Improve permissions checks for feature flag issue links

Use Ability interface

Improve permissions checks for feature flag issue links
Use Ability interface
b847affa · Jason Goodman · cd9838f8 · b847affa · b847affa
Commit b847affa authored Jun 30, 2020 by Jason Goodman
2 changed files
--- a/ee/app/services/feature_flag_issues/create_service.rb
+++ b/ee/app/services/feature_flag_issues/create_service.rb
@@ -7,7 +7,7 @@ module FeatureFlagIssues
    end

    def linkable_issuables(issues)
-      issues.select { |issue| can?(current_user, :read_issue, issue) }
+      Ability.issues_readable_by_user(issues, current_user)
    end

    def relate_issuables(referenced_issue)

--- a/ee/spec/controllers/projects/feature_flag_issues_controller_spec.rb
+++ b/ee/spec/controllers/projects/feature_flag_issues_controller_spec.rb
@@ -323,8 +323,8 @@ RSpec.describe Projects::FeatureFlagIssuesController do
    it 'does not create a link when the user cannot read the issue' do
      feature_flag, issue = setup
      sign_in(developer)
-      allow(Ability).to receive(:allowed?).and_call_original
-      allow(Ability).to receive(:allowed?).with(developer, :read_issue, issue).and_return(false)
+      allow(Ability).to receive(:issues_readable_by_user).and_call_original
+      allow(Ability).to receive(:issues_readable_by_user).with([issue], developer).and_return([])

      post_request(project, feature_flag, issue)