hackclub · YodaLightsabr · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025
diff --git a/app/assets/javascripts/ui.js b/app/assets/javascripts/ui.js
@@ -446,6 +446,17 @@ $(document).on('turbo:load', function () {
     BK.s('comment')[0].scrollIntoView()
   })
 
+  $('[data-behavior~=expand_inspector]').on('click', e => {
+    const inspector = $('#inspector-container')
+    if (inspector.parent().hasClass('inspector--expanded')) {
+      inspector.parent().removeClass('inspector--expanded')
+      inspector.slideUp()
+    } else {
+      inspector.parent().addClass('inspector--expanded')
+      inspector.slideDown()
+    }
+  })
+
   $('.input-group').on('click', e => {
     // focus on the input when clicking on the input-group
     e.currentTarget.querySelector('input').focus()

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
@@ -1420,6 +1420,36 @@ def referral_program_create
   def active_teenagers_leaderboard
   end
 
+  def inspect
+    redirect_to inspect_resource_admin_index_path(resource: params[:resource_type], id: params[:resource_id])
+  end
+
+  def inspect_resource
+    @resource_type = params[:resource]
+    @resource_id = params[:id]
+
+    Zeitwerk::Loader.eager_load_all
+
+    # get all named classes extending ApplicationRecord
+    @all_resource_types = ObjectSpace.each_object(Class).select { |c| c < ApplicationRecord }.select(&:name).map(&:name)
+    @associations = {}
+
+    begin
+      @resource = Inspector.find_object(@resource_type, @resource_id)
+
+      if @resource.nil?
+        flash.now[:error] = "Resource not found." and return
+      end
+
+    rescue NameError
+      flash.now[:error] = "Invalid resource type."
+    rescue ActiveRecord::RecordNotFound => e
+      flash.now[:error] = "Resource not found."
+    ensure
+      @associations = Inspector.find_relations(@resource) if @resource.present?
+    end
+  end
+
   private
 
   def stream_data(content_type, filename, data, download = true)

