Fix permissions for label promotion via API

Changelog: fixed

lib/api/helpers/label_helpers.rb

@@ -105,7 +105,11 @@ module API
       end
 
       def promote_label(parent)
-        authorize! :admin_label, parent
+        unless parent.group
+          render_api_error!('Failed to promote project label to group label', 400)
+        end
+
+        authorize! :admin_label, parent.group
 
         label = find_label(parent, params[:name], include_ancestor_groups: false)
 

spec/requests/api/labels_spec.rb

@@ -589,6 +589,15 @@ RSpec.describe API::Labels do
       expect(response).to have_gitlab_http_status(:forbidden)
     end
 
+    it 'returns 403 if reporter promotes label' do
+      reporter = create(:user)
+      project.add_reporter(reporter)
+
+      put api("/projects/#{project.id}/labels/promote", reporter), params: { name: label1.name }
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+
     it 'returns 404 if label does not exist' do
       put api("/projects/#{project.id}/labels/promote", user), params: { name: 'unknown' }
 
@@ -601,6 +610,13 @@ RSpec.describe API::Labels do
       expect(response).to have_gitlab_http_status(:bad_request)
       expect(json_response['error']).to eq('name is missing')
     end
+
+    it 'returns 400 if project does not have a group' do
+      project = create(:project, creator_id: user.id, namespace: user.namespace)
+      put api("/projects/#{project.id}/labels/promote", user), params: { name: label1.name }
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+    end
   end
 
   describe "POST /projects/:id/labels/:label_id/subscribe" do