Own contacts can be deleted without password

app/controllers/epp/contacts_controller.rb

@@ -123,7 +123,7 @@ class Epp::ContactsController < EppController
 
   def validate_delete
     @prefix = 'delete > delete >'
-    requires 'id', 'authInfo > pw'
+    requires 'id'
     @prefix = nil
   end
 

app/models/ability.rb

@@ -37,7 +37,7 @@ class Ability
     can(:check,  Epp::Contact)
     can(:create, Epp::Contact)
     can(:update, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw }
-    can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw }
+    can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
     can(:renew,  Epp::Contact)
     can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
   end

spec/epp/contact_spec.rb

@@ -588,10 +588,7 @@ describe 'EPP Contact', epp: true do
         response[:results][0][:msg].should ==
           'Required parameter missing: delete > delete > id [id]'
         response[:results][0][:result_code].should == '2003'
-        response[:results][1][:msg].should ==
+        response[:results].count.should == 1
-          'Required parameter missing: delete > delete > authInfo > pw [pw]'
-        response[:results][1][:result_code].should == '2003'
-        response[:results].count.should == 2
       end
 
       it 'returns error if obj doesnt exist' do
@@ -610,6 +607,25 @@ describe 'EPP Contact', epp: true do
         Contact.find_by_id(@contact.id).should == nil
       end
 
+      it 'deletes own contact even with wrong password' do
+        response = delete_request({ authInfo: { pw: { value: 'wrong password' } } })
+        response[:msg].should == 'Command completed successfully'
+        response[:result_code].should == '1000'
+        response[:clTRID].should == 'ABC-12345'
+
+        Contact.find_by_id(@contact.id).should == nil
+      end
+
+      it 'deletes own contact even without password' do
+        delete_xml = @epp_xml.delete({ id: { value: @contact.code } })
+        response = epp_plain_request(delete_xml, :xml)
+        response[:msg].should == 'Command completed successfully'
+        response[:result_code].should == '1000'
+        response[:clTRID].should == 'ABC-12345'
+
+        Contact.find_by_id(@contact.id).should == nil
+      end
+
       it 'fails if contact has associated domain' do
         @domain = Fabricate(:domain, registrar: @registrar1, registrant: @contact)
         @domain.registrant.present?.should == true
@@ -622,9 +638,29 @@ describe 'EPP Contact', epp: true do
         @domain.registrant.present?.should == true
       end
 
-      it 'fails with wrong authentication info' do
+      it 'should delete when not owner but with correct password' do
         login_as :registrar2 do
           response = delete_request
+          response[:msg].should == 'Command completed successfully'
+          response[:result_code].should == '1000'
+          response[:clTRID].should == 'ABC-12345'
+          Contact.find_by_id(@contact.id).should == nil
+        end
+      end
+
+      it 'should not delete when not owner without password' do
+        login_as :registrar2 do
+          delete_xml = @epp_xml.delete({ id: { value: @contact.code } })
+          response = epp_plain_request(delete_xml, :xml)
+          response[:msg].should == 'Authorization error'
+          response[:result_code].should == '2201'
+          response[:results].count.should == 1
+        end
+      end
+
+      it 'should not delete when not owner with wrong password' do
+        login_as :registrar2 do
+          response = delete_request({ authInfo: { value: 'wrong password' } })
           response[:msg].should == 'Authorization error'
           response[:result_code].should == '2201'
           response[:results].count.should == 1