From aff7dccc1f13e86b44dfa1530c6b5068dbb18f00 Mon Sep 17 00:00:00 2001
From: Sean McGivern <sean@gitlab.com>
Date: Wed, 22 Aug 2018 13:10:54 +0100
Subject: Use policies to determine if attributes can be set in the API

This is more idiomatic than checking membership explicitly.
---
 lib/api/issues.rb | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

(limited to 'lib/api/issues.rb')

diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 2d2250acaa2..cedfd2fbaa0 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -172,11 +172,8 @@ module API
 
         authorize! :create_issue, user_project
 
-        # Setting created_at time or iid only allowed for admins and project owners
-        unless current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner)
-          params.delete(:created_at)
-          params.delete(:iid)
-        end
+        params.delete(:created_at) unless current_user.can?(:set_issue_created_at, user_project)
+        params.delete(:iid) unless current_user.can?(:set_issue_iid, user_project)
 
         issue_params = declared_params(include_missing: false)
 
-- 
cgit v1.2.1