From 58ceb8e95097df51d08a74c16de83152044e9c58 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Fri, 26 Jun 2015 16:02:57 +0200
Subject: [PATCH] Only people who can manage issue can assign labels to it

Signed-off-by: Dmitriy Zaporozhets
---
 lib/api/issues.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index c8db93eb778..4d632ce77c1 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -157,7 +157,7 @@ module API
 if issue.valid?
 # Find or create labels and attach to issue. Labels are valid because
 # we already checked its name, so there can't be an error here
- unless params[:labels].nil?
+ if params[:labels] && can?(current_user, :admin_issue, user_project)
 issue.remove_labels
 # Create and add labels to the new created issue
 issue.add_labels_by_names(params[:labels].split(','))
--
GitLab
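Review bot: When `params[:labels]` is supplied by a caller without `:admin_issue`, the new condition skips the label block with no signal, so the request still succeeds and the client cannot tell that its labels were dropped. If silently ignoring them is the intended contract, state it at the branch, e.g. `# Labels are ignored unless the caller can :admin_issue on the project`. Otherwise the refusal belongs before the issue is written rather than here, since this branch sits inside `if issue.valid?` and the other attributes have presumably been applied by then. The enclosing endpoint starts and ends outside the hunk, so it is worth confirming that any other path in this file that calls `add_labels_by_names` carries the same check, and adding a spec for a caller who lacks `:admin_issue`.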