Merge branch 'prevent_authored_awardable_votes' into 'master'

prevent authored awardable thumbs votes ## What does this MR do? This MR should prevent users from upvoting or downvoting issues/merge requests/notes authored by them. ## What are the relevant issue numbers? Closes #20913 See merge request !5841
author: Robert Speicher <robert@gitlab.com> 2016-08-30 22:32:17 +0000
committer: Robert Speicher <robert@gitlab.com> 2016-08-30 22:32:17 +0000
commit: b8d44c4c4d7cb252ee39be9dceb657d3e5522ed1 (patch)
tree: 1d252bf2161d36e79723a743199a4ec05f2ac707 /lib
parent: 7dd97cff3448b6b5d081829e782823113c2db91f (diff)
parent: 5c5d13c42d152ba58818a572a51e796cba4a281d (diff)
download: gitlab-ce-b8d44c4c4d7cb252ee39be9dceb657d3e5522ed1.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/api/award_emoji.rb b/lib/api/award_emoji.rb
index 2efe7e3adf3..7c22b17e4e5 100644
--- a/lib/api/award_emoji.rb
+++ b/lib/api/award_emoji.rb
@@ -54,7 +54,7 @@ module API
           post endpoint do
             required_attributes! [:name]
 
-            not_found!('Award Emoji') unless can_read_awardable?
+            not_found!('Award Emoji') unless can_read_awardable? && can_award_awardable?
 
             award = awardable.create_award_emoji(params[:name], current_user)
 
@@ -92,6 +92,10 @@ module API
         can?(current_user, ability, awardable)
       end
 
+      def can_award_awardable?
+        awardable.user_can_award?(current_user, params[:name])
+      end
+
       def awardable
         @awardable ||=
           begin
author	Robert Speicher <robert@gitlab.com>	2016-08-30 22:32:17 +0000
committer	Robert Speicher <robert@gitlab.com>	2016-08-30 22:32:17 +0000
commit	b8d44c4c4d7cb252ee39be9dceb657d3e5522ed1 (patch)
tree	1d252bf2161d36e79723a743199a4ec05f2ac707 /lib
parent	7dd97cff3448b6b5d081829e782823113c2db91f (diff)
parent	5c5d13c42d152ba58818a572a51e796cba4a281d (diff)
download	gitlab-ce-b8d44c4c4d7cb252ee39be9dceb657d3e5522ed1.tar.gz