Count epics against issue creation rate limit

Changelog: changed
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/67179
EE: true

app/views/admin/application_settings/network.html.haml

@@ -68,7 +68,7 @@
     %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded_by_default? ? _('Collapse') : _('Expand')
     %p
-      = _('Limit the number of issues per minute a user can create through web and API requests.')
+      = _('Limit the number of issues and epics per minute a user can create through web and API requests.')
       = link_to _('Learn more.'), help_page_path('user/admin_area/settings/rate_limit_on_issues_creation.md'), target: '_blank', rel: 'noopener noreferrer'
   .settings-content
     = render 'issue_limits'

ee/app/controllers/groups/epics_controller.rb

@@ -17,6 +17,9 @@ class Groups::EpicsController < Groups::ApplicationController
   before_action :verify_group_bulk_edit_enabled!, only: [:bulk_update]
   after_action :log_epic_show, only: :show
 
+  # Limit the amount of epics created per minute
+  before_action :create_rate_limit, only: [:create]
+
   before_action do
     push_frontend_feature_flag(:vue_epics_list, @group, type: :development, default_enabled: :yaml)
     push_frontend_feature_flag(:improved_emoji_picker, @group, type: :development, default_enabled: :yaml)
@@ -130,4 +133,19 @@ class Groups::EpicsController < Groups::ApplicationController
   def verify_group_bulk_edit_enabled!
     render_404 unless group.licensed_feature_available?(:group_bulk_edit)
   end
+
+  def create_rate_limit
+    # Epics share the issue creation rate limit
+    key = :issues_create
+
+    if rate_limiter.throttled?(key, scope: current_user)
+      rate_limiter.log_request(request, "#{key}_request_limit".to_sym, current_user)
+
+      render plain: _('This endpoint has been requested too many times. Try again later.'), status: :too_many_requests
+    end
+  end
+
+  def rate_limiter
+    ::Gitlab::ApplicationRateLimiter
+  end
 end

ee/spec/controllers/groups/epics_controller_spec.rb

@@ -483,6 +483,36 @@ RSpec.describe Groups::EpicsController do
             expect(Epic.count).to eq(0)
           end
         end
+
+        context 'when the endpoint receives requests above the limit' do
+          before do
+            stub_application_setting(issues_create_limit: 5)
+          end
+
+          it 'prevents from creating more epics', :request_store do
+            5.times { post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } } }
+
+            post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } }
+            expect(response.body).to eq(_('This endpoint has been requested too many times. Try again later.'))
+            expect(response).to have_gitlab_http_status(:too_many_requests)
+          end
+
+          it 'logs the event on auth.log' do
+            attributes = {
+              message: 'Application_Rate_Limiter_Request',
+              env: :issues_create_request_limit,
+              remote_ip: '0.0.0.0',
+              request_method: 'POST',
+              path: group_epics_path(group),
+              user_id: user.id,
+              username: user.username
+            }
+
+            expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once
+
+            6.times { post :create, params: { group_id: group, epic: { title: 'new epic', description: 'description' } } }
+          end
+        end
       end
 
       context 'with unauthorized user' do

locale/gitlab.pot

@@ -19983,7 +19983,7 @@ msgstr ""
 msgid "Limit the number of concurrent operations this secondary node can run in the background."
 msgstr ""
 
-msgid "Limit the number of issues per minute a user can create through web and API requests."
+msgid "Limit the number of issues and epics per minute a user can create through web and API requests."
 msgstr ""
 
 msgid "Limited to showing %d event at most"