Check registrar existence prior to verifying access

This way the error messages are more sensible when a registrar doesn't exist (which realistically shouldn't happen in the typical case anyway). ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=240376239
2025-05-19 10:49:35 +02:00 · 2019-03-26 10:30:39 -07:00 · 2019-03-26 10:30:39 -07:00 · 4240be268a
commit 4240be268a
parent bb09f259b3
3 changed files with 6 additions and 8 deletions
--- a/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java
+++ b/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java
@ -220,16 +220,13 @@ public class AuthenticatedRegistrarAccessor {
   * @param clientId ID of the registrar we request
   */
  public Registrar getRegistrar(String clientId) throws RegistrarAccessDeniedException {
-    // Verify access before checking if the registrar exists, in order to not leak information
-    // about objects in the system the user doesn't have permissions on.
-    verifyAccess(clientId);
-
    Registrar registrar =
        Registrar.loadByClientId(clientId)
            .orElseThrow(
                () ->
                    new RegistrarAccessDeniedException(
-                        String.format("Registrar %s not found", clientId)));
+                        String.format("Registrar %s does not exist", clientId)));
+    verifyAccess(clientId);

    if (!clientId.equals(registrar.getClientId())) {
      logger.atSevere().log(
--- a/javatests/google/registry/request/auth/AuthenticatedRegistrarAccessorTest.java
+++ b/javatests/google/registry/request/auth/AuthenticatedRegistrarAccessorTest.java
@ -349,7 +349,7 @@ public class AuthenticatedRegistrarAccessorTest {
    expectGetRegistrarFailure(
        "BadClientId",
        GAE_ADMIN,
-        "admin admin@gmail.com doesn't have access to registrar BadClientId");
+        "Registrar BadClientId does not exist");
    verifyZeroInteractions(lazyGroupsConnection);
  }

--- a/javatests/google/registry/ui/server/registrar/OteStatusActionTest.java
+++ b/javatests/google/registry/ui/server/registrar/OteStatusActionTest.java
@ -113,14 +113,15 @@ public final class OteStatusActionTest {
  }

  @Test
-  public void testFailure_noRegistrar() {
+  public void testFailure_registrarDoesntExist() {
    assertThat(action.handleJsonRequest(ImmutableMap.of("clientId", "nonexistent-3")))
        .containsExactlyEntriesIn(
-            errorResultWithMessage("TestUserId doesn't have access to registrar nonexistent-3"));
+            errorResultWithMessage("Registrar nonexistent-3 does not exist"));
  }

  @Test
  public void testFailure_notAuthorized() {
+    persistNewRegistrar(CLIENT_ID, "blobio-1", Type.REAL, 1L);
    action.registrarAccessor =
        AuthenticatedRegistrarAccessor.createForTesting(ImmutableSetMultimap.of());
    assertThat(action.handleJsonRequest(ImmutableMap.of("clientId", CLIENT_ID)))