#63

backend/app/controllers/application_controller.rb

@@ -1,16 +1,14 @@
 class ApplicationController < ActionController::API
-  before_action :reject_banned_ip_address!
   before_action :authenticate_user
-  before_action :reject_banned_user!
 
-  def current_user = @current_user
+  def current_user
+    @current_user
+  end
 
   private
 
   def authenticate_user
     code = request.headers['X-Transfer-Code'] || request.headers['HTTP_X_TRANSFER_CODE']
-    return if code.blank?
-
     @current_user = User.find_by(inheritance_code: code)
   end
 
@@ -24,17 +22,4 @@ class ApplicationController < ActionController::API
       s.in?(['', '1', 'true', 'on', 'yes'])
     end
   end
-
-  def reject_banned_ip_address!
-    ip_address = IpAddress.find_by(ip_address: IPAddr.new(request.remote_ip).hton)
-    return unless ip_address&.banned?
-
-    head :forbidden
-  end
-
-  def reject_banned_user!
-    return unless current_user&.banned?
-
-    head :forbidden
-  end
 end

backend/app/controllers/users_controller.rb

@@ -1,6 +1,9 @@
 class UsersController < ApplicationController
   def create
+    return head :unprocessable_entity if request.remote_ip.blank?
+
     user = nil
+
     User.transaction do
       user = User.create!(inheritance_code: SecureRandom.uuid, role: :guest)
       attach_ip_address!(user)
@@ -14,7 +17,8 @@ class UsersController < ApplicationController
   def verify
     user = User.find_by(inheritance_code: params[:code])
     return render json: { valid: false } unless user
-    return head :forbidden if user.banned?
+
+    return head :unprocessable_entity if request.remote_ip.blank?
 
     attach_ip_address!(user)
 

backend/app/models/ip_address.rb

@@ -1,10 +1,7 @@
 class IpAddress < ApplicationRecord
   validates :ip_address, presence: true, length: { maximum: 16 }
+  validates :banned, inclusion: { in: [true, false] }
 
   has_many :user_ips, dependent: :destroy
   has_many :users, through: :user_ips
-
-  def banned? = banned_at.present?
-  def ban! = banned? || update!(banned_at: Time.current)
-  def unban! = update!(banned_at: nil)
 end

backend/app/models/user.rb

@@ -4,6 +4,7 @@ class User < ApplicationRecord
   validates :name, length: { maximum: 255 }
   validates :inheritance_code, presence: true, length: { maximum: 64 }
   validates :role, presence: true, inclusion: { in: roles.keys }
+  validates :banned, inclusion: { in: [true, false] }
 
   has_many :created_posts,
            class_name: 'Post', foreign_key: :uploaded_user_id, dependent: :nullify
@@ -18,10 +19,5 @@ class User < ApplicationRecord
            class_name: 'WikiPage', foreign_key: :updated_user_id, dependent: :nullify
 
   def viewed?(post) = user_post_views.exists?(post_id: post.id)
-
   def gte_member? = member? || admin?
-
-  def banned? = banned_at.present?
-  def ban! = banned? || update!(banned_at: Time.current)
-  def unban! = update!(banned_at: nil)
 end

backend/db/migrate/20260501153900_rename_banned_to_banned_at_in_users_and_ip_addresses.rb

@@ -1,16 +0,0 @@
-class RenameBannedToBannedAtInUsersAndIpAddresses < ActiveRecord::Migration[8.0]
-  def up
-    [:users, :ip_addresses].each do
-      add_column _1, :banned_at, :datetime, after: :banned
-      add_index _1, :banned_at
-      remove_column _1, :banned
-    end
-  end
-
-  def down
-    [:ip_addresses, :users].each do
-      add_column _1, :banned, :boolean, null: false, default: false, after: :banned_at
-      remove_column _1, :banned_at
-    end
-  end
-end

backend/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2026_05_01_153900) do
+ActiveRecord::Schema[8.0].define(version: 2026_04_27_214800) do
   create_table "active_storage_attachments", charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t|
     t.string "name", null: false
     t.string "record_type", null: false
@@ -50,10 +50,9 @@ ActiveRecord::Schema[8.0].define(version: 2026_05_01_153900) do
 
   create_table "ip_addresses", charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t|
     t.binary "ip_address", limit: 16, null: false
-    t.datetime "banned_at"
+    t.boolean "banned", default: false, null: false
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
-    t.index ["banned_at"], name: "index_ip_addresses_on_banned_at"
     t.index ["ip_address"], name: "index_ip_addresses_on_ip_address", unique: true
   end
 
