Do not show contact if given domain does not belong to the current user

app/controllers/registrant/contacts_controller.rb

@@ -29,6 +29,17 @@ class Registrant::ContactsController < RegistrantController
   end
 
   def domain
-    Domain.find(params[:domain_id])
+    current_user_domains.find(params[:domain_id])
   end
-end
+
+  def current_user_domains
+    ident_cc, ident = @current_user.registrant_ident.split '-'
+    begin
+      BusinessRegistryCache.fetch_associated_domains ident, ident_cc
+    rescue Soap::Arireg::NotAvailableError => error
+      flash[:notice] = I18n.t(error.json[:message])
+      Rails.logger.fatal("[EXCEPTION] #{error.to_s}")
+      current_user.domains
+    end
+  end
+end

test/fixtures/contacts.yml

@@ -60,7 +60,7 @@ jack:
   name: Jack
   email: jack@inbox.test
   phone: '+555.555'
-  ident: 1234
+  ident: 12345
   ident_type: org
   registrar: goodnames
   ident_country_code: US

test/integration/api/registrant/registrant_api_contacts_test.rb

@@ -25,7 +25,7 @@ class RegistrantApiContactsTest < ApplicationIntegrationTest
     assert_equal(200, response.status)
 
     json_body = JSON.parse(response.body, symbolize_names: true)
-    assert_equal(5, json_body.count)
+    assert_equal(4, json_body.count)
     array_of_contact_codes = json_body.map { |x| x[:code] }
     assert(array_of_contact_codes.include?('william-001'))
     assert(array_of_contact_codes.include?('jane-001'))
@@ -39,7 +39,7 @@ class RegistrantApiContactsTest < ApplicationIntegrationTest
 
     get '/api/v1/registrant/contacts', {}, @auth_headers
     response_json = JSON.parse(response.body, symbolize_names: true)
-    assert_equal(5, response_json.count)
+    assert_equal(4, response_json.count)
   end
 
   def test_get_contact_details_by_uuid

test/integration/api/registrant/registrant_api_domains_test.rb

@@ -57,7 +57,7 @@ class RegistrantApiDomainsTest < ApplicationIntegrationTest
     get '/api/v1/registrant/domains', {}, @auth_headers
     response_json = JSON.parse(response.body, symbolize_names: true)
 
-    assert_equal(5, response_json.count)
+    assert_equal(4, response_json.count)
   end
 
   def test_root_does_not_accept_limit_higher_than_200

test/system/registrant_area/contacts/details_test.rb

@@ -24,4 +24,12 @@ class RegistrantAreaContactDetailsTest < ApplicationSystemTestCase
     assert_text "Created at #{l Time.zone.parse('2010-07-05')}"
     assert_text "Updated at #{l Time.zone.parse('2010-07-06')}"
   end
+
+  def test_registrant_user_cannot_access_contact_when_given_domain_belongs_to_another_user
+    suppress(ActionView::Template::Error) do
+      visit registrant_domain_contact_url(domains(:metro), @contact)
+      assert_response :not_found
+      assert_no_text 'Name John'
+    end
+  end
 end

test/system/registrant_area/domains/details_test.rb

@@ -55,4 +55,12 @@ class RegistrantAreaDomainDetailsTest < ApplicationSystemTestCase
       assert_css '.tech-domain-contact', count: 2
     end
   end
+
+  def test_registrant_user_cannot_access_domains_of_other_users
+    suppress(ActiveRecord::RecordNotFound) do
+      visit registrant_domain_url(domains(:metro))
+      assert_response :not_found
+      assert_no_text 'metro.test'
+    end
+  end
 end

test/system/registrant_area/domains/list_test.rb

@@ -15,6 +15,11 @@ class RegistrantAreaDomainListTest < ApplicationSystemTestCase
     assert_link 'John', href: registrant_domain_contact_path(@domain, @domain.registrant)
     assert_link 'Best Names', href: registrant_registrar_path(@domain.registrar)
     assert_text l(Time.zone.parse('2010-07-05'))
-    assert_css '.domains .domain', count: 5
+    assert_css '.domains .domain', count: 4
+  end
+
+  def test_do_not_show_domains_of_other_registrant_users
+    visit registrant_domains_url
+    assert_no_text 'metro.test'
   end
 end