From a551d1b4e097d9f1c1c55c51fab851c32a909254 Mon Sep 17 00:00:00 2001
From: Martin Lensment
Date: Fri, 14 Aug 2015 13:42:21 +0300
Subject: [PATCH] Allow registrar to see only its own invoices #2819
---
 app/models/ability.rb | 2 +-
 spec/epp/contact_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 8e98748c4..0fcd87d6b 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -89,7 +89,7 @@ class Ability
 # Registrar/api_user dynamic role
 def billing
 can :view, :registrar_dashboard
- can :manage, Invoice
+ can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id }
 can :manage, :deposit
 can :read, AccountActivity
 end
diff --git a/spec/epp/contact_spec.rb b/spec/epp/contact_spec.rb
index 4eab8dac1..35ad4558f 100644
--- a/spec/epp/contact_spec.rb
+++ b/spec/epp/contact_spec.rb
@@ -522,7 +522,7 @@ describe 'EPP Contact', epp: true do
 authInfo: { pw: { value: 'newpassword' } }
 }
 })
- puts Nokogiri xml
+
 response = epp_plain_request(xml, :xml)
 response[:results][0][:msg].should == 'Command completed successfully'
 response[:results][0][:result_code].should == '1000'
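Review bot: The new block rule on `Invoice` in `billing` is only evaluated when an invoice instance is passed to the check; CanCan skips the block for class-level checks such as `can? :manage, Invoice` and cannot turn it into a query for `accessible_by`, so collection and index paths get no per-registrar scoping from it. A hash condition expresses the same ownership test and also scopes collection queries: `can :manage, Invoice, buyer_id: @user.registrar_id`. In either form a user whose `registrar_id` is nil would match invoices whose `buyer_id` is nil, so it is worth confirming that `billing` is only applied to users tied to a registrar; the rest of `Ability` and the invoice controllers are outside this hunk. The commit adds no spec for the rule, and an ability spec asserting that an invoice carrying another registrar's `buyer_id` is denied would pin the intended behaviour.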