From c528505c6de6bbb96c9cc7856f80fd1a959ef01c Mon Sep 17 00:00:00 2001
From: Jonas Franz
Date: Mon, 18 Jun 2018 15:40:52 +0200
Subject: [PATCH] Fix milestone appliance Fix missing permission check
Signed-off-by: Jonas Franz
---
 routers/api/v1/repo/issue.go | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/routers/api/v1/repo/issue.go b/routers/api/v1/repo/issue.go
index 211d8045a..cf03283a5 100644
--- a/routers/api/v1/repo/issue.go
+++ b/routers/api/v1/repo/issue.go
@@ -165,7 +165,7 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
 // "$ref": "#/responses/Issue"

 var deadlineUnix util.TimeStamp
- if form.Deadline != nil {
+ if form.Deadline != nil && ctx.Repo.IsWriter() {
 deadlineUnix = util.TimeStamp(form.Deadline.Unix())
 }

@@ -178,15 +178,22 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
 DeadlineUnix: deadlineUnix,
 }

- // Get all assignee IDs
- assigneeIDs, err := models.MakeIDsFromAPIAssigneesToAdd(form.Assignee, form.Assignees)
- if err != nil {
- if models.IsErrUserNotExist(err) {
- ctx.Error(422, "", fmt.Sprintf("Assignee does not exist: [name: %s]", err))
- } else {
- ctx.Error(500, "AddAssigneeByName", err)
+ var assigneeIDs = make([]int64, 0)
+ var err error
+ if ctx.Repo.IsWriter() {
+ issue.MilestoneID = form.Milestone
+ assigneeIDs, err = models.MakeIDsFromAPIAssigneesToAdd(form.Assignee, form.Assignees)
+ if err != nil {
+ if models.IsErrUserNotExist(err) {
+ ctx.Error(422, "", fmt.Sprintf("Assignee does not exist: [name: %s]", err))
+ } else {
+ ctx.Error(500, "AddAssigneeByName", err)
+ }
+ return
 }
- return
+ } else {
+ // setting labels is only allowed if user is writter
+ form.Labels = make([]int64, 0)
 }

 if err := models.NewIssue(ctx.Repo.Repository, issue, form.Labels, assigneeIDs, nil); err != nil {
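Review bot: A caller without write access gets no signal that privileged fields were dropped: in the `@@ -165` hunk `form.Deadline` is skipped when `ctx.Repo.IsWriter()` is false, and the `@@ -178` hunk does the same for `form.Milestone`, the assignees and `form.Labels`, yet the request still goes on to `models.NewIssue`. Either reject such a request explicitly (for example a 403 when any of those fields is set) or state the behaviour in the handler's API comment, e.g. `// Deadline, milestone, assignees and labels are ignored unless the caller has write access to the repository.` The permission gate is also evaluated in two separate places; a single `canWrite := ctx.Repo.IsWriter()` near the top of CreateIssue, used by both branches, would keep the privileged fields together so a field added later is less likely to miss the check. CreateIssue starts and ends outside both hunks.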
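Review bot: In the `@@ -178` hunk, `issue.MilestoneID = form.Milestone` copies a client-supplied ID into the issue with no check visible here that the milestone belongs to `ctx.Repo.Repository`. Unless `models.NewIssue` verifies that (its body is not on this page), a writer could reference a milestone of a different repository, so the assumption deserves a comment such as `// NewIssue is expected to reject a MilestoneID that does not belong to this repository` or an explicit lookup before the assignment. The same question applies to the IDs returned by `models.MakeIDsFromAPIAssigneesToAdd`, which are passed on without a visible check that those users may be assigned in this repository. On style, the comment in the else branch has a typo and would read better as `// labels may only be set by users with write access`, and `var assigneeIDs []int64` would suffice if `NewIssue` accepts a nil slice. The enclosing function continues outside the hunk.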