otwcode · not-varram · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -335,14 +335,30 @@ def load_collection
     @collection = Collection.find_by(name: params[:collection_id]) if params[:collection_id]
   end
 
+  def privileged_collection_admin?
+    logged_in_as_admin? && (current_admin.roles & %w[support policy_and_abuse superadmin]).present?
+  end
+
+  def users_or_privileged_collection_admin_only
+    logged_in? || privileged_collection_admin? || access_denied
+  end
+
   def collection_maintainers_only
     logged_in? && @collection && @collection.user_is_maintainer?(current_user) || access_denied
   end
 
+  def collection_maintainers_or_privileged_admins_only
+    (logged_in? && @collection && @collection.user_is_maintainer?(current_user)) || privileged_collection_admin? || access_denied
+  end
+
   def collection_owners_only
     logged_in? && @collection && @collection.user_is_owner?(current_user) || access_denied
   end
 
+  def collection_owners_or_privileged_admins_only
+    (logged_in? && @collection && @collection.user_is_owner?(current_user)) || privileged_collection_admin? || access_denied
+  end
+
   def not_allowed(fallback=nil)
     flash[:error] = ts("Sorry, you're not allowed to do that.")
     redirect_to (fallback || root_path) rescue redirect_to '/'

diff --git a/app/controllers/challenge/gift_exchange_controller.rb b/app/controllers/challenge/gift_exchange_controller.rb
@@ -1,19 +1,20 @@
 class Challenge::GiftExchangeController < ChallengesController
-
-  before_action :users_only
+  before_action :users_only, except: [:edit]
+  before_action :users_or_privileged_collection_admin_only, only: [:edit]
   before_action :load_collection
   before_action :load_challenge, except: [:new, :create]
-  before_action :collection_owners_only, only: [:new, :create, :edit, :update, :destroy]
+  before_action :collection_owners_or_privileged_admins_only, only: [:edit]
+  before_action :collection_owners_only, only: [:new, :create, :update, :destroy]
 
   # ACTIONS
 
   def show
   end
 
   def new
-    if (@collection.challenge)
-      flash[:notice] = ts("There is already a challenge set up for this collection.")
-      # TODO this will break if the challenge isn't a gift exchange
+    if @collection.challenge
+      flash[:notice] = t("challenge.gift_exchange.already_set_up")
+      # TODO: this will break if the challenge isn't a gift exchange
       redirect_to edit_collection_gift_exchange_path(@collection)
     else
       @challenge = GiftExchange.new
@@ -28,7 +29,7 @@ def create
     if @challenge.save
       @collection.challenge = @challenge
       @collection.save
-      flash[:notice] = ts('Challenge was successfully created.')
+      flash[:notice] = t("challenge.gift_exchange.create.success")
       redirect_to collection_profile_path(@collection)
     else
       render action: :new
@@ -37,10 +38,10 @@ def create
 
   def update
     if @challenge.update(gift_exchange_params)
-      flash[:notice] = ts('Challenge was successfully updated.')
+      flash[:notice] = t("challenge.gift_exchange.update.success")
 
       # expire the cache on the signup form
-      ActionController::Base.new.expire_fragment('challenge_signups/new')
+      ActionController::Base.new.expire_fragment("challenge_signups/new")
 
       # see if we initialized the tag set
       redirect_to collection_profile_path(@collection)
@@ -51,7 +52,7 @@ def update
 
   def destroy
     @challenge.destroy
-    flash[:notice] = 'Challenge settings were deleted.'
+    flash[:notice] = "Challenge settings were deleted."
     redirect_to @collection
   end
 
@@ -94,7 +95,7 @@ def gift_exchange_params
         :tag_sets_to_add, :character_restrict_to_fandom,
         :character_restrict_to_tag_set, :relationship_restrict_to_fandom,
         :relationship_restrict_to_tag_set,
-        tag_sets_to_remove: []
+        { tag_sets_to_remove: [] }
       ],
       potential_match_settings_attributes: [
         :id, :num_required_prompts, :num_required_fandoms, :num_required_characters,

diff --git a/app/controllers/challenge/prompt_meme_controller.rb b/app/controllers/challenge/prompt_meme_controller.rb
@@ -1,9 +1,10 @@
 class Challenge::PromptMemeController < ChallengesController
-
-  before_action :users_only
+  before_action :users_only, except: [:edit]
+  before_action :users_or_privileged_collection_admin_only, only: [:edit]
   before_action :load_collection
   before_action :load_challenge, except: [:new, :create]
-  before_action :collection_owners_only, only: [:new, :create, :edit, :update, :destroy]
+  before_action :collection_owners_or_privileged_admins_only, only: [:edit]
+  before_action :collection_owners_only, only: [:new, :create, :update, :destroy]
 
