Updated contact commands authorization

2025-05-19 02:39:37 +02:00 · 2014-09-01 11:48:07 +03:00 · 2014-09-01 11:48:07 +03:00 · 13dad4cfcb
commit 13dad4cfcb
parent a9df2c82b1
2 changed files with 15 additions and 7 deletions
--- a/app/helpers/epp/contacts_helper.rb
+++ b/app/helpers/epp/contacts_helper.rb
@ -10,7 +10,7 @@ module Epp::ContactsHelper
    # FIXME: Update returns 2303 update multiple times
    code = params_hash['epp']['command']['update']['update'][:id]
    @contact = Contact.where(code: code).first
-    if rights? && stamp(@contact) && @contact.update_attributes(contact_and_address_attributes(:update))
+    if owner? && stamp(@contact) && @contact.update_attributes(contact_and_address_attributes(:update))
      render 'epp/contacts/update'
    else
      contact_exists?(code)
@ -21,6 +21,7 @@ module Epp::ContactsHelper
  def delete_contact
    Contact.transaction do
      @contact = find_contact
+      handle_errors(@contact) and return unless owner?
      handle_errors(@contact) and return unless @contact
      handle_errors(@contact) and return unless @contact.destroy_and_clean

@ -111,8 +112,15 @@ module Epp::ContactsHelper
    contact
  end

+  def owner?
+    return false unless find_contact
+    return true if current_epp_user.registrar == find_contact.created_by.try(:registrar)
+    epp_errors << { code: '2201', msg: t('errors.messages.epp_authorization_error') }
+    false
+  end
+
  def rights?
-    pw = @ph.try(:[], :authInfo).try(:[], :pw) || @ph.try(:[], :chg).try(:[], :authInfo).try(:[], :pw) || []
+    pw = @ph.try(:[], :authInfo).try(:[], :pw)

    return true if  !find_contact.nil? && find_contact.auth_info_matches(pw)

--- a/spec/epp/contact_spec.rb
+++ b/spec/epp/contact_spec.rb
@ -102,7 +102,7 @@ describe 'EPP Contact', epp: true do
      end

      it 'stamps updated_by succesfully' do
-        Fabricate(:contact, code: 'sh8013')
+        Fabricate(:contact, code: 'sh8013', created_by_id: EppUser.first.id)

        expect(Contact.first.updated_by_id).to be nil

@ -135,8 +135,8 @@ describe 'EPP Contact', epp: true do
      end

      it 'updates disclosure items' do
-        Fabricate(:contact, code: 'sh8013', auth_info: '2fooBAR',
-                  disclosure: Fabricate(:contact_disclosure, phone:true, email:true))
+        Fabricate(:contact, code: 'sh8013', auth_info: '2fooBAR', created_by_id: EppUser.first.id,
+                  disclosure: Fabricate(:contact_disclosure, phone: true, email: true))
        epp_request('contacts/update.xml')

        expect(Contact.last.disclosure.phone).to eq(false)
@ -155,7 +155,7 @@ describe 'EPP Contact', epp: true do
      end

      it 'deletes contact' do
-        Fabricate(:contact, code: 'dwa1234')
+        Fabricate(:contact, code: 'dwa1234', created_by_id: EppUser.first.id)
        response = epp_request('contacts/delete.xml')
        expect(response[:result_code]).to eq('1000')
        expect(response[:msg]).to eq('Command completed successfully')
@ -171,7 +171,7 @@ describe 'EPP Contact', epp: true do
      end

      it 'fails if contact has associated domain' do
-        Fabricate(:domain, owner_contact: Fabricate(:contact, code: 'dwa1234'))
+        Fabricate(:domain, owner_contact: Fabricate(:contact, code: 'dwa1234', created_by_id: EppUser.first.id))
        expect(Domain.first.owner_contact.address.present?).to be true
        response = epp_request('contacts/delete.xml')