API Issue creation not allowing created_at for group owners
Summary
Unable to set the created_at
field when creating an issue for a project within a group.
Steps to reproduce
- Create a group and project
- Add a user to the group as an owner (non-admin user)
- Attempt to create an issue in the project with
created_at
field
curl -X POST -H token "http://gitlab/api/v4/projects/89/issues" -H "Content-Type: application/json" -d '{"title":"stable", "created_at" : "2016-03-11T03:45:40Z2016-03-11T03:45:40Z"}' | jq .created_at
"2018-07-18T10:26:10.302-06:00"
Issue seems to stem from: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/api/issues.rb#L173
unless current_user.admin? || user_project.owner == current_user
params.delete(:created_at)
end
Project's in groups link their owner to the parent group:
user_project = Project.find <project_id>
=> #<Project id:89 project/project>
current_user = User.find_by username: 'user'
=> #<User id:7 @user>
user_project.owner == current_user
=> false
user_project.owner
=> #<Group id:60 @project>
# Potential Solution?
current_user.owned_projects.include? user_project
=> true
What is the current bug behavior?
created_at
is ignored for non-admins for projects in groups.
What is the expected correct behavior?
Group ownership should be respected in group projects. Able to use the created_at
Possible fixes
unless current_user.admin? || current_user.owned_projects.include?(user_project)
params.delete(:created_at)
end