Restrict contact info commands to owning registrars

Superuser can also execute contact info commands. AuthInfo is no longer checked in the input and always displayed in the output as the only ones who can get a response are the sponsoring registrar and super user. Also corrected a Javadoc in which '@' should have been escaped (see https://reflectoring.io/howto-format-code-snippets-in-javadoc/) ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=199521153
2025-06-06 04:27:27 +02:00 · 2018-06-06 13:40:24 -07:00 · 2018-06-06 13:40:24 -07:00 · 27fce55654
commit 27fce55654
parent 19f58f5557
3 changed files with 49 additions and 23 deletions
--- a/java/google/registry/flows/contact/ContactInfoFlow.java
+++ b/java/google/registry/flows/contact/ContactInfoFlow.java
@ -16,7 +16,7 @@ package google.registry.flows.contact;

 import static google.registry.flows.FlowUtils.validateClientIsLoggedIn;
 import static google.registry.flows.ResourceFlowUtils.loadAndVerifyExistence;
-import static google.registry.flows.ResourceFlowUtils.verifyOptionalAuthInfo;
+import static google.registry.flows.ResourceFlowUtils.verifyResourceOwnership;
 import static google.registry.model.EppResourceUtils.isLinked;

 import com.google.common.collect.ImmutableSet;
@ -25,6 +25,7 @@ import google.registry.flows.EppException;
 import google.registry.flows.ExtensionManager;
 import google.registry.flows.Flow;
 import google.registry.flows.FlowModule.ClientId;
+import google.registry.flows.FlowModule.Superuser;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.annotations.ReportingSpec;
 import google.registry.model.contact.ContactInfoData;
@ -47,6 +48,7 @@ import org.joda.time.DateTime;
 * visible to the registrar that owns the contact or to a registrar that already supplied it.
 *
 * @error {@link google.registry.flows.ResourceFlowUtils.ResourceDoesNotExistException}
+ * @error {@link google.registry.flows.ResourceFlowUtils.ResourceNotOwnedException}
 */
@ReportingSpec(ActivityReportField.CONTACT_INFO)
 public final class ContactInfoFlow implements Flow {
@ -56,16 +58,21 @@ public final class ContactInfoFlow implements Flow {
  @Inject @ClientId String clientId;
  @Inject @TargetId String targetId;
  @Inject Optional<AuthInfo> authInfo;
+  @Inject @Superuser boolean isSuperuser;
  @Inject EppResponse.Builder responseBuilder;
-  @Inject ContactInfoFlow() {}
+
+  @Inject
+  ContactInfoFlow() {}

  @Override
  public final EppResponse run() throws EppException {
    DateTime now = clock.nowUtc();
-    extensionManager.validate();  // There are no legal extensions for this flow.
+    extensionManager.validate(); // There are no legal extensions for this flow.
    validateClientIsLoggedIn(clientId);
    ContactResource contact = loadAndVerifyExistence(ContactResource.class, targetId, now);
-    verifyOptionalAuthInfo(authInfo, contact);
+    if (!isSuperuser) {
+      verifyResourceOwnership(clientId, contact);
+    }
    boolean includeAuthInfo =
        clientId.equals(contact.getCurrentSponsorClientId()) || authInfo.isPresent();
    ImmutableSet.Builder<StatusValue> statusValues = new ImmutableSet.Builder<>();
@ -74,23 +81,24 @@ public final class ContactInfoFlow implements Flow {
      statusValues.add(StatusValue.LINKED);
    }
    return responseBuilder
-        .setResData(ContactInfoData.newBuilder()
-            .setContactId(contact.getContactId())
-            .setRepoId(contact.getRepoId())
-            .setStatusValues(statusValues.build())
-            .setPostalInfos(contact.getPostalInfosAsList())
-            .setVoiceNumber(contact.getVoiceNumber())
-            .setFaxNumber(contact.getFaxNumber())
-            .setEmailAddress(contact.getEmailAddress())
-            .setCurrentSponsorClientId(contact.getCurrentSponsorClientId())
-            .setCreationClientId(contact.getCreationClientId())
-            .setCreationTime(contact.getCreationTime())
-            .setLastEppUpdateClientId(contact.getLastEppUpdateClientId())
-            .setLastEppUpdateTime(contact.getLastEppUpdateTime())
-            .setLastTransferTime(contact.getLastTransferTime())
-            .setAuthInfo(includeAuthInfo ? contact.getAuthInfo() : null)
-            .setDisclose(contact.getDisclose())
-            .build())
+        .setResData(
+            ContactInfoData.newBuilder()
+                .setContactId(contact.getContactId())
+                .setRepoId(contact.getRepoId())
+                .setStatusValues(statusValues.build())
+                .setPostalInfos(contact.getPostalInfosAsList())
+                .setVoiceNumber(contact.getVoiceNumber())
+                .setFaxNumber(contact.getFaxNumber())
+                .setEmailAddress(contact.getEmailAddress())
+                .setCurrentSponsorClientId(contact.getCurrentSponsorClientId())
+                .setCreationClientId(contact.getCreationClientId())
+                .setCreationTime(contact.getCreationTime())
+                .setLastEppUpdateClientId(contact.getLastEppUpdateClientId())
+                .setLastEppUpdateTime(contact.getLastEppUpdateTime())
+                .setLastTransferTime(contact.getLastTransferTime())
+                .setAuthInfo(includeAuthInfo ? contact.getAuthInfo() : null)
+                .setDisclose(contact.getDisclose())
+                .build())
        .build();
  }
 }