Merge branch '9424-allow-link-vulnerability-with-issue-from-other-project' into 'master'

Allow to link vulnerability with issues from other projects See merge request gitlab-org/gitlab!36410

Merge branch '9424-allow-link-vulnerability-with-issue-from-other-project' into 'master'
Allow to link vulnerability with issues from other projects See merge request gitlab-org/gitlab!36410
1f632da5 · Douglas Barbosa Alexandre · 6043f317 · b11c3332 · 1f632da5 · 1f632da5
Commit 1f632da5 authored Jul 10, 2020 by Douglas Barbosa Alexandre
6 changed files
--- a/ee/app/policies/vulnerabilities/issue_link_policy.rb
+++ b/ee/app/policies/vulnerabilities/issue_link_policy.rb
@@ -3,10 +3,5 @@
 module Vulnerabilities
  class IssueLinkPolicy < BasePolicy
    delegate { @subject.vulnerability&.project }
-    with_scope :subject
-    condition(:cross_project_issue) { @subject.vulnerability&.project != @subject.issue&.project }
-    rule { cross_project_issue }.prevent :admin_vulnerability_issue_link
  end
 end
--- a/ee/changelogs/unreleased/9424-allow-link-vulnerability-with-issue-from-other-project.yml
+++ b/ee/changelogs/unreleased/9424-allow-link-vulnerability-with-issue-from-other-project.yml
+---
+title: Allow to link vulnerability with issues from other projects
+merge_request: 36410
+author:
+type: changed
--- a/ee/lib/api/vulnerability_issue_links.rb
+++ b/ee/lib/api/vulnerability_issue_links.rb
@@ -45,11 +45,12 @@ module API
      end
      params do
        requires :target_issue_iid, type: Integer, desc: 'The IID of an issue to relate to'
+        optional :target_project_id, type: String, desc: 'The ID of the target project'
        optional :link_type, type: String, default: 'related', desc: 'Link type'
      end
      post ':id/issue_links' do
        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability_issue_link)
-        issue = find_project_issue(params[:target_issue_iid], vulnerability.project_id)
+        issue = find_project_issue(params[:target_issue_iid], params[:target_project_id].presence || vulnerability.project_id)
        response = ::VulnerabilityIssueLinks::CreateService.new(
          current_user, vulnerability, issue, link_type: params[:link_type]).execute

--- a/ee/spec/policies/vulnerabilities/issue_link_policy_spec.rb
+++ b/ee/spec/policies/vulnerabilities/issue_link_policy_spec.rb
@@ -25,12 +25,6 @@ RSpec.describe Vulnerabilities::IssueLinkPolicy do
      it { is_expected.to be_disallowed(:admin_vulnerability_issue_link) }
    end
-    context 'with missing issue' do
-      let(:issue) { nil }
-      it { is_expected.to be_disallowed(:admin_vulnerability_issue_link) }
-    end
    context 'when issue and link belong to the same project' do
      it { is_expected.to be_allowed(:admin_vulnerability_issue_link) }
    end
@@ -38,7 +32,7 @@ RSpec.describe Vulnerabilities::IssueLinkPolicy do
    context "when issue and link don't belong to the same project" do
      let(:issue) { create(:issue) }
-      it { is_expected.to be_disallowed(:admin_vulnerability_issue_link) }
+      it { is_expected.to be_allowed(:admin_vulnerability_issue_link) }
    end
  end
 end
--- a/ee/spec/requests/api/vulnerability_issue_links_spec.rb
+++ b/ee/spec/requests/api/vulnerability_issue_links_spec.rb
@@ -81,6 +81,48 @@ RSpec.describe API::VulnerabilityIssueLinks do
        end
      end
+      context 'with valid target_project_id and target_issue_iid params' do
+        let_it_be(:other_issue) { create(:issue) }
+        let(:target_project_id) { other_issue.project_id }
+        let(:params) { { target_issue_iid: other_issue.iid, target_project_id: target_project_id } }
+        context 'when target_project_id is invalid' do
+          let(:target_project_id) { 0 }
+          it 'responds with "not found" and specific error message' do
+            create_issue_link
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+        context 'when user does not have access to the project' do
+          it 'responds with "not found" and specific error message' do
+            create_issue_link
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+        context 'when user is authorized with proper permissions to the project' do
+          before do
+            other_issue.project.add_developer(user)
+          end
+          it 'creates a new vulnerability-issue link' do
+            create_issue_link
+            expect(response).to have_gitlab_http_status(:created)
+            expect(response).to match_response_schema('public_api/v4/vulnerability_issue_link', dir: 'ee')
+            expect(json_response['id']).to eq Vulnerabilities::IssueLink.last.id
+            expect(json_response['issue']['id']).to eq other_issue.id
+            expect(json_response['vulnerability']['id']).to eq vulnerability.id
+          end
+        end
+      end
      context 'with unknown issue ID' do
        let(:target_issue_iid) { 0 }

--- a/ee/spec/services/vulnerability_issue_links/create_service_spec.rb
+++ b/ee/spec/services/vulnerability_issue_links/create_service_spec.rb
@@ -46,8 +46,14 @@ RSpec.describe VulnerabilityIssueLinks::CreateService do
    context 'with missing issue' do
      let(:service) { described_class.new(user, vulnerability, nil) }
-      it 'responds with an error' do
+      it 'responds with an error', :aggregate_failures do
-        expect { create_issue_link }.to raise_error(Gitlab::Access::AccessDeniedError)
+        expect { create_issue_link }.not_to change { Vulnerabilities::IssueLink.count }
+        response = create_issue_link
+        expect(response).to be_error
+        expect(response.http_status).to eq 422
+        expect(response.message).to eq "Issue can't be blank"
      end
    end
@@ -88,8 +94,8 @@ RSpec.describe VulnerabilityIssueLinks::CreateService do
    context 'when trying to relate an issue of a different project' do
      let(:issue) { create(:issue) }
-      it 'raises an access error' do
+      it 'creates a vulnerability-issue link' do
-        expect { create_issue_link }.to raise_error(Gitlab::Access::AccessDeniedError)
+        expect { create_issue_link }.to change { Vulnerabilities::IssueLink.count }.by(1)
      end
    end