CitizenLabDotCo · adessy · Jan 7, 2026 · Nov 26, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/back/.rubocop.yml b/back/.rubocop.yml
@@ -87,6 +87,11 @@ Layout/EndAlignment:
 Layout/TrailingWhitespace:
   AllowInHeredoc: true
 
+# rspec-parameterized uses a DSL that overrides the `|` operator.
+Lint/BinaryOperatorWithIdenticalOperands:
+  Exclude:
+    - 'spec/**/*'
+
 Lint/AmbiguousBlockAssociation:
   AllowedPatterns:
     - change

diff --git a/back/app/controllers/web_api/v1/email_bans_controller.rb b/back/app/controllers/web_api/v1/email_bans_controller.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class WebApi::V1::EmailBansController < ApplicationController
+  def count
+    authorize(:email_ban)
+    render json: raw_json({ count: EmailBan.count })
+  end
+
+  # GET /email_bans/:email
+  def show
+    authorize(:email_ban)
+    ban = EmailBan.find_for(params[:email])
+    return head :not_found unless ban
+
+    render json: WebApi::V1::EmailBanSerializer
+      .new(ban, params: jsonapi_serializer_params)
+      .serializable_hash
+  end
+
+  # DELETE /email_bans/:email
+  def destroy
+    authorize(:email_ban)
+    ban = EmailBan.find_for(params[:email])
+    return head :not_found unless ban
+
+    ban.destroy!
+    head :ok
+  end
+end
diff --git a/back/app/controllers/web_api/v1/users_controller.rb b/back/app/controllers/web_api/v1/users_controller.rb
@@ -3,7 +3,7 @@
 class WebApi::V1::UsersController < ApplicationController
   include BlockingProfanity
 
-  before_action :set_user, only: %i[show update destroy ideas_count comments_count block unblock]
+  before_action :set_user, only: %i[show update destroy ideas_count comments_count block unblock participation_stats]
   skip_before_action :authenticate_user, only: %i[create show check by_slug by_invite ideas_count comments_count]
 
   rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
@@ -184,7 +184,16 @@ def update
   end
 
   def destroy
-    DeleteUserJob.perform_now(@user.id, current_user)
+    delete_participation_data = ActiveModel::Type::Boolean.new.cast(params[:delete_participation_data])
+    ban_email = ActiveModel::Type::Boolean.new.cast(params[:ban_email])
+
+    DeleteUserJob.perform_now(
+      @user.id,
+      current_user,
+      delete_participation_data:,
+      ban_email:,
+      ban_reason: params[:ban_reason]
+    )
     head :ok
   end
 
@@ -231,6 +240,11 @@ def comments_count
     render json: raw_json({ count: count }), status: :ok
   end
 
+  def participation_stats
+    stats = ParticipantsService.new.user_participation_stats(@user)
+    render json: raw_json(stats)
+  end
+
   def update_password
     @user = current_user
     authorize @user

diff --git a/back/app/jobs/delete_user_job.rb b/back/app/jobs/delete_user_job.rb
@@ -5,9 +5,29 @@ class DeleteUserJob < ApplicationJob
 
