Remove push_code check on Mutation.securityFindingCreateMergeRequest

40dbb285 · mo khan · Michał Wielich · 2b197c20 · 40dbb285 · 40dbb285
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -718,6 +718,7 @@ module ProjectPolicy
      end
      rule { custom_roles_allowed & role_enables_admin_merge_request }.policy do
+        enable :create_merge_request_from
        enable :read_merge_request
        enable :admin_merge_request
        enable :download_code # required to negate https://gitlab.com/gitlab-org/gitlab/-/blob/3061d30d9b3d6d4c4dd5abe68bc1e4a8a93c7966/app/policies/project_policy.rb#L603-607

--- a/ee/app/services/merge_requests/create_from_vulnerability_data_service.rb
+++ b/ee/app/services/merge_requests/create_from_vulnerability_data_service.rb
@@ -22,7 +22,7 @@ def execute
      ]
      target_branch = vulnerability.target_branch || @project.default_branch
-      return error("User is not permitted to create merge request") unless can_create_merge_request?(source_branch)
+      return error("User is not permitted to create merge request") unless can_create_merge_request?
      if vulnerability.remediations.blank? && llm_patch.blank?
        return error("No remediations available for merge request")
@@ -131,10 +131,9 @@ def render_template(file:, locals:, formats:)
      ApplicationController.render(template: file, locals: locals, formats: formats)
    end
-    def can_create_merge_request?(source_branch)
+    def can_create_merge_request?
      can?(@current_user, :create_merge_request_in, @project) &&
-        can?(@current_user, :create_merge_request_from, @project) &&
+        can?(@current_user, :create_merge_request_from, @project)
-        ::Gitlab::UserAccess.new(@current_user, container: @project).can_push_to_branch?(source_branch)
    end
  end
 end
--- a/ee/spec/factories/member_roles.rb
+++ b/ee/spec/factories/member_roles.rb
@@ -9,6 +9,10 @@
    trait(:reporter) { base_access_level { Gitlab::Access::REPORTER } }
    trait(:guest) { base_access_level { Gitlab::Access::GUEST } }
+    trait :admin_merge_request do
+      admin_merge_request { true }
+    end
    trait :admin_vulnerability do
      admin_vulnerability { true }
      read_vulnerability { true }

--- a/ee/spec/requests/api/graphql/mutations/security/finding/create_merge_request_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/security/finding/create_merge_request_spec.rb
@@ -47,7 +47,7 @@
  let(:mutation) { graphql_mutation(mutation_name, uuid: security_finding.uuid) }
  before do
-    stub_licensed_features(security_dashboard: true)
+    stub_licensed_features(custom_roles: true, security_dashboard: true)
  end
  context 'when the user does not have permission' do
@@ -97,4 +97,25 @@
      ]
    end
  end
+  context 'when the user is a member of a custom role with permission' do
+    let_it_be(:group) { project.group }
+    let_it_be(:role) { create(:member_role, :guest, :admin_merge_request, :admin_vulnerability, namespace: group) }
+    let_it_be(:membership) { create(:group_member, :guest, user: current_user, source: group, member_role: role) }
+    before do
+      allow_next_instance_of(Commits::CommitPatchService) do |service|
+        allow(service).to receive(:execute).and_return({ status: :success })
+      end
+    end
+    it 'returns a successful response' do
+      post_graphql_mutation(mutation, current_user: current_user)
+      expect(response).to have_gitlab_http_status(:success)
+      mutation_response = graphql_mutation_response(mutation_name)
+      expect(mutation_response).to be_present
+      expect(mutation_response['errors']).to be_empty
+    end
+  end
 end