spree_cm_commissioner 2.8.2.pre.pre.2 → 2.8.2.pre.pre.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 902f245f53de7f894cef3c6187916474fc53222d0c60fd2713c131c5712816a7
-  data.tar.gz: c9c02081b81a4f5a88d639c149c59360daf931348d09e0bffcf2006dd10374c9
+  metadata.gz: d81921f1e2c71c3740ce4b4d0c933c5ecc1c1c1e008eacf01636e95c2d0078e3
+  data.tar.gz: 4b02d2667e7d5a441e37315ecb0c91de142b529a595ea14a350863e75b22bd0b
 SHA512:
-  metadata.gz: 745c769444dcf93d625e5cb5a3fa21979c79fd15fc38fe580cd35e537849308d6fd4d63cc8da3b65808b099eaa7fffbade7c5f65cfbcef6122feeeb99a34b93a
-  data.tar.gz: 29a3e784ab688a3f1348b57fc5c7df59cc659345e1d851f04be81ee1a662786466db70f25aec24d4712a422e4c1c4cbdac1078c1f0990fb8804a9f2f134b2f49
+  metadata.gz: 480b051b7f31a87059d9c6f396e6a6e0c2c48b0a38432c7c93d027cbf038263a500945afdb2c8d9c6dbbed92a2cc857a03eaff25bdb57f31b6e7f429dce6556f
+  data.tar.gz: bc516685858c51491db8801c3004f2f8c095c1b2727958877e911312dcb7039feccc8c318c9d88ff8b1c56f88c933478bd05a1664d480dd4a2e0c5dca0a64190

data/Gemfile.lock

@@ -34,7 +34,7 @@ GIT
 PATH
   remote: .
   specs:
-    spree_cm_commissioner (2.8.2.pre.pre.2)
+    spree_cm_commissioner (2.8.2.pre.pre.3)
       activerecord-multi-tenant
       activerecord_json_validator (~> 2.1, >= 2.1.3)
       aws-sdk-cloudfront

data/app/controllers/spree/api/v2/tenant/voting_contestants_controller.rb

@@ -9,7 +9,10 @@ module Spree
           def collection
             @collection ||= @voting_session
                             .voting_contestants
-                            .includes(show_contestant: :show_contestant_images)
+                            .includes(:voting_session, :show_contestant,
+                                      :show_contestant_images, :show_contestant_videos,
+                                      :advanced_to, :advanced_from
+                            )
                             .order(:id)
           end
 

data/app/models/spree_cm_commissioner/show.rb

@@ -75,7 +75,8 @@ module SpreeCmCommissioner
                    :max_votes_per_minute_per_user,
                    :max_votes_per_minute_per_ip,
                    :max_accounts_per_device,
-                   :block_vpn
+                   :block_vpn,
+                   :max_votes_per_contestant_per_user
 
     def show?
       depth == 1

data/app/models/spree_cm_commissioner/vote_fraud_event.rb

@@ -11,7 +11,8 @@ module SpreeCmCommissioner
       ip_cluster: 2,
       anomaly: 3,
       new_account: 4,
-      manual_flag: 5
+      manual_flag: 5,
+      vote_cap: 6
     }
     enum severity: { low: 0, medium: 1, high: 2, critical: 3 }
     enum action_taken: { allowed: 0, blocked: 1, flagged: 2, invalidated: 3 }

data/app/models/spree_cm_commissioner/voting_contestant.rb

@@ -42,5 +42,13 @@ module SpreeCmCommissioner
     def special_rule_type
       (special_rules || {})['type']
     end
+
+    def advanced_from_name
+      advanced_from&.name
+    end
+
+    def advanced_to_name
+      advanced_to&.name
+    end
   end
 end

data/app/models/spree_cm_commissioner/voting_session.rb

@@ -1,4 +1,5 @@
 module SpreeCmCommissioner
+  # rubocop:disable Metrics/ClassLength
   class VotingSession < SpreeCmCommissioner::Base
     include SpreeCmCommissioner::StoreMetadata
 
