diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index 9face235baa9518d1d43cd43fb3349b2740a4362..016f5dd0005bd7f784733e30d2541899cc507c78 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -96,6 +96,8 @@ def update
 
     if params[:move_to_project_id].to_i > 0
       new_project = Project.find(params[:move_to_project_id])
+      return render_404 unless issue.can_move?(current_user, new_project)
+
       move_service = Issues::MoveService.new(project, current_user)
       @issue = move_service.execute(@issue, new_project)
     end
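Review bot: The authorization check on the new line `return render_404 unless issue.can_move?(current_user, new_project)` runs after whatever the rest of `update` has already done above this hunk, so if the attribute update of `@issue` is persisted before the move branch (not visible here; `update` starts before L7), a caller without move rights gets a 404 back while their other field changes have already been saved. Consider resolving and authorizing the target project before any write, e.g. move the `move_to_project_id` lookup and the `can_move?` guard to the top of the action. Also note that `Project.find` on the preceding line raises `ActiveRecord::RecordNotFound` for an unknown id, so the two failure modes (missing project vs. project the user may not move into) both surface as 404, which is the desirable non-distinguishing behaviour; a one-line comment such as `# both a missing and an inaccessible target project yield 404` would make that intent explicit for the next reader.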
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index d6e4cd71ce6b11233b18f130142cf62b41b96283..2b2ad3b9412ab3a78b2fc3fc03b0e9c1c98bb59c 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -40,6 +40,45 @@
     end
   end
 
+  describe 'PUT #update' do
+    context 'when moving issue to another private project' do
+      let(:another_project) { create(:project, :private) }
+
+      before do
+        sign_in(user)
+        project.team << [user, :developer]
+      end
+
+      context 'when user has access to move issue' do
+        before { another_project.team << [user, :reporter] }
+
+        it 'moves issue to another project' do
+          move_issue
+
+          expect(response).to have_http_status :found
+          expect(another_project.issues).to_not be_empty
+        end
+      end
+
+      context 'when user does not have access to move issue' do
+        it 'responds with 404' do
+          move_issue
+
+          expect(response).to have_http_status :not_found
+        end
+      end
+
+      def move_issue
+        put :update,
+          namespace_id: project.namespace.to_param,
+          project_id: project.to_param,
+          id: issue.iid,
+          issue: { title: 'New title' },
+          move_to_project_id: another_project.id
+      end
+    end
+  end
+
   describe 'Confidential Issues' do
     let(:project) { create(:project_empty_repo, :public) }
     let(:assignee) { create(:assignee) }
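Review bot: The negative case at `it 'responds with 404'` only asserts the status and does not check that nothing was changed, so a regression where the issue is moved or its title updated before the 404 is returned would still pass; add `expect(another_project.issues).to be_empty` and `expect(issue.reload.title).not_to eq 'New title'` after the status expectation. The `move_issue` helper is defined with `def` inside the context block, which works but is easier to stub and reuse as a `let(:move_issue)` or a shared method at the describe level; matter of style. The `user`, `project` and `issue` lets this hunk relies on are defined outside it, as is the enclosing `describe` block's start.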