Optional password for contact#info

app/helpers/epp/contacts_helper.rb

@@ -36,9 +36,8 @@ module Epp::ContactsHelper
   end
 
   def info_contact
-    # handle_errors and return unless rights?
-    @contact = find_contact
     handle_errors(@contact) and return unless @contact
+    handle_errors(@contact) and return unless rights?
     render 'epp/contacts/info'
   end
 
@@ -88,16 +87,20 @@ module Epp::ContactsHelper
     xml_attrs_present?(@ph, [['id']])
   end
 
-  ## CHECK
+  ## check
   def validate_contact_check_request
     @ph = params_hash['epp']['command']['check']['check']
     xml_attrs_present?(@ph, [['id']])
   end
 
-  ## INFO
+  ## info
-  def validate_contact_info_request
+  def validate_contact_info_request # and process
     @ph = params_hash['epp']['command']['info']['info']
     xml_attrs_present?(@ph, [['id']])
+    @contact = find_contact
+    return false unless @contact
+    return true if current_epp_user.registrar == @contact.registrar || xml_attrs_present?(@ph, [%w(authInfo pw)])
+    false
   end
 
   ## SHARED
@@ -123,7 +126,8 @@ module Epp::ContactsHelper
   def rights?
     pw = @ph.try(:[], :authInfo).try(:[], :pw)
 
-    return true if  !find_contact.nil? && find_contact.auth_info_matches(pw)
+    return true if current_epp_user.try(:registrar) == @contact.try(:registrar)
+    return true if @contact.auth_info_matches(pw)
 
     epp_errors << { code: '2201', msg: t('errors.messages.epp_authorization_error'), value: { obj: 'pw', val: pw } }
     false

spec/epp/contact_spec.rb

@@ -249,10 +249,11 @@ describe 'EPP Contact', epp: true do
       end
 
       it 'returns info about contact' do
-        Fabricate(:contact, created_by_id: '1', code: 'info-4444', auth_info: '2fooBAR', name: 'Johnny Awesome',
+        @contact = Fabricate(:contact, registrar: zone, code: 'info-4444', name: 'Johnny Awesome',
                   address: Fabricate(:address))
 
-        response = epp_request('contacts/info.xml')
+        xml = EppXml::Contact.info(id: { value: @contact.code })
+        response = epp_request(xml, :xml, :zone)
         contact = response[:parsed].css('resData chkData')
 
         expect(response[:result_code]).to eq('1000')
@@ -275,14 +276,36 @@ describe 'EPP Contact', epp: true do
         expect(contact.css('name').present?).to be(true)
       end
 
-      it 'doesn\'t display unassociated object', pending: true do
+      it 'doesn\'t display unassociated object without password' do
-        pending 'Have to rework contact info request to have optional password requirement'
+        @contact = Fabricate(:contact, code: 'info-4444', registrar: zone)
-        Fabricate(:contact, code: 'info-4444')
 
-        response = epp_request('contacts/info.xml')
+        xml = EppXml::Contact.info(id: { value: @contact.code })
+        response = epp_request(xml, :xml, :elkdata)
+        expect(response[:result_code]).to eq('2003')
+        expect(response[:msg]).to eq('Required parameter missing: pw')
+      end
+
+      it 'doesn\'t display unassociated object with wrong password' do
+        @contact = Fabricate(:contact, code: 'info-4444', registrar: zone)
+
+        xml = EppXml::Contact.info(id: { value: @contact.code }, authInfo: { pw: { value: 'qwe321' } })
+        response = epp_request(xml, :xml, :elkdata)
         expect(response[:result_code]).to eq('2201')
         expect(response[:msg]).to eq('Authorization error')
       end
+
+      it 'doest display unassociated object with correct password' do
+        @contact = Fabricate(:contact, code: 'info-4444', registrar: zone, name: 'Johnny Awesome')
+
+        xml = EppXml::Contact.info(id: { value: @contact.code }, authInfo: { pw: { value: @contact.auth_info } })
+        response = epp_request(xml, :xml, :elkdata)
+        contact = response[:parsed].css('resData chkData')
+
+        expect(response[:result_code]).to eq('1000')
+        expect(response[:msg]).to eq('Command completed successfully')
+        expect(contact.css('name').first.text).to eq('Johnny Awesome')
+      end
+
     end
 
     context 'renew command' do