otwcode · brianjaustin · Mar 28, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -335,14 +335,36 @@
     @collection = Collection.find_by(name: params[:collection_id]) if params[:collection_id]
   end
 
+  def privileged_collection_admin?
+    policy(Collection).access?
+  end
+
+  def users_or_privileged_collection_admins_only
+    return if logged_in? || privileged_collection_admin?
+
+    logged_in_as_admin? ? admin_only_access_denied : access_denied
+  end
+
   def collection_maintainers_only
     logged_in? && @collection && @collection.user_is_maintainer?(current_user) || access_denied
   end
 
+  def collection_maintainers_or_privileged_admins_only
+    return if (logged_in? && @collection && @collection.user_is_maintainer?(current_user)) || privileged_collection_admin?
+
+    logged_in_as_admin? ? admin_only_access_denied : access_denied
+  end
+
   def collection_owners_only
     logged_in? && @collection && @collection.user_is_owner?(current_user) || access_denied
   end
 
+  def collection_owners_or_privileged_admins_only
+    return if (logged_in? && @collection && @collection.user_is_owner?(current_user)) || privileged_collection_admin?
+
+    logged_in_as_admin? ? admin_only_access_denied : access_denied
+  end
+
   def not_allowed(fallback=nil)
     flash[:error] = ts("Sorry, you're not allowed to do that.")
     redirect_to (fallback || root_path) rescue redirect_to '/'

diff --git a/app/controllers/challenge/gift_exchange_controller.rb b/app/controllers/challenge/gift_exchange_controller.rb
@@ -1,9 +1,10 @@
 class Challenge::GiftExchangeController < ChallengesController
 
-  before_action :users_only
+  before_action :users_only, except: [:edit]
   before_action :load_collection
   before_action :load_challenge, except: [:new, :create]
-  before_action :collection_owners_only, only: [:new, :create, :edit, :update, :destroy]
+  before_action :collection_owners_or_privileged_admins_only, only: [:edit]
+  before_action :collection_owners_only, only: [:new, :create, :update, :destroy]
 
   # ACTIONS
 

diff --git a/app/controllers/challenge/prompt_meme_controller.rb b/app/controllers/challenge/prompt_meme_controller.rb
@@ -1,9 +1,10 @@
 class Challenge::PromptMemeController < ChallengesController
 
-  before_action :users_only
+  before_action :users_only, except: [:edit]
   before_action :load_collection
   before_action :load_challenge, except: [:new, :create]
-  before_action :collection_owners_only, only: [:new, :create, :edit, :update, :destroy]
+  before_action :collection_owners_or_privileged_admins_only, only: [:edit]
+  before_action :collection_owners_only, only: [:new, :create, :update, :destroy]
 
   # ACTIONS
 

diff --git a/app/controllers/challenge_assignments_controller.rb b/app/controllers/challenge_assignments_controller.rb
@@ -1,5 +1,6 @@
 class ChallengeAssignmentsController < ApplicationController
-  before_action :users_only
+  before_action :users_only, except: [:index, :show]
+  before_action :users_or_privileged_collection_admins_only, only: [:index, :show]
 
   before_action :load_collection, except: [:index]
   before_action :load_challenge, except: [:index]
@@ -89,7 +90,7 @@ def index
       return unless load_collection
       @challenge = @collection.challenge if @collection
       signup_open and return unless !@challenge.signup_open
-      access_denied and return unless @challenge.user_allowed_to_see_assignments?(current_user)
+      access_denied and return unless @challenge.user_allowed_to_see_assignments?(current_user) || privileged_collection_admin?
 
       # we temporarily are ordering by requesting pseud to avoid left join
       @assignments = case
@@ -108,7 +109,7 @@ def index
   end
 
   def show
-    unless @challenge.user_allowed_to_see_assignments?(current_user) || @challenge_assignment.offering_pseud.user == current_user
+    unless @challenge.user_allowed_to_see_assignments?(current_user) || @challenge_assignment.offering_pseud.user == current_user || privileged_collection_admin?
       flash[:error] = ts("You aren't allowed to see that assignment!")
       redirect_to "/" and return
     end

diff --git a/app/controllers/challenge_claims_controller.rb b/app/controllers/challenge_claims_controller.rb
@@ -1,6 +1,7 @@
 class ChallengeClaimsController < ApplicationController
 
