Disallow updating designs if issue locked or moved

https://gitlab.com/gitlab-org/gitlab/issues/13426#note_210926182

changelogs/unreleased/13426-disable-design-mutation-abilities-when-issue-moved-or-locked.yml

+---
+title: Make designs read-only if the issue has been moved, or if its discussion has been locked
+merge_request: 18551
+author:
+type: changed

doc/user/project/issues/design_management.md

@@ -63,6 +63,9 @@ To upload design images, click the **Upload Designs** button and select images t
 Designs with the same filename as an existing uploaded design will create a new version
 of the design, and will replace the previous version.
 
+Designs cannot be added if the issue has been moved, or its
+[discussion is locked](../../discussions/#lock-discussions).
+
 ## Viewing designs
 
 Images on the Design Management page can be enlarged by clicking on them.

ee/app/policies/ee/issue_policy.rb

@@ -4,11 +4,18 @@ module EE
   module IssuePolicy
     extend ActiveSupport::Concern
     prepended do
+      condition(:moved) { @subject.moved? }
+
       rule { ~can?(:read_issue) }.policy do
         prevent :read_design
         prevent :create_design
         prevent :destroy_design
       end
+
+      rule { locked | moved }.policy do
+        prevent :create_design
+        prevent :destroy_design
+      end
     end
   end
 end

ee/spec/policies/design_management/design_policy_spec.rb

@@ -94,6 +94,11 @@ describe DesignManagement::DesignPolicy do
     end
   end
 
+  shared_examples_for "read-only design abilities" do
+    it { is_expected.to be_allowed(:read_design) }
+    it { is_expected.to be_disallowed(:create_design, :destroy_design) }
+  end
+
   context "when the feature flag is off" do
     before do
       stub_licensed_features(design_management: true)
@@ -164,6 +169,20 @@ describe DesignManagement::DesignPolicy do
       end
     end
 
+    context "when the issue is locked" do
+      let(:current_user) { owner }
+      let(:issue) { create(:issue, :locked, project: project) }
+
+      it_behaves_like "read-only design abilities"
+    end
+
+    context "when the issue has moved" do
+      let(:current_user) { owner }
+      let(:issue) { create(:issue, project: project, moved_to: create(:issue)) }
+
+      it_behaves_like "read-only design abilities"
+    end
+
     context "when the project is archived" do
       let(:current_user) { owner }
 
@@ -171,10 +190,7 @@ describe DesignManagement::DesignPolicy do
         project.update!(archived: true)
       end
 
-      it "only allows reading designs" do
-        expect(design_policy).to be_allowed(:read_design)
-        expect(design_policy).to be_disallowed(:create_design, :destroy_design)
-      end
+      it_behaves_like "read-only design abilities"
     end
   end
 end