Commit b847affa authored by Jason Goodman

Improve permissions checks for feature flag issue links

Use Ability interface
parent cd9838f8
...@@ -7,7 +7,7 @@ module FeatureFlagIssues ...@@ -7,7 +7,7 @@ module FeatureFlagIssues
end end
def linkable_issuables(issues) def linkable_issuables(issues)
issues.select { |issue| can?(current_user, :read_issue, issue) } Ability.issues_readable_by_user(issues, current_user)
end end
def relate_issuables(referenced_issue) def relate_issuables(referenced_issue)
......
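Review bot: In `linkable_issuables`, nothing documents whether `Ability.issues_readable_by_user(issues, current_user)` is expected to return the same set of issues as the per-issue `can?(current_user, :read_issue, issue)` check it replaces, and the commit message says only "Use Ability interface". Since this method decides which issues may be linked to a feature flag, please add a short comment or extend the commit message to state the intended equivalence (or the intended difference), and say whether callers such as `relate_issuables` depend on the result being a plain Array, which `select` guaranteed.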
...@@ -323,8 +323,8 @@ RSpec.describe Projects::FeatureFlagIssuesController do ...@@ -323,8 +323,8 @@ RSpec.describe Projects::FeatureFlagIssuesController do
it 'does not create a link when the user cannot read the issue' do it 'does not create a link when the user cannot read the issue' do
feature_flag, issue = setup feature_flag, issue = setup
sign_in(developer) sign_in(developer)
allow(Ability).to receive(:allowed?).and_call_original allow(Ability).to receive(:issues_readable_by_user).and_call_original
allow(Ability).to receive(:allowed?).with(developer, :read_issue, issue).and_return(false) allow(Ability).to receive(:issues_readable_by_user).with([issue], developer).and_return([])
post_request(project, feature_flag, issue) post_request(project, feature_flag, issue)
......
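Review bot: The stub `.with([issue], developer).and_return([])` only matches when the code under test passes exactly a one-element array holding `issue`; with `and_call_original` set on the line above, any other argument shape falls through to the real implementation and the example then passes or fails on the developer's actual permissions rather than on the stubbed denial. Stubbing `Ability` also means this spec no longer exercises the real permission check that the commit is changing. Consider setting up an issue the developer genuinely cannot read and asserting that no link is created, or at least asserting with `have_received(:issues_readable_by_user).with([issue], developer)` so that a mismatch in arguments fails loudly.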