Fix issue creation permissions check

Ensure permissions are checked when creating issue from a vulnerability.

ee/app/services/issues/create_from_vulnerability_data_service.rb

@@ -3,6 +3,8 @@
 module Issues
   class CreateFromVulnerabilityDataService < ::BaseService
     def execute
+      return error("Can't create issue") unless can?(@current_user, :create_issue, @project)
+
       vulnerability = case @params[:category]
                       when 'sast', 'dependency_scanning', 'dast'
                         Gitlab::Vulnerabilities::StandardVulnerability.new(params)

ee/changelogs/unreleased/9072_fix_permission_check_when_creating_issue_from_vulnerability.yml

+---
+title: Fix permission check when creating an issue from a vulnerability
+merge_request: 9055
+author:
+type: fixed

ee/spec/services/ee/issues/create_from_vulnerability_data_service_spec.rb

@@ -23,6 +23,29 @@ describe Issues::CreateFromVulnerabilityDataService, '#execute' do
     end
   end
 
+  context 'when user does not have permission to create issue' do
+    let(:result) { described_class.new(project, user, {}).execute }
+
+    before do
+      allow_any_instance_of(described_class).to receive(:can?).with(user, :create_issue, project).and_return(false)
+    end
+
+    it 'returns expected error' do
+      expect(result[:status]).to eq(:error)
+      expect(result[:message]).to eq("Can't create issue")
+    end
+  end
+
+  context 'when issues are disabled on project' do
+    let(:result) { described_class.new(project, user, {}).execute }
+    let(:project) { create(:project, :public, namespace: group, issues_access_level: ProjectFeature::DISABLED) }
+
+    it 'returns expected error' do
+      expect(result[:status]).to eq(:error)
+      expect(result[:message]).to eq("Can't create issue")
+    end
+  end
+
   context 'when params are valid' do
     context 'when category is SAST' do
       context 'when a description is present' do