diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index 975d3cab5..c4b66e411 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -56,6 +56,15 @@ class Epp::SessionsController < EppController
 success = false
 end
+ if success && @api_user.cannot?(:create, :epp_login)
+ epp_errors << {
+ msg: 'Authentication error; server closing connection (API user does not have epp role)',
+ code: '2501'
+ }
+
+ success = false
+ end
+
 if success && !ip_white?
 epp_errors << {
 msg: 'Authentication error; server closing connection (IP is not whitelisted)',
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index a2310a0d1..03d440514 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -71,7 +71,7 @@ class Registrar::SessionsController < Devise::SessionsController
 redirect_to :back and return
 end
- if @api_user.can_make_api_calls?
+ if @api_user.can(:create, :epp_login)
 unless @api_user.registrar.api_ip_white?(request.ip)
 flash[:alert] = I18n.t(:ip_is_not_whitelisted)
 redirect_to :back and return
diff --git a/app/controllers/registrar_controller.rb b/app/controllers/registrar_controller.rb
index ba165da07..47d43a794 100644
--- a/app/controllers/registrar_controller.rb
+++ b/app/controllers/registrar_controller.rb
@@ -21,7 +21,7 @@ class RegistrarController < ApplicationController
 riw = current_user.registrar.registrar_ip_white?(request.ip)
 aiw = true
- if current_user.can_make_api_calls?
+ if current_user.can?(:create, :epp_request)
 aiw = current_user.registrar.api_ip_white?(request.ip)
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 0fcd87d6b..a9efb046b 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
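Review bot: `if @api_user.can(:create, :epp_login)` in registrar/sessions_controller.rb calls `can`, not CanCan's `can?` predicate, while the sibling hunks in epp/sessions_controller.rb and registrar_controller.rb use `cannot?`/`can?`. Unless ApiUser defines a `can` method of its own (not visible in this diff), this raises NoMethodError at sign-in; and should it resolve to something falsy, the whole branch, including the `api_ip_white?` check it guards, is skipped and the IP whitelist is silently not enforced. Change it to `if @api_user.can?(:create, :epp_login)`. The enclosing method continues outside the hunk.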
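Review bot: `current_user.can?(:create, :epp_request)` in registrar_controller.rb checks a singular symbol, while ability.rb in this same commit grants `can(:create, :epp_requests)`; no rule for `:epp_request` is visible, so the condition is false for every user, `aiw` keeps its default `true`, and `api_ip_white?` is never consulted here — the check fails open. Use `if current_user.can?(:create, :epp_requests)`. Note also that this controller keys on `:epp_requests` while both sessions controllers key on `:epp_login`, which the billing role now holds without `:epp_requests`, so it is worth deciding whether one ability should gate the IP check everywhere. The enclosing method starts and ends outside the hunk.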
@@ -24,7 +24,77 @@ class Ability
 can :create, :registrant_domain_update_confirm
 end
+ #
+ # User roles
+ #
+
+ def super # Registrar/api_user dynamic role
+ static_registrar
+ static_epp
+ billing
+ end
+
+ def epp # Registrar/api_user dynamic role
+ static_registrar
+ static_epp
+ end
+
+ def billing # Registrar/api_user dynamic role
+ can :view, :registrar_dashboard
+ can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id }
+ can :manage, :deposit
+ can :read, AccountActivity
+ static_epp_login # billing can establis epp connection in order to login
+ end
+
+ def customer_service # Admin/admin_user dynamic role
+ user
+ can :manage, Domain
+ can :manage, Contact
+ can :manage, Registrar
+ end
+
+ def admin # Admin/admin_user dynamic role
+ customer_service
+ can :manage, Setting
+ can :manage, BlockedDomain
+ can :manage, ReservedDomain
+ can :manage, ZonefileSetting
+ can :manage, DomainVersion
+ can :manage, Pricelist
+ can :manage, User
+ can :manage, ApiUser
+ can :manage, AdminUser
+ can :manage, Certificate
+ can :manage, Keyrelay
+ can :manage, LegalDocument
+ can :manage, BankStatement
+ can :manage, BankTransaction
+ can :manage, Invoice
+ can :manage, WhiteIp
+ can :read, ApiLog::EppLog
+ can :read, ApiLog::ReppLog
+ can :update, :pending
+ can :destroy, :pending
+ can :create, :zonefile
+ can :access, :settings_menu
+ end
+
+ #
+ # Static roles, linked from dynamic roles
+ #
+ def static_epp_login
+ can(:create, :epp_login)
+ end
+
 def static_epp
+ # REPP
+ can(:manage, :repp)
+
+ # EPP
+ static_epp_login
+ can(:create, :epp_requests)
+
 # Epp::Domain
 can(:info, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
 can(:check, Epp::Domain)
@@ -45,8 +115,6 @@ class Ability
 can(:renew, Epp::Contact)
 can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
- # REPP
- can(:manage, :repp)
 end
 def static_registrar
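Review bot: `can(:create, :epp_requests)` in static_epp introduces an ability that nothing in this commit queries under that name — the only lookup, in registrar_controller.rb, asks for `:epp_request` — so the diff does not show where EPP commands issued after login are gated by it; a comment naming the enforcing check, e.g. `# queried by: TODO name the controller action`, would make the split between login and request permissions auditable. Adding `static_epp_login` to `billing` widens that role to opening EPP sessions, and the 2501 message in epp/sessions_controller.rb ('API user does not have epp role') no longer matches what the check actually tests. The inline comment also has a typo; I would write it as `static_epp_login # billing can establish an EPP connection in order to log in`, and add a sentence on what billing may do once connected.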
@@ -73,62 +141,11 @@ class Ability
 can :show, :dashboard
 end
- # Registrar/api_user dynamic role
- def super
- static_registrar
- billing
- epp
- end
- # Registrar/api_user dynamic role
- def epp
- static_registrar
- static_epp
- end
- # Registrar/api_user dynamic role
- def billing
- can :view, :registrar_dashboard
- can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id }
- can :manage, :deposit
- can :read, AccountActivity
- end
-
- # Admin/admin_user dynamic role
- def customer_service
- user
- can :manage, Domain
- can :manage, Contact
- can :manage, Registrar
- end
-
- # Admin/admin_user dynamic role
- def admin
- customer_service
- can :manage, Setting
- can :manage, BlockedDomain
- can :manage, ReservedDomain
- can :manage, ZonefileSetting
- can :manage, DomainVersion
- can :manage, Pricelist
- can :manage, User
- can :manage, ApiUser
- can :manage, AdminUser
- can :manage, Certificate
- can :manage, Keyrelay
- can :manage, LegalDocument
- can :manage, BankStatement
- can :manage, BankTransaction
- can :manage, Invoice
- can :manage, WhiteIp
- can :read, ApiLog::EppLog
- can :read, ApiLog::ReppLog
- can :update, :pending
- can :destroy, :pending
- can :create, :zonefile
- can :access, :settings_menu
- end
 # rubocop: enable Metrics/LineLength
 # rubocop: enable Metrics/CyclomaticComplexity
 # rubocop: enable Metrics/PerceivedComplexity
+
+
 end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 51c4da606..260441620 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -58,10 +58,6 @@ class ApiUser < User
 @registrar_typeahead || registrar || nil
 end
- def can_make_api_calls?
- ([SUPER, EPP] & roles).any?
- end
-
 def to_s
 username
 end