   # @param [User,String] user user or user identifier
   # @param [User,NilClass] current_user
-  def run(user, current_user = nil)
+  # @param [Boolean] delete_participation_data When true, permanently deletes all user
+  #   content instead of anonymizing it
+  # @param [Boolean] ban_email When true, bans the user's email from future registration
+  # @param [String,NilClass] ban_reason Optional reason for the email ban
+  def run(
+    user,
+    current_user = nil,
+    delete_participation_data: false,
+    ban_email: false,
+    ban_reason: nil
+  )
     user = User.find(user) unless user.respond_to?(:id)
-    user.destroy!
-    SideFxUserService.new.after_destroy(user, current_user)
+    email_to_ban = user.email if ban_email
+
+    ActiveRecord::Base.transaction do
+      ParticipantsService.new.destroy_user_participation_data(user) if delete_participation_data
+      user.destroy!
+      EmailBan.ban!(email_to_ban, reason: ban_reason, banned_by: current_user) if email_to_ban.present?
+    end
+
+    SideFxUserService.new.after_destroy(
+      user, current_user,
+      participation_data_deleted: delete_participation_data
+    )
   end
 end
diff --git a/back/app/models/email_ban.rb b/back/app/models/email_ban.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+# == Schema Information
+#
+# Table name: email_bans
+#
+#  id                    :uuid             not null, primary key
+#  normalized_email_hash :string           not null
+#  reason                :text
+#  banned_by_id          :uuid
+#  created_at            :datetime         not null
+#
+# Indexes
+#
+#  index_email_bans_on_banned_by_id           (banned_by_id)
+#  index_email_bans_on_normalized_email_hash  (normalized_email_hash) UNIQUE
+#
+# Foreign Keys
+#
+#  fk_rails_...  (banned_by_id => users.id)
+#
+
+# Following the principle of data minimization, we store email hashes instead of the
+# actual emails. This keeps things simpler for GDPR compliance and avoids issues with
+# banned users objecting to their email being stored.
+class EmailBan < ApplicationRecord
+  belongs_to :banned_by, class_name: 'User', optional: true
+
+  validates :normalized_email_hash, presence: true, uniqueness: true
+
+  class << self
+    def banned?(email)
+      normalized = EmailNormalizationService.normalize(email)
+      exists?(normalized_email_hash: sha256(normalized))
+    end
+
+    def ban!(email, reason: nil, banned_by: nil)
+      normalized = EmailNormalizationService.normalize(email)
+      hash = sha256(normalized)
+
+      record = find_or_initialize_by(normalized_email_hash: hash)
+      record.update!(reason: reason, banned_by: banned_by)
+      record
+    end
+
+    def find_for(email)
+      normalized = EmailNormalizationService.normalize(email)
+      find_by(normalized_email_hash: sha256(normalized))
+    end
+
+    private
+
+    def sha256(string)
+      Digest::SHA256.hexdigest(string)
+    end
+  end
+end
diff --git a/back/app/models/files/restricted_file.rb b/back/app/models/files/restricted_file.rb
@@ -1,5 +1,36 @@
 # frozen_string_literal: true
 
+# == Schema Information
+#
+# Table name: files
+#
+#  id                                                                           :uuid             not null, primary key
+#  name                                                                         :string
+#  content                                                                      :string
+#  uploader_id(the user who uploaded the file)                                  :uuid
+#  created_at                                                                   :datetime         not null
+#  updated_at                                                                   :datetime         not null
+#  size(in bytes)                                                               :integer
+#  mime_type                                                                    :string
+#  category                                                                     :string           default("other"), not null
+#  description_multiloc                                                         :jsonb
+#  tsvector                                                                     :tsvector
+#  ai_processing_allowed(whether consent was given to process the file with AI) :boolean          default(FALSE), not null
+#
+# Indexes
+#
+#  index_files_on_category                                (category)
+#  index_files_on_description_multiloc_text_gin_trgm_ops  (((description_multiloc)::text) gin_trgm_ops) USING gin
+#  index_files_on_mime_type                               (mime_type)
+#  index_files_on_name_gin_trgm                           (name) USING gin
+#  index_files_on_size                                    (size)
+#  index_files_on_tsvector                                (tsvector) USING gin
+#  index_files_on_uploader_id                             (uploader_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (uploader_id => users.id)
+#
 # temporary-fix-for-vienna-svg-security-issue
 module Files
   class RestrictedFile < File

diff --git a/back/app/models/user.rb b/back/app/models/user.rb
@@ -197,6 +197,7 @@ def oldest_admin
   validate :validate_not_duplicate_new_email
   validate :validate_can_update_email, on: :form_submission # only called if `save` is called w/ `context: :form_submission`
   validate :validate_email_domains_blacklist, if: :email_or_new_email_changed?
+  validate :validate_emails_not_banned, if: :email_or_new_email_changed?
 
   before_destroy :remove_initiated_notifications # Must occur before has_many :notifications (see https://github.com/rails/rails/issues/5205)
   has_many :notifications, foreign_key: :recipient_id, dependent: :destroy
@@ -387,6 +388,20 @@ def validate_email_domain_blacklist(email_field)
     end
   end
 