@@ -6,6 +7,8 @@ module SpreeCmCommissioner
     belongs_to :show, class_name: 'SpreeCmCommissioner::Show', optional: false
     belongs_to :episode, class_name: 'Spree::Product', optional: false
 
+    has_one :season, through: :episode, class_name: 'SpreeCmCommissioner::Show', source: :season
+
     has_many :voting_credits, class_name: 'SpreeCmCommissioner::VotingCredit', as: :votable, dependent: :destroy
     has_many :voting_contestants, class_name: 'SpreeCmCommissioner::VotingContestant', dependent: :destroy
     has_many :eliminated_voting_contestants, lambda {
@@ -20,6 +23,7 @@ module SpreeCmCommissioner
 
     enum status: { disabled: 0, enabled: 1, closed: 2, finalized: 3 }
     enum scoring_model: { manual: 0, geometric: 1, harmonic: 2, weighted_sum: 3, arithmetic: 4 }
+    enum session_type: { vote: 0, manual_advance: 1, save_vote: 2, pre_vote: 3 }
 
     self.whitelisted_ransackable_attributes = %w[name status]
 
@@ -67,7 +71,8 @@ module SpreeCmCommissioner
                    :max_votes_per_minute_per_user,
                    :max_votes_per_minute_per_ip,
                    :max_accounts_per_device,
-                   :block_vpn
+                   :block_vpn,
+                   :max_votes_per_contestant_per_user
 
     # Define standard voting configuration keys
     store_accessor :voting_config,
@@ -138,9 +143,9 @@ module SpreeCmCommissioner
     # Show contestants expected in this session but not yet assigned.
     # episode.season.show_contestants → all contestants on the season this episode belongs to.
     # show_contestants      → already assigned to this voting session.
-    # e.g. season has [Alice, Bob, Carol]; session only has [Alice] → returns [Bob, Carol]
+    # e.g. season has [Alice(active), Bob(active), Carol(eliminated)]; session only has [Alice] → returns [Bob]
     def missing_show_contestants
-      episode.season.show_contestants.where.not(id: show_contestants.select(:id)).ordered
+      episode.season.show_contestants.active.where.not(id: show_contestants.select(:id)).ordered
     end
 
     def max_votes_per_user
@@ -220,4 +225,5 @@ module SpreeCmCommissioner
       {}
     end
   end
+  # rubocop:enable Metrics/ClassLength
 end

data/app/serializers/spree/v2/tenant/show_serializer.rb

@@ -17,6 +17,9 @@ module Spree
           end
         end
 
+        has_many :episodes, serializer: Spree::V2::Tenant::ShowEpisodeSerializer
+        has_many :voting_sessions, serializer: Spree::V2::Tenant::VotingSessionSerializer
+
         has_one :current_episode, serializer: Spree::V2::Tenant::ShowEpisodeSerializer
         has_one :current_voting_session, serializer: Spree::V2::Tenant::VotingSessionSerializer
         has_one :app_banner, serializer: Spree::V2::Tenant::AssetSerializer

data/app/serializers/spree/v2/tenant/voting_contestant_serializer.rb

@@ -4,9 +4,9 @@ module Spree
       class VotingContestantSerializer < BaseSerializer
         set_type :voting_contestant
 
-        attributes :show_id, :show_contestant_id, :name, :contestant_number, :vote_number, :category, :gender,
-                   :vote_count, :eliminated, :eliminated_via, :eliminated_at, :advanced_to_type, :advanced_to_id, :special_rules,
-                   :created_at, :updated_at, :advanced_from_type, :advanced_from_id, :unique_voter_count, :preferences
+        attributes :show_contestant_id, :name, :contestant_number, :vote_number,
+                   :eliminated, :eliminated_via,
+                   :advanced_from_name, :advanced_to_name, :confirmed_rank
 
         attribute :voting_session_id, &:voting_session_id
 
@@ -16,6 +16,7 @@ module Spree
 
         has_many :show_contestant_images, serializer: ::Spree::V2::Tenant::AssetSerializer
         has_many :show_contestant_videos, serializer: ::Spree::V2::Tenant::VideoSerializer
+        belongs_to :voting_session, serializer: ::Spree::V2::Tenant::VotingSessionSerializer
       end
     end
   end

