Check user permissions correctly

Check permission for both cases
 - when adding one child epic at time
 - when adding more child epics

ee/app/models/ee/epic.rb

@@ -346,7 +346,7 @@ module EE
       elsif parent.has_ancestor?(self)
         errors.add :parent, "This epic can't be added as it is already assigned to this epic's ancestor"
       elsif !preloaded_parent_group_and_descendants.include?(group)
-        errors.add :parent, "This epic can't be added because parent and child epics must belong to the same group"
+        errors.add :parent, "This epic can't be added because it must belong to the same group as the parent, or subgroup of the parent epic’s group"
       elsif level_depth_exceeded?(parent)
         errors.add :parent, "This epic can't be added as the maximum depth of nested epics would be exceeded"
       end

ee/app/services/epic_links/create_service.rb

@@ -3,6 +3,10 @@
 module EpicLinks
   class CreateService < IssuableLinks::CreateService
     def execute
+      unless can?(current_user, :admin_epic, issuable.group)
+        return error(issuables_not_found_message, 404)
+      end
+
       if issuable.max_hierarchy_depth_achieved?
         return error("This epic can't be added because the parent is already at the maximum depth from its most distant ancestor", 409)
       end
@@ -54,8 +58,6 @@ module EpicLinks
 
     def linkable_issuables(epics)
       @linkable_issuables ||= begin
-        return [] unless can?(current_user, :admin_epic, issuable.group)
-
         epics.select do |epic|
           linkable_epic?(epic)
         end