diff --git a/app/api/repp/api.rb b/app/api/repp/api.rb
index 40472e781..13712f997 100644
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@@ -12,6 +12,10 @@ module Repp
         error! I18n.t('ip_is_not_whitelisted'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
       end
+      if @current_user.cannot?(:view, :repp)
+        error! I18n.t('no_permission'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
+      end
+
       next if Rails.env.test? || Rails.env.development?
       message = 'Certificate mismatch! Cert common name should be:'
       request_name = env['HTTP_SSL_CLIENT_S_DN_CN']
@@ -22,7 +26,6 @@ module Repp
       else
         error! "#{message} #{@current_user.username}", 401 if @current_user.username != request_name
       end
-
     end
 
     helpers do
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 57f92334a..0fa45ac6e 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -35,7 +35,7 @@ class Registrar::SessionsController < Devise::SessionsController
       @api_user = ApiUser.find_by(username: params[:depp_user][:tag])
       if @api_user.active?
         sign_in @api_user
-        redirect_to registrar_root_url
+        redirect_to role_base_root_url(@api_user)
       else
         @depp_user.errors.add(:base, :not_active)
         render 'login'
@@ -52,7 +52,7 @@ class Registrar::SessionsController < Devise::SessionsController
 
     if @user
       sign_in(@user, event: :authentication)
-      redirect_to registrar_root_url
+      redirect_to role_base_root_url(@user)
     else
       flash[:alert] = t('no_such_user')
       redirect_to registrar_login_url
@@ -70,7 +70,7 @@ class Registrar::SessionsController < Devise::SessionsController
     if Rails.env.test? && phone == "123"
       @user = ApiUser.find_by(identity_code: "14212128025")
       sign_in(@user, event: :authentication)
-      return redirect_to registrar_root_url
+      return redirect_to role_base_root_url(@user)
     end
 
     # country_codes = {'+372' => 'EST'}
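Review bot: The new permission check is neutralised for whitelisted addresses: `error! I18n.t('no_permission'), 401` only fires `unless @current_user.registrar.api_ip_white?(request.ip)`, so a user who `cannot?(:view, :repp)` is still served when the request comes from a whitelisted IP, which looks like a copy of the whitelist line just above. Authorization should not depend on the source address; replace the three added lines with `error! I18n.t('no_permission'), 401 if @current_user.cannot?(:view, :repp)`. A 403 would describe a permission failure better than 401, although the surrounding code also uses 401 for the whitelist check. The enclosing block starts before the hunk.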
@@ -112,7 +112,7 @@ class Registrar::SessionsController < Devise::SessionsController
       sign_in @user
       flash[:notice] = t(:welcome)
       flash.keep(:notice)
-      render js: "window.location = '#{registrar_root_path}'"
+      render js: "window.location = '#{role_base_root_url(@user)}'"
     when 'NOT_VALID'
       render json: { message: t(:user_signature_is_invalid) }, status: :bad_request
     when 'EXPIRED_TRANSACTION'
@@ -149,4 +149,12 @@ class Registrar::SessionsController < Devise::SessionsController
     return if WhiteIp.registrar_ip_white?(request.ip)
     render text: t('ip_is_not_whitelisted') and return
   end
+
+  def role_base_root_url(user)
+    if user.try(:roles) == ['billing']
+      registrar_invoices_url
+    else
+      registrar_root_url
+    end
+  end
 end
diff --git a/app/controllers/registrar_controller.rb b/app/controllers/registrar_controller.rb
index 5ac47d06d..0bc56c356 100644
--- a/app/controllers/registrar_controller.rb
+++ b/app/controllers/registrar_controller.rb
@@ -16,7 +16,7 @@ class RegistrarController < ApplicationController
       sign_out(current_user)
       return
     end
-
+    return if Rails.env.development?
     return if current_user.registrar.registrar_ip_white?(request.ip)
     flash[:alert] = t('ip_is_not_whitelisted')
     sign_out(current_user)
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 04598ee1a..3d8a93eba 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -7,15 +7,13 @@ class Ability
     alias_action :show, to: :view
     alias_action :show, :create, :update, :destroy, to: :crud
 
-    @user = user || AdminUser.new
+    @user = user || User.new
     case @user.class.to_s
     when 'AdminUser'
       @user.roles.each { |role| send(role) } if @user.roles
     when 'ApiUser'
       @user.roles.each { |role| send(role) } if @user.roles
-      static_epp
-      static_registrar
     when 'RegistrantUser'
       static_registrant
     end
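Review bot: `role_base_root_url(@user)` is interpolated unescaped into a JavaScript string literal, and unlike the `registrar_root_path` it replaces, a `*_url` helper builds its host from the request (the Host header) unless `default_url_options[:host]` is configured, so request-derived data now lands inside inline script. Let the encoder do the quoting instead of wrapping the value in single quotes by hand, e.g. `render js: "window.location = #{role_base_root_url(@user).to_json}"`, or keep a path helper for this response. The enclosing `case` starts before the hunk.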
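Review bot: `user.try(:roles) == ['billing']` is an exact array comparison, so only a user whose roles are precisely `['billing']` is sent to invoices; a user holding billing together with another role goes to `registrar_root_url`. If that is the intent, record it above the method, `# Users whose only role is billing land on invoices; everyone else on the registrar dashboard`; if any billing role should count, use `Array(user.try(:roles)).include?('billing')`. The name reads more naturally as `role_based_root_url`. It is not visible whether the method sits below `private`; if it does not, it is exposed as a public method on the controller.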
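Review bot: `return if Rails.env.development?` skips the registrar IP whitelist in development, an environment-keyed bypass of an access check that deserves a comment stating why it exists, e.g. `# The IP whitelist is not enforced in development`. The added line also takes the place of the blank line that separated the two guards, so a blank line should be restored above it. The REPP API in the same commit skips its certificate check in test as well as development, so it is worth deciding deliberately whether this guard should match. The enclosing method starts before the hunk.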
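Review bot: Removing `static_epp` and `static_registrar` from the `'ApiUser'` branch means an ApiUser whose `roles` is nil or empty now receives no abilities at all, where it previously got the EPP and registrar rules; with `cannot?(:view, :repp)` now enforced in the REPP API, any existing ApiUser row without a role would lose API access, which is worth confirming against the data before deploying. A comment on the branch would make the new contract explicit, `# ApiUser abilities come only from roles (super/epp/billing)`. `User.new` as the anonymous fallback matches no `when` branch, so an anonymous caller gets no rules, which is stricter than before and appears intended. `initialize` starts before the hunk.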
@@ -45,10 +43,12 @@ class Ability
     can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
     can(:renew, Epp::Contact)
     can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
+
+    # REPP
+    can(:manage, :repp)
   end
 
   def static_registrar
-    can :read, AccountActivity
     can :manage, Nameserver
     can :view, :registrar_dashboard
     can :delete, :registrar_poll
@@ -60,7 +60,6 @@ class Ability
     can :manage, Depp::Keyrelay
     can :confirm, :keyrelay
     can :confirm, :transfer
-    can :manage, :deposit
   end
 
   def static_registrant
@@ -68,33 +67,32 @@ class Ability
     can :manage, Depp::Domain
   end
 
-  def static_billing
-    can :manage, Invoice
-  end
-
   def user
     can :show, :dashboard
   end
 
-  # api_user dynamic role
+  # Registrar/api_user dynamic role
   def super
-    static_epp
     static_registrar
+    billing
+    epp
   end
 
-  # api_user dynamic role
+  # Registrar/api_user dynamic role
   def epp
+    static_registrar
     static_epp
-    static_registrar
   end
 
-  # api_user dynamic role
+  # Registrar/api_user dynamic role
   def billing
-    static_registrar
-    static_billing
+    can :view, :registrar_dashboard
+    can :manage, Invoice
+    can :manage, :deposit
+    can :read, AccountActivity
   end
 
-  # admin dynamic role
+  # Admin/admin_user dynamic role
   def customer_service
     user
     can :manage, Domain
@@ -102,7 +100,7 @@ class Ability
     can :manage, Registrar
   end
 
-  # admin dynamic role
+  # Admin/admin_user dynamic role
   def admin
     customer_service
     can :manage, Setting
diff --git a/config/locales/en.yml b/config/locales/en.yml
index c3bd4256e..0e5bdfc56 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -796,3 +796,4 @@ en:
   registrant_domain_verification_rejected: 'Domain owner change has been rejected successfully.'
   registrant_domain_verification_rejected_failed: 'Something went wrong'
   ip_is_not_whitelisted: 'IP is not whitelisted'
+  no_permission: 'No permission'
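Review bot: The `# REPP` comment above `can(:manage, :repp)` says nothing about why the rule exists; `:manage` covers every action on the `:repp` subject, and it is what makes the new `cannot?(:view, :repp)` check in app/api/repp/api.rb pass for `epp` and `super` users, so record that link: `# REPP: :manage covers :view, which app/api/repp/api.rb checks before serving a request`. Because the rule lives in `static_epp`, a billing-only user is refused by the REPP API, which looks intended but should be stated somewhere a maintainer will find it.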
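Review bot: `super` now calls `static_registrar`, `billing` and `epp`, but `epp` itself calls `static_registrar`, so the explicit call in `super` is redundant and the body can be just `billing` followed by `epp`. The updated comments name the user type each role belongs to but not what it grants; since these methods are reached through `send(role)` with role names stored on the user, a one-line summary per role helps, e.g. `# billing: registrar dashboard view plus invoices, deposits and account activity`. Note that `billing` now grants `:view, :registrar_dashboard` itself while `static_registrar` still does too, so a super user receives that rule twice, which CanCan tolerates but which suggests the dashboard rule belongs in one place.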