-  before_action :users_only
+  before_action :users_only, except: [:index]
+  before_action :users_or_privileged_collection_admins_only, only: [:index]
   before_action :load_collection, except: [:index]
   before_action :collection_owners_only, except: [:index, :show, :create, :destroy]
   before_action :load_claim_from_id, only: [:show, :destroy]
@@ -68,17 +69,17 @@
   # ACTIONS
 
   def index
-    if !(@collection = Collection.find_by(name: params[:collection_id])).nil? && @collection.closed? && !@collection.user_is_maintainer?(current_user)
+    if !(@collection = Collection.find_by(name: params[:collection_id])).nil? && @collection.closed? && !@collection.user_is_maintainer?(current_user) && !privileged_collection_admin?
       flash[:notice] = ts("This challenge is currently closed to new posts.")
     end
     if params[:collection_id]
       return unless load_collection
 
       @challenge = @collection.challenge
-      not_allowed(@collection) unless user_scoped? || @challenge.user_allowed_to_see_assignments?(current_user)
+      not_allowed(@collection) unless user_scoped? || @challenge.user_allowed_to_see_assignments?(current_user) || privileged_collection_admin?
 
       @claims = ChallengeClaim.unposted_in_collection(@collection)
-      @claims = @claims.where(claiming_user_id: current_user.id) if user_scoped?
+      @claims = @claims.where(claiming_user_id: current_user.id) if user_scoped? && current_user
 
       # sorting
       set_sort_order

diff --git a/app/controllers/challenge_requests_controller.rb b/app/controllers/challenge_requests_controller.rb
@@ -7,10 +7,14 @@
       flash.now[:notice] = ts("Collection could not be found")
       redirect_to "/" and return
     end
-    unless @collection.challenge_type == "PromptMeme" || (@collection.challenge_type == "GiftExchange" && @collection.challenge.user_allowed_to_see_requests_summary?(current_user))
-      flash.now[:notice] = ts("You are not allowed to view the requests summary!")
-      redirect_to collection_path(@collection) and return
-    end
+
+    return if @collection.challenge_type == "PromptMeme" || privileged_collection_admin?
+    return if @collection.challenge_type == "GiftExchange" && @collection.challenge.user_allowed_to_see_requests_summary?(current_user)
+
+    return admin_only_access_denied if logged_in_as_admin?
+
+    flash.now[:notice] = ts("You are not allowed to view the requests summary!")
+    redirect_to collection_path(@collection) and return
   end
 
   def index

diff --git a/app/controllers/challenge_signups_controller.rb b/app/controllers/challenge_signups_controller.rb
@@ -4,7 +4,8 @@
 class ChallengeSignupsController < ApplicationController
   include ExportsHelper
 
-  before_action :users_only, except: [:summary]
+  before_action :users_only, except: [:summary, :index, :show]
+  before_action :users_or_privileged_collection_admins_only, only: [:index, :show]
   before_action :load_collection, except: [:index]
   before_action :load_challenge, except: [:index]
   before_action :load_signup_from_id, only: [:show, :edit, :update, :destroy, :confirm_delete]
@@ -45,7 +46,7 @@
   end
 
   def maintainer_or_signup_owner_only
-    not_allowed(@collection) and return unless (@challenge_signup.pseud.user == current_user || @collection.user_is_maintainer?(current_user))
+    not_allowed(@collection) and return unless (@challenge_signup.pseud.user == current_user || @collection.user_is_maintainer?(current_user) || privileged_collection_admin?)
   end
 
   def not_signup_owner
@@ -100,7 +101,7 @@
     # see ExportsHelper for export_csv method
     respond_to do |format|
       format.html {
-          if @challenge.user_allowed_to_see_signups?(current_user)
+          if @challenge.user_allowed_to_see_signups?(current_user) || privileged_collection_admin?
             @challenge_signups = @collection.signups.joins(:pseud)
             if params[:query]
               @query = params[:query]
@@ -114,7 +115,8 @@
           end
       }
       format.csv {
-        if (@collection.gift_exchange? && @challenge.user_allowed_to_see_signups?(current_user)) ||
+        if privileged_collection_admin? ||
+           (@collection.gift_exchange? && @challenge.user_allowed_to_see_signups?(current_user)) ||
         (@collection.prompt_meme? && @collection.user_is_maintainer?(current_user))
           csv_data = self.send("#{@challenge.class.name.underscore}_to_csv")
           filename = "#{@collection.name}_signups_#{Time.now.strftime('%Y-%m-%d-%H%M')}.csv"

diff --git a/app/controllers/collection_items_controller.rb b/app/controllers/collection_items_controller.rb
@@ -10,7 +10,7 @@ class CollectionItemsController < ApplicationController
   def index
 
