Own contacts can be deleted without password

This commit is contained in:
Priit Tark 2015-05-04 11:27:14 +03:00
parent 670df629b4
commit 8cc03774ff
3 changed files with 43 additions and 7 deletions


@ -123,7 +123,7 @@ class Epp::ContactsController < EppController
def validate_delete
@prefix = 'delete > delete >'
requires 'id', 'authInfo > pw'
requires 'id'
@prefix = nil
end
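Review bot: Dropping `'authInfo > pw'` from `requires` means a request without the password element now passes validation, so whatever the controller later extracts as the password is presumably nil; that is only safe if the `:delete` ability treats a nil password as "no credential" rather than comparing it against a possibly nil `auth_info`. I would record the intent here so the requirement is not quietly re-added, `# authInfo > pw is optional: own contacts need none, foreign contacts must still present a matching one`. The check that enforces this lives in Ability, outside this file.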


@ -37,7 +37,7 @@ class Ability
can(:check, Epp::Contact)
can(:create, Epp::Contact)
can(:update, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw }
can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw }
can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
can(:renew, Epp::Contact)
can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
end
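Review bot: The new `||` in the `:delete` block makes `c.auth_info == pw` sufficient on its own, and that equality also holds when both sides are nil or blank, so a contact whose `auth_info` is unset could presumably be deleted by any registrar that sends no password; the spec added for "not owner without password" only exercises contacts that do have one. Guard the credential branch on presence, `can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || (pw.present? && c.auth_info == pw) }`. The `:view_password` block on the following line uses the same unguarded pattern and would benefit from the same guard, though it is not touched by this commit.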


@ -588,10 +588,7 @@ describe 'EPP Contact', epp: true do
response[:results][0][:msg].should ==
'Required parameter missing: delete > delete > id [id]'
response[:results][0][:result_code].should == '2003'
response[:results][1][:msg].should ==
'Required parameter missing: delete > delete > authInfo > pw [pw]'
response[:results][1][:result_code].should == '2003'
response[:results].count.should == 2
response[:results].count.should == 1
end
it 'returns error if obj doesnt exist' do
@ -610,6 +607,25 @@ describe 'EPP Contact', epp: true do
Contact.find_by_id(@contact.id).should == nil
end
it 'deletes own contact even with wrong password' do
response = delete_request({ authInfo: { pw: { value: 'wrong password' } } })
response[:msg].should == 'Command completed successfully'
response[:result_code].should == '1000'
response[:clTRID].should == 'ABC-12345'
Contact.find_by_id(@contact.id).should == nil
end
it 'deletes own contact even without password' do
delete_xml = @epp_xml.delete({ id: { value: @contact.code } })
response = epp_plain_request(delete_xml, :xml)
response[:msg].should == 'Command completed successfully'
response[:result_code].should == '1000'
response[:clTRID].should == 'ABC-12345'
Contact.find_by_id(@contact.id).should == nil
end
it 'fails if contact has associated domain' do
@domain = Fabricate(:domain, registrar: @registrar1, registrant: @contact)
@domain.registrant.present?.should == true
@ -622,9 +638,29 @@ describe 'EPP Contact', epp: true do
@domain.registrant.present?.should == true
end
it 'fails with wrong authentication info' do
it 'should delete when not owner but with correct password' do
login_as :registrar2 do
response = delete_request
response[:msg].should == 'Command completed successfully'
response[:result_code].should == '1000'
response[:clTRID].should == 'ABC-12345'
Contact.find_by_id(@contact.id).should == nil
end
end
it 'should not delete when not owner without password' do
login_as :registrar2 do
delete_xml = @epp_xml.delete({ id: { value: @contact.code } })
response = epp_plain_request(delete_xml, :xml)
response[:msg].should == 'Authorization error'
response[:result_code].should == '2201'
response[:results].count.should == 1
end
end
it 'should not delete when not owner with wrong password' do
login_as :registrar2 do
response = delete_request({ authInfo: { value: 'wrong password' } })
response[:msg].should == 'Authorization error'
response[:result_code].should == '2201'
response[:results].count.should == 1