Allow date parameters on Issues and Notes API for group owners

- Allow `created_at` and `updated_at` parameters on Issues API - Allow `created_at` on Issue Notes API Closes gitlab-org/gitlab-ce#40059
author: Florent Dubois <florent.dubois@devaddict.io> 2017-12-06 12:07:08 +0100
committer: Sean McGivern <sean@gitlab.com> 2018-08-22 12:16:48 +0100
commit: b63ed7cff664bc1ee0bf70912fffd4814f757079 (patch)
tree: 241982a476e831b971121e66b47348dc370c0b34
parent: 1c95c5ec867b31389b513bd09a9cadc5f3fb6836 (diff)
download: gitlab-ce-b63ed7cff664bc1ee0bf70912fffd4814f757079.tar.gz
5 files changed, 11 insertions, 6 deletions
diff --git a/changelogs/unreleased/fix-api-group-createdat.yml b/changelogs/unreleased/fix-api-group-createdat.yml
new file mode 100644
index 00000000000..cec651b47da
--- /dev/null
+++ b/changelogs/unreleased/fix-api-group-createdat.yml
@@ -0,0 +1,5 @@
+---
+title: Allow date parameters on Issues and Notes API for group owners
+merge_request:
+author: Florent Dubois
+type: fixed
diff --git a/doc/api/issues.md b/doc/api/issues.md
index 103eaa5655f..f4c0f4ea65b 100644
--- a/doc/api/issues.md
+++ b/doc/api/issues.md
@@ -470,7 +470,7 @@ POST /projects/:id/issues
 | `assignee_ids`                            | Array[integer] | no       | The ID of the users to assign issue |
 | `milestone_id`                            | integer | no       | The global ID of a milestone to assign issue  |
 | `labels`                                  | string  | no       | Comma-separated label names for an issue  |
-| `created_at`                              | string  | no       | Date time string, ISO 8601 formatted, e.g. `2016-03-11T03:45:40Z` (requires admin or project owner rights) |
+| `created_at`                              | string  | no       | Date time string, ISO 8601 formatted, e.g. `2016-03-11T03:45:40Z` (requires admin or project/group owner rights) |
 | `due_date`                                | string  | no       | Date time string in the format YEAR-MONTH-DAY, e.g. `2016-03-11` |
 | `merge_request_to_resolve_discussions_of` | integer | no       | The IID of a merge request in which to resolve all issues. This will fill the issue with a default description and mark all discussions as resolved. When passing a description or title, these values will take precedence over the default values.|
 | `discussion_to_resolve`                   | string  | no       | The ID of a discussion to resolve. This will fill in the issue with a default description and mark the discussion as resolved. Use in combination with `merge_request_to_resolve_discussions_of`. |
diff --git a/doc/api/notes.md b/doc/api/notes.md
index c271d46688f..44940bdd9e5 100644
--- a/doc/api/notes.md
+++ b/doc/api/notes.md
@@ -100,7 +100,7 @@ Parameters:
 - `id` (required) - The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding)
 - `issue_id` (required) - The IID of an issue
 - `body` (required) - The content of a note
-- `created_at` (optional) - Date time string, ISO 8601 formatted, e.g. 2016-03-11T03:45:40Z
+- `created_at` (optional) - Date time string, ISO 8601 formatted, e.g. 2016-03-11T03:45:40Z (requires admin or project/group owner rights)
 
 ```bash
 curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/5/issues/11/notes?body=note
diff --git a/lib/api/helpers/notes_helpers.rb b/lib/api/helpers/notes_helpers.rb
index e2984b08eca..7885e3fa1e1 100644
--- a/lib/api/helpers/notes_helpers.rb
+++ b/lib/api/helpers/notes_helpers.rb
@@ -94,7 +94,7 @@ module API
 
         if opts[:created_at]
           opts.delete(:created_at) unless
-            current_user.admin? || parent.owned_by?(current_user)
+            (current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner))
         end
 
         opts[:updated_at] = opts[:created_at] if opts[:created_at]
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index bda05d1795b..2d2250acaa2 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -173,7 +173,7 @@ module API
         authorize! :create_issue, user_project
 
         # Setting created_at time or iid only allowed for admins and project owners
-        unless current_user.admin? || user_project.owner == current_user
+        unless current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner)
           params.delete(:created_at)
           params.delete(:iid)
         end
@@ -216,8 +216,8 @@ module API
         issue = user_project.issues.find_by!(iid: params.delete(:issue_iid))
         authorize! :update_issue, issue
 
-        # Setting created_at time only allowed for admins and project owners
-        unless current_user.admin? || user_project.owner == current_user
+        # Setting created_at time only allowed for admins and project/group owners
+        unless current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner)
           params.delete(:updated_at)
         end
author	Florent Dubois <florent.dubois@devaddict.io>	2017-12-06 12:07:08 +0100
committer	Sean McGivern <sean@gitlab.com>	2018-08-22 12:16:48 +0100
commit	b63ed7cff664bc1ee0bf70912fffd4814f757079 (patch)
tree	241982a476e831b971121e66b47348dc370c0b34
parent	1c95c5ec867b31389b513bd09a9cadc5f3fb6836 (diff)
download	gitlab-ce-b63ed7cff664bc1ee0bf70912fffd4814f757079.tar.gz