From aff7dccc1f13e86b44dfa1530c6b5068dbb18f00 Mon Sep 17 00:00:00 2001
From: Sean McGivern <sean@gitlab.com>
Date: Wed, 22 Aug 2018 13:10:54 +0100
Subject: Use policies to determine if attributes can be set in the API

This is more idiomatic than checking membership explicitly.
---
 lib/api/helpers/notes_helpers.rb | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

(limited to 'lib/api/helpers')

diff --git a/lib/api/helpers/notes_helpers.rb b/lib/api/helpers/notes_helpers.rb
index 7885e3fa1e1..7b1f5c2584b 100644
--- a/lib/api/helpers/notes_helpers.rb
+++ b/lib/api/helpers/notes_helpers.rb
@@ -92,10 +92,7 @@ module API
 
         parent = noteable_parent(noteable)
 
-        if opts[:created_at]
-          opts.delete(:created_at) unless
-            (current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner))
-        end
+        opts.delete(:created_at) unless current_user.can?(:set_note_created_at, policy_object)
 
         opts[:updated_at] = opts[:created_at] if opts[:created_at]
 
-- 
cgit v1.2.1