3 files changed, 21 insertions, 0 deletions

diff --git a/changelogs/unreleased/issue_30663.yml b/changelogs/unreleased/issue_30663.yml
new file mode 100644
index 00000000000..b20ed6a82e7
--- /dev/null
+++ b/changelogs/unreleased/issue_30663.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent creating issues through API when user does not have permissions
+merge_request:
+author:
+type: security
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 74dfd9f96de..2ee7238135f 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -161,6 +161,8 @@ module API
         use :issue_params
       end
       post ':id/issues' do
+        authorize! :create_issue, user_project
+
         # Setting created_at time only allowed for admins and project owners
         unless current_user.admin? || user_project.owner == current_user
           params.delete(:created_at)
diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb
index 99525cd0a6a..3f5070a1fd2 100644
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@@ -860,6 +860,20 @@ describe API::Issues, :mailer do
       end
     end
 
+    context 'user does not have permissions to create issue' do
+      let(:not_member)  { create(:user) }
+
+      before do
+        project.project_feature.update(issues_access_level: ProjectFeature::PRIVATE)
+      end
+
+      it 'renders 403' do
+        post api("/projects/#{project.id}/issues", not_member), title: 'new issue'
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+
     it 'creates a new project issue' do
       post api("/projects/#{project.id}/issues", user),
         title: 'new issue', labels: 'label, label2', weight: 3,