policy_spec.rb @@ -39,6 +39,12 @@ it_behaves_like 'a policy forbidding', :update, :destroy end + context 'with an unconfirmed user' do + let(:user){ create :user, confirmed_at: nil } + it_behaves_like 'a policy permitting', :index, :show, :upvote, :remove_upvote + it_behaves_like 'a policy forbidding', :update, :destroy, :move + end + context 'with a new account' do let(:user){ create :user, created_at: Time.now } ENV['POSTING_AGE_REQUIREMENT'] = '24' diff --git a/spec/policies/conversation_policy_spec.rb b/spec/policies/conversation_policy_spec.rb index abad31c9..77daa025 100644 --- a/spec/policies/conversation_policy_spec.rb +++ b/spec/policies/conversation_policy_spec.rb @@ -15,6 +15,11 @@ it_behaves_like 'a policy forbidding', :show, :update, :destroy end + context 'with an unconfirmed user' do + let(:user){ create :user, confirmed_at: nil } + it_behaves_like 'a policy forbidding', :index, :show, :create, :destroy, :update + end + context 'with a participant' do let(:user){ record.users.first } it_behaves_like 'a policy permitting', :index, :show, :create, :destroy diff --git a/spec/policies/discussion_policy_spec.rb b/spec/policies/discussion_policy_spec.rb index 9c200d4e..8cf0f93a 100644 --- a/spec/policies/discussion_policy_spec.rb +++ b/spec/policies/discussion_policy_spec.rb 
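Review bot: The 'with an unconfirmed user' context in spec/policies/comment_policy_spec.rb never asserts that `:create` is forbidden, although `create?` is the main action the policy change gates; `it_behaves_like 'a policy forbidding', :create, :update, :destroy, :move` would pin it. The user built here is presumably not the comment's owner, so the `:update` and `:destroy` assertions pass with or without `confirmed?`; a context whose owner has `confirmed_at: nil` would exercise the new check. The conversation, discussion and message specs appear to have the same gap for their participant-only and owner-only actions (`:show`, `:update`, `:destroy`, and `:create` on messages).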
@@ -27,6 +27,13 @@ it_behaves_like 'a policy forbidding', :create, :update, :destroy end + context 'with an unconfirmed user' do + let(:user){ create :user, confirmed_at: nil } + let(:board){ create :board, section: 'zooniverse', permissions: { read: 'all', write: 'all' } } + it_behaves_like 'a policy permitting', :index, :show + it_behaves_like 'a policy forbidding', :create, :update, :destroy + end + context 'with the owner' do let(:user){ record.user } it_behaves_like 'a policy permitting', :index, :show, :create, :update diff --git a/spec/policies/message_policy_spec.rb b/spec/policies/message_policy_spec.rb index ed7bb597..0462e881 100644 --- a/spec/policies/message_policy_spec.rb +++ b/spec/policies/message_policy_spec.rb @@ -15,6 +15,11 @@ it_behaves_like 'a policy forbidding', :show, :create, :update, :destroy end + context 'with an unconfirmed user' do + let(:user){ create :user, confirmed_at: nil } + it_behaves_like 'a policy forbidding', :index, :show, :create, :update, :destroy + end + context 'with a participant' do let(:user){ record.user } it_behaves_like 'a policy permitting', :index, :show, :create