From 58ac731c3764d1cbf3a4a1e60e5c5374ec460546 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Date: Mon, 10 Feb 2014 15:36:58 +0200
Subject: [PATCH] Fix Issues#bulk_update

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
---
 app/controllers/projects/issues_controller.rb | 9 ++++++---
 app/models/ability.rb                         | 1 +
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index f260a2e0597..ba5c52d510f 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -9,7 +9,10 @@ class Projects::IssuesController < Projects::ApplicationController
   before_filter :authorize_write_issue!, only: [:new, :create]
 
   # Allow modify issue
-  before_filter :authorize_modify_issue!, only: [:edit, :update, :bulk_update]
+  before_filter :authorize_modify_issue!, only: [:edit, :update]
+
+  # Allow issues bulk update
+  before_filter :authorize_admin_issues!, only: [:bulk_update]
 
   respond_to :html
 
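Review bot: The `authorize_admin_issues!` filter now guarding `bulk_update` checks the permission once against `@project`, so nothing in this hunk ties the issues being updated to that project. The `bulk_update` action body is outside the hunk; if it loads issues from submitted ids, it should go through the project association (for illustration, `@project.issues.where(id: ids)`) rather than a global lookup, so that ids belonging to another project are ignored. A controller spec asserting a 404 on `bulk_update` for a user without `:admin_issue` on the project would pin the new behaviour.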
@@ -107,8 +110,8 @@ class Projects::IssuesController < Projects::ApplicationController
     return render_404 unless can?(current_user, :modify_issue, @issue)
   end
 
-  def authorize_admin_issue!
-    return render_404 unless can?(current_user, :admin_issue, @issue)
+  def authorize_admin_issues!
+    return render_404 unless can?(current_user, :admin_issue, @project)
   end
 
   def module_enabled
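Review bot: Renaming `authorize_admin_issue!` to `authorize_admin_issues!` removes the old method name, and this hunk does not show whether any other filter still refers to it. A leftover `before_filter :authorize_admin_issue!` would only fail at request time, so a search for the old name is worth doing before merge. The new method would also benefit from a comment explaining the subject of the check, for example `# Bulk update spans many issues, so authorize against the project, not a single @issue`. The enclosing class begins and continues outside this hunk.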
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 038668fccff..120af807448 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -126,6 +126,7 @@ class Ability
         :write_merge_request,
         :write_wiki,
         :modify_issue,
+        :admin_issue,
         :push_code
       ]
     end
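Review bot: Adding `:admin_issue` to this rule list grants it for every `can?(..., :admin_issue, ...)` check in the application, not only the `bulk_update` filter changed in this commit. The method that owns this array is outside the hunk, so the role receiving the ability is not visible here. Judging by the neighbouring entries (`:modify_issue`, `:push_code`) it appears to be a developer-level list, and it is worth confirming that this is the intended minimum role. An ability spec asserting that the next lower role does not receive `:admin_issue` would keep that boundary from drifting.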
-- 
GitLab