Cannot create a merge request from the UI for a confidential issue in a non-public project

Summary

For confidential issues inside non-public projects (I've tested in private, but not internal), the issue UI does not show the usual "Create merge request" button.

It's not common (or even necessarily advisable) to mark issues confidential inside projects that are already non-public. However, there are some cases where it still might happen. One particularly important example occurs in the vulnerability management workflow. When a vulnerability is detected and you view its detail page, you're presented with a "Create issue" button; if you click it and create the issue using the default values, the resulting issue is confidential.

Steps to reproduce

  1. Create a private project.
  2. In that project, create an issue and mark it confidential.
  3. View the issue's page and note that there are no UI components present that the user could use to create an associated merge request.

What is the current bug behavior?

Currently, the confidential issue page does not display any UI components that the user could use to create an associated merge request.

What is the expected correct behavior?

For most issues in GitLab, it's possible to create an associated merge request by clicking the "Create merge request" button underneath the issue description. For confidential issues on public projects, this becomes "Create confidential merge request" as described in https://docs.gitlab.com/ee/user/project/merge_requests/confidential.html.

In this case, for confidential issues on private projects, I think the user should see the standard "Create merge request" button, as there is no real need to follow the forking model described in the linked documentation; the merge request in this case doesn't need to be any more private than the project itself already is.

Proposal

There are two options:

  1. We could always have the "Create merge request" button available in issues (regardless of private project, confidential, etc.).
  2. When using the "Create issue" button from a vulnerability, if that issue would be created in a private project, don't default the issue to confidential.

Output of checks

This bug happens on GitLab.com
