From aff7dccc1f13e86b44dfa1530c6b5068dbb18f00 Mon Sep 17 00:00:00 2001
From: Sean McGivern
Date: Wed, 22 Aug 2018 13:10:54 +0100
Subject: Use policies to determine if attributes can be set in the API This is more idiomatic than checking membership explicitly.
---
 app/policies/group_policy.rb | 2 ++
 app/policies/project_policy.rb | 4 ++++
 2 files changed, 6 insertions(+)
(limited to 'app/policies')
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index a8d7a05f509..bb800929ea9 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -72,6 +72,8 @@ class GroupPolicy < BasePolicy
 enable :admin_namespace
 enable :admin_group_member
 enable :change_visibility_level
+
+ enable :set_note_created_at
 end
 rule { can?(:read_nested_project_resources) }.policy do
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 00c58f15013..fd6cc504a3b 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -143,6 +143,10 @@ class ProjectPolicy < BasePolicy
 enable :destroy_merge_request
 enable :destroy_issue
 enable :remove_pages
+
+ enable :set_issue_iid
+ enable :set_issue_created_at
+ enable :set_note_created_at
 end
 rule { can?(:guest_access) }.policy do
-- cgit v1.2.1
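Review bot: `enable :set_note_created_at` is added without a comment, and the same goes for the three `set_*` abilities added in the project_policy.rb hunk. These abilities decide who may supply record timestamps and issue IIDs through the API, which bears on how far timelines can be trusted during an audit or incident review. A short comment above the line would make that intent visible, for example `# Allows API callers to supply created_at on notes; keep restricted to this rule`. The rule block's opening line is outside the hunk, so the role that gains the ability cannot be confirmed from here; the neighbouring `admin_namespace` and `admin_group_member` lines suggest it is the owner rule.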
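Review bot: The commit message says these abilities replace an explicit membership check, but nothing visible here pins that the policy rule grants `:set_issue_iid`, `:set_issue_created_at` and `:set_note_created_at` to exactly the same set of users; the rule's condition is outside the hunk and the diff is limited to app/policies, so the API call sites and any specs are not shown. If no such spec exists, a policy spec should assert that the three abilities are allowed for the intended role and disallowed for every lower role, so that a later edit to this block cannot silently widen who can back-date or renumber issues. It is also worth confirming that each endpoint drops or rejects the `iid` and `created_at` parameters when `can?` returns false, since a policy entry has no effect until the endpoint consults it.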