   # ACTIONS
 
@@ -13,7 +14,7 @@ def show
 
   # The new form for prompt memes is actually the challenge settings page because challenges are always created in the context of a collection.
   def new
-    if (@collection.challenge)
+    if @collection.challenge
       flash[:notice] = ts("There is already a challenge set up for this collection.")
       redirect_to edit_collection_prompt_meme_path(@collection)
     else
@@ -76,5 +77,4 @@ def prompt_meme_params
       ]
     )
   end
-
 end
diff --git a/app/controllers/challenge_assignments_controller.rb b/app/controllers/challenge_assignments_controller.rb
@@ -1,5 +1,6 @@
 class ChallengeAssignmentsController < ApplicationController
-  before_action :users_only
+  before_action :users_only, except: [:index, :show]
+  before_action :users_or_privileged_collection_admin_only, only: [:index, :show]
 
   before_action :load_collection, except: [:index]
   before_action :load_challenge, except: [:index]
@@ -89,7 +90,7 @@ def index
       return unless load_collection
       @challenge = @collection.challenge if @collection
       signup_open and return unless !@challenge.signup_open
-      access_denied and return unless @challenge.user_allowed_to_see_assignments?(current_user)
+      access_denied and return unless @challenge.user_allowed_to_see_assignments?(current_user) || privileged_collection_admin?
 
       # we temporarily are ordering by requesting pseud to avoid left join
       @assignments = case
@@ -108,7 +109,7 @@ def index
   end
 
   def show
-    unless @challenge.user_allowed_to_see_assignments?(current_user) || @challenge_assignment.offering_pseud.user == current_user
+    unless @challenge.user_allowed_to_see_assignments?(current_user) || @challenge_assignment.offering_pseud.user == current_user || privileged_collection_admin?
       flash[:error] = ts("You aren't allowed to see that assignment!")
       redirect_to "/" and return
     end

diff --git a/app/controllers/challenge_claims_controller.rb b/app/controllers/challenge_claims_controller.rb
@@ -1,6 +1,6 @@
 class ChallengeClaimsController < ApplicationController
-
-  before_action :users_only
+  before_action :users_only, except: [:index]
+  before_action :users_or_privileged_collection_admin_only, only: [:index]
   before_action :load_collection, except: [:index]
   before_action :collection_owners_only, except: [:index, :show, :create, :destroy]
   before_action :load_claim_from_id, only: [:show, :destroy]
@@ -9,7 +9,6 @@ class ChallengeClaimsController < ApplicationController
 
   before_action :allowed_to_destroy, only: [:destroy]
 
-
   # PERMISSIONS AND STATUS CHECKING
 
   def load_challenge
@@ -22,8 +21,12 @@ def load_challenge
   end
 
   def no_challenge
-    flash[:error] = ts("What challenge did you want to work with?")
-    redirect_to collection_path(@collection) rescue redirect_to '/'
+    flash[:error] = t("challenge_claims.no_challenge")
+    begin
+      redirect_to collection_path(@collection)
+    rescue StandardError
+      redirect_to "/"
+    end
     false
   end
 
@@ -33,11 +36,19 @@ def load_claim_from_id
   end
 
   def no_claim
-    flash[:error] = ts("What claim did you want to work on?")
+    flash[:error] = t("challenge_claims.no_claim")
     if @collection
-      redirect_to collection_path(@collection) rescue redirect_to '/'
+      begin
+        redirect_to collection_path(@collection)
+      rescue StandardError
+        redirect_to "/"
+      end
     else
-      redirect_to user_path(@user) rescue redirect_to '/'
+      begin
+        redirect_to user_path(@user)
+      rescue StandardError
+        redirect_to "/"
+      end
     end
     false
   end
@@ -48,58 +59,51 @@ def load_user
   end
 
   def no_user
-    flash[:error] = ts("What user were you trying to work with?")
+    flash[:error] = t("challenge_claims.no_user")
     redirect_to "/" and return
     false
   end
 
   def owner_only
-    unless @user == @challenge_claim.claiming_user
-      flash[:error] = ts("You aren't the claimer of that prompt.")
-      redirect_to "/" and return false
-    end
+    return if @user == @challenge_claim.claiming_user
+
+    flash[:error] = t("challenge_claims.owner_only")
+    redirect_to "/" and return false
   end
 
   def allowed_to_destroy
     @challenge_claim.user_allowed_to_destroy?(current_user) || not_allowed(@collection)
   end
 
-
   # ACTIONS
 
   def index
-    if !(@collection = Collection.find_by(name: params[:collection_id])).nil? && @collection.closed? && !@collection.user_is_maintainer?(current_user)
-      flash[:notice] = ts("This challenge is currently closed to new posts.")
-    end
+    flash[:notice] = t("challenge_claims.index.challenge_closed") if !(@collection = Collection.find_by(name: params[:collection_id])).nil? && @collection.closed? && !@collection.user_is_maintainer?(current_user) && !privileged_collection_admin?
     if params[:collection_id]
       return unless load_collection
 
       @challenge = @collection.challenge
-      not_allowed(@collection) unless user_scoped? || @challenge.user_allowed_to_see_assignments?(current_user)
+      not_allowed(@collection) unless user_scoped? || @challenge.user_allowed_to_see_assignments?(current_user) || privileged_collection_admin?
 
