Commit fbae63a9 authored by Jarka Kadlecová's avatar Jarka Kadlecová

reorganise authorization checks

parent 55607e49
...@@ -2,13 +2,19 @@ module API ...@@ -2,13 +2,19 @@ module API
class EpicIssues < Grape::API class EpicIssues < Grape::API
before do before do
authenticate! authenticate!
authorize_can_admin! authorize_epics!
end end
helpers do helpers do
def authorize_epics!
forbidden! unless user_group.feature_available?(:epics)
end
def authorize_can_admin! def authorize_can_admin!
forbidden! unless user_group.feature_available?(:epics) # TODO: check for group feature instead
authorize!(:admin_epic, epic) authorize!(:admin_epic, epic)
end
def check_epic_link!
forbidden! if link.epic != epic forbidden! if link.epic != epic
end end
...@@ -34,6 +40,9 @@ module API ...@@ -34,6 +40,9 @@ module API
requires :position, type: Integer, desc: 'The new position of the issue in the epic (index starting with 0)' requires :position, type: Integer, desc: 'The new position of the issue in the epic (index starting with 0)'
end end
put ':id/-/epics/:epic_iid/issues/:epic_issue_id' do put ':id/-/epics/:epic_iid/issues/:epic_issue_id' do
authorize_can_admin!
check_epic_link!
result = ::EpicIssues::UpdateService.new(link, current_user, { position: params[:position].to_i }).execute result = ::EpicIssues::UpdateService.new(link, current_user, { position: params[:position].to_i }).execute
# For now we return empty body # For now we return empty body
......