Merge branch 'board-dragging-disabled' into 'master'

Stop unauthorized users dragging on issue boards

Closes #23763

See merge request !7096
Signed-off-by: Rémy Coutable <remy@rymai.me>

CHANGELOG.md

@@ -17,6 +17,7 @@ Please view this file on the master branch, on stable branches it's out of date.
   - Fix reply-by-email not working due to queue name mismatch. !7068
   - Fix 404 for group pages when GitLab setup uses relative url. !7071
   - Fix `User#to_reference`. !7088
+  - Fix unauthorized users dragging on issue boards. !7096
 
 ## 8.13.0 (2016-10-22)
 

app/helpers/boards_helper.rb

@@ -5,7 +5,7 @@ module BoardsHelper
     {
       endpoint: namespace_project_boards_path(@project.namespace, @project),
       board_id: board.id,
-      disabled: !can?(current_user, :admin_list, @project),
+      disabled: "#{!can?(current_user, :admin_list, @project)}",
       issue_link_base: namespace_project_issues_path(@project.namespace, @project)
     }
   end

spec/features/boards/boards_spec.rb

@@ -624,6 +624,10 @@ describe 'Issue Boards', feature: true, js: true do
     it 'does not show create new list' do
       expect(page).not_to have_selector('.js-new-board-list')
     end
+
+    it 'does not allow dragging' do
+      expect(page).not_to have_selector('.user-can-drag')
+    end
   end
 
   context 'as guest user' do