From 58b8c194bc6c131ba4962b1b2276f5336bfcd1a0 Mon Sep 17 00:00:00 2001 From: Artur Beljajev Date: Tue, 3 Sep 2019 13:22:52 +0300 Subject: [PATCH 1/2] Handle anonymous user in EPP poll request Unlike mod_epp, new EPP proxy (https://github.com/internetee/epp_proxy passes through all valid requests even if a user is not logged in, therefore we now need to handle such cases on registry app side. #730 --- app/controllers/epp/polls_controller.rb | 3 +-- test/integration/epp/poll_test.rb | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/app/controllers/epp/polls_controller.rb b/app/controllers/epp/polls_controller.rb index a7568b6bd..060931796 100644 --- a/app/controllers/epp/polls_controller.rb +++ b/app/controllers/epp/polls_controller.rb @@ -1,8 +1,7 @@ module Epp class PollsController < BaseController - skip_authorization_check # TODO: move authorization under ability - def poll + authorize! :manage, :poll req_poll if params[:parsed_frame].css('poll').first['op'] == 'req' ack_poll if params[:parsed_frame].css('poll').first['op'] == 'ack' end diff --git a/test/integration/epp/poll_test.rb b/test/integration/epp/poll_test.rb index c08b0fd9a..a6d0b81bd 100644 --- a/test/integration/epp/poll_test.rb +++ b/test/integration/epp/poll_test.rb @@ -124,4 +124,19 @@ class EppPollTest < EppTestCase assert_epp_response :object_does_not_exist end + + def test_anonymous_user_cannot_access + request_xml = <<-XML + + + + + + + XML + + post '/epp/command/poll', { frame: request_xml }, 'HTTP_COOKIE' => 'session=non-existent' + + assert_epp_response :authorization_error + end end From 7b7f383656116d4c1789fd2ae59a39d7a806cdda Mon Sep 17 00:00:00 2001 From: Alex Sherman Date: Wed, 2 Sep 2020 12:14:20 +0500 Subject: [PATCH 2/2] Fix tests --- test/integration/epp/poll_test.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/integration/epp/poll_test.rb b/test/integration/epp/poll_test.rb index a6d0b81bd..6d3ec467e 100644 
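Review bot: In `Epp::PollsController#poll`, the new `authorize! :manage, :poll` depends on an ability rule that this patch neither shows nor changes (the diffstat lists only the controller and the test). Please confirm that the `:poll` rule is granted only to an authenticated EPP user and is absent for a nil or guest user. Per the commit message, the proxy now forwards frames from users who are not logged in, so as far as this hunk shows this call is the check standing in front of `req_poll` and `ack_poll`. A comment above it would record why it must stay, for example `# epp_proxy forwards requests from users who are not logged in; reject them here`. The controller body continues outside the hunk, so any other public action there presumably needs its own authorization now that `skip_authorization_check` is removed.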
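Review bot: `test_anonymous_user_cannot_access` in `test/integration/epp/poll_test.rb` exercises only a request that carries an unknown session cookie (`'session=non-existent'`), so a request with no cookie at all is left untested. A second case that posts the same frame without the `HTTP_COOKIE` header and ends with `assert_epp_response :authorization_error` would pin both shapes of an unauthenticated request. The heredoc body is not visible on this page, so which `op` the frame uses cannot be confirmed. If it is `req`, an `ack` variant is worth adding as well, since both branches sit behind the same check.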
--- a/test/integration/epp/poll_test.rb +++ b/test/integration/epp/poll_test.rb @@ -135,7 +135,8 @@ class EppPollTest < EppTestCase XML - post '/epp/command/poll', { frame: request_xml }, 'HTTP_COOKIE' => 'session=non-existent' + post '/epp/command/poll', params: { frame: request_xml }, + headers: { 'HTTP_COOKIE' => 'session=non-existent' } assert_epp_response :authorization_error end