From 1db3486e654c8b50bc7c1ce3ea82d6e65608152e Mon Sep 17 00:00:00 2001
From: Martin Lensment
Date: Wed, 3 Jun 2015 15:14:52 +0300
Subject: [PATCH] Do not allow foreign domain renew #2629
---
app/controllers/epp/domains_controller.rb | 2 +-
app/models/ability.rb | 2 +-
spec/epp/domain_spec.rb | 15 +++++++++++++++
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/app/controllers/epp/domains_controller.rb b/app/controllers/epp/domains_controller.rb
index 94a077758..6ddab07a0 100644
--- a/app/controllers/epp/domains_controller.rb
+++ b/app/controllers/epp/domains_controller.rb
@@ -77,7 +77,7 @@ class Epp::DomainsController < EppController
end

def renew
- authorize! :renew, Epp::Domain
+ authorize! :renew, @domain
handle_errors(@domain) and return unless @domain.renew(
params[:parsed_frame].css('curExpDate').text,
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 067b89a37..79dcb991a 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -28,7 +28,7 @@ class Ability
can(:info, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
can(:check, Epp::Domain)
can(:create, Epp::Domain)
- can(:renew, Epp::Domain)
+ can(:renew, Epp::Domain) { |d| d.registrar_id == @user.registrar_id }
can(:update, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
can(:transfer, Epp::Domain) { |d, pw| d.auth_info == pw }
can(:view_password, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
diff --git a/spec/epp/domain_spec.rb b/spec/epp/domain_spec.rb
index 73ba344ae..f14c79915 100644
--- a/spec/epp/domain_spec.rb
+++ b/spec/epp/domain_spec.rb
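Review bot: `authorize! :renew, @domain` now depends on `@domain` having been loaded before the action runs, and if the filter that sets it (outside this hunk) can leave it nil, CanCan finds no rule matching a nil subject and raises `AccessDenied`, so a renew of a name that does not exist would be answered with 2201 instead of the 2303 "object does not exist" result the EPP renew command prescribes; worth confirming the lookup halts the request first. Passing the record rather than the class is also what makes the new Ability block execute at all, and a why-comment would keep a later edit from reverting it: `# Authorize against the record, not Epp::Domain: the Ability rule's block only runs for an instance.` The `renew` method continues past the end of the hunk.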
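Review bot: The block on the new `can(:renew, Epp::Domain)` rule is evaluated only when `authorize!`/`can?` receives a domain instance; a subject of `Epp::Domain` itself, the form the controller used before this commit, matches the rule without running the block, so any remaining class-level call site is still allowed and the ownership check is silently bypassed there. If `registrar_id` can be nil on either the domain or the user, `nil == nil` also satisfies this predicate, as it does for the neighbouring `:info`, `:update` and `:view_password` rules — confirm the column is non-null or guard it with `d.registrar_id.present?`. A comment above the rule would record the first constraint: `# Instance-only check: callers must pass the Epp::Domain record; a class subject skips this block.`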
@@ -1993,6 +1993,21 @@ describe 'EPP Domain', epp: true do
response[:results][0][:value].should == '4'
end

+ it 'does not renew foreign domain' do
+ login_as :registrar2 do
+ exp_date = 1.year.since.to_date
+ xml = @epp_xml.domain.renew(
+ name: { value: domain.name },
+ curExpDate: { value: exp_date.to_s },
+ period: { value: '1', attrs: { unit: 'y' } }
+ )
+
+ response = epp_plain_request(xml)
+ response[:results][0][:msg].should == 'Authorization error'
+ response[:results][0][:result_code].should == '2201'
+ end
+ end
+
### INFO ###
it 'returns domain info' do
domain.domain_statuses.build(value: DomainStatus::CLIENT_HOLD, description: 'Payment overdue.')
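Review bot: The new example asserts only the response (`'Authorization error'` / `'2201'`) and never that the denied renew left the domain untouched, so a regression that extended the term and then still answered 2201 would pass. Wrapping the request pins the negative as well: `response = nil` followed by `expect { response = epp_plain_request(xml) }.to_not change { domain.reload.attributes }`. The `exp_date = 1.year.since.to_date` sent as curExpDate is presumably the fixture's real expiry date; if it is not, the example passes only because authorization runs before the date check, which deserves a one-line comment so a reordering of those checks does not make it fail for the wrong reason.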