SONAR-12753 add canChangeStatus to api/hotspots/show response

server/sonar-webserver-webapi/src/main/java/org/sonar/server/hotspot/ws/HotspotWsSupport.java

 import org.sonar.api.issue.Issue;
 import org.sonar.api.rules.RuleType;
 import org.sonar.api.utils.System2;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.issue.IssueChangeContext;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
     return project;
   }
 
+  boolean canChangeStatus(ComponentDto project) {
+    return userSession.hasComponentPermission(UserRole.SECURITYHOTSPOT_ADMIN, project);
+  }
+
   IssueChangeContext newIssueChangeContext() {
     return IssueChangeContext.createUser(new Date(system2.now()), checkLoggedIn());
   }

server/sonar-webserver-webapi/src/main/java/org/sonar/server/hotspot/ws/ShowAction.java

     responseBuilder
       .setProject(responseFormatter.formatComponent(Hotspots.Component.newBuilder(), components.getProject()))
       .setComponent(responseFormatter.formatComponent(Hotspots.Component.newBuilder(), components.getComponent()));
+    responseBuilder.setCanChangeStatus(hotspotWsSupport.canChangeStatus(components.getProject()));
   }
 
   private void formatRule(ShowWsResponse.Builder responseBuilder, RuleDefinitionDto ruleDefinitionDto) {

server/sonar-webserver-webapi/src/main/resources/org/sonar/server/hotspot/ws/show-example.json

       "name": "Joe",
       "active": true
     }
-  ]
+  ],
+  "canChangeStatus": true
 }

server/sonar-webserver-webapi/src/test/java/org/sonar/server/hotspot/ws/ShowActionTest.java

