Always check read_issue permissions when loading issuetidy-up-issues-controller-filters

We never want to skip the check, so that some actions did so was a mistake.

1 files changed, 6 insertions, 9 deletions

diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index 8b1efd0c572..b53a79c859e 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -10,11 +10,7 @@ class Projects::IssuesController < Projects::ApplicationController
 
   before_action :redirect_to_external_issue_tracker, only: [:index, :new]
   before_action :module_enabled
-  before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
-                               :related_branches, :can_create_branch, :realtime_changes, :create_merge_request]
-
-  # Allow read any issue
-  before_action :authorize_read_issue!, only: [:show, :realtime_changes]
+  before_action :issue, except: [:index, :new, :create, :bulk_update]
 
   # Allow write(create) issue
   before_action :authorize_create_issue!, only: [:new, :create]
@@ -229,18 +225,19 @@ class Projects::IssuesController < Projects::ApplicationController
   protected
 
   def issue
+    return @issue if defined?(@issue)
     # The Sortable default scope causes performance issues when used with find_by
     @noteable = @issue ||= @project.issues.where(iid: params[:id]).reorder(nil).take!
+
+    return render_404 unless can?(current_user, :read_issue, @issue)
+
+    @issue
   end
   alias_method :subscribable_resource, :issue
   alias_method :issuable, :issue
   alias_method :awardable, :issue
   alias_method :spammable, :issue
 
-  def authorize_read_issue!
-    return render_404 unless can?(current_user, :read_issue, @issue)
-  end
-
   def authorize_update_issue!
     return render_404 unless can?(current_user, :update_issue, @issue)
   end