     # TODO: AO3-6507 Refactor to use send instead of case statements.
-    if @collection && @collection.user_is_maintainer?(current_user)
+    if @collection && (@collection.user_is_maintainer?(current_user) || privileged_collection_admin?)
       @collection_items = @collection.collection_items.include_for_works
       @collection_items = case params[:status]
                           when "approved"
@@ -39,6 +39,8 @@ def index
                             @collection_items.unreviewed_by_user
                           end
     else
+      admin_only_access_denied and return if logged_in_as_admin?
+
       flash[:error] = ts("You don't have permission to see that, sorry!")
       redirect_to collections_path and return
     end

diff --git a/app/controllers/collection_participants_controller.rb b/app/controllers/collection_participants_controller.rb
@@ -1,11 +1,12 @@
 class CollectionParticipantsController < ApplicationController
-  before_action :users_only
+  before_action :users_only, except: [:index]
   before_action :load_collection
   before_action :load_participant, only: [:update, :destroy]
   before_action :allowed_to_promote, only: [:update]
   before_action :allowed_to_destroy, only: [:destroy]
   before_action :has_other_owners, only: [:update, :destroy]
-  before_action :collection_maintainers_only, only: [:index, :add, :update]
+  before_action :collection_maintainers_or_privileged_admins_only, only: [:index]
+  before_action :collection_maintainers_only, only: [:add, :update]
 
   cache_sweeper :collection_sweeper
 

diff --git a/app/controllers/collections_controller.rb b/app/controllers/collections_controller.rb
@@ -1,7 +1,8 @@
 class CollectionsController < ApplicationController
-  before_action :users_only, only: [:new, :edit, :create, :update]
+  before_action :users_only, only: [:new, :create]
   before_action :load_collection_from_id, only: [:show, :edit, :update, :destroy, :confirm_delete]
-  before_action :collection_owners_only, only: [:edit, :update, :destroy, :confirm_delete]
+  before_action :collection_owners_or_privileged_admins_only, only: [:edit]
+  before_action :collection_owners_only, only: [:update, :destroy, :confirm_delete]
   before_action :check_user_status, only: [:new, :create, :edit, :update, :destroy]
   before_action :validate_challenge_type
   before_action :check_parent_visible, only: [:index]

diff --git a/app/controllers/potential_matches_controller.rb b/app/controllers/potential_matches_controller.rb
@@ -1,8 +1,8 @@
 class PotentialMatchesController < ApplicationController
 
-  before_action :users_only
   before_action :load_collection
-  before_action :collection_maintainers_only
+  before_action :collection_maintainers_or_privileged_admins_only, only: [:index]
+  before_action :collection_maintainers_only, except: [:index]
   before_action :load_challenge
   before_action :check_assignments_not_sent
   before_action :check_signup_closed, only: [:generate]

