Do not allow foreign domain renew #2629

app/controllers/epp/domains_controller.rb

@@ -77,7 +77,7 @@ class Epp::DomainsController < EppController
   end
 
   def renew
-    authorize! :renew, Epp::Domain
+    authorize! :renew, @domain
 
     handle_errors(@domain) and return unless @domain.renew(
       params[:parsed_frame].css('curExpDate').text,

app/models/ability.rb

@@ -28,7 +28,7 @@ class Ability
     can(:info,     Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
     can(:check,    Epp::Domain)
     can(:create,   Epp::Domain)
-    can(:renew,    Epp::Domain)
+    can(:renew,    Epp::Domain) { |d| d.registrar_id == @user.registrar_id }
     can(:update,   Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
     can(:transfer, Epp::Domain) { |d, pw| d.auth_info == pw }
     can(:view_password, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }

spec/epp/domain_spec.rb

@@ -1993,6 +1993,21 @@ describe 'EPP Domain', epp: true do
       response[:results][0][:value].should == '4'
     end
 
+    it 'does not renew foreign domain' do
+      login_as :registrar2 do
+        exp_date = 1.year.since.to_date
+        xml = @epp_xml.domain.renew(
+          name: { value: domain.name },
+          curExpDate: { value: exp_date.to_s },
+          period: { value: '1', attrs: { unit: 'y' } }
+        )
+
+        response = epp_plain_request(xml)
+        response[:results][0][:msg].should == 'Authorization error'
+        response[:results][0][:result_code].should == '2201'
+      end
+    end
+
     ### INFO ###
     it 'returns domain info' do
       domain.domain_statuses.build(value: DomainStatus::CLIENT_HOLD, description: 'Payment overdue.')