From e7a976ce898b4644e6e660312ab93f6ed764e96e Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Fri, 9 Dec 2022 11:27:42 +0200
Subject: [PATCH] Added missing abilities to xml_console and contacts controllers
---
 app/controllers/concerns/epp_requestable.rb | 1 +
 app/controllers/repp/v1/contacts_controller.rb | 3 +++
 app/models/ability.rb | 3 +++
 3 files changed, 7 insertions(+)
diff --git a/app/controllers/concerns/epp_requestable.rb b/app/controllers/concerns/epp_requestable.rb
index d290c8e38..59d064644 100644
--- a/app/controllers/concerns/epp_requestable.rb
+++ b/app/controllers/concerns/epp_requestable.rb
@@ -6,6 +6,7 @@ module EppRequestable
 end
 def create
+ authorize! :create, Epp::Server
 result = server.request(request_params[:payload])
 render_success(data: { xml: result.force_encoding('UTF-8') })
 rescue StandardError
diff --git a/app/controllers/repp/v1/contacts_controller.rb b/app/controllers/repp/v1/contacts_controller.rb
index 510525ac5..83b98835b 100644
--- a/app/controllers/repp/v1/contacts_controller.rb
+++ b/app/controllers/repp/v1/contacts_controller.rb
@@ -74,6 +74,7 @@ module Repp
 api :POST, '/repp/v1/contacts'
 desc 'Create a new contact'
 def create
+ authorize! :create, Epp::Contact
 @contact = Epp::Contact.new(contact_params_with_address, current_user.registrar, epp: false)
 action = Actions::ContactCreate.new(@contact, contact_params[:legal_document], contact_ident_params)
@@ -89,6 +90,7 @@ module Repp
 api :PUT, '/repp/v1/contacts/:contact_code'
 desc 'Update existing contact'
 def update
+ authorize! :update, Epp::Contact
 action = Actions::ContactUpdate.new(@contact, contact_params_with_address(required: false), contact_params[:legal_document], contact_ident_params(required: false), current_user)
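Review bot: In `EppRequestable#create` (app/controllers/concerns/epp_requestable.rb) the new `authorize! :create, Epp::Server` sits inside the body that ends in `rescue StandardError`, and `CanCan::AccessDenied` is a `StandardError`, so a denied request is handled by that generic rescue instead of the application's access-denied path. The payload is still not sent to the server, but the caller presumably receives whatever the rescue renders rather than a forbidden response, and a denial becomes indistinguishable from a server failure in logs and monitoring. Either run the check outside the rescued body, e.g. `before_action -> { authorize! :create, Epp::Server }, only: :create`, or add `rescue CanCan::AccessDenied` followed by `raise` ahead of the `rescue StandardError` clause. The rescue body lies outside the hunk, so confirm what it returns.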
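Review bot: In `update` (app/controllers/repp/v1/contacts_controller.rb) `authorize! :update, Epp::Contact` checks the class, not the record being changed; CanCan does not evaluate a rule's block or hash conditions when it is given a class, so any per-contact condition in `Ability` (an ownership check, for example) is not applied. The same holds for `authorize! :delete, Epp::Contact` in the `destroy` hunk. `@contact` is loaded outside these hunks, so unless that lookup is already scoped to the current registrar the new check adds no object-level protection; passing the instance closes the gap: `authorize! :update, @contact` and `authorize! :delete, @contact`. The `Epp::Contact` rules are not part of this diff, so verify that they behave as intended when given an instance.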
@@ -104,6 +106,7 @@ module Repp
 api :DELETE, '/repp/v1/contacts/:contact_code'
 desc 'Delete a specific contact'
 def destroy
+ authorize! :delete, Epp::Contact
 action = Actions::ContactDelete.new(@contact, params[:legal_document])
 unless action.call
 handle_errors(@contact)
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 74906c72d..d90283262 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -33,6 +33,9 @@ class Ability
 def epp # Registrar/api_user dynamic role
 can :manage, Account
+ # Epp::Server
+ can :create, Epp::Server
+
 # Poll
 can :manage, :poll
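Review bot: The comment `# Epp::Server` above `can :create, Epp::Server` in app/models/ability.rb only repeats the constant name and does not say what the rule unlocks; something like `# XML console: permit submitting raw EPP requests via Epp::Server` would tell the next reader why the grant exists. The rule is unconditional for every user that reaches `epp`, and the diffstat lists no test files, so a test asserting that a role without this rule is rejected by `EppRequestable#create` would pin the new behaviour. The `epp` method continues outside the hunk.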