@@ -333,10 +332,9 @@ ActiveRecord::Schema[8.0].define(version: 2026_05_01_153900) do
     t.string "name"
     t.string "inheritance_code", limit: 64, null: false
     t.string "role", null: false
-    t.datetime "banned_at"
+    t.boolean "banned", default: false, null: false
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
-    t.index ["banned_at"], name: "index_users_on_banned_at"
   end
 
   create_table "wiki_assets", charset: "utf8mb4", collation: "utf8mb4_0900_ai_ci", force: :cascade do |t|

backend/spec/factories/ip_addresses.rb

@@ -1,10 +0,0 @@
-FactoryBot.define do
-  factory :ip_address do
-    ip_address { IPAddr.new('203.0.113.10').hton }
-    banned_at { nil }
-
-    trait :banned do
-      banned_at { Time.current }
-    end
-  end
-end

backend/spec/factories/users.rb

@@ -1,24 +1,15 @@
 FactoryBot.define do
   factory :user do
-    name { nil }
+    name { "test-user" }
     inheritance_code { SecureRandom.uuid }
-    role { 'guest' }
+    role { "guest" }
-    banned_at { nil }
-
-    trait :guest do
-      role { 'guest' }
-    end
 
     trait :member do
-      role { 'member' }
+      role { "member" }
     end
 
     trait :admin do
       role { 'admin' }
     end
-
-    trait :banned do
-      banned_at { Time.current }
-    end
   end
 end

backend/spec/requests/users_spec.rb

@@ -1,266 +1,109 @@
-require 'rails_helper'
+require "rails_helper"
-
-RSpec.describe 'Users', type: :request do
-  let(:remote_ip) { '203.0.113.10' }
-
-  before do
-    allow_any_instance_of(ActionDispatch::Request)
-      .to receive(:remote_ip)
-      .and_return(remote_ip)
-  end
-
-  def auth_headers(user)
-    { 'X-Transfer-Code' => user.inheritance_code }
-  end
-
-  describe 'POST /users' do
-    it 'creates guest user, IpAddress and UserIp, and returns code' do
-      expect {
-        post '/users'
-      }.to change(User, :count).by(1)
-        .and change(IpAddress, :count).by(1)
-        .and change(UserIp, :count).by(1)
 
+RSpec.describe "Users", type: :request do
+  describe "POST /users" do
+    it "creates guest user and returns code" do
+      post "/users"
       expect(response).to have_http_status(:created)
-      expect(json['code']).to be_present
+      expect(json["code"]).to be_present
-      expect(json['user']['role']).to eq('guest')
+      expect(json["user"]["role"]).to eq("guest")
-
-      user = User.last
-      ip_address = IpAddress.find_by(ip_address: IPAddr.new(remote_ip).hton)
-
-      expect(user.role).to eq('guest')
-      expect(ip_address).to be_present
-      expect(UserIp.exists?(user:, ip_address:)).to eq(true)
-    end
-
-    it 'returns 403 and does not create user when current IP address is banned' do
-      IpAddress.create!(
-        ip_address: IPAddr.new(remote_ip).hton,
-        banned_at: Time.current
-      )
-
-      expect {
-        post '/users'
-      }.not_to change(User, :count)
-
-      expect(response).to have_http_status(:forbidden)
-      expect(UserIp.count).to eq(0)
     end
   end
 
-  describe 'POST /users/code/renew' do
+  describe "POST /users/code/renew" do
-    it 'returns 401 when not logged in' do
+    it "returns 401 when not logged in" do
-      post '/users/code/renew'
+      sign_out
+      post "/users/code/renew"
+      expect(response).to have_http_status(:unauthorized)
+    end
+  end
 
+  describe "PUT /users/:id" do
+    let(:user) { create(:user, name: "old-name", role: "guest") }
+
+    it "returns 401 when current_user id mismatch" do
+      sign_in_as(create(:user))
+      put "/users/#{user.id}", params: { name: "new-name" }
       expect(response).to have_http_status(:unauthorized)
     end
 
