Move WP edit authorization to model

lib/api/v3/work_packages/work_package_model.rb

@@ -44,6 +44,7 @@ module API
           super(object)
 
           @user = user
+          @can = WorkPackagePolicy.new(user)
         end
 
         # N.B. required by ActionView::Helpers::UrlHelper
@@ -163,6 +164,7 @@ module API
           model.closed?
         end
 
+        validate :user_allowed_to_edit
         validates_presence_of :subject, :project_id, :type, :author, :status
         validates_length_of :subject, maximum: 255
         validate :milestone_constraint
@@ -170,6 +172,10 @@ module API
 
         private
 
+        def user_allowed_to_edit
+          fail ::API::Errors::Unauthorized unless @can.allowed?(model, :edit)
+        end
+
         def milestone_constraint
           errors.add :parent_id, :cannot_be_milestone if model.parent && model.parent.is_milestone?
         end

lib/api/v3/work_packages/work_packages_api.rb

@@ -78,7 +78,6 @@ module API
             end
 
             patch do
-              authorize(:edit_work_packages, context: @work_package.project)
               authorize(:manage_subtasks, context: @work_package.project) if work_package_attributes.has_key? 'parentId'
               check_lock_version # fails if lock version is missing
               check_work_package_attributes # fails if request contains read-only attributes