       @claims = ChallengeClaim.unposted_in_collection(@collection)
       @claims = @claims.where(claiming_user_id: current_user.id) if user_scoped?
 
       # sorting
       set_sort_order
 
-      if params[:sort] == "claimer"
-        @claims = @claims.order_by_offering_pseud(@sort_direction)
-      else
-        @claims = @claims.order(@sort_order)
-      end
+      @claims = if params[:sort] == "claimer"
+                  @claims.order_by_offering_pseud(@sort_direction)
+                else
+                  @claims.order(@sort_order)
+                end
     elsif params[:user_id] && (@user = User.find_by(login: params[:user_id]))
       if current_user == @user
         @claims = @user.request_claims.order_by_date.unposted
-				if params[:posted]
-					@claims = @user.request_claims.order_by_date.posted
-				end
-        if params[:collection_id] && (@collection = Collection.find_by(name: params[:collection_id]))
-          @claims = @claims.in_collection(@collection)
-        end
+        @claims = @user.request_claims.order_by_date.posted if params[:posted]
+        @claims = @claims.in_collection(@collection) if params[:collection_id] && (@collection = Collection.find_by(name: params[:collection_id]))
       else
-        flash[:error] = ts("You aren't allowed to see that user's claims.")
-        redirect_to '/' and return
+        flash[:error] = t("challenge_claims.index.access_denied_user_claims")
+        redirect_to "/" and return
       end
     end
     @claims = @claims.paginate page: params[:page], per_page: ArchiveConfig.ITEMS_PER_PAGE
@@ -124,18 +128,18 @@ def create
 
   def destroy
     redirect_path = collection_claims_path(@collection)
-    flash[:notice] = ts("The claim was deleted.")
+    flash[:notice] = t("challenge_claims.destroy.claim_deleted")
 
     if @challenge_claim.claiming_user == current_user
       redirect_path = collection_claims_path(@collection, for_user: true)
-      flash[:notice] = ts("Your claim was deleted.")
+      flash[:notice] = t("challenge_claims.destroy.your_claim_deleted")
     end
 
     begin
       @challenge_claim.destroy
-    rescue
+    rescue StandardError
       flash.delete(:notice)
-      flash[:error] = ts("We couldn't delete that right now, sorry! Please try again later.")
+      flash[:error] = t("challenge_claims.destroy.delete_failed")
     end
     redirect_to redirect_path
   end

diff --git a/app/controllers/challenge_requests_controller.rb b/app/controllers/challenge_requests_controller.rb
@@ -4,13 +4,13 @@ class ChallengeRequestsController < ApplicationController
 
   def check_visibility
     unless @collection
-      flash.now[:notice] = ts("Collection could not be found")
+      flash.now[:notice] = t("challenge_requests.check_visibility.collection_not_found")
       redirect_to "/" and return
     end
-    unless @collection.challenge_type == "PromptMeme" || (@collection.challenge_type == "GiftExchange" && @collection.challenge.user_allowed_to_see_requests_summary?(current_user))
-      flash.now[:notice] = ts("You are not allowed to view the requests summary!")
-      redirect_to collection_path(@collection) and return
-    end
+    return if @collection.challenge_type == "PromptMeme" || privileged_collection_admin? || (@collection.challenge_type == "GiftExchange" && @collection.challenge.user_allowed_to_see_requests_summary?(current_user))
+
+    flash.now[:notice] = t("challenge_requests.check_visibility.access_denied")
+    redirect_to collection_path(@collection) and return
   end
 
   def index
@@ -23,9 +23,10 @@ def index
     # actual content, do the efficient method unless we need the full query
 
     if @sort_column == "fandom"
-      query = "SELECT prompts.*, GROUP_CONCAT(tags.name) AS tagnames FROM prompts INNER JOIN set_taggings ON prompts.tag_set_id = set_taggings.tag_set_id 
-      INNER JOIN tags ON tags.id = set_taggings.tag_id 
-      WHERE prompts.type = 'Request' AND tags.type = 'Fandom' AND prompts.collection_id = " + @collection.id.to_s + " GROUP BY prompts.id ORDER BY tagnames " + @sort_direction
+      query = "SELECT prompts.*, GROUP_CONCAT(tags.name) AS tagnames FROM prompts INNER JOIN set_taggings ON prompts.tag_set_id = set_taggings.tag_set_id " \
+              "INNER JOIN tags ON tags.id = set_taggings.tag_id " \
+              "WHERE prompts.type = 'Request' AND tags.type = 'Fandom' AND prompts.collection_id = #{@collection.id} " \
+              "GROUP BY prompts.id ORDER BY tagnames #{@sort_direction}"
       @requests = Prompt.paginate_by_sql(query, page: params[:page], per_page: ArchiveConfig.ITEMS_PER_PAGE)
     elsif @sort_column == "prompter" && !@collection.prompts.exists?(anonymous: true)
       @requests = @collection.prompts.where(type: "Request")