data/app/serializers/spree/v2/tenant/voting_session_serializer.rb

@@ -2,8 +2,8 @@ module Spree
   module V2
     module Tenant
       class VotingSessionSerializer < BaseSerializer
-        attributes :name, :opens_at, :closes_at, :status, :live_stream_enabled, :live_stream_thumbnail, :live_stream_title, :live_stream_description,
-                   :created_at
+        attributes :opens_at, :closes_at, :status, :session_type, :name, :public_metadata,
+                   :live_stream_enabled, :live_stream_thumbnail, :live_stream_title, :live_stream_description
 
         attribute :live_stream_url, &:embedded_live_stream_url
         attribute :can_vote, &:can_vote?

data/app/services/spree_cm_commissioner/fraud_check.rb

@@ -1,10 +1,11 @@
 # Real-time fraud detection for vote submissions.
 #
-# Runs four checks in order:
-#   1. User rate limit   – max votes per minute per user
-#   2. IP rate limit     – max votes per minute per IP
-#   3. Device account limit – max distinct accounts per device fingerprint
-#   4. VPN / proxy block – reject known VPN IPs (when enabled)
+# Runs five checks in order:
+#   1. User rate limit           – max votes per minute per user
+#   2. IP rate limit             – max votes per minute per IP
+#   3. Device account limit      – max distinct accounts per device fingerprint
+#   4. VPN / proxy block         – reject known VPN IPs (when enabled)
+#   5. Contestant vote cap       – max total votes per user per contestant for the session
 
 # On any violation, raises RuntimeError with an I18n user-facing message
 # and enqueues a VoteFraudEventJob asynchronously.
@@ -18,7 +19,8 @@ module SpreeCmCommissioner
       'max_votes_per_minute_per_user' => 5,
       'max_votes_per_minute_per_ip' => 10,
       'max_accounts_per_device' => 3,
-      'block_vpn' => false
+      'block_vpn' => false,
+      'max_votes_per_contestant_per_user' => 0 # 0 = disabled (opt-in)
     }.freeze
 
     RATE_WINDOW = 60 # seconds
@@ -39,6 +41,7 @@ module SpreeCmCommissioner
       check_ip_rate_limit!
       check_device_account_limit!
       check_vpn_block!
+      check_contestant_vote_cap!
 
       success(nil)
     rescue Redis::BaseError, ConnectionPool::TimeoutError => e
@@ -158,6 +161,23 @@ module SpreeCmCommissioner
       raise I18n.t('voting.errors.vpn_blocked')
     end
 
+    # --- Check 5: Contestant vote cap ---
+
+    def check_contestant_vote_cap!
+      return if contestant.nil?
+
+      threshold = config_value('max_votes_per_contestant_per_user')
+      return if threshold.nil? || threshold <= 0
+
+      key = "fraud:cap:contestant:#{session_id}:#{contestant.id}:#{user_identifier}"
+      count = increment_with_expiry(key, session_ttl, by: quantity)
+
+      return unless count > threshold
+
+      log_fraud_event(:vote_cap, :medium)
+      raise I18n.t('voting.errors.contestant_vote_cap_exceeded')
+    end
+
     # --- Redis helpers ---
 
     # Atomically increments a counter key and sets its TTL on the first write.

data/app/services/spree_cm_commissioner/oauth_access_tokens/cleanup_expired.rb

@@ -3,22 +3,28 @@ module SpreeCmCommissioner
     class CleanupExpired
       prepend ::Spree::ServiceModule::Base
 
-      BATCH_SIZE = 1000
+      BATCH_SIZE = 500
+
+      # The access tokens set by doorkeeper to expire in 1 day (cm-market-server/config/initializers/doorkeeper.rb),
+      # so we set the threshold to 90 days to make sure all expired tokens are cleaned up.
       EXPIRATION_THRESHOLD_DAYS = 90
 
       def call
-        cutoff_date = EXPIRATION_THRESHOLD_DAYS.days.ago
+        cutoff_time = EXPIRATION_THRESHOLD_DAYS.days.ago
         total_deleted = 0
 
