Move action to render board lists to `Projects::Boards::ListsController`

app/controllers/projects/boards/lists_controller.rb

 module Projects
   module Boards
     class ListsController < Boards::ApplicationController
-      before_action :authorize_admin_list!
+      before_action :authorize_admin_list!, only: [:create, :update, :destroy, :generate]
+      before_action :authorize_read_list!, only: [:index]
+
+      def index
+        render json: project.board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :description, :color, :priority] } })
+      end
 
       def create
         list = ::Boards::Lists::CreateService.new(project, current_user, list_params).execute
@@ -49,6 +54,10 @@ module Projects
         return render_403 unless can?(current_user, :admin_list, project)
       end
 
+      def authorize_read_list!
+        return render_403 unless can?(current_user, :read_list, project)
+      end
+
       def list_params
         params.require(:list).permit(:label_id)
       end

app/controllers/projects/boards_controller.rb

 class Projects::BoardsController < Projects::ApplicationController
+  respond_to :html
+
   before_action :authorize_read_board!, only: [:show]
 
   def show
-    board = Boards::CreateService.new(project, current_user).execute
-
-    respond_to do |format|
-      format.html
-      format.json { render json: board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :description, :color, :priority] } }) }
-    end
+    ::Boards::CreateService.new(project, current_user).execute
   end
 
   private
 
   def authorize_read_board!
-    unless can?(current_user, :read_board, project)
-      respond_to do |format|
-        format.html { return access_denied! }
-        format.json { return render_403 }
-      end
-    end
+    return access_denied! unless can?(current_user, :read_board, project)
   end
 end

app/models/ability.rb

@@ -91,6 +91,7 @@ class Ability
         rules = [
           :read_project,
           :read_board,
+          :read_list,
           :read_wiki,
           :read_label,
           :read_milestone,
@@ -230,6 +231,7 @@ class Ability
         :read_wiki,
         :read_issue,
         :read_board,
+        :read_list,
         :read_label,
         :read_milestone,
         :read_project_snippet,

config/routes.rb

@@ -860,7 +860,7 @@ Rails.application.routes.draw do
           scope module: :boards do
             resources :issues, only: [:update]
 
-            resources :lists, only: [:create, :update, :destroy] do
+            resources :lists, only: [:index, :create, :update, :destroy] do
               collection do
                 post :generate
               end

spec/controllers/projects/boards/lists_controller_spec.rb

@@ -11,6 +11,46 @@ describe Projects::Boards::ListsController do
     project.team << [guest, :guest]
   end
 
+  describe 'GET #index' do
+    it 'returns a successful 200 response' do
+      read_board_list user: user
+
+      expect(response).to have_http_status(200)
+      expect(response.content_type).to eq 'application/json'
+    end
+
+    it 'returns a list of board lists' do
+      board = project.create_board
+      create(:backlog_list, board: board)
+      create(:list, board: board)
+      create(:done_list, board: board)
+
+      read_board_list user: user
+
+      parsed_response = JSON.parse(response.body)
+
+      expect(response).to match_response_schema('list', array: true)
+      expect(parsed_response.length).to eq 3
+    end
+
+    it 'returns a successful 403 response with unauthorized user' do
+      allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+      allow(Ability.abilities).to receive(:allowed?).with(user, :read_list, project).and_return(false)
+
+      read_board_list user: user
+
+      expect(response).to have_http_status(403)
+    end
+
+    def read_board_list(user:)
+      sign_in(user)
+
+      get :index, namespace_id: project.namespace.to_param,
+                  project_id: project.to_param,
+                  format: :json
+    end
+  end
+
   describe 'POST #create' do
     let(:label) { create(:label, project: project, name: 'Development') }
 

spec/controllers/projects/boards_controller_spec.rb

@@ -10,13 +10,10 @@ describe Projects::BoardsController do
   end
 
   describe 'GET #show' do
-    context 'when project does not have a board' do
-      it 'creates a new board' do
+    it 'creates a new board when project does not have one' do
       expect { read_board }.to change(Board, :count).by(1)
     end
-    end
 
-    context 'when format is HTML' do
     it 'renders HTML template' do
       read_board
 
@@ -24,8 +21,7 @@ describe Projects::BoardsController do
       expect(response.content_type).to eq 'text/html'
     end
 
-      context 'with unauthorized user' do
-        it 'returns a successful 404 response' do
+    it 'returns a successful 404 response with unauthorized user' do
       allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
       allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
 
@@ -33,42 +29,6 @@ describe Projects::BoardsController do
 
       expect(response).to have_http_status(404)
     end
-      end
-    end
-
-    context 'when format is JSON' do
-      it 'returns a successful 200 response' do
-        read_board format: :json
-
-        expect(response).to have_http_status(200)
-        expect(response.content_type).to eq 'application/json'
-      end
-
-      it 'returns a list of board lists' do
-        board = project.create_board
-        create(:backlog_list, board: board)
-        create(:list, board: board)
-        create(:done_list, board: board)
-
-        read_board format: :json
-
-        parsed_response = JSON.parse(response.body)
-
-        expect(response).to match_response_schema('list', array: true)
-        expect(parsed_response.length).to eq 3
-      end
-
-      context 'with unauthorized user' do
-        it 'returns a successful 403 response' do
-          allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
-          allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
-
-          read_board format: :json
-
-          expect(response).to have_http_status(403)
-        end
-      end
-    end
 
     def read_board(format: :html)
       get :show, namespace_id: project.namespace.to_param,