Allow date parameters on Issues and Notes API for group owners

- Allow `created_at` and `updated_at` parameters on Issues API
- Allow `created_at` on Issue Notes API

Closes gitlab-org/gitlab-ce#40059

changelogs/unreleased/fix-api-group-createdat.yml

+---
+title: Allow date parameters on Issues and Notes API for group owners
+merge_request:
+author: Florent Dubois
+type: fixed

doc/api/issues.md

@@ -470,7 +470,7 @@ POST /projects/:id/issues
 | `assignee_ids`                            | Array[integer] | no       | The ID of the users to assign issue |
 | `milestone_id`                            | integer | no       | The global ID of a milestone to assign issue  |
 | `labels`                                  | string  | no       | Comma-separated label names for an issue  |
-| `created_at`                              | string  | no       | Date time string, ISO 8601 formatted, e.g. `2016-03-11T03:45:40Z` (requires admin or project owner rights) |
+| `created_at`                              | string  | no       | Date time string, ISO 8601 formatted, e.g. `2016-03-11T03:45:40Z` (requires admin or project/group owner rights) |
 | `due_date`                                | string  | no       | Date time string in the format YEAR-MONTH-DAY, e.g. `2016-03-11` |
 | `merge_request_to_resolve_discussions_of` | integer | no       | The IID of a merge request in which to resolve all issues. This will fill the issue with a default description and mark all discussions as resolved. When passing a description or title, these values will take precedence over the default values.|
 | `discussion_to_resolve`                   | string  | no       | The ID of a discussion to resolve. This will fill in the issue with a default description and mark the discussion as resolved. Use in combination with `merge_request_to_resolve_discussions_of`. |

doc/api/notes.md

@@ -100,7 +100,7 @@ Parameters:
 - `id` (required) - The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding)
 - `issue_id` (required) - The IID of an issue
 - `body` (required) - The content of a note
-- `created_at` (optional) - Date time string, ISO 8601 formatted, e.g. 2016-03-11T03:45:40Z
+- `created_at` (optional) - Date time string, ISO 8601 formatted, e.g. 2016-03-11T03:45:40Z (requires admin or project/group owner rights)
 ```bash
 curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/5/issues/11/notes?body=note

lib/api/helpers/notes_helpers.rb

@@ -94,7 +94,7 @@ module API
         if opts[:created_at]
           opts.delete(:created_at) unless
-            current_user.admin? || parent.owned_by?(current_user)
+            (current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner))
         end
         opts[:updated_at] = opts[:created_at] if opts[:created_at]

lib/api/issues.rb

@@ -173,7 +173,7 @@ module API
         authorize! :create_issue, user_project
         # Setting created_at time or iid only allowed for admins and project owners
-        unless current_user.admin? || user_project.owner == current_user
+        unless current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner)
           params.delete(:created_at)
           params.delete(:iid)
         end
@@ -216,8 +216,8 @@ module API
         issue = user_project.issues.find_by!(iid: params.delete(:issue_iid))
         authorize! :update_issue, issue
-        # Setting created_at time only allowed for admins and project owners
-        unless current_user.admin? || user_project.owner == current_user
+        # Setting created_at time only allowed for admins and project/group owners
+        unless current_user.admin? || user_project.owner == current_user || current_user.owned_groups.include?(user_project.owner)
           params.delete(:updated_at)
         end