Merge branch '9072_fix_permission_check_when_creating_issue_from_vulnerability' into 'master'

Add permissions check when creating an issue from a vulnerability See merge request gitlab-org/gitlab-ee!9055

Merge branch '9072_fix_permission_check_when_creating_issue_from_vulnerability' into 'master'
Add permissions check when creating an issue from a vulnerability See merge request gitlab-org/gitlab-ee!9055
3e9a7657 · Kamil Trzciński · 963a6999 · 4e8364cd · 3e9a7657 · 3e9a7657
Commit 3e9a7657 authored Jan 07, 2019 by Kamil Trzciński
3 changed files
--- a/ee/app/services/issues/create_from_vulnerability_data_service.rb
+++ b/ee/app/services/issues/create_from_vulnerability_data_service.rb
@@ -3,6 +3,8 @@
 module Issues
  class CreateFromVulnerabilityDataService < ::BaseService
    def execute
+      return error("Can't create issue") unless can?(@current_user, :create_issue, @project)
      vulnerability = case @params[:category]
                      when 'sast', 'dependency_scanning', 'dast'
                        Gitlab::Vulnerabilities::StandardVulnerability.new(params)

--- a/ee/changelogs/unreleased/9072_fix_permission_check_when_creating_issue_from_vulnerability.yml
+++ b/ee/changelogs/unreleased/9072_fix_permission_check_when_creating_issue_from_vulnerability.yml
+---
+title: Fix permission check when creating an issue from a vulnerability
+merge_request: 9055
+author:
+type: fixed
--- a/ee/spec/services/ee/issues/create_from_vulnerability_data_service_spec.rb
+++ b/ee/spec/services/ee/issues/create_from_vulnerability_data_service_spec.rb
@@ -23,6 +23,29 @@ describe Issues::CreateFromVulnerabilityDataService, '#execute' do
    end
  end
+  context 'when user does not have permission to create issue' do
+    let(:result) { described_class.new(project, user, {}).execute }
+    before do
+      allow_any_instance_of(described_class).to receive(:can?).with(user, :create_issue, project).and_return(false)
+    end
+    it 'returns expected error' do
+      expect(result[:status]).to eq(:error)
+      expect(result[:message]).to eq("Can't create issue")
+    end
+  end
+  context 'when issues are disabled on project' do
+    let(:result) { described_class.new(project, user, {}).execute }
+    let(:project) { create(:project, :public, namespace: group, issues_access_level: ProjectFeature::DISABLED) }
+    it 'returns expected error' do
+      expect(result[:status]).to eq(:error)
+      expect(result[:message]).to eq("Can't create issue")
+    end
+  end
  context 'when params are valid' do
    context 'when category is SAST' do
      context 'when a description is present' do