From cabc131cfbee72e3a1eaae94619dcf1e3cc59d5a Mon Sep 17 00:00:00 2001
From: Phil Hughes <me@iamphill.com>
Date: Tue, 25 Oct 2016 12:57:56 +0100
Subject: [PATCH] Stop unauthized users dragging on issue boards

Closes #23763
---
 CHANGELOG.md                        | 3 ++-
 app/helpers/boards_helper.rb        | 2 +-
 spec/features/boards/boards_spec.rb | 4 ++++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 21f2bec867f..a8603170355 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,7 +23,8 @@ Please view this file on the master branch, on stable branches it's out of date.
   - Fixed hidden pipeline graph on commit and MR page !6895
   - Expire and build repository cache after project import
   - Fix 404 for group pages when GitLab setup uses relative url
-  - Simpler arguments passed to named_route on toggle_award_url helper method 
+  - Simpler arguments passed to named_route on toggle_award_url helper method
+  - Fix unauthorized users dragging on issue boards
   - Better handle when no users were selected for adding to group or project. (Linus Thiel)
   - Only show register tab if signup enabled.
 
diff --git a/app/helpers/boards_helper.rb b/app/helpers/boards_helper.rb
index b7247ffa8b2..38c586ccd31 100644
--- a/app/helpers/boards_helper.rb
+++ b/app/helpers/boards_helper.rb
@@ -5,7 +5,7 @@ module BoardsHelper
     {
       endpoint: namespace_project_boards_path(@project.namespace, @project),
       board_id: board.id,
-      disabled: !can?(current_user, :admin_list, @project),
+      disabled: "#{!can?(current_user, :admin_list, @project)}",
       issue_link_base: namespace_project_issues_path(@project.namespace, @project)
     }
   end
diff --git a/spec/features/boards/boards_spec.rb b/spec/features/boards/boards_spec.rb
index 0fb1608a0a3..c533ce1d87f 100644
--- a/spec/features/boards/boards_spec.rb
+++ b/spec/features/boards/boards_spec.rb
@@ -624,6 +624,10 @@ describe 'Issue Boards', feature: true, js: true do
     it 'does not show create new list' do
       expect(page).not_to have_selector('.js-new-board-list')
     end
+
+    it 'does not allow dragging' do
+      expect(page).not_to have_selector('.user-can-drag')
+    end
   end
 
   context 'as guest user' do