diff --git a/app/controllers/epp/polls_controller.rb b/app/controllers/epp/polls_controller.rb
index a7568b6bd..060931796 100644
--- a/app/controllers/epp/polls_controller.rb
+++ b/app/controllers/epp/polls_controller.rb
@@ -1,8 +1,7 @@
 module Epp
 class PollsController < BaseController
- skip_authorization_check # TODO: move authorization under ability
-
 def poll
+ authorize! :manage, :poll
 req_poll if params[:parsed_frame].css('poll').first['op'] == 'req'
 ack_poll if params[:parsed_frame].css('poll').first['op'] == 'ack'
 end
diff --git a/test/integration/epp/poll_test.rb b/test/integration/epp/poll_test.rb
index c08b0fd9a..6d3ec467e 100644
--- a/test/integration/epp/poll_test.rb
+++ b/test/integration/epp/poll_test.rb
@@ -124,4 +124,20 @@ class EppPollTest < EppTestCase
 assert_epp_response :object_does_not_exist
 end
+
+ def test_anonymous_user_cannot_access
+ request_xml = <<-XML
+
+
+
+
+
+ XML
+
+ post '/epp/command/poll', params: { frame: request_xml },
+ headers: { 'HTTP_COOKIE' => 'session=non-existent' }
+
+ assert_epp_response :authorization_error
+ end
 end
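Review bot: `authorize! :manage, :poll` depends on an ability rule granting `:manage` on the `:poll` subject that is not part of this diff; if no such rule exists for registrar sessions, every authenticated poll now fails with the same `:authorization_error` the new test expects, so the pre-existing positive poll tests are the only guard against that and should be confirmed green alongside this change. Placing the check as the first statement of `poll` is the right order, since it runs before the frame is inspected. The op dispatch on the two context lines below still calls `.first['op']` on the result of `css('poll')` without checking that a `poll` element is present, so unless BaseController validates the frame before the action runs, an authorized but malformed frame raises NoMethodError instead of an EPP error; reading it once as `op = params[:parsed_frame].css('poll').first&.[]('op')` and branching on `op` would close that and drop the duplicated lookup. That part is pre-existing, not introduced here.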
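Review bot: The new test posts with `'HTTP_COOKIE' => 'session=non-existent'`, so it exercises an unknown session cookie rather than the cookieless request its name `test_anonymous_user_cannot_access` suggests; either add a second `post` without the `headers:` option or rename it to what it checks, e.g. `test_unknown_session_cannot_access`. The heredoc between `<<-XML` and `XML` appears empty in this rendering, presumably stripped markup; because the authorization check now precedes any frame inspection the assertion holds regardless, but a minimal well-formed poll frame keeps the test meaningful if that order ever changes. `<<~XML` would also let the XML be indented with the method body without the leading whitespace reaching the request.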