Allow registrar to see other registrars domains

app/models/ability.rb

@@ -22,12 +22,13 @@ class Ability
   # rubocop: disable Metrics/LineLength
   def epp
     # Epp::Domain
-    can(:info,     Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
+    can(:info,     Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
     can(:check,    Epp::Domain)
     can(:create,   Epp::Domain)
     can(:renew,    Epp::Domain)
     can(:update,   Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
     can(:transfer, Epp::Domain) { |d, pw| d.auth_info == pw }
+    can(:view_password, Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || d.auth_info == pw }
 
     # Epp::Contact
     can(:info, Epp::Contact)           { |c, pw| c.registrar_id == @user.registrar_id || pw.blank? ? true : c.auth_info == pw }

app/views/epp/domains/info.xml.builder

@@ -52,12 +52,14 @@ xml.epp_head do
         # TODO Make domain transferrable
         #xml.tag!('domain:trDate', @domain.transferred_at) if @domain.transferred_at
 
+        if can? :view_password, @domain, @password
           xml.tag!('domain:authInfo') do
             xml.tag!('domain:pw', @domain.auth_info)
           end
         end
       end
     end
+  end
 
   xml.extension do
     xml.tag!('secDNS:infData', 'xmlns:secDNS' => 'urn:ietf:params:xml:ns:secDNS-1.1') do

spec/epp/domain_spec.rb

@@ -1857,7 +1857,7 @@ describe 'EPP Domain', epp: true do
       inf_data.css('status').first[:s].should == 'ok'
     end
 
-    it 'can not see other registrar domains' do
+    it 'can not see other registrar domains with invalid password' do
       login_as :registrar2 do
         response = epp_plain_request(domain_info_xml(name: { value: domain.name }), :xml)
         response[:result_code].should == '2201'
@@ -1865,6 +1865,31 @@ describe 'EPP Domain', epp: true do
       end
     end
 
+    it 'can see other registrar domains without password' do
+      login_as :registrar2 do
+        response = epp_plain_request(domain_info_xml(
+          name: { value: domain.name },
+          authInfo: nil
+        ), :xml)
+
+        response[:result_code].should == '1000'
+        response[:parsed].css('authInfo pw').first.should == nil
+      end
+    end
+
+    it 'can see other registrar domains with correct password' do
+      login_as :registrar2 do
+        pw = domain.auth_info
+        response = epp_plain_request(domain_info_xml(
+          name: { value: domain.name },
+          authInfo: { pw: { value: pw } }
+        ), :xml)
+
+        response[:result_code].should == '1000'
+        response[:parsed].css('authInfo pw').text.should == pw
+      end
+    end
+
     ### DELETE ###
     it 'deletes domain' do
       response = epp_plain_request(@epp_xml.domain.delete({