Merge branch 'board-dragging-disabled' into 'master'

Stop unauthorized users dragging on issue boards

Closes #23763

See merge request !7096

Signed-off-by: Rémy Coutable <remy@rymai.me>

3 files changed, 6 insertions, 1 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ae1e95c4c6f..6d915a61bbd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@ Please view this file on the master branch, on stable branches it's out of date.
   - Fix reply-by-email not working due to queue name mismatch. !7068
   - Fix 404 for group pages when GitLab setup uses relative url. !7071
   - Fix `User#to_reference`. !7088
+  - Fix unauthorized users dragging on issue boards. !7096
 
 ## 8.13.0 (2016-10-22)
 
diff --git a/app/helpers/boards_helper.rb b/app/helpers/boards_helper.rb
index b7247ffa8b2..38c586ccd31 100644
--- a/app/helpers/boards_helper.rb
+++ b/app/helpers/boards_helper.rb
@@ -5,7 +5,7 @@ module BoardsHelper
     {
       endpoint: namespace_project_boards_path(@project.namespace, @project),
       board_id: board.id,
-      disabled: !can?(current_user, :admin_list, @project),
+      disabled: "#{!can?(current_user, :admin_list, @project)}",
       issue_link_base: namespace_project_issues_path(@project.namespace, @project)
     }
   end
diff --git a/spec/features/boards/boards_spec.rb b/spec/features/boards/boards_spec.rb
index 0fb1608a0a3..c533ce1d87f 100644
--- a/spec/features/boards/boards_spec.rb
+++ b/spec/features/boards/boards_spec.rb
@@ -624,6 +624,10 @@ describe 'Issue Boards', feature: true, js: true do
     it 'does not show create new list' do
       expect(page).not_to have_selector('.js-new-board-list')
     end
+
+    it 'does not allow dragging' do
+      expect(page).not_to have_selector('.user-can-drag')
+    end
   end
 
   context 'as guest user' do