Do not show moved issue ids for user not authorized

Do not show moved issue id for users that cannot read issue
author: Felipe Artur <felipefac@gmail.com> 2019-07-10 17:04:02 -0300
committer: Felipe Artur <felipefac@gmail.com> 2019-07-11 15:03:41 -0300
commit: 43830eca33b6be5d59685be5c2f3270ed81bf751 (patch)
tree: 0fff8cd8a4120bf8f30421422cc12afb3bc3b3ba /app/serializers
parent: 0cd59a756cdee7aac8915f3e96ba4f065e5cbc9c (diff)
download: gitlab-ce-43830eca33b6be5d59685be5c2f3270ed81bf751.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/app/serializers/issue_entity.rb b/app/serializers/issue_entity.rb
index 36e601f45c5..82139855760 100644
--- a/app/serializers/issue_entity.rb
+++ b/app/serializers/issue_entity.rb
@@ -16,9 +16,14 @@ class IssueEntity < IssuableEntity
   expose :discussion_locked
   expose :assignees, using: API::Entities::UserBasic
   expose :due_date
-  expose :moved_to_id
   expose :project_id
 
+  expose :moved_to_id do |issue|
+    if issue.moved_to_id.present? && can?(request.current_user, :read_issue, issue.moved_to)
+      issue.moved_to_id
+    end
+  end
+
   expose :web_url do |issue|
     project_issue_path(issue.project, issue)
   end
author	Felipe Artur <felipefac@gmail.com>	2019-07-10 17:04:02 -0300
committer	Felipe Artur <felipefac@gmail.com>	2019-07-11 15:03:41 -0300
commit	43830eca33b6be5d59685be5c2f3270ed81bf751 (patch)
tree	0fff8cd8a4120bf8f30421422cc12afb3bc3b3ba /app/serializers
parent	0cd59a756cdee7aac8915f3e96ba4f065e5cbc9c (diff)
download	gitlab-ce-43830eca33b6be5d59685be5c2f3270ed81bf751.tar.gz