Make the superuser flag bypass TLD access checks

The --superuser command in the nomulus command-line tool should be bypassing checks on whether the passed-in registrar client ID has access to the TLD in question, but currently it is not. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=158974462
2026-01-11 00:10:36 +00:00 · 2017-06-14 07:14:19 -07:00
parent 3a02e6fb11
commit 580c41f2d6
26 changed files with 223 additions and 38 deletions
--- a/java/google/registry/flows/domain/DomainTransferRejectFlow.java
+++ b/java/google/registry/flows/domain/DomainTransferRejectFlow.java
@@ -32,6 +32,7 @@ import com.googlecode.objectify.Key;
 import google.registry.flows.EppException;
 import google.registry.flows.ExtensionManager;
 import google.registry.flows.FlowModule.ClientId;
+import google.registry.flows.FlowModule.Superuser;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.TransactionalFlow;
 import google.registry.flows.annotations.ReportingSpec;
@@ -71,6 +72,7 @@ public final class DomainTransferRejectFlow implements TransactionalFlow {
  @Inject Optional<AuthInfo> authInfo;
  @Inject @ClientId String clientId;
  @Inject @TargetId String targetId;
+  @Inject @Superuser boolean isSuperuser;
  @Inject HistoryEntry.Builder historyBuilder;
  @Inject EppResponse.Builder responseBuilder;
  @Inject DomainTransferRejectFlow() {}
@@ -91,7 +93,9 @@ public final class DomainTransferRejectFlow implements TransactionalFlow {
    verifyOptionalAuthInfo(authInfo, existingDomain);
    verifyHasPendingTransfer(existingDomain);
    verifyResourceOwnership(clientId, existingDomain);
-    checkAllowedAccessToTld(clientId, existingDomain.getTld());
+    if (!isSuperuser) {
+      checkAllowedAccessToTld(clientId, existingDomain.getTld());
+    }
    DomainResource newDomain =
        denyPendingTransfer(existingDomain, TransferStatus.CLIENT_REJECTED, now);
    ofy().save().<ImmutableObject>entities(