authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 10:13:35 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 10:13:35 +0000
commite8ae58a7c189407375b3f575b7aa8fb17a1e4f99 (patch)
tree027bb4d3f911b7a07c7552f142d9b3fad32e9318 /app
parent51b27ab58055b65e14e68b19604e4823389adb73 (diff)
downloadgitlab-ce-e8ae58a7c189407375b3f575b7aa8fb17a1e4f99.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/graphql/mutations/issues/set_severity.rb2
-rw-r--r--app/services/issuable_base_service.rb1
2 files changed, 3 insertions, 0 deletions
diff --git a/app/graphql/mutations/issues/set_severity.rb b/app/graphql/mutations/issues/set_severity.rb
index 778563ba053..872a0e7b33d 100644
--- a/app/graphql/mutations/issues/set_severity.rb
+++ b/app/graphql/mutations/issues/set_severity.rb
@@ -8,6 +8,8 @@ module Mutations
argument :severity, Types::IssuableSeverityEnum, required: true,
description: 'Set the incident severity level.'
+ authorize :admin_issue
+
def resolve(project_path:, iid:, severity:)
issue = authorized_find!(project_path: project_path, iid: iid)
project = issue.project
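Review bot: Nothing in this view (the diffstat is limited to `app`) exercises the denial path that `authorize :admin_issue` introduces, so it is worth confirming or adding a spec asserting that a user without `admin_issue` gets an error from this mutation and that the severity stays unchanged. From the visible lines the declaration appears to be enforced only through `authorized_find!` in `resolve`. A short comment above it, such as `# Enforced by authorized_find! in #resolve; setting severity requires :admin_issue.`, would keep a later refactor from swapping in a finder that skips the check. It is also worth verifying that this ability and the `can_admin_issuable?` guard added in `IssuableBaseService#filter_severity` resolve to the same permission for issues, so the API and service layers cannot drift apart. `resolve` continues past the end of the hunk.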
diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index 59e521853de..2daf098b94a 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -142,6 +142,7 @@ class IssuableBaseService < ::BaseProjectService
def filter_severity(issuable)
severity = params.delete(:severity)
return unless severity && issuable.supports_severity?
+ return unless can_admin_issuable?(issuable)
severity = IssuableSeverity::DEFAULT unless IssuableSeverity.severities.key?(severity)
return if severity == issuable.severity
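Review bot: The new guard in `filter_severity` is only safe because it sits after `params.delete(:severity)`. The unauthorised value is discarded because the delete has already run; moving the guard above it would leave `:severity` in `params` for whatever consumes them later (not visible in this hunk). A comment on the guard would pin that ordering, e.g. `# Must stay below params.delete: severity is dropped, never passed through, when the user cannot admin the issuable.` The request is also ignored silently, so the caller gets no error or log entry; if that is intended, the same comment should say so. `can_admin_issuable?` is defined outside the hunk, and the method body continues past its last line.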