+        # oauth_access_tokens is a standalone table with no foreign keys or associations
+        # pointing to it (checked cm-market-server/db/schema.rb), so it is safe to use
+        # delete_all here for faster bulk cleanup.
         Spree::OauthAccessToken
-          .where('revoked_at IS NOT NULL OR (expires_in IS NOT NULL AND created_at + make_interval(secs => expires_in) < ?)', cutoff_date)
+          .where('created_at < ?', cutoff_time)
           .in_batches(of: BATCH_SIZE) do |relation|
           deleted_count = relation.delete_all
           total_deleted += deleted_count
         end
 
-        log_cleanup_result(total_deleted, cutoff_date)
-        success(total_deleted: total_deleted, cutoff_date: cutoff_date, batch_size: BATCH_SIZE, expiration_threshold_days: EXPIRATION_THRESHOLD_DAYS)
+        log_cleanup_result(total_deleted, cutoff_time)
+        success(total_deleted: total_deleted, cutoff_time: cutoff_time, batch_size: BATCH_SIZE, expiration_threshold_days: EXPIRATION_THRESHOLD_DAYS)
       rescue StandardError => e
         log_error(e)
         failure(nil, e.message)
@@ -26,12 +32,12 @@ module SpreeCmCommissioner
 
       private
 
-      def log_cleanup_result(total_deleted, cutoff_date)
+      def log_cleanup_result(total_deleted, cutoff_time)
         CmAppLogger.log(
           label: 'SpreeCmCommissioner::OauthAccessTokens::CleanupExpired completed',
           data: {
             total_deleted: total_deleted,
-            cutoff_date: cutoff_date,
+            cutoff_time: cutoff_time,
             batch_size: BATCH_SIZE,
             expiration_threshold_days: EXPIRATION_THRESHOLD_DAYS
           }

data/app/services/spree_cm_commissioner/voting_contestants/assigner.rb

@@ -22,6 +22,11 @@ module SpreeCmCommissioner
         return if target_ids.empty?
 
         @episode.season.show_contestants.where(id: target_ids).find_each do |show_contestant|
+          if @voting_session.save_vote? && !show_contestant.eliminated?
+            raise 'Only eliminated contestants can be added to a Save Contestants session. ' \
+                  "#{show_contestant.name} is #{show_contestant.status}."
+          end
+
           @voting_session.voting_contestants.find_or_create_by!(show_contestant: show_contestant) do |voting_contestant|
             voting_contestant.show_id = @voting_session.show_id
           end

data/app/services/spree_cm_commissioner/voting_sessions/finalize.rb

@@ -3,10 +3,18 @@ module SpreeCmCommissioner
     class Finalize
       prepend ::Spree::ServiceModule::Base
 
-      def call(voting_session:)
+      def call(voting_session:, save_advance_to_session_id: nil)
+        @save_advance_to_session_id = save_advance_to_session_id
+
         ApplicationRecord.transaction do
           validate_confirmed_ranks!(voting_session)
-          advance_confirmed_winners(voting_session) if next_session?(voting_session)
+
+          if voting_session.save_vote?
+            restore_and_advance_saved_contestants(voting_session)
+          elsif next_session?(voting_session)
+            advance_confirmed_winners(voting_session)
+          end
+
           voting_session.update!(status: :finalized)
           success(voting_session: voting_session)
         end
@@ -17,7 +25,7 @@ module SpreeCmCommissioner
       private
 
       def validate_confirmed_ranks!(voting_session)
-        if next_session?(voting_session)
+        if voting_session.save_vote? || next_session?(voting_session)
           raise I18n.t('voting.errors.no_winners_confirmed') if voting_session.voting_contestants.where.not(confirmed_rank: nil).none?
         else
           unranked = voting_session.voting_contestants.where(eliminated: false, confirmed_rank: nil)
@@ -25,6 +33,27 @@ module SpreeCmCommissioner
         end
       end
 
