From 1333a4ffe4043b984b2c03167bf85365c2769071 Mon Sep 17 00:00:00 2001 From: Martin Lensment Date: Thu, 2 Apr 2015 12:23:05 +0300 Subject: [PATCH] Allow registrar to see other registrars domains --- app/models/ability.rb | 3 ++- app/views/epp/domains/info.xml.builder | 6 ++++-- spec/epp/domain_spec.rb | 27 +++++++++++++++++++++++++- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/app/models/ability.rb b/app/models/ability.rb index 9098cb4e2..0d3dec170 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -22,12 +22,13 @@ class Ability # rubocop: disable Metrics/LineLength def epp # Epp::Domain - can(:info, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw } + can(:info, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw } can(:check, Epp::Domain) can(:create, Epp::Domain) can(:renew, Epp::Domain) can(:update, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw } can(:transfer, Epp::Domain) { |d, pw| d.auth_info == pw } + can(:view_password, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw } # Epp::Contact can(:info, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || pw.blank? ? true : c.auth_info == pw } diff --git a/app/views/epp/domains/info.xml.builder b/app/views/epp/domains/info.xml.builder index 0e323adf2..70d1e46ad 100644 --- a/app/views/epp/domains/info.xml.builder +++ b/app/views/epp/domains/info.xml.builder @@ -52,8 +52,10 @@ xml.epp_head do # TODO Make domain transferrable #xml.tag!('domain:trDate', @domain.transferred_at) if @domain.transferred_at - xml.tag!('domain:authInfo') do - xml.tag!('domain:pw', @domain.auth_info) + if can? :view_password, @domain, @password + xml.tag!('domain:authInfo') do + xml.tag!('domain:pw', @domain.auth_info) + end end end end diff --git a/spec/epp/domain_spec.rb b/spec/epp/domain_spec.rb index 14e9a9111..366294e97 100644 
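Review bot: The new `:view_password` rule falls back to `d.auth_info == pw`, which is also true when both sides are nil or empty, so a request that carries no authInfo matches a domain with no stored password. Requiring a supplied value, `d.registrar_id == @user.registrar_id || (pw.present? && d.auth_info == pw)`, keeps the disclosure check from passing on absent credentials. On the rewritten `:info` line, the mix of `||` and `? :` gives the intended result only because `||` binds tighter than the ternary. Writing it as `d.registrar_id == @user.registrar_id || pw.blank? || d.auth_info == pw` says the same thing without relying on precedence. The body of `epp` continues outside the hunk.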
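Review bot: Only `domain:authInfo` is gated in this template, while the same commit lets any logged-in registrar pass `:info` by omitting the password, so every other element rendered here is now returned to non-sponsoring registrars. The rest of the template is outside the hunk, so it is worth confirming that nothing else in it (contacts, registrant, DNSSEC data) was relying on the old `:info` restriction. `@password` is assigned outside this diff, presumably in the controller, and it should be the same value that was checked for `:info`. A comment above the condition would record the intent, for example `# authInfo is the transfer secret: render it only for the sponsoring registrar or a caller who already supplied it`.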
--- a/spec/epp/domain_spec.rb +++ b/spec/epp/domain_spec.rb @@ -1857,7 +1857,7 @@ describe 'EPP Domain', epp: true do inf_data.css('status').first[:s].should == 'ok' end - it 'can not see other registrar domains' do + it 'can not see other registrar domains with invalid password' do login_as :registrar2 do response = epp_plain_request(domain_info_xml(name: { value: domain.name }), :xml) response[:result_code].should == '2201' @@ -1865,6 +1865,31 @@ describe 'EPP Domain', epp: true do end end + it 'can see other registrar domains without password' do + login_as :registrar2 do + response = epp_plain_request(domain_info_xml( + name: { value: domain.name }, + authInfo: nil + ), :xml) + + response[:result_code].should == '1000' + response[:parsed].css('authInfo pw').first.should == nil + end + end + + it 'can see other registrar domains with correct password' do + login_as :registrar2 do + pw = domain.auth_info + response = epp_plain_request(domain_info_xml( + name: { value: domain.name }, + authInfo: { pw: { value: pw } } + ), :xml) + + response[:result_code].should == '1000' + response[:parsed].css('authInfo pw').text.should == pw + end + end + ### DELETE ### it 'deletes domain' do response = epp_plain_request(@epp_xml.domain.delete({