Update mutation to check for read list permissions

- Raise resource not found error if user can not read
the board list
- Add test examples for the case where the user
can not admin the board list and the list position
is not updated

app/graphql/mutations/boards/lists/update.rb

@@ -25,7 +25,7 @@ module Mutations
               description: 'Mutated list'
 
         def resolve(list: nil, **args)
-          authorize!(list)
+          raise_resource_not_available_error! unless can_read_list?(list)
           update_result = update_list(list, args)
 
           {
@@ -41,9 +41,10 @@ module Mutations
           service.execute(list)
         end
 
-        def authorize!(list)
-          raise_resource_not_available_error! unless list
-          raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_list, list.board)
+        def can_read_list?(list)
+          return false unless list.present?
+
+          Ability.allowed?(current_user, :read_list, list.board)
         end
       end
     end

spec/graphql/mutations/boards/lists/update_spec.rb

@@ -24,7 +24,7 @@ RSpec.describe Mutations::Boards::Lists::Update do
     context 'with permission to admin board lists' do
       let(:current_user) { reporter }
 
-      it 'updates the list as expected' do
+      it 'updates the list position and collapsed state as expected' do
         subject
 
         reloaded_list = list.reload
@@ -33,10 +33,22 @@ RSpec.describe Mutations::Boards::Lists::Update do
       end
     end
 
-    context 'without permission to admin board lists' do
+    context 'with permission to read board lists' do
       let(:current_user) { guest }
 
-      it 'fails' do
+      it 'updates the list collapsed state but not the list position' do
+        subject
+
+        reloaded_list = list.reload
+        expect(reloaded_list.position).to eq(0)
+        expect(reloaded_list.collapsed?(current_user)).to eq(true)
+      end
+    end
+
+    context 'without permission to read board lists' do
+      let(:current_user) { create(:user) }
+
+      it 'raises Resource Not Found error' do
         expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
       end
     end

spec/requests/api/graphql/mutations/boards/lists/update_spec.rb

@@ -14,18 +14,21 @@ RSpec.describe 'Update of an existing board list' do
   let(:mutation) { graphql_mutation(:update_board_list, input) }
   let(:mutation_response) { graphql_mutation_response(:update_board_list) }
 
-  context 'the user is not allowed to admin board lists' do
+  context 'the user is not allowed to read board lists' do
     it_behaves_like 'a mutation that returns top-level errors',
       errors: ['The resource that you are attempting to access does not exist or you don\'t have permission to perform this action']
   end
 
+  before do
+    list.update_preferences_for(current_user, collapsed: false)
+  end
+
   context 'when user has permissions to admin board lists' do
     before do
       group.add_reporter(current_user)
-      list.update_preferences_for(current_user, collapsed: false)
     end
 
-    it 'updates the list' do
+    it 'updates the list position and collapsed state' do
       post_graphql_mutation(mutation, current_user: current_user)
 
       expect(response).to have_gitlab_http_status(:success)
@@ -35,4 +38,20 @@ RSpec.describe 'Update of an existing board list' do
       )
     end
   end
+
+  context 'when user has permissions to read board lists' do
+    before do
+      group.add_guest(current_user)
+    end
+
+    it 'updates the list collapsed state but not the list position' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(response).to have_gitlab_http_status(:success)
+      expect(mutation_response['list']).to include(
+        'position' => 0,
+        'collapsed' => true
+      )
+    end
+  end
 end