From 2ba71571de1147e6b5e6e6f8c14b05d07c6050c2 Mon Sep 17 00:00:00 2001
From: Heinrich Lee Yu
Date: Thu, 25 Oct 2018 11:38:02 +0800
Subject: Simplify query and add tests for authorization change
---
 app/controllers/concerns/boards_responses.rb | 10 +++-------
 spec/controllers/boards/issues_controller_spec.rb | 19 +++++++++++++++----
 2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/app/controllers/concerns/boards_responses.rb b/app/controllers/concerns/boards_responses.rb
index e6c54e688b6..3cdf4ddf8bb 100644
--- a/app/controllers/concerns/boards_responses.rb
+++ b/app/controllers/concerns/boards_responses.rb
@@ -50,14 +50,10 @@ module BoardsResponses
 end
 def authorize_create_issue
- board = board_parent.boards.find(issue_params[:board_id])
- list = board.lists.find(issue_params[:list_id])
+ list = List.find(issue_params[:list_id])
+ action = list.backlog? ? :create_issue : :admin_issue
- if list.backlog?
- authorize_action_for!(project, :create_issue)
- else
- authorize_action_for!(project, :admin_issue)
- end
+ authorize_action_for!(project, action)
 end
 def authorize_admin_list
diff --git a/spec/controllers/boards/issues_controller_spec.rb b/spec/controllers/boards/issues_controller_spec.rb
index c365988a100..98946e4287b 100644
--- a/spec/controllers/boards/issues_controller_spec.rb
+++ b/spec/controllers/boards/issues_controller_spec.rb
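Review bot: In `authorize_create_issue` (boards_responses.rb) the list is now loaded with an unscoped `List.find(issue_params[:list_id])`, so the permission level is chosen from a list that is no longer tied to the board or to the `project` being authorized. A `list_id` belonging to a different board can therefore select the weaker `:create_issue` check, and `board_id` is no longer validated in this method at all; whether the create action later re-scopes the list is not visible in this hunk. The simplification can be kept while preserving the old guarantee by scoping the lookup: `list = board_parent.boards.find(issue_params[:board_id]).lists.find(issue_params[:list_id])`. The enclosing module starts outside the hunk and `authorize_admin_list` continues past it.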
@@ -208,11 +208,22 @@ describe Boards::IssuesController do
 end
 end
- context 'with unauthorized user' do
- it 'returns a forbidden 403 response' do
- create_issue user: guest, board: board, list: list1, title: 'New issue'
+ context 'with guest user' do
+ context 'in open list' do
+ it 'returns a successful 200 response' do
+ open_list = board.lists.create(list_type: :backlog)
+ create_issue user: guest, board: board, list: open_list, title: 'New issue'
- expect(response).to have_gitlab_http_status(403)
+ expect(response).to have_gitlab_http_status(200)
+ end
+ end
+
+ context 'in label list' do
+ it 'returns a forbidden 403 response' do
+ create_issue user: guest, board: board, list: list1, title: 'New issue'
+
+ expect(response).to have_gitlab_http_status(403)
+ end
 end
 end
--
cgit v1.2.1
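Review bot: The new guest contexts cover a backlog list and a label list on the same `board`, but nothing exercises a `list_id` that belongs to a different board or project, which is the case the unscoped `List.find` in `authorize_create_issue` newly admits. A third context that passes a backlog list from another board and expects the request to be rejected would pin that authorization boundary. Separately, `board.lists.create(list_type: :backlog)` returns an unsaved record if validation fails; `open_list = board.lists.create!(list_type: :backlog)` makes a broken setup fail loudly instead of surfacing as a confusing status mismatch. The enclosing `describe` block starts and ends outside this hunk.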