API issues - minor cleanup of permission check

Adds `set_issue_updated_at` similar to `set_issue_created_at` permission and cleans up the related permission check in issues API.
author: Jan Provaznik <jprovaznik@gitlab.com> 2019-06-11 23:12:21 +0000
committer: Thong Kuah <tkuah@gitlab.com> 2019-06-11 23:12:21 +0000
commit: a17a15562d7f1ada0ddce1ad3a0369a69a46bcab (patch)
tree: d3fb0512c98bb70a158034e862a3e8e66feec017 /lib
parent: 2a29f910592e82d8f8d108e15497dd2fbbbb07ca (diff)
download: gitlab-ce-a17a15562d7f1ada0ddce1ad3a0369a69a46bcab.tar.gz
1 files changed, 3 insertions, 8 deletions
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 56960a2eb64..039ebf92187 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -252,14 +252,9 @@ module API
         issue = user_project.issues.find_by!(iid: params.delete(:issue_iid))
         authorize! :update_issue, issue
 
-        # Setting updated_at only allowed for admins and owners as well
-        if params[:updated_at].present?
-          if current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner)
-            issue.system_note_timestamp = params[:updated_at]
-          else
-            params.delete(:updated_at)
-          end
-        end
+        # Setting updated_at is allowed only for admins and owners
+        params.delete(:updated_at) unless current_user.can?(:set_issue_updated_at, user_project)
+        issue.system_note_timestamp = params[:updated_at]
 
         update_params = declared_params(include_missing: false).merge(request: request, api: true)
author	Jan Provaznik <jprovaznik@gitlab.com>	2019-06-11 23:12:21 +0000
committer	Thong Kuah <tkuah@gitlab.com>	2019-06-11 23:12:21 +0000
commit	a17a15562d7f1ada0ddce1ad3a0369a69a46bcab (patch)
tree	d3fb0512c98bb70a158034e862a3e8e66feec017 /lib
parent	2a29f910592e82d8f8d108e15497dd2fbbbb07ca (diff)
download	gitlab-ce-a17a15562d7f1ada0ddce1ad3a0369a69a46bcab.tar.gz