Dont allow set assignee, milestone or labels if user is guest

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

app/services/issuable_base_service.rb

@@ -26,4 +26,18 @@ class IssuableBaseService < BaseService
       issuable, issuable.project, current_user, branch_type,
       old_branch, new_branch)
   end
+
+  def filter_params
+    unless can?(current_user, :set_milestone, project)
+      params.delete(:milestone_id)
+    end
+
+    unless can?(current_user, :set_label, project)
+      params.delete(:label_ids)
+    end
+
+    unless can?(current_user, :set_assignee, project)
+      params.delete(:assignee_id)
+    end
+  end
 end

app/services/issues/create_service.rb

 module Issues
   class CreateService < Issues::BaseService
     def execute
+      filter_params
       label_params = params[:label_ids]
       issue = project.issues.new(params.except(:label_ids))
       issue.author = current_user

app/services/issues/update_service.rb

@@ -17,6 +17,7 @@ module Issues
       params[:assignee_id]  = "" if params[:assignee_id] == IssuableFinder::NONE
       params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
 
+      filter_params
       old_labels = issue.labels.to_a
 
       if params.present? && issue.update_attributes(params.except(:state_event,

app/services/merge_requests/create_service.rb

 module MergeRequests
   class CreateService < MergeRequests::BaseService
     def execute
+      filter_params
       label_params = params[:label_ids]
       merge_request = MergeRequest.new(params.except(:label_ids))
       merge_request.source_project = project

app/services/merge_requests/update_service.rb

@@ -27,6 +27,7 @@ module MergeRequests
       params[:assignee_id]  = "" if params[:assignee_id] == IssuableFinder::NONE
       params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
 
+      filter_params
       old_labels = merge_request.labels.to_a
 
       if params.present? && merge_request.update_attributes(