Prevent moving news between projects

This is not expected to be possible

app/contracts/news/base_contract.rb

@@ -37,7 +37,6 @@ class News::BaseContract < ModelContract
     News
   end
 
-  attribute :project
   attribute :title
   attribute :summary
   attribute :description

app/contracts/news/create_contract.rb

@@ -29,4 +29,5 @@
 #++
 
 class News::CreateContract < News::BaseContract
+  attribute :project
 end

spec/requests/api/v3/news/update_resource_spec.rb

@@ -66,6 +66,33 @@ RSpec.describe API::V3::News::NewsAPI,
     it_behaves_like "updates the news"
   end
 
+  describe "user with only view_news on source project and manage_news on different project" do
+    let(:attacker_project) { create(:project, enabled_module_names: %w[news]) }
+    let(:user) do
+      create(:user,
+             member_with_permissions: {
+               project => %i[view_news],
+               attacker_project => %i[view_news manage_news]
+             })
+    end
+    let(:parameters) do
+      {
+        _links: {
+          project: {
+            href: api_v3_paths.project(attacker_project.id)
+          }
+        }
+      }
+    end
+
+    it "does not move the news to another project" do
+      expect(last_response.status).to eq(422)
+      expect(news.reload.project).to eq(project)
+    end
+
+    it_behaves_like "read-only violation", "project", News
+  end
+
   describe "unauthorized user" do
     let(:user) { build(:user) }