Restrict ended events to registered users and grey out cards

maebeale · claude · maebeale · commit 3f77f253b9ce · 2026-03-03T09:23:13.000-05:00
Ended events were visible to all users regardless of registration
status. Now only admins and actively registered users can see them
in the index and via direct URL. Ended event cards render with
reduced opacity and muted styling.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/app/policies/event_policy.rb b/app/policies/event_policy.rb
@@ -8,7 +8,13 @@ def index?
   end
 
   def show?
-    admin? || record.publicly_visible? || (authenticated? && record.published?)
+    return true if admin?
+
+    if record.ended?
+      authenticated? && record.published? && record.actively_registered?(user.person)
+    else
+      record.publicly_visible? || (authenticated? && record.published?)
+    end
   end
 
   def register?
@@ -39,15 +45,30 @@ def owner?
 
   relation_scope do |relation|
     next relation if admin?
-    if authenticated? # logged in users can see events they are registered for even if registration is closed
-      relation.left_outer_joins(:registrants)
-              .published
-              .where("registration_close_date IS NULL OR registration_close_date >= ? OR people.id = ?", Time.current, user.person_id)
-              .distinct
+
+    if authenticated?
+      active_statuses = EventRegistration::ACTIVE_STATUSES.map { |s| relation.connection.quote(s) }.join(", ")
+      relation
+        .joins(
+          "LEFT OUTER JOIN event_registrations
+             ON event_registrations.event_id = events.id
+             AND event_registrations.status IN (#{active_statuses})
+           LEFT OUTER JOIN people
+             ON people.id = event_registrations.registrant_id"
+        )
+        .published
+        .where(
+          "(events.end_date >= :now AND (events.registration_close_date IS NULL OR events.registration_close_date >= :now))
+           OR people.id = :person_id",
+          now: Time.current,
+          person_id: user.person_id
+        )
+        .distinct
     else
       relation.publicly_visible
               .published
-              .where("registration_close_date IS NULL OR registration_close_date >= ?", Time.current)
+              .where("events.end_date >= ?", Time.current)
+              .where("events.registration_close_date IS NULL OR events.registration_close_date >= ?", Time.current)
     end
   end
 end
diff --git a/app/views/events/_card.html.erb b/app/views/events/_card.html.erb
@@ -1,8 +1,12 @@
 <% event = event.decorate %>
+<% ended = event.ended? %>
 
 <%= tag.div id: dom_id(event, :card),
-            class: "relative bg-white border border-gray-200 rounded-2xl shadow-sm hover:shadow-md
-  transition p-4 flex flex-col gap-4 h-full" do %>
+            class: class_names(
+              "relative rounded-2xl shadow-sm transition p-4 flex flex-col gap-4 h-full",
+              "bg-gray-100 border border-gray-300 opacity-60": ended,
+              "bg-white border border-gray-200 hover:shadow-md": !ended
+            ) do %>
   <!-- Bookmark -->
   <div class="absolute top-3 right-3 z-20">
     <%= render "bookmarks/editable_bookmark_icon", resource: event.object %>
diff --git a/spec/factories/events.rb b/spec/factories/events.rb
@@ -29,6 +29,12 @@
       publicly_featured { true }
     end
 
+    trait :ended do
+      start_date { 14.days.ago }
+      end_date { 12.days.ago }
+      registration_close_date { 13.days.ago }
+    end
+
     trait :registration_closed do
       registration_close_date { 13.days.ago }
     end
diff --git a/spec/policies/event_policy_spec.rb b/spec/policies/event_policy_spec.rb
@@ -6,6 +6,7 @@
   let(:published_event) { build_stubbed :event, :published }
   let(:public_event) { build_stubbed :event, publicly_visible: true  }
   let(:unpublished_event) { build_stubbed :event, :unpublished }
+  let(:ended_event) { build_stubbed :event, :published, :ended }
   let(:open_registration_event) { build_stubbed :event, registration_close_date: 1.day.from_now }
   let(:closed_registration_event) { build_stubbed :event, registration_close_date: 1.day.ago }
 
@@ -54,6 +55,36 @@ def policy_for(record: nil, user:)
       end
     end
 
+    context "when event has ended" do
+      context "with admin user" do
+        subject { policy_for(record: ended_event, user: admin_user) }
+
+        it { is_expected.to be_allowed_to(:show?) }
+      end
+
+      context "with registered user" do
+        subject { policy_for(record: ended_event, user: regular_user) }
+
+        before { allow(ended_event).to receive(:actively_registered?).with(regular_user.person).and_return(true) }
+
+        it { is_expected.to be_allowed_to(:show?) }
+      end
+
+      context "with unregistered user" do
+        subject { policy_for(record: ended_event, user: regular_user) }
+
+        before { allow(ended_event).to receive(:actively_registered?).with(regular_user.person).and_return(false) }
+
+        it { is_expected.not_to be_allowed_to(:show?) }
+      end
+
+      context "with no user" do
+        subject { policy_for(record: ended_event, user: nil) }
+
+        it { is_expected.not_to be_allowed_to(:show?) }
+      end
+    end
+
     context "when event is not visible" do
       context "with admin user" do
         subject { policy_for(record: unpublished_event, user: admin_user) }
@@ -175,22 +206,27 @@ def policy_for(record: nil, user:)
     context "with regular user" do
       let(:policy) { policy_for(record: Event, user: regular_user) }
 
-      it "returns only visible events with open registration" do
+      it "returns only visible events with open registration or active registrations" do
         scope = policy.apply_scope(Event.all, type: :active_record_relation)
-        expect(scope.to_sql).to include('`events`.`published` = TRUE')
-        expect(scope.to_sql).to include('registration_close_date IS NULL OR registration_close_date >=')
-        expect(scope.to_sql).to include('LEFT OUTER JOIN `event_registrations`')
+        sql = scope.to_sql
+        expect(sql).to include('`events`.`published` = TRUE')
+        expect(sql).to include("events.end_date >=")
+        expect(sql).to include("events.registration_close_date IS NULL OR events.registration_close_date >=")
+        expect(sql).to include("LEFT OUTER JOIN event_registrations")
+        expect(sql).to include("event_registrations.status IN")
       end
     end
 
     context "with no user" do
       let(:policy) { policy_for(record: Event, user: nil) }
 
-      it "returns only visible events with open registration" do
+      it "excludes ended events and events with closed registration" do
         scope = policy.apply_scope(Event.all, type: :active_record_relation)
-        expect(scope.to_sql).to include('`events`.`published` = TRUE')
-        expect(scope.to_sql).to include('registration_close_date IS NULL OR registration_close_date >=')
-        expect(scope.to_sql).not_to include('LEFT OUTER JOIN `registrants`')
+        sql = scope.to_sql
+        expect(sql).to include('`events`.`published` = TRUE')
+        expect(sql).to include("events.end_date >=")
+        expect(sql).to include("events.registration_close_date IS NULL OR events.registration_close_date >=")
+        expect(sql).not_to include("LEFT OUTER JOIN")
       end
     end
   end
