diff options
| author | Sean McGivern <sean@gitlab.com> | 2018-08-22 13:10:54 +0100 |
|---|---|---|
| committer | Sean McGivern <sean@gitlab.com> | 2018-08-22 14:17:29 +0100 |
| commit | aff7dccc1f13e86b44dfa1530c6b5068dbb18f00 (patch) | |
| tree | 0193754c17b7023499ad4d1cd438cb287547793d /lib/api/issues.rb | |
| parent | b63ed7cff664bc1ee0bf70912fffd4814f757079 (diff) | |
| download | gitlab-ce-aff7dccc1f13e86b44dfa1530c6b5068dbb18f00.tar.gz | |
Use policies to determine if attributes can be set in the API
This is more idiomatic than checking membership explicitly.
Diffstat (limited to 'lib/api/issues.rb')
| -rw-r--r-- | lib/api/issues.rb | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/lib/api/issues.rb b/lib/api/issues.rb index 2d2250acaa2..cedfd2fbaa0 100644 --- a/lib/api/issues.rb +++ b/lib/api/issues.rb @@ -172,11 +172,8 @@ module API authorize! :create_issue, user_project - # Setting created_at time or iid only allowed for admins and project owners - unless current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner) - params.delete(:created_at) - params.delete(:iid) - end + params.delete(:created_at) unless current_user.can?(:set_issue_created_at, user_project) + params.delete(:iid) unless current_user.can?(:set_issue_iid, user_project) issue_params = declared_params(include_missing: false) |