Merge branch 'rs-issue-2092' into 'master'

Dynamically check `:admin_*` ability in two more spots.

Closes #2092 

Depends on !1037 

See merge request !1042

6 files changed, 27 insertions, 5 deletions

diff --git a/app/models/concerns/issuable.rb b/app/models/concerns/issuable.rb
index 97846b06d72..c21e7fd0e3b 100644
--- a/app/models/concerns/issuable.rb
+++ b/app/models/concerns/issuable.rb
@@ -159,6 +159,16 @@ module Issuable
     end
   end
 
+  # Convert this Issuable class name to a format usable by Ability definitions
+  #
+  # Examples:
+  #
+  #   issuable.class           # => MergeRequest
+  #   issuable.to_ability_name # => "merge_request"
+  def to_ability_name
+    self.class.to_s.underscore
+  end
+
   private
 
   def filter_superceded_votes(votes, notes)
diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index f1ef5ca84fe..15b3825f96a 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -27,8 +27,10 @@ class IssuableBaseService < BaseService
       old_branch, new_branch)
   end
 
-  def filter_params
-    unless can?(current_user, :admin_issue, project)
+  def filter_params(issuable_ability_name = :issue)
+    ability = :"admin_#{issuable_ability_name}"
+
+    unless can?(current_user, ability, project)
       params.delete(:milestone_id)
       params.delete(:label_ids)
       params.delete(:assignee_id)
diff --git a/app/services/issues/base_service.rb b/app/services/issues/base_service.rb
index c3ca04a4343..770f32de944 100644
--- a/app/services/issues/base_service.rb
+++ b/app/services/issues/base_service.rb
@@ -10,6 +10,10 @@ module Issues
 
     private
 
+    def filter_params
+      super(:issue)
+    end
+
     def execute_hooks(issue, action = 'open')
       issue_data = hook_data(issue, action)
       issue.project.execute_hooks(issue_data, :issue_hooks)
diff --git a/app/services/merge_requests/base_service.rb b/app/services/merge_requests/base_service.rb
index e455fe95791..7b306a8a531 100644
--- a/app/services/merge_requests/base_service.rb
+++ b/app/services/merge_requests/base_service.rb
@@ -20,5 +20,11 @@ module MergeRequests
         merge_request.project.execute_services(merge_data, :merge_request_hooks)
       end
     end
+
+    private
+
+    def filter_params
+      super(:merge_request)
+    end
   end
 end
diff --git a/app/views/shared/issuable/_context.html.haml b/app/views/shared/issuable/_context.html.haml
index d1bd5ef968d..19e8c31975b 100644
--- a/app/views/shared/issuable/_context.html.haml
+++ b/app/views/shared/issuable/_context.html.haml
@@ -8,7 +8,7 @@
       - else
         none
     .issuable-context-selectbox
-      - if can?(current_user, :"admin_#{issuable.class.to_s.underscore}", @project)
+      - if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
         = users_select_tag("#{issuable.class.table_name.singularize}[assignee_id]", placeholder: 'Select assignee', class: 'custom-form-control js-select2 js-assignee', selected: issuable.assignee_id, project: @target_project, null_user: true)
 
   %div.prepend-top-20.clearfix
@@ -24,7 +24,7 @@
       - else
         none
     .issuable-context-selectbox
-      - if can?(current_user, :"admin_#{issuable.class.to_s.underscore}", @project)
+      - if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
         = f.select(:milestone_id, milestone_options(issuable), { include_blank: 'Select milestone' }, {class: 'select2 select2-compact js-select2 js-milestone'})
         = hidden_field_tag :issuable_context
         = f.submit class: 'btn hide'
diff --git a/app/views/shared/issuable/_form.html.haml b/app/views/shared/issuable/_form.html.haml
index e434e1b6b98..8cc0b517cd2 100644
--- a/app/views/shared/issuable/_form.html.haml
+++ b/app/views/shared/issuable/_form.html.haml
@@ -38,7 +38,7 @@
       .clearfix
       .error-alert
   %hr
-- if can?(current_user, :admin_issue, @project)
+- if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
   .form-group
     .issue-assignee
       = f.label :assignee_id, class: 'control-label' do