diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6e727ca7b56..b4a9adb5ffc 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -246,20 +246,16 @@ class Ability
 [:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
 define_method "#{name}_abilities" do |user, subject|
- if subject.author == user || user.is_admin?
- rules = [
- :"read_#{name}",
- :"write_#{name}",
- :"modify_#{name}",
- :"admin_#{name}"
- ]
- rules.push(:change_visibility_level) if subject.is_a?(Snippet)
- rules
- elsif subject.respond_to?(:assignee) && subject.assignee == user
+ if user.is_admin?
 [
 :"read_#{name}",
- :"write_#{name}",
- :"modify_#{name}",
+ :"update_#{name}",
+ :"admin_#{name}"
+ ]
+ elsif subject.author == user || (subject.respond_to?(:assignee) && subject.assignee == user)
+ [
+ :"read_#{name}",
+ :"update_#{name}",
 ]
 else
 if subject.respond_to?(:project) && subject.project
@@ -299,8 +295,8 @@ class Ability
 def named_abilities(name)
 [
 :"read_#{name}",
- :"write_#{name}",
- :"modify_#{name}",
+ :"create_#{name}",
+ :"update_#{name}",
 :"admin_#{name}"
 ]
 end
diff --git a/app/services/update_snippet_service.rb b/app/services/update_snippet_service.rb
index 9d181c2d2ab..e9328bb7323 100644
--- a/app/services/update_snippet_service.rb
+++ b/app/services/update_snippet_service.rb
@@ -9,9 +9,9 @@ class UpdateSnippetService < BaseService
 def execute
 # check that user is allowed to set specified visibility_level
 new_visibility = params[:visibility_level]
+
 if new_visibility && new_visibility.to_i != snippet.visibility_level
- unless can?(current_user, :change_visibility_level, snippet) &&
- Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
+ unless Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
 deny_visibility_level(snippet, new_visibility)
 return snippet
 end
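Review bot: The new `elsif subject.author == user || (subject.respond_to?(:assignee) && subject.assignee == user)` branch returns the `read_`/`update_` rules before the `else` branch that consults `subject.project`, so authorship or assignment alone grants them with no project-level check. If a user can remain author or assignee after losing access to the project, those rules would presumably persist; that may be intended, but nothing in the hunk says so. I would either combine this branch with the project-derived rules or record the decision in a comment such as `# author/assignee rules intentionally skip the project lookup below`. The body of the `else` branch and the end of the `define_method` block are outside the hunk.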
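Review bot: With the `can?(current_user, :change_visibility_level, snippet)` clause removed, the only condition left on a visibility change in `execute` is `Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)`, which receives the user and the level but not the snippet. Nothing visible in this method now ties the change to the user's rights on this particular snippet, so the service relies on every caller having authorized the update beforehand. If that is the contract, state it above `execute`, e.g. `# Callers must already have authorized current_user to update this snippet`. Otherwise keep an object-level `can?` check here, using one of the `update_*_snippet` abilities that the ability.rb change still generates. The rest of `execute` lies outside the hunk.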