From 1cc914f25ac6283e375c6e02c5e8f015640e5b21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20D=C3=A1vila?=
Date: Fri, 4 Mar 2016 15:56:15 -0500
Subject: [PATCH] Show Edit link on sidebar only if current user can update the Issue/MR
---
 CHANGELOG | 1 +
 app/helpers/issuables_helper.rb | 6 ++++++
 app/views/shared/issuable/_sidebar.html.haml | 6 +++---
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 8692f61fe367..fbacf0b6f102 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -12,6 +12,7 @@ v 8.6.0 (unreleased)
 - Allow search for logged out users
 - Don't show Issues/MRs from archived projects in Groups view
 - Increase the notes polling timeout over time (Roberto Dip)
+ - Fix: Show Edit link on sidebar only if current user can update the Issue/MR

 v 8.5.4
 - Do not cache requests for badges (including builds badge)
diff --git a/app/helpers/issuables_helper.rb b/app/helpers/issuables_helper.rb
index 91a3aa371ef5..b2ce63edfffe 100644
--- a/app/helpers/issuables_helper.rb
+++ b/app/helpers/issuables_helper.rb
@@ -20,6 +20,12 @@ def prev_issuable_for(issuable)
 base_issuable_scope(issuable).where('iid < ?', issuable.iid).first
 end

+ def can_update_issuable?(issuable)
+ return false unless current_user
+
+ can?(current_user, :"update_#{issuable.to_ability_name}", issuable)
+ end
+
 private

 def sidebar_gutter_collapsed?
diff --git a/app/views/shared/issuable/_sidebar.html.haml b/app/views/shared/issuable/_sidebar.html.haml
index 36f063778869..51695d22831f 100644
--- a/app/views/shared/issuable/_sidebar.html.haml
+++ b/app/views/shared/issuable/_sidebar.html.haml
@@ -30,7 +30,7 @@
 .title.hide-collapsed
 %label
 Assignee
- - if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
+ - if can_update_issuable?(issuable)
 .pull-right
 = link_to 'Edit', '#', class: 'edit-link'
 .value.hide-collapsed
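Review bot: `can_update_issuable?` is added to the helper without a comment, and a reader should be told that it only decides what the view renders, not whether an update is allowed. I would put `# Display gate for sidebar edit controls; the update action must authorize :update_<issuable> itself.` directly above the `def`. The explicit `return false unless current_user` suggests `can?` is not expected to handle an anonymous user here; if that is the reason, the same comment should say so. The enclosing helper module starts and ends outside the hunk.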
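Review bot: The condition on the Assignee block changes both the ability and its subject, from `admin_*` on `@project` to `update_*` on the issuable, so the Edit link may now be rendered for users who can update the issue or merge request without administering it in the project; the Milestone and Labels hunks at -56 and -81 make the same change. The code that applies assignee, milestone and label changes is not part of this patch, so confirm it authorizes against the same `update_*` ability. If it still requires `admin_*`, these users get a link whose edit is rejected or dropped, and in any case hiding the link must not be the only barrier. A HAML comment on the first occurrence, such as `-# Visibility only; the update endpoint enforces the permission.`, would record that. The surrounding sidebar markup starts and ends outside each hunk.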
@@ -56,7 +56,7 @@
 .title.hide-collapsed
 %label
 Milestone
- - if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
+ - if can_update_issuable?(issuable)
 .pull-right
 = link_to 'Edit', '#', class: 'edit-link'
 .value.hide-collapsed
@@ -81,7 +81,7 @@
 = issuable.labels.count
 .title.hide-collapsed
 %label Labels
- - if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
+ - if can_update_issuable?(issuable)
 .pull-right
 = link_to 'Edit', '#', class: 'edit-link'
 .value.issuable-show-labels.hide-collapsed
--
GitLab