Allow to link vulnerability with issues from other projects

ee/app/policies/vulnerabilities/issue_link_policy.rb

@@ -3,10 +3,5 @@
 module Vulnerabilities
   class IssueLinkPolicy < BasePolicy
     delegate { @subject.vulnerability&.project }
-
-    with_scope :subject
-    condition(:cross_project_issue) { @subject.vulnerability&.project != @subject.issue&.project }
-
-    rule { cross_project_issue }.prevent :admin_vulnerability_issue_link
   end
 end

ee/changelogs/unreleased/9424-allow-link-vulnerability-with-issue-from-other-project.yml

+---
+title: Allow to link vulnerability with issues from other projects
+merge_request: 36410
+author:
+type: changed

ee/lib/api/vulnerability_issue_links.rb

@@ -45,11 +45,12 @@ module API
       end
       params do
         requires :target_issue_iid, type: Integer, desc: 'The IID of an issue to relate to'
+        optional :target_project_id, type: String, desc: 'The ID of the target project'
         optional :link_type, type: String, default: 'related', desc: 'Link type'
       end
       post ':id/issue_links' do
         vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability_issue_link)
-        issue = find_project_issue(params[:target_issue_iid], vulnerability.project_id)
+        issue = find_project_issue(params[:target_issue_iid], params[:target_project_id].presence || vulnerability.project_id)
 
         response = ::VulnerabilityIssueLinks::CreateService.new(
           current_user, vulnerability, issue, link_type: params[:link_type]).execute

ee/spec/policies/vulnerabilities/issue_link_policy_spec.rb

@@ -25,12 +25,6 @@ RSpec.describe Vulnerabilities::IssueLinkPolicy do
       it { is_expected.to be_disallowed(:admin_vulnerability_issue_link) }
     end
 
-    context 'with missing issue' do
-      let(:issue) { nil }
-
-      it { is_expected.to be_disallowed(:admin_vulnerability_issue_link) }
-    end
-
     context 'when issue and link belong to the same project' do
       it { is_expected.to be_allowed(:admin_vulnerability_issue_link) }
     end
@@ -38,7 +32,7 @@ RSpec.describe Vulnerabilities::IssueLinkPolicy do
     context "when issue and link don't belong to the same project" do
       let(:issue) { create(:issue) }
 
-      it { is_expected.to be_disallowed(:admin_vulnerability_issue_link) }
+      it { is_expected.to be_allowed(:admin_vulnerability_issue_link) }
     end
   end
 end

ee/spec/requests/api/vulnerability_issue_links_spec.rb

@@ -81,6 +81,48 @@ RSpec.describe API::VulnerabilityIssueLinks do
         end
       end
 
+      context 'with valid target_project_id and target_issue_iid params' do
+        let_it_be(:other_issue) { create(:issue) }
+
+        let(:target_project_id) { other_issue.project_id }
+
+        let(:params) { { target_issue_iid: other_issue.iid, target_project_id: target_project_id } }
+
+        context 'when target_project_id is invalid' do
+          let(:target_project_id) { 0 }
+
+          it 'responds with "not found" and specific error message' do
+            create_issue_link
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+
+        context 'when user does not have access to the project' do
+          it 'responds with "not found" and specific error message' do
+            create_issue_link
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+
+        context 'when user is authorized with proper permissions to the project' do
+          before do
+            other_issue.project.add_developer(user)
+          end
+
+          it 'creates a new vulnerability-issue link' do
+            create_issue_link
+
+            expect(response).to have_gitlab_http_status(:created)
+            expect(response).to match_response_schema('public_api/v4/vulnerability_issue_link', dir: 'ee')
+            expect(json_response['id']).to eq Vulnerabilities::IssueLink.last.id
+            expect(json_response['issue']['id']).to eq other_issue.id
+            expect(json_response['vulnerability']['id']).to eq vulnerability.id
+          end
+        end
+      end
+
       context 'with unknown issue ID' do
         let(:target_issue_iid) { 0 }
 

ee/spec/services/vulnerability_issue_links/create_service_spec.rb

@@ -46,8 +46,14 @@ RSpec.describe VulnerabilityIssueLinks::CreateService do
     context 'with missing issue' do
       let(:service) { described_class.new(user, vulnerability, nil) }
 
-      it 'responds with an error' do
-        expect { create_issue_link }.to raise_error(Gitlab::Access::AccessDeniedError)
+      it 'responds with an error', :aggregate_failures do
+        expect { create_issue_link }.not_to change { Vulnerabilities::IssueLink.count }
+
+        response = create_issue_link
+
+        expect(response).to be_error
+        expect(response.http_status).to eq 422
+        expect(response.message).to eq "Issue can't be blank"
       end
     end
 
@@ -88,8 +94,8 @@ RSpec.describe VulnerabilityIssueLinks::CreateService do
     context 'when trying to relate an issue of a different project' do
       let(:issue) { create(:issue) }
 
-      it 'raises an access error' do
-        expect { create_issue_link }.to raise_error(Gitlab::Access::AccessDeniedError)
+      it 'creates a vulnerability-issue link' do
+        expect { create_issue_link }.to change { Vulnerabilities::IssueLink.count }.by(1)
       end
     end