Add API endpoint for ordering issue inside epic

ee/lib/api/epic_issues.rb

+module API
+  class EpicIssues < Grape::API
+    before do
+      authenticate!
+      check_epics!
+    end
+
+    helpers do
+      def check_epics!
+        forbidden! unless ::License.feature_available?(:epics) # TODO: check for group feature instead
+      end
+    end
+
+    params do
+      requires :id, type: String, desc: 'The ID of a group'
+    end
+
+    resource :groups, requirements: API::PROJECT_ENDPOINT_REQUIREMENTS do
+      desc 'Update epic issue association' do
+      end
+      params do
+        requires :epic_iid, type: Integer, desc: 'The iid of the epic'
+        requires :epic_issue_id, type: Integer, desc: 'The id of the epic issue association'
+        requires :position, type: Integer, desc: 'The new position of the issue in the epic (index starting with 0)'
+      end
+      put ':id/-/epics/:epic_iid/issues/:epic_issue_id' do
+        epic = user_group.epics.find_by(iid: params[:epic_iid])
+        authorize!(:admin_epic, epic)
+
+        link = EpicIssue.find(params[:epic_issue_id])
+        forbidden! if link.epic != epic
+
+        result = ::EpicIssues::UpdateService
+          .new(link, current_user, { position: params[:position].to_i }).execute
+
+        render_api_error!({ error: "Issue could not be moved!" }, 400) unless result
+      end
+    end
+  end
+end

lib/api/api.rb

@@ -124,6 +124,7 @@ module API
     mount ::API::DeployKeys
     mount ::API::Deployments
     mount ::API::Environments
+    mount ::API::EpicIssues
     mount ::API::Events
     mount ::API::Features
     mount ::API::Files

spec/ee/spec/requests/api/epic_issues_spec.rb

+require 'spec_helper'
+
+describe API::EpicIssues do
+  let(:user) { create(:user) }
+  let(:group) { create(:group) }
+  let(:project) { create(:project, group: group) }
+  let(:epic) { create(:epic, group: group) }
+  let(:issues) { create_list(:issue, 2, project: project) }
+  let!(:epic_issue1) { create(:epic_issue, epic: epic, issue: issues[0], position: 1) }
+
+  describe 'PUT /groups/:id/-/epics/:epic_iid/issues/:epic_issue_id' do
+    let(:url) { "/groups/#{group.path}/-/epics/#{epic.iid}/issues/#{epic_issue1.id}?position=1" }
+
+    context 'when an error occurs' do
+      it 'returns 401 unauthorized error for non autehnticated user' do
+        put api(url)
+
+        expect(response).to have_gitlab_http_status(401)
+      end
+
+      it 'returns 404 not found error for user who does not have permissions to see the group' do
+        group.update(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+        put api(url, user)
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+
+      it 'returns 403 forbidden error for user who does can not move the issue' do
+        group.update(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+        put api(url, user)
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+
+      it 'returns 403 forbidden error for the link of another epic' do
+        group.add_developer(user)
+        another_epic = create(:epic, group: group)
+        url = "/groups/#{group.path}/-/epics/#{another_epic.iid}/issues/#{epic_issue1.id}?position=1"
+        put api(url, user)
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+
+    context 'when the request is correct' do
+      let!(:epic_issue2) { create(:epic_issue, epic: epic, issue: issues[1], position: 2) }
+
+      before do
+        stub_licensed_features(epics: true)
+        group.add_developer(user)
+        put api(url, user)
+      end
+
+      it 'returns 200 status' do
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'updates the positions values' do
+        expect(epic_issue1.reload.position).to eq(2)
+        expect(epic_issue2.reload.position).to eq(1)
+      end
+    end
+  end
+end