Change API permissions to set epic of an issue

- Update GraphQL mutation Issues::SetEpic
- Update RESt endpoint

Changelog: changed
EE: true

ee/app/graphql/mutations/issues/set_epic.rb

@@ -16,7 +16,7 @@ module Mutations
         issue = authorized_find!(project_path: project_path, iid: iid)
         project = issue.project
 
-        authorize_admin_rights!(epic)
+        authorize_admin_rights!(issue)
 
         begin
           ::Issues::UpdateService.new(project: project, current_user: current_user, params: { epic: epic })
@@ -33,10 +33,10 @@ module Mutations
 
       private
 
-      def authorize_admin_rights!(epic)
-        return unless epic.present?
+      def authorize_admin_rights!(issue)
+        return unless issue.present?
 
-        raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_epic, epic.group)
+        raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_issue, issue)
       end
     end
   end

ee/app/services/ee/issues/base_service.rb

@@ -52,7 +52,7 @@ module EE
 
         return unless epic
 
-        unless can?(current_user, :admin_epic, epic)
+        unless can?(current_user, :admin_issue, issue)
           raise ::Gitlab::Access::AccessDeniedError
         end
 

ee/app/services/epic_issues/create_service.rb

@@ -35,10 +35,9 @@ module EpicIssues
 
     def linkable_issuables(issues)
       @linkable_issues ||= begin
-        return [] unless can?(current_user, :admin_epic, issuable.group)
-
         issues.select do |issue|
           issue.supports_epic? &&
+            can?(current_user, :admin_issue, issue) &&
             issuable_group_descendants.include?(issue.project.group) &&
             !previous_related_issuables.include?(issue)
         end

ee/lib/api/epic_issues.rb

@@ -40,7 +40,7 @@ module API
         use :pagination
       end
       put ':id/(-/)epics/:epic_iid/issues/:epic_issue_id' do
-        authorize_can_admin_epic!
+        authorize!(:admin_issue, link.issue)
 
         update_params = {
           move_before_id: params[:move_before_id],
@@ -84,9 +84,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       post ':id/(-/)epics/:epic_iid/issues/:issue_id' do
-        authorize_can_admin_epic!
-
         issue = Issue.find(params[:issue_id])
+        authorize!(:admin_issue, issue)
 
         create_params = { target_issuable: issue }
 
@@ -110,8 +109,7 @@ module API
         requires :epic_issue_id, type: Integer, desc: 'The ID of the association'
       end
       delete ':id/(-/)epics/:epic_iid/issues/:epic_issue_id' do
-        authorize_can_admin_epic!
-
+        authorize!(:admin_issue, link.issue)
         result = ::EpicIssues::DestroyService.new(link, current_user).execute
 
         if result[:status] == :success

ee/spec/graphql/mutations/issues/set_epic_spec.rb

@@ -22,7 +22,7 @@ RSpec.describe Mutations::Issues::SetEpic do
     context 'when the user can update the issue' do
       before do
         stub_licensed_features(epics: true)
-        project.add_developer(user)
+        project.add_guest(user)
       end
 
       it 'raises an error if the epic is not accessible to the user' do

ee/spec/requests/api/epic_issues_spec.rb

@@ -120,11 +120,17 @@ RSpec.describe API::EpicIssues do
           expect(response).to have_gitlab_http_status(:not_found)
         end
 
-        it 'returns 403 forbidden error for a user without permissions to admin the epic' do
+        context 'With user without permissions to admin the issue' do
+          before do
+            project.add_guest(user)
+          end
+
+          it 'returns 403 forbidden error' do
             post api(url, user)
 
             expect(response).to have_gitlab_http_status(:forbidden)
           end
+        end
 
         context 'when issue project is not under the epic group' do
           before do
@@ -205,11 +211,17 @@ RSpec.describe API::EpicIssues do
           expect(response).to have_gitlab_http_status(:not_found)
         end
 
-        it 'returns 403 forbidden error for a user without permissions to admin the epic' do
+        context 'With user without permissions to admin the issue' do
+          before do
+            project.add_guest(user)
+          end
+
+          it 'returns 403 forbidden error' do
             delete api(url, user)
 
             expect(response).to have_gitlab_http_status(:forbidden)
           end
+        end
 
         context 'when epic_issue association does not include the epic in the url' do
           before do

ee/spec/services/ee/issues/update_service_spec.rb

@@ -252,6 +252,10 @@ RSpec.describe Issues::UpdateService do
       subject { update_issue(params) }
 
       context 'when a user does not have permissions to assign an epic' do
+        before do
+          project.add_guest(author)
+        end
+
         it 'raises an exception' do
           expect { subject }.to raise_error(Gitlab::Access::AccessDeniedError)
         end

ee/spec/support/shared_examples/services/issue_epic_shared_examples.rb

@@ -26,7 +26,7 @@ RSpec.shared_examples 'issue with epic_id parameter' do
 
   context 'when user can not add issues to the epic' do
     before do
-      project.add_maintainer(user)
+      project.add_guest(user)
     end
 
     let(:params) { { title: 'issue1', epic_id: epic.id } }