+  def validate_emails_not_banned
+    validate_email_not_banned(:email)
+    validate_email_not_banned(:new_email)
+  end
+
+  def validate_email_not_banned(field)
+    value = send(field)
+    return if value.blank?
+    return unless EmailBan.banned?(value)
+
+    errors.add(field, 'something_went_wrong', code: 'zrb-43')
+    Rails.logger.info "Validation error! Email banned: #{value.split('@')&.last}"
+  end
+
   def remove_initiated_notifications
     initiator_notifications.each do |notification|
       unless notification.update initiating_user: nil

diff --git a/back/app/policies/email_ban_policy.rb b/back/app/policies/email_ban_policy.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class EmailBanPolicy < ApplicationPolicy
+  def count?
+    active_admin?
+  end
+
+  def show?
+    active_admin?
+  end
+
+  def destroy?
+    active_admin?
+  end
+end
diff --git a/back/app/policies/user_policy.rb b/back/app/policies/user_policy.rb
@@ -28,14 +28,12 @@ def seats?
   end
 
   def index_xlsx?
-    user&.active? && user.admin?
+    active_admin?
   end
 
   def create?
     app_config = AppConfiguration.instance
-
     allow_signup = app_config.feature_activated?('password_login') && app_config.settings('password_login', 'enable_signup')
-
     allow_signup || active_admin?
   end
 
@@ -60,15 +58,15 @@ def update?
   end
 
   def destroy?
-    record.id == user&.id || (user&.active? && user.admin?)
+    record.id == user&.id || active_admin?
   end
 
   def block?
-    user&.active? && user.admin?
+    active_admin?
   end
 
   def unblock?
-    user&.active? && user.admin?
+    active_admin?
   end
 
   def blocked_count?
@@ -83,6 +81,12 @@ def comments_count?
     true
   end
 
+  def participation_stats?
+    # Currently, participation_stats is only used in the delete user modal, so only admin
+    # users should have access (self is not even used).
+    record.id == user&.id || active_admin?
+  end
+
   def update_password?
     user&.active? && (record.id == user.id)
   end

diff --git a/back/app/serializers/web_api/v1/email_ban_serializer.rb b/back/app/serializers/web_api/v1/email_ban_serializer.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class WebApi::V1::EmailBanSerializer < WebApi::V1::BaseSerializer
+  attributes :reason, :created_at
+
+  belongs_to :banned_by, serializer: WebApi::V1::UserSerializer
+end
diff --git a/back/app/services/email_normalization_service.rb b/back/app/services/email_normalization_service.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class EmailNormalizationService
+  # Providers that support plus-addressing (user+tag@domain.com)
+  PLUS_ADDRESSING_DOMAINS = %w[
+    gmail.com googlemail.com
+    outlook.com hotmail.com live.com
+    yahoo.com
+    protonmail.com proton.me
+  ].freeze
+
+  # Gmail ignores dots in local part
+  GMAIL_DOMAINS = %w[gmail.com googlemail.com].freeze
+
+  # Be careful when changing this method. Removing a normalization rule could
+  # potentially unban emails that were previously banned.
+  def self.normalize(email)
+    return '' if email.blank?
+
+    local, domain = email.strip.downcase.split('@', 2)
+    return email.strip.downcase unless domain
+
+    local = local.delete('.') if GMAIL_DOMAINS.include?(domain)
+    local = local.split('+').first if PLUS_ADDRESSING_DOMAINS.include?(domain)
+    domain = 'gmail.com' if domain.in?(GMAIL_DOMAINS)
+
+    "#{local}@#{domain}"
+  end
+end
diff --git a/back/app/services/invites/error_storage.rb b/back/app/services/invites/error_storage.rb
@@ -14,7 +14,8 @@ class Invites::ErrorStorage
     invalid_row: 'invalid_row',
     email_already_invited: 'email_already_invited',
     email_already_active: 'email_already_active',
-    emails_duplicate: 'emails_duplicate'
+    emails_duplicate: 'emails_duplicate',
+    email_banned: 'email_banned'
   }
 
   def initialize

diff --git a/back/app/services/invites/service.rb b/back/app/services/invites/service.rb
@@ -148,6 +148,8 @@ def validate_invitee(invitee)
           add_error(:unknown_locale, row: @current_row, value: error_descriptor[:value], raw_error: e)
         elsif field == :email && error_descriptor[:error] == :invalid
           add_error(:invalid_email, row: @current_row, value: error_descriptor[:value], raw_error: e)
+        elsif field == :email && error_descriptor[:code] == 'zrb-43'
+          add_error(:email_banned, row: @current_row, value: error_descriptor[:value], raw_error: e)
         # :taken and :taken_by_invite should not happen after 662da0dc85
         # ToDo: remove these two elsif branches and the `ignore` option of `add_error`.
         elsif field == :email && error_descriptor[:error] == :taken