+      def restore_and_advance_saved_contestants(voting_session)
+        target_session = SpreeCmCommissioner::VotingSession.find_by(id: @save_advance_to_session_id)
+        raise I18n.t('voting.errors.save_advance_to_session_required') if target_session.nil?
+
+        voting_session.voting_contestants.each do |vc|
+          if vc.confirmed_rank.present?
+            vc.show_contestant.update!(status: :active)
+            SpreeCmCommissioner::VotingContestants::Advancer.call(
+              voting_contestant: vc,
+              attributes: { advanced_to: target_session }
+            )
+          else
+            SpreeCmCommissioner::VotingContestants::Advancer.call(
+              voting_contestant: vc,
+              attributes: { eliminated: true, eliminated_via: :instant_save_lost, advanced_to_type: nil, advanced_to_id: nil }
+            )
+            # ShowContestant#status already :eliminated — no change needed
+          end
+        end
+      end
+
       # Re-syncs advancement on every call — handles first finalize and re-finalize.
       # Contestants without a confirmed_rank get their advanced_to cleared.
       def advance_confirmed_winners(voting_session)
@@ -48,6 +77,7 @@ module SpreeCmCommissioner
               voting_contestant: voting_contestant,
               attributes: { eliminated: true, eliminated_via: :public_vote, advanced_to_type: nil, advanced_to_id: nil }
             )
+            voting_contestant.show_contestant.update!(status: :eliminated)
           end
         end
       end

data/config/locales/en.yml

@@ -767,6 +767,8 @@ en:
       rate_limit_ip: "Too many votes from your network. Please try again shortly."
       device_account_limit: "This device has been used by too many accounts."
       vpn_blocked: "Voting is not allowed from VPN or proxy connections."
+      contestant_vote_cap_exceeded: "You have reached the maximum number of votes allowed for this contestant."
       no_winners_confirmed: "No winners confirmed"
       all_contestants_must_be_ranked: "All non-eliminated contestants must be ranked"
+      save_advance_to_session_required: "A target voting session must be selected to advance saved contestants"
 

data/config/locales/km.yml

@@ -609,4 +609,5 @@ km:
     errors:
       no_winners_confirmed: "មិនមានអ្នកឈ្នះត្រូវបានបញ្ជាក់"
       all_contestants_must_be_ranked: "អ្នកចូលរួមទាំងអស់ដែលមិនត្រូវបានលុបចោលត្រូវតែមានចំណាត់ថ្នាក់"
+      save_advance_to_session_required: "ត្រូវតែជ្រើសរើសសម័យបោះឆ្នោតគោលដៅដើម្បីជំរុញអ្នកចូលរួមដែលបានជ្រើស"
 

data/db/migrate/20260529000001_add_session_type_to_cm_voting_sessions.rb

@@ -0,0 +1,6 @@
+class AddSessionTypeToCmVotingSessions < ActiveRecord::Migration[7.0]
+  def change
+    add_column :cm_voting_sessions, :session_type, :integer, default: 0, null: false, if_not_exists: true
+    add_index  :cm_voting_sessions, :session_type, if_not_exists: true
+  end
+end

data/lib/spree_cm_commissioner/version.rb

@@ -1,5 +1,5 @@
 module SpreeCmCommissioner
-  VERSION = '2.8.2.pre.pre.2'.freeze
+  VERSION = '2.8.2.pre.pre.3'.freeze
 
   module_function
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_cm_commissioner
 version: !ruby/object:Gem::Version
-  version: 2.8.2.pre.pre.2
+  version: 2.8.2.pre.pre.3
 platform: ruby
 authors:
 - You
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-31 00:00:00.000000000 Z
+date: 2026-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: spree
@@ -3275,6 +3275,7 @@ files:
 - db/migrate/20260525042257_add_vote_number_to_cm_voting_contestants.rb
 - db/migrate/20260527035430_add_confirmed_rank_to_cm_voting_contestants.rb
 - db/migrate/20260527062005_add_eliminated_at_to_cm_show_contestants.rb
+- db/migrate/20260529000001_add_session_type_to_cm_voting_sessions.rb
 - docker-compose.yml
 - docs/api/scoped-access-token-endpoints.md
 - docs/option_types/attr_types.md