Added role base redirect and updated abilities

app/api/repp/api.rb

@@ -12,6 +12,10 @@ module Repp
         error! I18n.t('ip_is_not_whitelisted'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
       end
 
+      if @current_user.cannot?(:view, :repp)
+        error! I18n.t('no_permission'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
+      end
+
       next if Rails.env.test? || Rails.env.development?
       message = 'Certificate mismatch! Cert common name should be:'
       request_name = env['HTTP_SSL_CLIENT_S_DN_CN']
@@ -22,7 +26,6 @@ module Repp
       else
         error! "#{message} #{@current_user.username}", 401 if @current_user.username != request_name
       end
-
     end
 
     helpers do

app/controllers/registrar/sessions_controller.rb

@@ -35,7 +35,7 @@ class Registrar::SessionsController < Devise::SessionsController
       @api_user = ApiUser.find_by(username: params[:depp_user][:tag])
       if @api_user.active?
         sign_in @api_user
-        redirect_to registrar_root_url
+        redirect_to role_base_root_url(@api_user)
       else
         @depp_user.errors.add(:base, :not_active)
         render 'login'
@@ -52,7 +52,7 @@ class Registrar::SessionsController < Devise::SessionsController
 
     if @user
       sign_in(@user, event: :authentication)
-      redirect_to registrar_root_url
+      redirect_to role_base_root_url(@user)
     else
       flash[:alert] = t('no_such_user')
       redirect_to registrar_login_url
@@ -70,7 +70,7 @@ class Registrar::SessionsController < Devise::SessionsController
     if Rails.env.test? && phone == "123"
       @user = ApiUser.find_by(identity_code: "14212128025")
       sign_in(@user, event: :authentication)
-      return redirect_to registrar_root_url
+      return redirect_to role_base_root_url(@user)
     end
 
     # country_codes = {'+372' => 'EST'}
@@ -112,7 +112,7 @@ class Registrar::SessionsController < Devise::SessionsController
       sign_in @user
       flash[:notice] = t(:welcome)
       flash.keep(:notice)
-      render js: "window.location = '#{registrar_root_path}'"
+      render js: "window.location = '#{role_base_root_url(@user)}'"
     when 'NOT_VALID'
       render json: { message: t(:user_signature_is_invalid) }, status: :bad_request
     when 'EXPIRED_TRANSACTION'
@@ -149,4 +149,12 @@ class Registrar::SessionsController < Devise::SessionsController
     return if WhiteIp.registrar_ip_white?(request.ip)
     render text: t('ip_is_not_whitelisted') and return
   end
+
+  def role_base_root_url(user)
+    if user.try(:roles) == ['billing']
+      registrar_invoices_url
+    else
+      registrar_root_url
+    end
+  end
 end

app/controllers/registrar_controller.rb

@@ -16,7 +16,7 @@ class RegistrarController < ApplicationController
       sign_out(current_user)
       return
     end
-
+    return if Rails.env.development?
     return if current_user.registrar.registrar_ip_white?(request.ip)
     flash[:alert] = t('ip_is_not_whitelisted')
     sign_out(current_user)

app/models/ability.rb

@@ -7,15 +7,13 @@ class Ability
     alias_action :show, to: :view
     alias_action :show, :create, :update, :destroy, to: :crud
 
-    @user = user || AdminUser.new
+    @user = user || User.new
 
     case @user.class.to_s
     when 'AdminUser'
       @user.roles.each { |role| send(role) } if @user.roles
     when 'ApiUser'
       @user.roles.each { |role| send(role) } if @user.roles
-      static_epp
-      static_registrar
     when 'RegistrantUser'
       static_registrant
     end
@@ -45,10 +43,12 @@ class Ability
     can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
     can(:renew,  Epp::Contact)
     can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
+
+    # REPP
+    can(:manage, :repp)
   end
 
   def static_registrar
-    can :read, AccountActivity
     can :manage, Nameserver
     can :view, :registrar_dashboard
     can :delete, :registrar_poll
@@ -60,7 +60,6 @@ class Ability
     can :manage, Depp::Keyrelay
     can :confirm, :keyrelay
     can :confirm, :transfer
-    can :manage, :deposit
   end
 
   def static_registrant
@@ -68,33 +67,32 @@ class Ability
     can :manage, Depp::Domain
   end
 
-  def static_billing
-    can :manage, Invoice
-  end
-
   def user
     can :show, :dashboard
   end
 
-  # api_user dynamic role
+  # Registrar/api_user dynamic role
   def super
-    static_epp
     static_registrar
+    billing
+    epp
   end
 
-  # api_user dynamic role
+  # Registrar/api_user dynamic role
   def epp
+    static_registrar
     static_epp
-    static_registrar
   end
 
-  # api_user dynamic role
+  # Registrar/api_user dynamic role
   def billing
-    static_registrar
-    static_billing
+    can :view, :registrar_dashboard
+    can :manage, Invoice
+    can :manage, :deposit
+    can :read, AccountActivity
   end
 
-  # admin dynamic role
+  # Admin/admin_user dynamic role
   def customer_service
     user
     can :manage, Domain
@@ -102,7 +100,7 @@ class Ability
     can :manage, Registrar
   end
 
-  # admin dynamic role
+  # Admin/admin_user dynamic role
   def admin
     customer_service
     can :manage, Setting

config/locales/en.yml

@@ -796,3 +796,4 @@ en:
   registrant_domain_verification_rejected: 'Domain owner change has been rejected successfully.'
   registrant_domain_verification_rejected_failed: 'Something went wrong'
   ip_is_not_whitelisted: 'IP is not whitelisted'
+  no_permission: 'No permission'