Use policies to determine if attributes can be set in the API

This is more idiomatic than checking membership explicitly.
author: Sean McGivern <sean@gitlab.com> 2018-08-22 13:10:54 +0100
committer: Sean McGivern <sean@gitlab.com> 2018-08-22 14:17:29 +0100
commit: aff7dccc1f13e86b44dfa1530c6b5068dbb18f00 (patch)
tree: 0193754c17b7023499ad4d1cd438cb287547793d /app/policies
parent: b63ed7cff664bc1ee0bf70912fffd4814f757079 (diff)
download: gitlab-ce-aff7dccc1f13e86b44dfa1530c6b5068dbb18f00.tar.gz
2 files changed, 6 insertions, 0 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index a8d7a05f509..bb800929ea9 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -72,6 +72,8 @@ class GroupPolicy < BasePolicy
     enable :admin_namespace
     enable :admin_group_member
     enable :change_visibility_level
+
+    enable :set_note_created_at
   end
 
   rule { can?(:read_nested_project_resources) }.policy do
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 00c58f15013..fd6cc504a3b 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -143,6 +143,10 @@ class ProjectPolicy < BasePolicy
     enable :destroy_merge_request
     enable :destroy_issue
     enable :remove_pages
+
+    enable :set_issue_iid
+    enable :set_issue_created_at
+    enable :set_note_created_at
   end
 
   rule { can?(:guest_access) }.policy do
author	Sean McGivern <sean@gitlab.com>	2018-08-22 13:10:54 +0100
committer	Sean McGivern <sean@gitlab.com>	2018-08-22 14:17:29 +0100
commit	aff7dccc1f13e86b44dfa1530c6b5068dbb18f00 (patch)
tree	0193754c17b7023499ad4d1cd438cb287547793d /app/policies
parent	b63ed7cff664bc1ee0bf70912fffd4814f757079 (diff)
download	gitlab-ce-aff7dccc1f13e86b44dfa1530c6b5068dbb18f00.tar.gz