-    it 'returns 403 when current user is banned' do
+    it "returns 400 when name is blank" do
-      user = create(:user, :banned)
+      sign_in_as(user)
-
+      put "/users/#{user.id}", params: { name: "   " }
-      post '/users/code/renew', headers: auth_headers(user)
-
-      expect(response).to have_http_status(:forbidden)
-    end
-
-    it 'returns 403 when current IP address is banned' do
-      user = create(:user)
-
-      IpAddress.create!(
-        ip_address: IPAddr.new(remote_ip).hton,
-        banned_at: Time.current
-      )
-
-      post '/users/code/renew', headers: auth_headers(user)
-
-      expect(response).to have_http_status(:forbidden)
-    end
-  end
-
-  describe 'PUT /users/:id' do
-    let(:user) { create(:user, name: 'old-name', role: 'guest') }
-
-    it 'returns 401 when current_user id mismatch' do
-      other_user = create(:user)
-
-      put "/users/#{user.id}",
-          params: { name: 'new-name' },
-          headers: auth_headers(other_user)
-
-      expect(response).to have_http_status(:unauthorized)
-    end
-
-    it 'returns 400 when name is blank' do
-      put "/users/#{user.id}",
-          params: { name: '   ' },
-          headers: auth_headers(user)
-
       expect(response).to have_http_status(:bad_request)
     end
 
-    it 'updates name and returns user slice' do
+    it "updates name and returns 201 with user slice" do
-      put "/users/#{user.id}",
+      sign_in_as(user)
-          params: { name: 'new-name' },
+      put "/users/#{user.id}", params: { name: "new-name" }
-          headers: auth_headers(user)
 
       expect(response).to have_http_status(:ok)
-      expect(json['id']).to eq(user.id)
+      expect(json["id"]).to eq(user.id)
-      expect(json['name']).to eq('new-name')
+      expect(json["name"]).to eq("new-name")
 
       user.reload
-      expect(user.name).to eq('new-name')
+      expect(user.name).to eq("new-name")
-    end
-
-    it 'returns 403 when current user is banned' do
-      user.update!(banned_at: Time.current)
-
-      put "/users/#{user.id}",
-          params: { name: 'new-name' },
-          headers: auth_headers(user)
-
-      expect(response).to have_http_status(:forbidden)
-
-      user.reload
-      expect(user.name).to eq('old-name')
-    end
-
-    it 'returns 403 when current IP address is banned' do
-      IpAddress.create!(
-        ip_address: IPAddr.new(remote_ip).hton,
-        banned_at: Time.current
-      )
-
-      put "/users/#{user.id}",
-          params: { name: 'new-name' },
-          headers: auth_headers(user)
-
-      expect(response).to have_http_status(:forbidden)
-
-      user.reload
-      expect(user.name).to eq('old-name')
     end
   end
 
-  describe 'POST /users/verify' do
+  describe "POST /users/verify" do
-    it 'returns valid:false when code not found' do
+    it "returns valid:false when code not found" do
-      post '/users/verify', params: { code: 'nope' }
+      post "/users/verify", params: { code: "nope" }
-
       expect(response).to have_http_status(:ok)
-      expect(json['valid']).to eq(false)
+      expect(json["valid"]).to eq(false)
     end
 
-    it 'returns 403 when current IP address is banned' do
+    it "creates IpAddress and UserIp, and returns valid:true with user slice" do
-      user = create(:user, inheritance_code: SecureRandom.uuid, role: 'guest')
+      user = create(:user, inheritance_code: SecureRandom.uuid, role: "guest")
 
-      IpAddress.create!(
+      # request.remote_ip を固定
-        ip_address: IPAddr.new(remote_ip).hton,
+      allow_any_instance_of(ActionDispatch::Request).to receive(:remote_ip).and_return("203.0.113.10")
-        banned_at: Time.current
-      )
 
       expect {
-        post '/users/verify', params: { code: user.inheritance_code }
+        post "/users/verify", params: { code: user.inheritance_code }
-      }.not_to change(UserIp, :count)
-
-      expect(response).to have_http_status(:forbidden)
-    end
-
-    it 'returns 403 when verified user is banned' do
-      user = create(
-        :user,
-        :banned,
-        inheritance_code: SecureRandom.uuid,
-        role: 'guest'
-      )
-
-      expect {
-        post '/users/verify', params: { code: user.inheritance_code }
-      }.not_to change(UserIp, :count)
-
-      expect(response).to have_http_status(:forbidden)
-    end
-
-    it 'creates IpAddress and UserIp, and returns valid:true with user slice' do
-      user = create(:user, inheritance_code: SecureRandom.uuid, role: 'guest')
-
-      expect {
-        post '/users/verify', params: { code: user.inheritance_code }
-      }.to change(UserIp, :count).by(1)
-        .and change(IpAddress, :count).by(1)
-
-      expect(response).to have_http_status(:ok)
-      expect(json['valid']).to eq(true)
-      expect(json['user']['id']).to eq(user.id)
-      expect(json['user']['inheritance_code']).to eq(user.inheritance_code)
-      expect(json['user']['role']).to eq('guest')
-
-      ip_address = IpAddress.find_by(ip_address: IPAddr.new(remote_ip).hton)
-      expect(ip_address).to be_present
-      expect(UserIp.exists?(user:, ip_address:)).to eq(true)
-    end
-
-    it 'is idempotent for same user and same IP address' do
-      user = create(:user, inheritance_code: SecureRandom.uuid, role: 'guest')
-
-      post '/users/verify', params: { code: user.inheritance_code }
-      expect(response).to have_http_status(:ok)
-
-      expect {
-        post '/users/verify', params: { code: user.inheritance_code }
-      }.not_to change(UserIp, :count)
-
-      expect(response).to have_http_status(:ok)
-      expect(json['valid']).to eq(true)
-    end
-
-    it 'creates another UserIp for same user and different IP address' do
-      user = create(:user, inheritance_code: SecureRandom.uuid, role: 'guest')
-
-      post '/users/verify', params: { code: user.inheritance_code }
-      expect(response).to have_http_status(:ok)
-
-      allow_any_instance_of(ActionDispatch::Request)
-        .to receive(:remote_ip)
-        .and_return('203.0.113.11')
-
-      expect {
-        post '/users/verify', params: { code: user.inheritance_code }
       }.to change(UserIp, :count).by(1)
 
