1 files changed, 11 insertions, 11 deletions

diff --git a/app/controllers/projects/todos_controller.rb b/app/controllers/projects/todos_controller.rb
index 648d42c56c5..23868d986e9 100644
--- a/app/controllers/projects/todos_controller.rb
+++ b/app/controllers/projects/todos_controller.rb
@@ -1,18 +1,12 @@
 class Projects::TodosController < Projects::ApplicationController
-  def create
-    todos = TodoService.new.mark_todo(issuable, current_user)
-
-    render json: {
-      todo: todos,
-      count: current_user.todos_pending_count,
-    }
-  end
+  before_action :authenticate_user!, only: [:create]
 
-  def update
-    current_user.todos.find_by_id(params[:id]).update(state: :done)
+  def create
+    todo = TodoService.new.mark_todo(issuable, current_user)
 
     render json: {
       count: current_user.todos_pending_count,
+      delete_path: dashboard_todo_path(todo)
     }
   end
 
@@ -22,7 +16,13 @@ class Projects::TodosController < Projects::ApplicationController
     @issuable ||= begin
       case params[:issuable_type]
       when "issue"
-        @project.issues.find(params[:issuable_id])
+        issue = @project.issues.find(params[:issuable_id])
+
+        if can?(current_user, :read_issue, issue)
+          issue
+        else
+          render_404
+        end
       when "merge_request"
         @project.merge_requests.find(params[:issuable_id])
       end