diff --git a/app/policies/collection_policy.rb b/app/policies/collection_policy.rb
@@ -0,0 +1,7 @@
+class CollectionPolicy < ApplicationPolicy
+  ACCESS_ROLES = %w[support policy_and_abuse superadmin].freeze
+
+  def access?
+    user_has_roles?(ACCESS_ROLES)
+  end
+end
diff --git a/spec/controllers/challenge_assignments_controller_spec.rb b/spec/controllers/challenge_assignments_controller_spec.rb
@@ -452,4 +452,34 @@
       end
     end
   end
+
+  describe "admin access to assignments pages" do
+    authorized_roles = %w[support policy_and_abuse superadmin].freeze
+    let(:gift_exchange) { create(:gift_exchange, assignments_sent_at: Faker::Time.backward) }
+    let(:user) { other_user }
+
+    before { fake_logout }
+
+    describe "GET #index" do
+      subject { get :index, params: { collection_id: collection.name } }
+
+      let(:success) do
+        expect(response).to have_http_status(:success)
+        expect(response).to render_template(:index)
+      end
+
+      it_behaves_like "an action only authorized admins can access", authorized_roles: authorized_roles
+    end
+
+    describe "GET #show" do
+      subject { get :show, params: { id: assignment.id, collection_id: collection.name } }
+
+      let(:success) do
+        expect(response).to have_http_status(:success)
+        expect(response).to render_template(:show)
+      end
+
+      it_behaves_like "an action only authorized admins can access", authorized_roles: authorized_roles
+    end
+  end
 end
diff --git a/spec/controllers/challenge_claims_controller_spec.rb b/spec/controllers/challenge_claims_controller_spec.rb
@@ -154,4 +154,19 @@
       end
     end
   end
+
+  describe "admin access to claims index" do
+    authorized_roles = %w[support policy_and_abuse superadmin].freeze
+    let!(:claim_one) { create(:challenge_claim, collection: collection, claiming_user: create(:user)) }
+    let!(:claim_two) { create(:challenge_claim, collection: collection, claiming_user: create(:user)) }
+
+    subject { get :index, params: { collection_id: collection.name } }
+
+    let(:success) do
+      expect(response).to have_http_status(:success)
+      expect(assigns(:claims)).to include(claim_one, claim_two)
+    end
+
+    it_behaves_like "an action only authorized admins can access", authorized_roles: authorized_roles
+  end
 end
diff --git a/spec/controllers/challenge_requests_controller_spec.rb b/spec/controllers/challenge_requests_controller_spec.rb
@@ -1,11 +1,11 @@
 require "spec_helper"
 
-describe ChallengeRequestsController, bookmark_search: true, collection_search: true, work_search: true do 
+describe ChallengeRequestsController do
   include LoginMacros
   include RedirectExpectationHelper
 
   describe "index" do
-    context "when there are anonymous prompts" do
+    context "when there are anonymous prompts", bookmark_search: true, collection_search: true, work_search: true do
       render_views
 
       it "does not throw a 500 error if sorting by prompter with an anonymous prompt" do
@@ -16,5 +16,20 @@
         expect(response.status).not_to eq(500)
       end
     end
+
+    context "with gift exchanges where request summary is private" do
+      authorized_roles = %w[support policy_and_abuse superadmin].freeze
+      let(:challenge) { create(:gift_exchange, requests_summary_visible: false) }
+      let(:collection) { create(:collection, challenge: challenge) }
+
+      subject { get :index, params: { collection_id: collection.name } }
+
+      let(:success) do
+        expect(response).to have_http_status(:success)
+        expect(response).to render_template(:index)
+      end
+
+      it_behaves_like "an action only authorized admins can access", authorized_roles: authorized_roles
+    end
   end
 end
diff --git a/spec/controllers/challenge_signups_controller_spec.rb b/spec/controllers/challenge_signups_controller_spec.rb
@@ -272,4 +272,39 @@
       end
     end
   end
+
+  describe "admin access to signups pages" do
+    authorized_roles = %w[support policy_and_abuse superadmin].freeze
+
+    describe "GET #index" do
+      subject { get :index, params: { collection_id: closed_collection.name } }
+
+      let(:success) do
+        expect(response).to have_http_status(:success)
+        expect(response).to render_template(:index)
+      end
+
+      it_behaves_like "an action only authorized admins can access", authorized_roles: authorized_roles
+    end
+
+    describe "GET #show" do
+      subject { get :show, params: { id: closed_signup.id, collection_id: closed_collection.name } }
+
+      let(:success) do
+        expect(response).to have_http_status(:success)
+        expect(response).to render_template(:show)
+      end
+
+      it_behaves_like "an action only authorized admins can access", authorized_roles: authorized_roles
+    end
+
+    it "allows support admins to download CSV" do
+      fake_login_admin(create(:support_admin))
+
+      get :index, params: { collection_id: closed_collection.name, format: :csv }
+
+      expect(response).to have_http_status(:success)
+      expect(response.content_type).to include("text/csv")
+    end
+  end
 end
diff --git a/spec/controllers/collection_items_controller_spec.rb b/spec/controllers/collection_items_controller_spec.rb
@@ -626,4 +626,17 @@
       end
     end
   end
+
+  describe "admin access to manage items" do
+    authorized_roles = %w[support policy_and_abuse superadmin].freeze
+
+    subject { get :index, params: { collection_id: collection.name } }
+
+    let(:success) do
+      expect(response).to have_http_status(:success)
+      expect(response).to render_template(:index)
+    end
+
+    it_behaves_like "an action only authorized admins can access", authorized_roles: authorized_roles
+  end
 end