diff --git a/console-webapp/src/app/users/userEditForm.component.html b/console-webapp/src/app/users/userEditForm.component.html
index 0b1aab4b3..f445bf08d 100644
--- a/console-webapp/src/app/users/userEditForm.component.html
+++ b/console-webapp/src/app/users/userEditForm.component.html
@@ -29,7 +29,7 @@
>
- Editor
+ Editor
Viewer
diff --git a/core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java b/core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java
index 6246e87fc..2b1d78ed5 100644
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleUsersAction.java
@@ -17,6 +17,7 @@ package google.registry.ui.server.console;
import static com.google.common.base.Strings.isNullOrEmpty;
import static com.google.common.collect.ImmutableList.toImmutableList;
import static google.registry.model.console.RegistrarRole.ACCOUNT_MANAGER;
+import static google.registry.model.console.RegistrarRole.TECH_CONTACT;
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import static google.registry.request.Action.Method.DELETE;
import static google.registry.request.Action.Method.GET;
@@ -152,7 +153,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
updateUserRegistrarRoles(
this.userData.get().emailAddress,
registrarId,
- RegistrarRole.valueOf(this.userData.get().role));
+ requestRoleToAllowedRoles(this.userData.get().role));
sendConfirmationEmail(registrarId, this.userData.get().emailAddress, "Added existing user");
consoleApiParams.response().setStatus(SC_OK);
@@ -222,11 +223,9 @@ public class ConsoleUsersAction extends ConsoleApiAction {
throw e;
}
+ RegistrarRole newRole = requestRoleToAllowedRoles(userData.get().role);
UserRoles userRoles =
- new UserRoles.Builder()
- .setRegistrarRoles(
- ImmutableMap.of(registrarId, RegistrarRole.valueOf(userData.get().role)))
- .build();
+ new UserRoles.Builder().setRegistrarRoles(ImmutableMap.of(registrarId, newRole)).build();
User.Builder builder = new User.Builder().setUserRoles(userRoles).setEmailAddress(newEmail);
tm().put(builder.build());
@@ -238,9 +237,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
.setPayload(
consoleApiParams
.gson()
- .toJson(
- new UserData(
- newEmail, null, ACCOUNT_MANAGER.toString(), newUser.getPassword())));
+ .toJson(new UserData(newEmail, null, newRole.toString(), newUser.getPassword())));
finishAndPersistConsoleUpdateHistory(
new ConsoleUpdateHistory.Builder()
.setType(ConsoleUpdateHistory.Type.USER_CREATE)
@@ -257,7 +254,7 @@ public class ConsoleUsersAction extends ConsoleApiAction {
updateUserRegistrarRoles(
this.userData.get().emailAddress,
registrarId,
- RegistrarRole.valueOf(this.userData.get().role));
+ requestRoleToAllowedRoles(this.userData.get().role));
sendConfirmationEmail(registrarId, this.userData.get().emailAddress, "Updated user");
consoleApiParams.response().setStatus(SC_OK);
@@ -333,6 +330,11 @@ public class ConsoleUsersAction extends ConsoleApiAction {
.collect(toImmutableList()));
}
+ /** Maps a request role string to a RegistrarRole, using ACCOUNT_MANAGER as the default. */
+ private RegistrarRole requestRoleToAllowedRoles(String role) {
+ return TECH_CONTACT.name().equals(role) ? TECH_CONTACT : ACCOUNT_MANAGER;
+ }
+
private boolean sendConfirmationEmail(String registrarId, String emailAddress, String operation) {
Optional registrar = Registrar.loadByRegistrarId(registrarId);
if (registrar.isEmpty()) { // Shouldn't happen, but worth checking
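Review bot: requestRoleToAllowedRoles silently maps every value other than `TECH_CONTACT` — including `PRIMARY_CONTACT`, a malformed string, and null — to ACCOUNT_MANAGER, and the three call sites (the hunks at @@ -152, @@ -222 and @@ -257) persist that result and return success without telling the caller the role was downgraded; previously `RegistrarRole.valueOf` rejected unknown strings with an IllegalArgumentException, so a typo in the request now quietly grants a different role than intended. Failing closed is the right default on a privilege-assignment path, but a request for a role outside the allow-list should probably be answered with a 400 (or at least logged) rather than a 200/201 carrying a role the caller never asked for. At minimum the Javadoc should state the clamping explicitly, e.g. `/** Clamps a caller-supplied role to the set a console user may assign: TECH_CONTACT is kept, anything else (including unknown or null input) becomes ACCOUNT_MANAGER. */`. The name also says "Roles" while returning a single role; `requestRoleToAllowedRole` reads more accurately.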
diff --git a/core/src/test/java/google/registry/ui/server/console/ConsoleUsersActionTest.java b/core/src/test/java/google/registry/ui/server/console/ConsoleUsersActionTest.java
index ff2a40719..fc1634154 100644
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleUsersActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleUsersActionTest.java
@@ -170,7 +170,26 @@ class ConsoleUsersActionTest extends ConsoleActionBaseTestCase {
createAction(
Optional.of(ConsoleApiParamsUtils.createFake(authResult)),
Optional.of("POST"),
- Optional.of(new UserData("lol", null, RegistrarRole.ACCOUNT_MANAGER.toString(), null)));
+ Optional.of(new UserData("lol", null, RegistrarRole.TECH_CONTACT.name(), null)));
+ action.cloudTasksUtils = cloudTasksHelper.getTestCloudTasksUtils();
+ when(directory.users()).thenReturn(users);
+ when(users.insert(any(com.google.api.services.directory.model.User.class))).thenReturn(insert);
+ action.run();
+ assertThat(response.getStatus()).isEqualTo(SC_CREATED);
+ assertThat(response.getPayload())
+ .contains(
+ "{\"emailAddress\":\"lol.TheRegistrar@email.com\",\"role\":\"TECH_CONTACT\",\"password\":\"abcdefghijklmnop\"}");
+ }
+
+ @Test
+ void testSuccess_roleEnforcementCreate() throws IOException {
+ User user = DatabaseHelper.createAdminUser("email@email.com");
+ AuthResult authResult = AuthResult.createUser(user);
+ ConsoleUsersAction action =
+ createAction(
+ Optional.of(ConsoleApiParamsUtils.createFake(authResult)),
+ Optional.of("POST"),
+ Optional.of(new UserData("lol", null, RegistrarRole.PRIMARY_CONTACT.name(), null)));
action.cloudTasksUtils = cloudTasksHelper.getTestCloudTasksUtils();
when(directory.users()).thenReturn(users);
when(users.insert(any(com.google.api.services.directory.model.User.class))).thenReturn(insert);
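Review bot: testSuccess_roleEnforcementCreate only sends `RegistrarRole.PRIMARY_CONTACT.name()`, and its assertion lies outside the hunk, so the new coercion path is not exercised for the inputs where behaviour actually changed — a string that is not a RegistrarRole name at all, and a null role — both of which previously threw from `RegistrarRole.valueOf` and now produce ACCOUNT_MANAGER. Adding a case with a constructed value such as `new UserData("lol", null, "not-a-role", null)` and one with `null` would pin the fail-closed result and catch a future regression that lets an unknown string through. The payload assertion in the preceding test compares a full hand-written JSON string, which will break on any field reordering; matching on `"\"role\":\"TECH_CONTACT\""` alone would keep the check focused on the role. The enclosing test method continues past the end of the hunk.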