Add authorization to Projects::Boards::IssuesController#create action

1 files changed, 5 insertions, 0 deletions

diff --git a/app/controllers/projects/boards/issues_controller.rb b/app/controllers/projects/boards/issues_controller.rb
index 3b1b236a89a..fea7a35232d 100644
--- a/app/controllers/projects/boards/issues_controller.rb
+++ b/app/controllers/projects/boards/issues_controller.rb
@@ -2,6 +2,7 @@ module Projects
   module Boards
     class IssuesController < Boards::ApplicationController
       before_action :authorize_read_issue!, only: [:index]
+      before_action :authorize_create_issue!, only: [:create]
       before_action :authorize_update_issue!, only: [:update]
 
       def index
@@ -52,6 +53,10 @@ module Projects
         return render_403 unless can?(current_user, :read_issue, project)
       end
 
+      def authorize_create_issue!
+        return render_403 unless can?(current_user, :admin_issue, project)
+      end
+
       def authorize_update_issue!
         return render_403 unless can?(current_user, :update_issue, issue)
       end