     assertThat(response.getKey()).isEqualTo(hotspot.getKey());
   }
 
+  @Test
+  public void return_canChangeStatus_false_on_public_project_when_anonymous() {
+    ComponentDto project = dbTester.components().insertPublicProject();
+    userSessionRule.registerComponents(project);
+    ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
+    RuleDefinitionDto rule = newRule(SECURITY_HOTSPOT);
+    IssueDto hotspot = dbTester.issues().insertHotspot(rule, project, file);
+    mockChangelogAndCommentsFormattingContext();
+
+    Hotspots.ShowWsResponse response = newRequest(hotspot)
+      .executeProtobuf(Hotspots.ShowWsResponse.class);
+
+    assertThat(response.getCanChangeStatus()).isFalse();
+  }
+
+  @Test
+  @UseDataProvider("allPublicProjectPermissionsButSECURITYHOTSPOT_ADMIN")
+  public void return_canChangeStatus_false_on_public_project_when_authenticated_without_SECURITYHOTSPOT_ADMIN_permission(@Nullable String permission) {
+    ComponentDto project = dbTester.components().insertPublicProject();
+    userSessionRule.logIn().registerComponents(project);
+    if (permission != null) {
+      userSessionRule.addProjectPermission(permission, project);
+    }
+    ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
+    RuleDefinitionDto rule = newRule(SECURITY_HOTSPOT);
+    IssueDto hotspot = dbTester.issues().insertHotspot(rule, project, file);
+    mockChangelogAndCommentsFormattingContext();
+
+    Hotspots.ShowWsResponse response = newRequest(hotspot)
+      .executeProtobuf(Hotspots.ShowWsResponse.class);
+
+    assertThat(response.getCanChangeStatus()).isFalse();
+  }
+
+  @Test
+  @UseDataProvider("allPublicProjectPermissionsButSECURITYHOTSPOT_ADMIN")
+  public void return_canChangeStatus_true_on_public_project_when_authenticated_with_SECURITYHOTSPOT_ADMIN_permission(@Nullable String permission) {
+    ComponentDto project = dbTester.components().insertPublicProject();
+    userSessionRule.registerComponents(project)
+      .addProjectPermission(UserRole.SECURITYHOTSPOT_ADMIN, project);
+    if (permission != null) {
+      userSessionRule.addProjectPermission(permission, project);
+    }
+    ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
+    RuleDefinitionDto rule = newRule(SECURITY_HOTSPOT);
+    IssueDto hotspot = dbTester.issues().insertHotspot(rule, project, file);
+    mockChangelogAndCommentsFormattingContext();
+
+    Hotspots.ShowWsResponse response = newRequest(hotspot)
+      .executeProtobuf(Hotspots.ShowWsResponse.class);
+
+    assertThat(response.getCanChangeStatus()).isTrue();
+  }
+
+  @DataProvider
+  public static Object[][] allPublicProjectPermissionsButSECURITYHOTSPOT_ADMIN() {
+    return new Object[][] {
+      {null}, // no permission
+      {UserRole.ADMIN},
+      {UserRole.SCAN},
+      {UserRole.ISSUE_ADMIN}
+    };
+  }
+
+  @Test
+  @UseDataProvider("allPrivateProjectPermissionsButSECURITYHOTSPOT_ADMIN_and_USER")
+  public void return_canChangeStatus_false_on_private_project_without_SECURITYHOTSPOT_ADMIN_permission(@Nullable String permission) {
+    ComponentDto project = dbTester.components().insertPrivateProject();
+    userSessionRule
+      .registerComponents(project)
+      .logIn()
+      .addProjectPermission(UserRole.USER, project);
+    if (permission != null) {
+      userSessionRule.addProjectPermission(permission, project);
+    }
+    ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
+    RuleDefinitionDto rule = newRule(SECURITY_HOTSPOT);
+    IssueDto hotspot = dbTester.issues().insertHotspot(rule, project, file);
+    mockChangelogAndCommentsFormattingContext();
+
+    Hotspots.ShowWsResponse response = newRequest(hotspot)
+      .executeProtobuf(Hotspots.ShowWsResponse.class);
+
+    assertThat(response.getCanChangeStatus()).isFalse();
+  }
+
+  @Test
+  @UseDataProvider("allPrivateProjectPermissionsButSECURITYHOTSPOT_ADMIN_and_USER")
+  public void return_canChangeStatus_false_on_private_project_with_SECURITYHOTSPOT_ADMIN_permission(@Nullable String permission) {
+    ComponentDto project = dbTester.components().insertPrivateProject();
+    userSessionRule
+      .registerComponents(project)
+      .logIn()
+      .addProjectPermission(UserRole.USER, project)
+      .addProjectPermission(UserRole.SECURITYHOTSPOT_ADMIN, project);
+    if (permission != null) {
+      userSessionRule.addProjectPermission(permission, project);
+    }
+    ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
+    RuleDefinitionDto rule = newRule(SECURITY_HOTSPOT);
+    IssueDto hotspot = dbTester.issues().insertHotspot(rule, project, file);
+    mockChangelogAndCommentsFormattingContext();
+
+    Hotspots.ShowWsResponse response = newRequest(hotspot)
+      .executeProtobuf(Hotspots.ShowWsResponse.class);
+
+    assertThat(response.getCanChangeStatus()).isTrue();
+  }
+
+  @DataProvider
+  public static Object[][] allPrivateProjectPermissionsButSECURITYHOTSPOT_ADMIN_and_USER() {
+    return new Object[][] {
+      {null}, // only USER permission
+      {UserRole.CODEVIEWER},
+      {UserRole.ADMIN},
+      {UserRole.SCAN},
+      {UserRole.ISSUE_ADMIN}
+    };
+  }
+
   @Test
   @UseDataProvider("statusAndResolutionCombinations")
   public void returns_status_and_resolution(String status, @Nullable String resolution) {
       .setName("test-project")
       .setLongName("test-project")
       .setDbKey("com.sonarsource:test-project"));
-    userSessionRule.registerComponents(project);
+    userSessionRule.registerComponents(project)
+      .addProjectPermission(UserRole.SECURITYHOTSPOT_ADMIN, project);
 
     ComponentDto file = dbTester.components().insertComponent(
       newFileDto(project)

sonar-ws/src/main/protobuf/ws-hotspots.proto

   repeated sonarqube.ws.commons.Changelog changelog = 14;
   repeated sonarqube.ws.commons.Comment comment = 15;
   repeated sonarqube.ws.commons.User users = 16;
+  optional bool canChangeStatus = 17;
 }
 
 message Component {