diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb index b877c01ce..c4b66e411 100644 --- a/app/controllers/epp/sessions_controller.rb +++ b/app/controllers/epp/sessions_controller.rb @@ -56,6 +56,15 @@ class Epp::SessionsController < EppController success = false end + if success && @api_user.cannot?(:create, :epp_login) + epp_errors << { + msg: 'Authentication error; server closing connection (API user does not have epp role)', + code: '2501' + } + + success = false + end + if success && !ip_white? epp_errors << { msg: 'Authentication error; server closing connection (IP is not whitelisted)', @@ -105,7 +114,7 @@ class Epp::SessionsController < EppController end def connection_limit_ok? - return true if Rails.env.test? + return true if Rails.env.test? || Rails.env.development? c = EppSession.where( 'registrar_id = ? AND updated_at >= ?', @api_user.registrar_id, Time.zone.now - 5.minutes ).count diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb index a2310a0d1..b28dfdcf0 100644 --- a/app/controllers/registrar/sessions_controller.rb +++ b/app/controllers/registrar/sessions_controller.rb @@ -71,7 +71,7 @@ class Registrar::SessionsController < Devise::SessionsController redirect_to :back and return end - if @api_user.can_make_api_calls? + if @api_user.can?(:create, :epp_login) unless @api_user.registrar.api_ip_white?(request.ip) flash[:alert] = I18n.t(:ip_is_not_whitelisted) redirect_to :back and return diff --git a/app/controllers/registrar_controller.rb b/app/controllers/registrar_controller.rb index ba165da07..a665cee09 100644 --- a/app/controllers/registrar_controller.rb +++ b/app/controllers/registrar_controller.rb 
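Review bot: The message in the new `cannot?(:create, :epp_login)` branch says the API user "does not have epp role", but ability.rb in this same commit grants `:create, :epp_login` to the billing role too, so the text describes the old `can_make_api_calls?` rule rather than the permission actually being checked. `msg: 'Authentication error; server closing connection (API user is not permitted to log in over EPP)'` matches the check. The branch also runs before the IP whitelist block that follows it, so a source outside the whitelist is told about the account's permission before being refused; placing the role check after the whitelist check keeps the whitelist as the first gate. The enclosing action starts and ends outside the hunk.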
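Review bot: `connection_limit_ok?` now returns `true` in development as well as test, which ties a per-registrar connection-rate control to `RAILS_ENV` instead of an explicit setting, and the bypass leaves no trace in logs. A host started with the wrong environment silently loses the cap, so an explicit configuration flag read here would be safer; at minimum the line deserves a comment, `# dev/test skip the 5-minute session cap; production must never rely on this`. The remainder of the method's `EppSession.where(...)` count is unchanged, and its caller is outside the hunk.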
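Review bot: `can?(:create, :epp_login)` replaces `can_make_api_calls?` here, but registrar_controller.rb in the next hunk uses `can?(:create, :epp_request)` for the same IP-whitelist decision, and ability.rb in this commit grants `:epp_login` to the billing role while `:epp_request` stays with epp/super. A billing user therefore has to pass `api_ip_white?` at sign-in but is not re-checked against it by what looks like the per-request filter in `RegistrarController`, so the two gates disagree. Pick one action for both places — `if @api_user.can?(:create, :epp_request)` here, or `:epp_login` in both — and note in a comment which roles the whitelist is meant to cover. The surrounding action starts and ends outside the hunk.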
@@ -18,14 +18,14 @@ class RegistrarController < ApplicationController return end return if Rails.env.development? - riw = current_user.registrar.registrar_ip_white?(request.ip) + registrar_ip_whitelisted = current_user.registrar.registrar_ip_white?(request.ip) - aiw = true - if current_user.can_make_api_calls? - aiw = current_user.registrar.api_ip_white?(request.ip) + api_ip_whitelisted = true + if current_user.can?(:create, :epp_request) + api_ip_whitelisted = current_user.registrar.api_ip_white?(request.ip) end - return if riw && aiw + return if registrar_ip_whitelisted && api_ip_whitelisted flash[:alert] = t('ip_is_not_whitelisted') sign_out(current_user) redirect_to registrar_login_path and return diff --git a/app/mailers/domain_mailer.rb b/app/mailers/domain_mailer.rb index 1eb4341c9..3e9b7c360 100644 --- a/app/mailers/domain_mailer.rb +++ b/app/mailers/domain_mailer.rb @@ -73,8 +73,8 @@ class DomainMailer < ApplicationMailer @domain = domain # no delivery off control, driggered by que, no epp request - @new_registrant_email = @domain.pending_json[:new_registrant_email] - @new_registrant_name = @domain.pending_json[:new_registrant_name] + @new_registrant_email = @domain.pending_json['new_registrant_email'] + @new_registrant_name = @domain.pending_json['new_registrant_name'] return if whitelist_blocked?(@new_registrant_email) mail(to: @new_registrant_email, @@ -86,8 +86,8 @@ class DomainMailer < ApplicationMailer @domain = domain # no delivery off control, driggered by cron, no epp request - @new_registrant_email = @domain.pending_json[:new_registrant_email] - @new_registrant_name = @domain.pending_json[:new_registrant_name] + @new_registrant_email = @domain.pending_json['new_registrant_email'] + @new_registrant_name = @domain.pending_json['new_registrant_name'] return if whitelist_blocked?(@new_registrant_email) if @new_registrant_email.blank? diff --git a/app/models/ability.rb b/app/models/ability.rb index 0fcd87d6b..0c659026b 100644 
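Review bot: Reading `pending_json['new_registrant_email']` with string keys (also in the next hunk, in domain.rb and in spec/mailers/domain_mailer_spec.rb) means any remaining writer that still stores symbol keys yields a `nil` recipient here without an error, and this hunk goes on to `mail(to: @new_registrant_email, ...)` after only the `whitelist_blocked?` check. The second mailer hunk adds `if @new_registrant_email.blank?` after that check; the same guard before `mail(` here, or `pending_json.fetch('new_registrant_email')` so a missing key fails loudly, would make the two methods consistent. Whether other writers of `pending_json` exist cannot be seen from this diff. The method starts before the hunk.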
--- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -24,7 +24,26 @@ class Ability can :create, :registrant_domain_update_confirm end - def static_epp + # + # User roles + # + + def super # Registrar/api_user dynamic role + static_registrar + epp + billing + end + + def epp # Registrar/api_user dynamic role + static_registrar + + # REPP + can(:manage, :repp) + + # EPP + can(:create, :epp_login) # billing can establis epp connection in order to login + can(:create, :epp_request) + # Epp::Domain can(:info, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw } can(:check, Epp::Domain) 
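Review bot: The comment added to the `epp` role, `can(:create, :epp_login) # billing can establis epp connection in order to login`, is copied from the billing role and does not describe this role (and misspells "establish"); `# epp role may open an EPP session and issue commands` is what the two `can` lines express. In `super`, `static_registrar` is called directly and again through `epp`, which CanCan tolerates but which hides the role's intent; dropping the first call reads more clearly. The `epp` method continues past the end of the hunk.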
@@ -44,66 +63,24 @@ class Ability can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw } can(:renew, Epp::Contact) can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw } - - # REPP - can(:manage, :repp) end - def static_registrar - can :manage, Nameserver - can :view, :registrar_dashboard - can :delete, :registrar_poll - can :manage, :registrar_xml_console - can :manage, Depp::Contact - can :manage, Depp::Domain - can :renew, Depp::Domain - can :transfer, Depp::Domain - can :manage, Depp::Keyrelay - can :confirm, :keyrelay - can :confirm, :transfer - end - - def static_registrant - can :manage, :registrant_domains - can :manage, :registrant_whois - can :manage, Depp::Domain - end - - def user - can :show, :dashboard - end - - # Registrar/api_user dynamic role - def super - static_registrar - billing - epp - end - - # Registrar/api_user dynamic role - def epp - static_registrar - static_epp - end - - # Registrar/api_user dynamic role - def billing + def billing # Registrar/api_user dynamic role can :view, :registrar_dashboard can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id } can :manage, :deposit can :read, AccountActivity + can(:create, :epp_login) # billing can establis epp connection in order to login end - # Admin/admin_user dynamic role - def customer_service + def customer_service # Admin/admin_user dynamic role user can :manage, Domain can :manage, Contact can :manage, Registrar end - # Admin/admin_user dynamic role - def admin + def admin # Admin/admin_user dynamic role customer_service can :manage, Setting can :manage, BlockedDomain 
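Review bot: `billing` now receives `can(:create, :epp_login)` without `:epp_request`, and the only enforcement visible in this commit is the `cannot?(:create, :epp_login)` check in `Epp::SessionsController`; nothing in the diff shows `:epp_request` being checked on the EPP command path, so unless that check exists elsewhere a billing user can open an EPP session and issue commands. It would be worth confirming that the command dispatcher authorises `:create, :epp_request` (or the per-object abilities) before merging, and recording it in the comment, e.g. `# billing may only log in over EPP; commands still require :epp_request`. The comment also misspells "establish", and the same line with the same comment appears in the `epp` role in the previous hunk.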
@@ -128,6 +105,34 @@ class Ability can :create, :zonefile can :access, :settings_menu end + + # + # Static roles, linked from dynamic roles + # + def static_registrar + can :manage, Nameserver + can :view, :registrar_dashboard + can :delete, :registrar_poll + can :manage, :registrar_xml_console + can :manage, Depp::Contact + can :manage, Depp::Domain + can :renew, Depp::Domain + can :transfer, Depp::Domain + can :manage, Depp::Keyrelay + can :confirm, :keyrelay + can :confirm, :transfer + end + + def static_registrant + can :manage, :registrant_domains + can :manage, :registrant_whois + can :manage, Depp::Domain + end + + def user + can :show, :dashboard + end + # rubocop: enable Metrics/LineLength # rubocop: enable Metrics/CyclomaticComplexity # rubocop: enable Metrics/PerceivedComplexity diff --git a/app/models/api_user.rb b/app/models/api_user.rb index a8e0174bd..260441620 100644 --- a/app/models/api_user.rb +++ b/app/models/api_user.rb @@ -40,12 +40,22 @@ class ApiUser < User self.active = true unless active_changed? end - def registrar_typeahead - @registrar_typeahead || registrar || nil + class << self + def find_by_idc_data(idc_data) + return false if idc_data.blank? + identity_code = idc_data.scan(/serialNumber=(\d+)/).flatten.first + + find_by(identity_code: identity_code) + end + + def all_by_identity_code(identity_code) + ApiUser.where(identity_code: identity_code) + .where("identity_code is NOT NULL and identity_code != ''").includes(:registrar) + end end - def can_make_api_calls? - ([SUPER, EPP] & roles).any? + def registrar_typeahead + @registrar_typeahead || registrar || nil end def to_s @@ -75,13 +85,4 @@ class ApiUser < User md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s certificates.api.exists?(md5: md5, common_name: cn) end - - class << self - def find_by_idc_data(idc_data) - return false if idc_data.blank? - identity_code = idc_data.scan(/serialNumber=(\d+)/).flatten.first - - find_by(identity_code: identity_code) - end - end end 
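Review bot: `all_by_identity_code` combines a hash condition with the raw fragment `"identity_code is NOT NULL and identity_code != ''"`; the fragment has no interpolation so it is safe, but `where(identity_code: identity_code).where.not(identity_code: [nil, ''])` expresses the same filter without string SQL if the project is on Rails 4 or later, and the `ApiUser.` receiver is redundant inside `class << self`. A short comment, `# @return [ActiveRecord::Relation] api users sharing a non-blank identity code (used for account switching)`, would say why blank codes are excluded — without it the extra clause looks redundant with the equality condition. That exclusion is what stops users with an empty identity code from matching each other, so the intent deserves to be written down.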
diff --git a/app/models/domain.rb b/app/models/domain.rb index 55c246987..9ed9afde4 100644 --- a/app/models/domain.rb +++ b/app/models/domain.rb @@ -394,10 +394,10 @@ class Domain < ActiveRecord::Base self.registrant_verification_token = token self.registrant_verification_asked_at = asked_at set_pending_update - pending_json[:domain] = changes_cache - pending_json[:new_registrant_id] = new_registrant_id - pending_json[:new_registrant_email] = new_registrant_email - pending_json[:new_registrant_name] = new_registrant_name + pending_json['domain'] = changes_cache + pending_json['new_registrant_id'] = new_registrant_id + pending_json['new_registrant_email'] = new_registrant_email + pending_json['new_registrant_name'] = new_registrant_name # This pending_update! method is triggered by before_update # Note, all before_save callbacks are excecuted before before_update, diff --git a/app/views/admin/admin_users/_form.haml b/app/views/admin/admin_users/_form.haml index e7738a9f0..ba7203e1e 100644 --- a/app/views/admin/admin_users/_form.haml +++ b/app/views/admin/admin_users/_form.haml @@ -1,3 +1,10 @@ +- if @admin_user.new_record? + - overwrite_required = '' + - field_required = 'required' +- else + - overwrite_required = 'not-required' # otherwise automatic one adds required + - field_required = '' + = form_for([:admin, @admin_user], html: { class: 'form-horizontal', autocomplete: 'off' }) do |f| = render 'shared/full_errors', object: @admin_user 
@@ -11,22 +18,22 @@ - if @admin_user.new_record? || can?(:update, AdminUser) .form-group .col-md-4.control-label - - not_required = @admin_user.new_record? ? '' : 'not-required' - = f.label :password, class: not_required + + = f.label :password, class: overwrite_required .col-md-8 - = f.text_field(:password, class: 'form-control') + = f.text_field(:password, class: "form-control #{field_required}") .form-group .col-md-4.control-label - = f.label :password_confirmation, class: not_required + = f.label :password_confirmation, class: overwrite_required .col-md-8 - = f.text_field(:password_confirmation, class: 'form-control') + = f.text_field(:password_confirmation, class: "form-control #{field_required}") %hr .form-group .col-md-4.control-label = f.label :identity_code .col-md-8 - = f.text_field(:identity_code, class: 'form-control') + = f.text_field(:identity_code, class: 'form-control required') .form-group .col-md-4.control-label = f.label :email @@ -37,13 +44,15 @@ = f.label :country_code, t(:country) .col-md-8 = f.select(:country_code, - SortedCountry.all_options(f.object.country_code), {}, class: 'form-control') + SortedCountry.all_options(f.object.country_code), {}, class: 'form-control required') %hr .form-group .col-md-4.control-label - = f.label :role + = f.label :role, class: 'required' .col-md-8 - = select_tag 'admin_user[roles][]', options_for_select(AdminUser::ROLES.map {|x| [t(x), x] }, @admin_user.roles.try(:first)), class: 'form-control selectize' + = select_tag 'admin_user[roles][]', + options_for_select(AdminUser::ROLES.map {|x| [t(x), x] }, + @admin_user.roles.try(:first)), class: 'form-control selectize' %hr .row diff --git a/app/views/admin/api_users/_form.haml b/app/views/admin/api_users/_form.haml index e6851e424..00e6bb248 100644 --- a/app/views/admin/api_users/_form.haml +++ b/app/views/admin/api_users/_form.haml 
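Review bot: The password inputs rewritten here still use `f.text_field(:password, ...)` and `f.text_field(:password_confirmation, ...)` (the api_users form in this commit does the same), so the password is typed in clear text and, when the form re-renders after a validation error, the `value` attribute is filled from the model and the submitted password is sent back into the HTML. `f.password_field(:password, class: "form-control #{field_required}")` renders a masked input with no value by default and matches the form's `autocomplete: 'off'` intent. A stray blank line is also left under `.col-md-4.control-label` where `not_required` was removed.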
@@ -1,3 +1,11 @@ +- if @api_user.new_record? + - overwrite_required = '' + - field_required = 'required' +- else + - overwrite_required = 'not-required' # otherwise automatic one adds required + - field_required = '' + + = form_for([:admin, @api_user], multipart: true, html: {class: 'form-horizontal', autocomplete: 'off'}) do |f| = render 'shared/full_errors', object: @api_user @@ -11,16 +19,16 @@ = f.text_field(:username, class: 'form-control') .form-group .col-md-4.control-label - - not_required = @api_user.new_record? ? '' : 'not-required' - = f.label :password, class: not_required + = f.label :password, class: overwrite_required .col-md-7 - = f.text_field :password, class: 'form-control', autocomplete: 'off' + = f.text_field :password, class: "form-control #{field_required}", autocomplete: 'off' .form-group .col-md-4.control-label = f.label :identity_code .col-md-7 = f.text_field(:identity_code, class: 'form-control') + .form-group .form-group.has-feedback.js-typeahead-container .col-md-4.control-label @@ -32,9 +40,10 @@ %span.glyphicon.glyphicon-ok.form-control-feedback.js-typeahead-ok.hidden %span.glyphicon.glyphicon-remove.form-control-feedback.js-typeahead-remove = f.hidden_field(:registrar_id, class: 'js-registrar-id') + .form-group .col-md-4.control-label - = f.label :role + = f.label :role, class: 'required' .col-md-7 = select_tag 'api_user[roles][]', options_for_select(ApiUser::ROLES.map {|x| [t(x), x] }, @api_user.roles.try(:first)), diff --git a/app/views/layouts/registrar/application.haml b/app/views/layouts/registrar/application.haml index a2273de22..3754cd0bf 100644 --- a/app/views/layouts/registrar/application.haml +++ b/app/views/layouts/registrar/application.haml 
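Review bot: An empty `.form-group` is added between the identity code group and `.form-group.has-feedback.js-typeahead-container`, which renders an empty div; if it is meant as spacing it should go, and if a field was intended it is missing. The `identity_code` field here is not marked `required` while the admin_users form in this commit marks it so; if API users may authenticate by password only, a comment saying so, `-# identity code optional: api users may authenticate by password`, would explain the difference.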
@@ -54,7 +54,7 @@ = "#{current_user} (#{current_user.roles.first}) - #{current_user.registrar}" %span.caret %ul.dropdown-menu{role: "menu"} - - ApiUser.where(identity_code: current_user.identity_code).includes(:registrar).each do |x| + - ApiUser.all_by_identity_code(current_user.identity_code).each do |x| %li= link_to "#{x} (#{x.roles.first}) - #{x.registrar}", "/registrar/switch_user/#{x.id}" - if user_signed_in? %li= link_to t(:log_out_), '/registrar/logout' diff --git a/app/views/registrar/invoices/index.haml b/app/views/registrar/invoices/index.haml index ed543f381..543070c32 100644 --- a/app/views/registrar/invoices/index.haml +++ b/app/views/registrar/invoices/index.haml @@ -4,7 +4,7 @@ = render 'shared/title', name: t(:your_account) = t(:your_current_account_balance_is, - balance: current_user.registrar.cash_account.balance, + balance: currency(current_user.registrar.cash_account.balance), currency: current_user.registrar.cash_account.currency) %h1= t(:invoices) @@ -68,7 +68,7 @@ %td{class: 'text-danger'}= t(:unpaid) %td= l(x.due_date, format: :date_long) - %td= x.sum + %td= currency(x.sum) .row .col-md-12 = paginate @invoices diff --git a/config/locales/en.yml b/config/locales/en.yml index 36c1a304d..a9c2bc4f2 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml 
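Review bot: Filtering the switch-user dropdown through `ApiUser.all_by_identity_code` drops accounts with a blank identity code from the list, but the list is only the UI; the `/registrar/switch_user/#{x.id}` link carries just the target id, and nothing in this diff shows the switch action applying the same identity-code match server-side. If that action does not use the same restriction, the dropdown fix does not limit which accounts a signed-in user can reach; it is worth confirming, ideally by resolving the target there with the same scope, `ApiUser.all_by_identity_code(current_user.identity_code).find(params[:id])`.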
@@ -780,14 +780,14 @@ en: unimplemented_object_service: 'Unimplemented object service' contact_email_update_subject: 'Teie domeenide kontakt epostiaadress on muutunud / Contact e-mail addresses of your domains have changed' object_status_prohibits_operation: 'Object status prohibits operation' - pending_update_request_for_old_registrant_subject: "Kinnitustaotlus domeeni %{name} registreerija vahetuseks / Application for approval for registrant chache of %{name}" + pending_update_request_for_old_registrant_subject: "Kinnitustaotlus domeeni %{name} registreerija vahetuseks / Application for approval for registrant change of %{name}" pending_update_notification_for_new_registrant_subject: "Domeeni %{name} registreerija vahetus protseduur on algatatud / %{name} registrant change" pending_update_rejected_notification_for_new_registrant_subject: "Domeeni %{name} registreerija vahetuse taotlus tagasi lükatud / %{name} registrant change declined" pending_update_expired_notification_for_new_registrant_subject: "Domeeni %{name} registreerija vahetuse taotlus on tühistatud / %{name} registrant change cancelled" registrant_updated_notification_for_new_registrant_subject: 'Domeeni %{name} registreerija vahetus teostatud / Registrant change of %{name} has been finished.' registrant_updated_notification_for_old_registrant_subject: 'Domeeni %{name} registreerija vahetus teostatud / Registrant change of %{name} has been finished.' 
domain_pending_deleted_subject: "Kinnitustaotlus domeeni %{name} kustutamiseks .ee registrist / Application for approval for deletion of %{name}" - pending_delete_rejected_notification_subject: "Domeeni %{name} kustutamise taotlus tagasi lükatud / %{name) deletion declined" + pending_delete_rejected_notification_subject: "Domeeni %{name} kustutamise taotlus tagasi lükatud / %{name} deletion declined" pending_delete_expired_notification_subject: "Domeeni %{name} kustutamise taotlus on tühistatud / %{name} deletion cancelled" delete_confirmation_subject: "Domeeni %{name} kustutatud / %{name} deleted" whois: WHOIS diff --git a/lib/sorted_country.rb b/lib/sorted_country.rb index 114213681..d05a31bab 100644 --- a/lib/sorted_country.rb +++ b/lib/sorted_country.rb @@ -6,12 +6,13 @@ class SortedCountry include ActionView::Helpers def all_options(selected = nil) - quick_options = options_for_select(quick_list + [['---', '']], selected) + quick_options = options_for_select([['', '']] + quick_list, { selected: selected }) # no double select selected = quick_list.map(&:second).include?(selected) ? '' : selected - all_options = options_for_select(all_sorted_truncated, selected) + all_options = options_for_select([['---', '---']] + all_sorted_truncated, + { selected: selected, disabled: ['---'] }) quick_options + all_options end diff --git a/spec/features/registrar/domain_spec.rb b/spec/features/registrar/domain_spec.rb index 49c4c5497..f9eb76c76 100644 --- a/spec/features/registrar/domain_spec.rb +++ b/spec/features/registrar/domain_spec.rb @@ -54,7 +54,6 @@ feature 'Domains', type: :feature do page.should_not have_text(d1.name) page.should have_text(d2.name) - end it 'should search domains' do diff --git a/spec/mailers/domain_mailer_spec.rb b/spec/mailers/domain_mailer_spec.rb index bf06d4677..ec9fd4672 100644 --- a/spec/mailers/domain_mailer_spec.rb +++ b/spec/mailers/domain_mailer_spec.rb 
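Review bot: `options_for_select([['', '']] + quick_list, { selected: selected })` and the second call wrap the trailing options hash in explicit braces, which Ruby does not need; `options_for_select([['', '']] + quick_list, selected: selected)` and `options_for_select([['---', '---']] + all_sorted_truncated, selected: selected, disabled: ['---'])` read as the helper's keyword form. The `# no double select` comment sits on the reassignment that blanks `selected` when it is already in the quick list; a line above it, `# a country shown in the quick list must not be selected twice`, says why without lengthening the statement.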
@@ -122,8 +122,8 @@ describe DomainMailer do @new_registrant = Fabricate(:registrant, email: 'new@example.org') @domain = Fabricate(:domain, registrant: @registrant) @domain.deliver_emails = true - @domain.pending_json[:new_registrant_email] = 'new@example.org' - @domain.pending_json[:new_registrant_name] = 'test name' + @domain.pending_json['new_registrant_email'] = 'new@example.org' + @domain.pending_json['new_registrant_name'] = 'test name' @mail = DomainMailer.pending_update_rejected_notification_for_new_registrant(@domain) end diff --git a/spec/models/api_user_spec.rb b/spec/models/api_user_spec.rb index 8e46d0c6e..f159e5a7a 100644 --- a/spec/models/api_user_spec.rb +++ b/spec/models/api_user_spec.rb @@ -3,6 +3,22 @@ require 'rails_helper' describe ApiUser do it { should belong_to(:registrar) } + context 'class methods' do + before do + Fabricate(:api_user, identity_code: '') + Fabricate(:api_user, identity_code: 14212128025) + end + + it 'should return all api users with given identity code' do + ApiUser.all_by_identity_code('14212128025').size.should == 1 + ApiUser.all_by_identity_code(14212128025).size.should == 1 + end + + it 'should not return any api user with blank identity code' do + ApiUser.all_by_identity_code('').size.should == 0 + end + end + context 'with invalid attribute' do before :all do @api_user = ApiUser.new
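Review bot: The new `all_by_identity_code` examples cover a string, an integer and `''`, but not `nil`, which is what the registrar layout passes when `current_user.identity_code` is unset and the case the `is NOT NULL` clause in `ApiUser.all_by_identity_code` exists for; adding `ApiUser.all_by_identity_code(nil).size.should == 0` pins that behaviour. Fabricating with `identity_code: 14212128025` (an Integer) and querying with both the Integer and the String also relies on the column's type cast; if identity_code is a string column, fabricating with the string form keeps the fixture honest. The enclosing `describe` block ends outside the hunk.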