Block ability to remove allowed TLDs from the registrar console

This is a temporary measure until we implement access control for Support.

Once we implement access control, we will only block Support from removing TLDs
on production.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=222180321

java/google/registry/ui/server/registrar/RegistrarSettingsAction.java

@@ -29,6 +29,7 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Multimap;
+import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
 import com.google.common.flogger.FluentLogger;
 import google.registry.config.RegistryConfig.Config;
@@ -298,11 +299,19 @@ public class RegistrarSettingsAction implements Runnable, JsonActionRunner.JsonA
         RegistrarFormFields.ALLOWED_TLDS_FIELD.extractUntyped(args).orElse(ImmutableSet.of());
     if (!updatedAllowedTlds.equals(existingRegistrarObj.getAllowedTlds())) {
       // Only admin is allowed to update allowed TLDs
-      if (roles.contains(Role.ADMIN)) {
-        builder.setAllowedTlds(updatedAllowedTlds);
-      } else {
+      if (!roles.contains(Role.ADMIN)) {
         throw new ForbiddenException("Only admin can update allowed TLDs.");
       }
+      // Temporarily block anyone from removing an allowed TLD.
+      // This is so we can start having Support users use the console in production before we finish
+      // implementing configurable access control.
+      // TODO(b/119549884): remove this code once configurable access control is implemented.
+      Set<String> removedTlds =
+          Sets.difference(existingRegistrarObj.getAllowedTlds(), updatedAllowedTlds);
+      if (!removedTlds.isEmpty()) {
+        throw new ForbiddenException("Can't remove allowed TLDs using the console.");
+      }
+      builder.setAllowedTlds(updatedAllowedTlds);
     }
   }
 

javatests/google/registry/ui/server/registrar/RegistrarSettingsActionTest.java

@@ -302,7 +302,7 @@ public class RegistrarSettingsActionTest extends RegistrarSettingsActionTestCase
     setUserAdmin();
     doTestUpdate(
         Registrar::getAllowedTlds,
-        ImmutableSet.of("newtld"),
+        ImmutableSet.of("newtld", "currenttld"),
         (builder, s) -> builder.setAllowedTlds(s));
     assertMetric(CLIENT_ID, "update", "[ADMIN]", "SUCCESS");
   }
@@ -340,7 +340,7 @@ public class RegistrarSettingsActionTest extends RegistrarSettingsActionTestCase
                 ImmutableMap.of(
                     "lastUpdateTime", getLastUpdateTime(),
                     "emailAddress", "abc@def.com",
-                    "allowedTlds", ImmutableList.of("invalidtld"))));
+                    "allowedTlds", ImmutableList.of("invalidtld", "currenttld"))));
     assertThat(response)
         .containsExactly(
             "status", "ERROR",
@@ -350,6 +350,28 @@ public class RegistrarSettingsActionTest extends RegistrarSettingsActionTestCase
     assertNoTasksEnqueued("sheet");
   }
 
+  @Test
+  public void testUpdate_allowedTlds_failedWhenRemovingTld() {
+    setUserAdmin();
+    Map<String, Object> response =
+        action.handleJsonRequest(
+            ImmutableMap.of(
+                "op", "update",
+                "id", CLIENT_ID,
+                "args",
+                ImmutableMap.of(
+                    "lastUpdateTime", getLastUpdateTime(),
+                    "emailAddress", "abc@def.com",
+                    "allowedTlds", ImmutableList.of("newTld"))));
+    assertThat(response)
+        .containsExactly(
+            "status", "ERROR",
+            "results", ImmutableList.of(),
+            "message", "Can't remove allowed TLDs using the console.");
+    assertMetric(CLIENT_ID, "update", "[ADMIN]", "ERROR: ForbiddenException");
+    assertNoTasksEnqueued("sheet");
+  }
+
   @Test
   public void testUpdate_allowedTlds_noChange_successWhenUserIsNotAdmin() {
     Map<String, Object> response =