Merge branch 'feature-jp-issue-permission' into 'master'

API issues - minor cleanup of permission check See merge request gitlab-org/gitlab-ce!29423

Merge branch 'feature-jp-issue-permission' into 'master'
API issues - minor cleanup of permission check See merge request gitlab-org/gitlab-ce!29423
f4cb71d3 · Thong Kuah · 2a29f910 · a17a1556 · f4cb71d3 · f4cb71d3
Commit f4cb71d3 authored Jun 11, 2019 by Thong Kuah
4 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -164,6 +164,7 @@ class ProjectPolicy < BasePolicy

    enable :set_issue_iid
    enable :set_issue_created_at
+    enable :set_issue_updated_at
    enable :set_note_created_at
  end


--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -252,14 +252,9 @@ module API
        issue = user_project.issues.find_by!(iid: params.delete(:issue_iid))
        authorize! :update_issue, issue

-        # Setting updated_at only allowed for admins and owners as well
-        if params[:updated_at].present?
-          if current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner)
-            issue.system_note_timestamp = params[:updated_at]
-          else
-            params.delete(:updated_at)
-          end
-        end
+        # Setting updated_at is allowed only for admins and owners
+        params.delete(:updated_at) unless current_user.can?(:set_issue_updated_at, user_project)
+        issue.system_note_timestamp = params[:updated_at]

        update_params = declared_params(include_missing: false).merge(request: request, api: true)


--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -66,7 +66,7 @@ describe ProjectPolicy do
    %i[
      change_namespace change_visibility_level rename_project remove_project
      archive_project remove_fork_project destroy_merge_request destroy_issue
-      set_issue_iid set_issue_created_at set_note_created_at
+      set_issue_iid set_issue_created_at set_issue_updated_at set_note_created_at
    ]
  end


--- a/spec/support/shared_contexts/policies/project_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
@@ -64,7 +64,7 @@ RSpec.shared_context 'ProjectPolicy context' do
    %i[
      change_namespace change_visibility_level rename_project remove_project
      archive_project remove_fork_project destroy_merge_request destroy_issue
-      set_issue_iid set_issue_created_at set_note_created_at
+      set_issue_iid set_issue_created_at set_issue_updated_at set_note_created_at
    ]
  end