disclose attributes validator

2025-07-28 13:36:15 +02:00 · 2022-11-28 11:26:43 +02:00 · 2022-11-28 11:26:43 +02:00 · ea2fc01a60
commit ea2fc01a60
parent 1b92bf0d64
3 changed files with 42 additions and 22 deletions
--- a/app/controllers/api/v1/registrant/contacts_controller.rb
+++ b/app/controllers/api/v1/registrant/contacts_controller.rb
@ -50,6 +50,13 @@ module Api
          reparsed_request = reparsed_request(request.body.string)
          disclosed_attributes = reparsed_request[:disclosed_attributes]

+          if disclosed_attributes.present?
+            extra_attrs = disclosed_attributes - Contact::DISCLOSE_ATTRIBUTES
+            attributes_not_exist_error(extra_attrs) and return if extra_attrs.present?
+          end
+
+          # render_disclosed_attributes_error and return if disclosed_attributes.present? && contact.org?
+
          contact.disclosed_attributes = disclosed_attributes if disclosed_attributes
          publishable = reparsed_request[:registrant_publishable]
          contact.registrant_publishable = publishable if publishable.in? [true, false]
@ -116,6 +123,11 @@ module Api
          )
        end

+        def attributes_not_exist_error(extra_attrs)
+          error_msg = "Request contains extra attributes: #{extra_attrs.join(', ')}"
+          render json: { errors: [{ disclosed_attributes: [error_msg] }] }, status: :bad_request
+        end
+
        def render_address_error
          error_msg = 'Address processing is disabled and therefore cannot be updated'
          render json: { errors: [{ address: [error_msg] }] }, status: :bad_request
--- a/app/models/contact.rb
+++ b/app/models/contact.rb
@ -147,6 +147,15 @@ class Contact < ApplicationRecord
  # "clientDeleteProhibited" or "serverDeleteProhibited" status.
  PENDING_DELETE = 'pendingDelete'.freeze

+  DISCLOSE_ATTRIBUTES = %w[
+    name
+    email
+    phone
+    registrant_publishable
+    address
+    fax
+  ].freeze
+
  STATUSES = [
    CLIENT_DELETE_PROHIBITED, SERVER_DELETE_PROHIBITED,
    CLIENT_TRANSFER_PROHIBITED,
--- a/test/integration/api/v1/registrant/contacts/update_test.rb
+++ b/test/integration/api/v1/registrant/contacts/update_test.rb
@ -9,7 +9,6 @@ class RegistrantApiV1ContactUpdateTest < ActionDispatch::IntegrationTest
    @original_address_processing = Setting.address_processing
    @original_fax_enabled_setting = ENV['fax_enabled']
    @user = users(:registrant)
-
  end

  teardown do
@ -91,18 +90,18 @@ class RegistrantApiV1ContactUpdateTest < ActionDispatch::IntegrationTest
                 @contact.address
  end

-  # def test_update_address_when_enabled_without_address_params
-  #   Setting.address_processing = false
+  def test_update_address_when_enabled_without_address_params
+    Setting.address_processing = false

-  #   patch api_v1_registrant_contact_path(@contact.uuid), params: { address: { } },
-  #         as: :json,
-  #         headers: { 'HTTP_AUTHORIZATION' => auth_token }
+    patch api_v1_registrant_contact_path(@contact.uuid), params: { address: { } },
+          as: :json,
+          headers: { 'HTTP_AUTHORIZATION' => auth_token }

-  #   assert_response :bad_request
-  #   @contact.reload
-  #   assert_equal Contact::Address.new(nil, nil, nil, nil, nil),
-  #                @contact.address
-  # end
+    assert_response :bad_request
+    @contact.reload
+    assert_equal Contact::Address.new(nil, nil, nil, nil, nil),
+                 @contact.address
+  end

  def test_address_is_optional_when_enabled
    Setting.address_processing = true
@ -179,7 +178,7 @@ class RegistrantApiV1ContactUpdateTest < ActionDispatch::IntegrationTest
  # def test_legal_persons_disclosed_attributes_cannot_be_changed
  #   @contact = contacts(:acme_ltd)

-  #   # contacts(:acme_ltd).ident
+  #   contacts(:acme_ltd).ident
  #   assert_equal '1234567', @contact.ident

  #   assert_equal Contact::ORG, @contact.ident_type
@ -254,20 +253,20 @@ class RegistrantApiV1ContactUpdateTest < ActionDispatch::IntegrationTest
                                                                              symbolize_names: true)
  end

-  # def test_org_disclosed_attributes
-  #   patch api_v1_registrant_contact_path(@contact_org.uuid), params: { disclosed_attributes: ["some_attr"] },
-  #         as: :json,
-  #         headers: { 'HTTP_AUTHORIZATION' => auth_token }
+  def test_org_disclosed_attributes
+    patch api_v1_registrant_contact_path(@contact_org.uuid), params: { disclosed_attributes: ["some_attr"] },
+          as: :json,
+          headers: { 'HTTP_AUTHORIZATION' => auth_token }

-  #   assert_response :bad_request
+    assert_response :bad_request

-  #   err_msg = "Legal person's data is visible by default and cannot be concealed. Please remove this parameter."
+    err_msg = "Request contains extra attributes: some_attr"

-  #   response_json = JSON.parse(response.body, symbolize_names: true)
-  #   response_msg = response_json[:errors][0][:disclosed_attributes][0]
+    response_json = JSON.parse(response.body, symbolize_names: true)
+    response_msg = response_json[:errors][0][:disclosed_attributes][0]

-  #   assert_equal err_msg, response_msg
-  # end
+    assert_equal err_msg, response_msg
+  end

  def test_unmanaged_contact_cannot_be_updated
    assert_equal 'US-1234', @user.registrant_ident