Add confidential parameter to epic link creation API

- set to copy the confidentiality status from the parent epic
- replicate this behavior on the frontend

Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/229839

doc/api/epic_links.md

@@ -131,6 +131,7 @@ POST /groups/:id/epics/:epic_iid/epics
 | `id`            | integer/string | yes      | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user      |
 | `epic_iid`      | integer        | yes      | The internal ID of the (future parent) epic.                                                                                       |
 | `title`         | string         | yes      | The title of a newly created epic. |
+| `confidential`  | boolean        | no       | Whether the epic should be confidential. Will be ignored if `confidential_epics` feature flag is disabled. Defaults to the confidentiality state of the parent epic.  |
 
 ```shell
 curl --request POST --header  "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/1/epics/5/epics?title=Newpic"

ee/app/assets/javascripts/api.js

@@ -67,12 +67,13 @@ export default {
       });
   },
 
-  createChildEpic({ groupId, parentEpicIid, title }) {
+  createChildEpic({ confidential, groupId, parentEpicIid, title }) {
     const url = Api.buildUrl(this.childEpicPath)
       .replace(':id', encodeURIComponent(groupId))
       .replace(':epic_iid', parentEpicIid);
 
     return axios.post(url, {
+      confidential,
       title,
     });
   },

ee/app/assets/javascripts/related_items_tree/store/actions.js

@@ -389,6 +389,7 @@ export const createItem = ({ state, dispatch }, { itemTitle }) => {
   dispatch('requestCreateItem');
 
   Api.createChildEpic({
+    confidential: state.parentItem.confidential,
     groupId: state.parentItem.fullPath,
     parentEpicIid: state.parentItem.iid,
     title: itemTitle,

ee/changelogs/unreleased/229839-confidential-epic-from-confidential-epic.yml

+---
+title: Allow creation of confidential sub-epics from tree
+merge_request: 37882
+author: Jan Beckmann
+type: fixed

ee/lib/api/epic_links.rb

@@ -74,12 +74,14 @@ module API
       end
       params do
         requires :title, type: String, desc: 'The title of a child epic'
+        optional :confidential, type: Boolean, desc: 'Indicates if the epic is confidential. Will be ignored if `confidential_epics` feature flag is disabled'
       end
       post ':id/(-/)epics/:epic_iid/epics' do
         authorize_subepics_feature!
         authorize_can_admin_epic_link!
 
-        create_params = { parent_id: epic.id, title: params[:title] }
+        confidential = params[:confidential].nil? ? epic.confidential : params[:confidential]
+        create_params = { parent_id: epic.id, title: params[:title], confidential: confidential }
 
         child_epic = ::Epics::CreateService.new(user_group, current_user, create_params).execute
 

ee/spec/requests/api/epic_links_spec.rb

@@ -151,6 +151,28 @@ RSpec.describe API::EpicLinks do
           expect(epic.reload.children).to include(Epic.last)
         end
 
+        context 'when the parent epic is confidential' do
+          let(:epic) { create(:epic, group: group, confidential: true) }
+
+          it 'copies the confidentiality status from the parent epic' do
+            subject
+
+            expect(Epic.last).to be_confidential
+          end
+
+          it 'does not allow creating a non-confidential sub-epic' do
+            post api(url, user), params: { title: 'child epic', confidential: false }
+
+            expect(response).to have_gitlab_http_status(:bad_request)
+          end
+        end
+
+        it 'does apply the confidential parameter if set' do
+          post api(url, user), params: { title: 'child epic', confidential: true }
+
+          expect(Epic.last).to be_confidential
+        end
+
         context 'and epic has errors' do
           it 'returns 400 error' do
             child_epic = Epic.new(title: 'with errors')