From e7a4bbb04a86259a569f6ac239ecb35ad36f39b5 Mon Sep 17 00:00:00 2001
From: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Date: Tue, 4 Oct 2016 15:37:13 -0300
Subject: [PATCH] Add authorization to
 Projects::Boards::IssuesController#create action

---
 app/controllers/projects/boards/issues_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/controllers/projects/boards/issues_controller.rb b/app/controllers/projects/boards/issues_controller.rb
index 3b1b236a89a..fea7a35232d 100644
--- a/app/controllers/projects/boards/issues_controller.rb
+++ b/app/controllers/projects/boards/issues_controller.rb
@@ -2,6 +2,7 @@ module Projects
   module Boards
     class IssuesController < Boards::ApplicationController
       before_action :authorize_read_issue!, only: [:index]
+      before_action :authorize_create_issue!, only: [:create]
       before_action :authorize_update_issue!, only: [:update]
 
       def index
@@ -52,6 +53,10 @@ module Projects
         return render_403 unless can?(current_user, :read_issue, project)
       end
 
+      def authorize_create_issue!
+        return render_403 unless can?(current_user, :admin_issue, project)
+      end
+
       def authorize_update_issue!
         return render_403 unless can?(current_user, :update_issue, issue)
       end
-- 
GitLab