Updated contact commands authorization

app/helpers/epp/contacts_helper.rb

@@ -10,7 +10,7 @@ module Epp::ContactsHelper
     # FIXME: Update returns 2303 update multiple times
     code = params_hash['epp']['command']['update']['update'][:id]
     @contact = Contact.where(code: code).first
-    if rights? && stamp(@contact) && @contact.update_attributes(contact_and_address_attributes(:update))
+    if owner? && stamp(@contact) && @contact.update_attributes(contact_and_address_attributes(:update))
       render 'epp/contacts/update'
     else
       contact_exists?(code)
@@ -21,6 +21,7 @@ module Epp::ContactsHelper
   def delete_contact
     Contact.transaction do
       @contact = find_contact
+      handle_errors(@contact) and return unless owner?
       handle_errors(@contact) and return unless @contact
       handle_errors(@contact) and return unless @contact.destroy_and_clean
 
@@ -111,8 +112,15 @@ module Epp::ContactsHelper
     contact
   end
 
+  def owner?
+    return false unless find_contact
+    return true if current_epp_user.registrar == find_contact.created_by.try(:registrar)
+    epp_errors << { code: '2201', msg: t('errors.messages.epp_authorization_error') }
+    false
+  end
+
   def rights?
-    pw = @ph.try(:[], :authInfo).try(:[], :pw) || @ph.try(:[], :chg).try(:[], :authInfo).try(:[], :pw) || []
+    pw = @ph.try(:[], :authInfo).try(:[], :pw)
 
     return true if  !find_contact.nil? && find_contact.auth_info_matches(pw)
 

spec/epp/contact_spec.rb

@@ -102,7 +102,7 @@ describe 'EPP Contact', epp: true do
       end
 
       it 'stamps updated_by succesfully' do
-        Fabricate(:contact, code: 'sh8013')
+        Fabricate(:contact, code: 'sh8013', created_by_id: EppUser.first.id)
 
         expect(Contact.first.updated_by_id).to be nil
 
@@ -135,8 +135,8 @@ describe 'EPP Contact', epp: true do
       end
 
       it 'updates disclosure items' do
-        Fabricate(:contact, code: 'sh8013', auth_info: '2fooBAR',
+        Fabricate(:contact, code: 'sh8013', auth_info: '2fooBAR', created_by_id: EppUser.first.id,
-                  disclosure: Fabricate(:contact_disclosure, phone:true, email:true))
+                  disclosure: Fabricate(:contact_disclosure, phone: true, email: true))
         epp_request('contacts/update.xml')
 
         expect(Contact.last.disclosure.phone).to eq(false)
@@ -155,7 +155,7 @@ describe 'EPP Contact', epp: true do
       end
 
       it 'deletes contact' do
-        Fabricate(:contact, code: 'dwa1234')
+        Fabricate(:contact, code: 'dwa1234', created_by_id: EppUser.first.id)
         response = epp_request('contacts/delete.xml')
         expect(response[:result_code]).to eq('1000')
         expect(response[:msg]).to eq('Command completed successfully')
@@ -171,7 +171,7 @@ describe 'EPP Contact', epp: true do
       end
 
       it 'fails if contact has associated domain' do
-        Fabricate(:domain, owner_contact: Fabricate(:contact, code: 'dwa1234'))
+        Fabricate(:domain, owner_contact: Fabricate(:contact, code: 'dwa1234', created_by_id: EppUser.first.id))
         expect(Domain.first.owner_contact.address.present?).to be true
         response = epp_request('contacts/delete.xml')