diff --git a/app/models/inspector.rb b/app/models/inspector.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Inspector
+  def self.resource_types
+    Zeitwerk::Loader.eager_load_all
+
+    descendants = ObjectSpace.each_object(Class).select { |c| c < ApplicationRecord }
+
+    descendants.filter_map(&:name)
+  end
+
+  def self.find_relations(object)
+    if object.class < ApplicationRecord
+      object = object.attributes
+    end
+
+    resource_type_keys = resource_types.index_by { |type| "#{type.underscore}_id" }
+
+    association_keys = object.keys.select do |key|
+      key.ends_with?("_id") && object[key].present? && resource_type_keys[key].present?
+    end
+
+    association_keys.map do |key|
+      [resource_type_keys[key], object[key]]
+    end.to_h
+  end
+
+  def self.find_object(resource, id)
+    return nil unless resource.in?(resource_types)
+
+    klass = resource.constantize
+
+    object = klass.find_by(id: id)
+    object ||= klass.try(:find_by_public_id, id)
+    object ||= klass.try(:find_by_hashid, id)
+    object ||= klass.find_by(hcb_code: id) if "hcb_code".in? klass.columns.collect(&:name)
+    object ||= klass.try(:friendly)&.find(id, allow_nil: true)
+    object ||= klass.try(:find_by_public_id, id)
+    object ||= klass.try(:search_name, id)
+    object ||= klass.try(:search_memo, id)
+    object ||= klass.try(:search_recipient, id)
+    object ||= klass.try(:search_description, id)
+
+    object = object.first if object.class < Enumerable
+
+    object
+  end
+
+  def self.object_for(path)
+    route = Rails.application.routes.recognize_path(path)
+    model_name = route[:controller].singularize.classify
+
+    if model_name.in?(resource_types)
+      find_object(model_name, route["#{model_name.underscore}_id".to_sym] || route[:id])
+    end
+  end
+end
diff --git a/app/views/admin/inspect_resource.html.erb b/app/views/admin/inspect_resource.html.erb
@@ -0,0 +1,21 @@
+<%= turbo_frame_tag "inspect_frame" do %>
+
+  <%= form_with url: inspect_admin_index_path, method: :get, local: true, data: { turbo_frame: "inspect_frame" }, class: "flex flex-row items-center gap-2 mb-3 border border-smoke border-b-1 rounded-xl" do |form| %>
+    <%= form.select :resource_type, options_for_select(@all_resource_types, @resource_type), {}, { class: "mb-0 !border-none !bg-transparent" } %>
+    <div class="flex-shrink-0 h-[30px] w-[1px] border-left border-smoke border-b-1"></div>
+    <%= form.text_field :resource_id, value: @resource_id, class: "mb-0 !border-none !bg-transparent flex-grow", style: "max-width: unset!important" %>
+    <div>
+      <%= form.submit "Inspect", class: "!bg-steel hover:!bg-slate !text-sm p-1 mr-0.5 !rounded-[9px] !transform-none", style: "background-image: none!important; box-shadow: none!important; transition: all 100ms!important;" %>
+    </div>
+  <% end %>
+
+  <div class="[&_pre]:m-0 [&_pre]:rounded-xl">
+    <%== ap @resource %>
+  </div>
+
+  <div class="flex flex-row gap-2">
+    <% @associations.map do |class_name, id| %>
+      <%= link_to "Inspect #{class_name} ##{id} →", inspect_resource_admin_index_path(resource: class_name, id: id), data: { turbo_frame: "inspect_frame" }, class: "btn !bg-steel hover:!bg-slate !text-sm p-2 mr-0.5 !rounded-[9px] !transform-none mt-3", style: "background-image: none!important; box-shadow: none!important; transition: all 100ms!important;" %>
+    <% end %>
+  </div>
+<% end %>
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -257,5 +257,26 @@
         }
       </style>
     <% end %>
+
+    <% if current_user.auditor? %>
+      <div class="bg-black text-white fixed bottom-0 left-0 right-0 z-50 [&.inspector--expanded_.up-caret]:hidden [&:not(.inspector--expanded)_.down-caret]:hidden">
+        <div class="bg-black text-white p-2 flex items-center justify-between cursor-pointer hover:bg-steel hover:pb-3 transition-all transition-duration-100 border-bottom border-smoke border-b-1" data-behavior="expand_inspector">
+          <div class="flex flex-row items-center gap-4">
+            <%= inline_icon "explore", size: 20 %>
+            <p class="m-0 text-sm text-center">Inspector</p>
+            <% object = Inspector.object_for(request.path) %>
+            <% if object.present? %>
+              <p class="m-0 text-xs text-center opacity-50"><%= object.class.name %>#<%= object.id %> • Found on page</p>
+            <% end %>
+          </div>
+          <%= inline_icon "up-caret", size: 20, class: "up-caret" %>
+          <%= inline_icon "down-caret", size: 20, class: "down-caret" %>
+        </div>
+        <div class="h-[calc(100vh-200px)] p-4 overflow-y-scroll" id="inspector-container" style="display: none;">
+          <% path_arguments = object.present? ? { resource: object.class.name, id: object.id } : { resource: "User", id: current_user.id } %>
+          <%= turbo_frame_tag "inspect_frame", src: inspect_resource_admin_index_path(**path_arguments) %>
+        </div>
+      </div>
+    <% end %>
   </body>
 </html>
@@ -464,8 +464,42 @@
         89
       ],
       "note": ""
+    },
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 2,
+      "fingerprint": "ecbe561482618c695ecfd0475ccb9d510d259edd35da594a94adab706b1f5291",
+      "check_name": "CrossSiteScripting",
+      "message": "Unescaped parameter value",
+      "file": "app/views/admin/inspect_resource.html.erb",
+      "line": 13,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
+      "code": "ap(Inspector.find_object(params[:resource], params[:id]))",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "AdminController",
+          "method": "inspect_resource",
+          "line": 1423,
+          "file": "app/controllers/admin_controller.rb",
+          "rendered": {
+            "name": "admin/inspect_resource",
+            "file": "app/views/admin/inspect_resource.html.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "admin/inspect_resource"
+      },
+      "user_input": "params[:resource]",
+      "confidence": "Weak",
+      "cwe_id": [
+        79
+      ],
+      "note": "These are all safely handled and don't get directly rendered on the page"
     }
   ],
-  "updated": "2025-10-13 08:21:43 +0000",
+  "updated": "2025-10-13 15:31:23 -0700",
   "brakeman_version": "6.2.2"
 }
diff --git a/config/routes.rb b/config/routes.rb
@@ -209,6 +209,8 @@
 
   resources :admin, only: [] do
     collection do
+      get "inspect/:resource/:id", to: "admin#inspect_resource", as: :inspect_resource
+      get "inspect", to: "admin#inspect", as: :inspect
       get "bank_accounts", to: "admin#bank_accounts"
       get "hcb_codes", to: "admin#hcb_codes"
       get "bank_fees", to: "admin#bank_fees"

diff --git a/tailwind.config.js b/tailwind.config.js
@@ -56,6 +56,7 @@ module.exports = {
       },
       colors: {
         slate: '#3c4858',
+        steel: '#273444',
         smoke: '#e0e6ed',
         muted: '#8492a6',
         snow: '#f9fafc',