Show Edit link on sidebar only if current user can update the Issue/MR

CHANGELOG

@@ -12,6 +12,7 @@ v 8.6.0 (unreleased)
   - Allow search for logged out users
   - Don't show Issues/MRs from archived projects in Groups view
   - Increase the notes polling timeout over time (Roberto Dip)
+  - Fix: Show Edit link on sidebar only if current user can update the Issue/MR
 v 8.5.4
   - Do not cache requests for badges (including builds badge)

app/helpers/issuables_helper.rb

@@ -20,6 +20,12 @@ module IssuablesHelper
     base_issuable_scope(issuable).where('iid < ?', issuable.iid).first
   end
+  def can_update_issuable?(issuable)
+    return false unless current_user
+
+    can?(current_user, :"update_#{issuable.to_ability_name}", issuable)
+  end
+
   private
   def sidebar_gutter_collapsed?

app/views/shared/issuable/_sidebar.html.haml

@@ -30,7 +30,7 @@
         .title.hide-collapsed
           %label
             Assignee
-          - if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
+          - if can_update_issuable?(issuable)
             .pull-right
               = link_to 'Edit', '#', class: 'edit-link'
         .value.hide-collapsed
@@ -56,7 +56,7 @@
         .title.hide-collapsed
           %label
             Milestone
-          - if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
+          - if can_update_issuable?(issuable)
             .pull-right
               = link_to 'Edit', '#', class: 'edit-link'
         .value.hide-collapsed
@@ -81,7 +81,7 @@
               = issuable.labels.count
           .title.hide-collapsed
             %label Labels
-            - if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
+            - if can_update_issuable?(issuable)
               .pull-right
                 = link_to 'Edit', '#', class: 'edit-link'
           .value.issuable-show-labels.hide-collapsed