Merge branch 'board-dragging-disabled' into 'master'

Stop unauthorized users dragging on issue boards

Closes #23763

See merge request !7096

CHANGELOG.md

@@ -23,7 +23,8 @@ Please view this file on the master branch, on stable branches it's out of date.
   - Fixed hidden pipeline graph on commit and MR page !6895
   - Expire and build repository cache after project import
   - Fix 404 for group pages when GitLab setup uses relative url
-  - Simpler arguments passed to named_route on toggle_award_url helper method 
+  - Simpler arguments passed to named_route on toggle_award_url helper method
+  - Fix unauthorized users dragging on issue boards
   - Better handle when no users were selected for adding to group or project. (Linus Thiel)
   - Only show register tab if signup enabled.
 

app/helpers/boards_helper.rb

@@ -5,7 +5,7 @@ module BoardsHelper
     {
       endpoint: namespace_project_boards_path(@project.namespace, @project),
       board_id: board.id,
-      disabled: !can?(current_user, :admin_list, @project),
+      disabled: "#{!can?(current_user, :admin_list, @project)}",
       issue_link_base: namespace_project_issues_path(@project.namespace, @project)
     }
   end

spec/features/boards/boards_spec.rb

@@ -624,6 +624,10 @@ describe 'Issue Boards', feature: true, js: true do
     it 'does not show create new list' do
       expect(page).not_to have_selector('.js-new-board-list')
     end
+
+    it 'does not allow dragging' do
+      expect(page).not_to have_selector('.user-can-drag')
+    end
   end
 
   context 'as guest user' do