Allow to update own contact without password

2025-05-19 02:39:37 +02:00 · 2015-05-04 11:47:06 +03:00 · 2015-05-04 11:47:06 +03:00 · 430f3e3e58
commit 430f3e3e58
parent 8cc03774ff
4 changed files with 44 additions and 12 deletions
--- a/app/controllers/epp/contacts_controller.rb
+++ b/app/controllers/epp/contacts_controller.rb
@ -117,7 +117,7 @@ class Epp::ContactsController < EppController
    contact_org_disabled
    fax_disabled
    status_editing_disabled
-    requires 'id', 'authInfo > pw'
+    requires 'id'
    @prefix = nil
  end

--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -36,7 +36,7 @@ class Ability
    can(:view_full_info, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
    can(:check,  Epp::Contact)
    can(:create, Epp::Contact)
-    can(:update, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw }
+    can(:update, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
    can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
    can(:renew,  Epp::Contact)
    can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
--- a/app/models/epp/contact.rb
+++ b/app/models/epp/contact.rb
@ -23,7 +23,6 @@ class Epp::Contact < Contact
        at[:street]       = nil if f.css('postalInfo addr street').present?
        at[:state]        = nil if f.css('postalInfo addr sp').present?
        at[:country_code] = nil if f.css('postalInfo addr cc').present?
-        at[:auth_info]    = nil if f.css('authInfo pw').present? 
      else
        at[:name]       = f.css('postalInfo name').text        if f.css('postalInfo name').present? 
        at[:org_name]   = f.css('postalInfo org').text         if f.css('postalInfo org').present? 
--- a/spec/epp/contact_spec.rb
+++ b/spec/epp/contact_spec.rb
@ -231,10 +231,7 @@ describe 'EPP Contact', epp: true do
        response[:results][1][:msg].should ==
          'Required parameter missing: update > update > id [id]'
        response[:results][1][:result_code].should == '2003'
-        response[:results][2][:msg].should ==
-          'Required parameter missing: update > update > authInfo > pw [pw]'
-        response[:results][2][:result_code].should == '2003'
-        response[:results].count.should == 3
+        response[:results].count.should == 2
      end

      it 'returns error if obj doesnt exist' do
@ -253,11 +250,47 @@ describe 'EPP Contact', epp: true do
        @contact.email.should == 'edited@example.example'
      end

-      it 'fails with wrong authentication info' do
+      it 'is succesful for own contact without password' do
+        without_password = {
+          id: { value: 'sh8013' },
+          chg: {
+            postalInfo: {
+              name: { value: 'John Doe Edited' }
+            }
+          }
+        }
+        update_xml = @epp_xml.update(without_password)
+        response = epp_plain_request(update_xml, :xml)
+
+        response[:msg].should == 'Command completed successfully'
+        @contact.reload
+        @contact.name.should  == 'John Doe Edited'
+      end
+
+      it 'should update other contact with correct password' do
        login_as :registrar2 do
          response = update_request({ id: { value: 'sh8013' } })
+          response[:msg].should == 'Command completed successfully'
+          response[:result_code].should == '1000'
+        end
+      end
+
+      it 'should not update other contact without password' do
+        login_as :registrar2 do
+          without_password = {
+            id: { value: 'sh8013' },
+            chg: {
+              postalInfo: {
+                name: { value: 'John Doe Edited' }
+              }
+            }
+          }
+          update_xml = @epp_xml.update(without_password)
+          response = epp_plain_request(update_xml, :xml)
+
          response[:msg].should == 'Authorization error'
-          response[:result_code].should == '2201'
+          @contact.reload
+          @contact.name.should  == 'John Doe Edited'
        end
      end

@ -519,7 +552,7 @@ describe 'EPP Contact', epp: true do
        contact.update_attribute(:phone, '+372.7654321') # restore default value
      end

-      it 'should return authorization error when removing auth info' do
+      it 'should not remove password' do
        xml = @epp_xml.update({
          id: { value: 'sh8013' },
          authInfo: { pw: { value: 'password' } },
@ -529,8 +562,8 @@ describe 'EPP Contact', epp: true do
        })

        response = epp_plain_request(xml, :xml)
-        response[:results][0][:msg].should == 'Authorization error'
-        response[:results][0][:result_code].should == '2201'
+        response[:results][0][:msg].should == 'Command completed successfully'
+        response[:results][0][:result_code].should == '1000'

        contact = Contact.find_by(code: 'sh8013')
        contact.auth_info.should == 'password'