Merge branch 'rj-fix-manual-order' into 'master'

Don't let logged out user do manual order See merge request gitlab-org/gitlab-ce!30264
2019-07-03 06:52:53 +00:00 · 2019-07-03 06:52:53 +00:00 · ae7a439758
commit ae7a439758
parent 4a8fa7fac7 2302385cce
3 changed files with 25 additions and 1 deletions
--- a/app/assets/javascripts/manual_ordering.js
+++ b/app/assets/javascripts/manual_ordering.js
@ -21,7 +21,7 @@ const updateIssue = (url, issueList, { move_before_id, move_after_id }) =>
 const initManualOrdering = () => {
  const issueList = document.querySelector('.manual-ordering');

-  if (!issueList || !(gon.features && gon.features.manualSorting)) {
+  if (!issueList || !(gon.features && gon.features.manualSorting) || !(gon.current_user_id > 0)) {
    return;
  }

--- a/changelogs/unreleased/rj-fix-manual-order.yml
+++ b/changelogs/unreleased/rj-fix-manual-order.yml
@ -0,0 +1,5 @@
+---
+title: Don't let logged out user do manual order
+merge_request: 30264
+author:
+type: fixed
--- a/spec/features/groups/issues_spec.rb
+++ b/spec/features/groups/issues_spec.rb
@ -150,6 +150,25 @@ describe 'Group issues page' do
      check_issue_order
    end

+    it 'issues should not be draggable when user is not logged in', :js do
+      sign_out(user_in_group)
+
+      visit issues_group_path(group, sort: 'relative_position')
+
+      drag_to(selector: '.manual-ordering',
+        from_index: 0,
+        to_index: 2)
+
+      wait_for_requests
+
+      # Issue order should remain the same
+      page.within('.manual-ordering') do
+        expect(find('.issue:nth-child(1) .title')).to have_content('Issue #1')
+        expect(find('.issue:nth-child(2) .title')).to have_content('Issue #2')
+        expect(find('.issue:nth-child(3) .title')).to have_content('Issue #3')
+      end
+    end
+
    def check_issue_order
      page.within('.manual-ordering') do
        expect(find('.issue:nth-child(1) .title')).to have_content('Issue #2')