       expect(response).to have_http_status(:ok)
-      expect(json['valid']).to eq(true)
+      expect(json["valid"]).to eq(true)
+      expect(json["user"]["id"]).to eq(user.id)
+      expect(json["user"]["inheritance_code"]).to eq(user.inheritance_code)
+      expect(json["user"]["role"]).to eq("guest")
+
+      # ついでに IpAddress もできてることを確認（ipの保存形式がバイナリでも count で見れる）
+      expect(IpAddress.count).to be >= 1
+    end
+
+    it "is idempotent for same user+ip (does not create duplicate UserIp)" do
+      user = create(:user, inheritance_code: SecureRandom.uuid, role: "guest")
+      allow_any_instance_of(ActionDispatch::Request).to receive(:remote_ip).and_return("203.0.113.10")
+
+      post "/users/verify", params: { code: user.inheritance_code }
+      expect(response).to have_http_status(:ok)
+
+      expect {
+        post "/users/verify", params: { code: user.inheritance_code }
+      }.not_to change(UserIp, :count)
+
+      expect(response).to have_http_status(:ok)
+      expect(json["valid"]).to eq(true)
     end
   end
 
-  describe 'GET /users/me' do
+  describe "GET /users/me" do
-    it 'returns 404 when code not found' do
+    it "returns 404 when code not found" do
-      get '/users/me', params: { code: 'nope' }
+      get "/users/me", params: { code: "nope" }
-
       expect(response).to have_http_status(:not_found)
     end
 
-    it 'returns user slice when found' do
+    it "returns user slice when found" do
-      user = create(:user, inheritance_code: SecureRandom.uuid, name: 'me', role: 'guest')
+      user = create(:user, inheritance_code: SecureRandom.uuid, name: "me", role: "guest")
-
+      get "/users/me", params: { code: user.inheritance_code }
-      get '/users/me', params: { code: user.inheritance_code }
 
       expect(response).to have_http_status(:ok)
-      expect(json['id']).to eq(user.id)
+      expect(json["id"]).to eq(user.id)
-      expect(json['name']).to eq('me')
+      expect(json["name"]).to eq("me")
-      expect(json['inheritance_code']).to eq(user.inheritance_code)
+      expect(json["inheritance_code"]).to eq(user.inheritance_code)
-      expect(json['role']).to eq('guest')
+      expect(json["role"]).to eq("guest")
-    end
-
-    it 'returns 403 when current IP address is banned' do
-      user = create(:user, inheritance_code: SecureRandom.uuid)
-
-      IpAddress.create!(
-        ip_address: IPAddr.new(remote_ip).hton,
-        banned_at: Time.current
-      )
-
-      get '/users/me', params: { code: user.inheritance_code }
-
-      expect(response).to have_http_status(:forbidden)
     end
   end
 end

backend/spec/support/test_records.rb

@@ -2,12 +2,14 @@ module TestRecords
   def create_member_user!
     User.create!(name: 'spec user',
                  inheritance_code: SecureRandom.hex(16),
-                 role: 'member')
+                 role: 'member',
+                 banned: false)
   end
 
   def create_admin_user!
     User.create!(name: 'spec admin',
                  inheritance_code: SecureRandom.hex(16),
-                 role: 'admin')
+                 role: 'admin',
+                 banned: false)
   end
 end