diff options
| author | Rémy Coutable <remy@rymai.me> | 2018-08-28 09:59:34 +0000 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2018-08-28 09:59:34 +0000 |
| commit | 3b9eb5631fa17bbf525b5e869d8e36665638cd5a (patch) | |
| tree | f68e1f71a10d071a10a5dda577f15da249ab4c09 /lib | |
| parent | e78f5bf8d67b6c37266dc486bc645e209384087f (diff) | |
| parent | 0f269f9c99e72e082fef6283387366b2831702d8 (diff) | |
| download | gitlab-ce-3b9eb5631fa17bbf525b5e869d8e36665638cd5a.tar.gz | |
Merge branch 'fldubois/gitlab-ce-fix-api-group-createdat' into 'master'
Allow date parameters on Issues, Notes, and Discussions API for group owners
Closes #40059
See merge request gitlab-org/gitlab-ce!21342
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/helpers/notes_helpers.rb | 5 | ||||
| -rw-r--r-- | lib/api/issues.rb | 11 |
2 files changed, 5 insertions, 11 deletions
diff --git a/lib/api/helpers/notes_helpers.rb b/lib/api/helpers/notes_helpers.rb index e2984b08eca..7b1f5c2584b 100644 --- a/lib/api/helpers/notes_helpers.rb +++ b/lib/api/helpers/notes_helpers.rb @@ -92,10 +92,7 @@ module API parent = noteable_parent(noteable) - if opts[:created_at] - opts.delete(:created_at) unless - current_user.admin? || parent.owned_by?(current_user) - end + opts.delete(:created_at) unless current_user.can?(:set_note_created_at, policy_object) opts[:updated_at] = opts[:created_at] if opts[:created_at] diff --git a/lib/api/issues.rb b/lib/api/issues.rb index bda05d1795b..cedfd2fbaa0 100644 --- a/lib/api/issues.rb +++ b/lib/api/issues.rb @@ -172,11 +172,8 @@ module API authorize! :create_issue, user_project - # Setting created_at time or iid only allowed for admins and project owners - unless current_user.admin? || user_project.owner == current_user - params.delete(:created_at) - params.delete(:iid) - end + params.delete(:created_at) unless current_user.can?(:set_issue_created_at, user_project) + params.delete(:iid) unless current_user.can?(:set_issue_iid, user_project) issue_params = declared_params(include_missing: false) @@ -216,8 +213,8 @@ module API issue = user_project.issues.find_by!(iid: params.delete(:issue_iid)) authorize! :update_issue, issue - # Setting created_at time only allowed for admins and project owners - unless current_user.admin? || user_project.owner == current_user + # Setting created_at time only allowed for admins and project/group owners + unless current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner) params.delete(:updated_at) end |