Merge branch 'boards-dropdown-hide-options' into 'master'

Hides multiple board actions if user doesnt have permissions Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23678 See merge request !816

Merge branch 'boards-dropdown-hide-options' into 'master'
Hides multiple board actions if user doesnt have permissions Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23678 See merge request !816
2724a950 · Sean McGivern · dee938f1 · bf786eb5 · 2724a950 · 2724a950
Commit 2724a950 authored Oct 25, 2016 by Sean McGivern
4 changed files
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 ## 8.13.1

  - Fix Elasticsearch::Transport::Transport::Errors::BadRequest when ES is enabled. #21036
+  - Hides multiple board actions if user doesnt have permissions

 ## 8.13.0 (2016-10-22)


--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -58,6 +58,7 @@ class ProjectPolicy < BasePolicy
    can! :update_issue
    can! :admin_issue
    can! :admin_label
+    can! :admin_board
    can! :admin_list
    can! :read_commit_status
    can! :read_build

--- a/app/views/projects/boards/_title.html.haml
+++ b/app/views/projects/boards/_title.html.haml
@@ -23,6 +23,7 @@
              {{ board.name }}
      .dropdown-loading{ "v-if" => "loading" }
        = icon("spin spinner")
+      - if can?(current_user, :admin_board, @project)
        %board-selector-form{ "inline-template" => true,
          "v-if" => "currentPage === 'edit'",
          "type" => "edit",
@@ -48,6 +49,7 @@
            %button.btn.btn-default.pull-right{ type: "button",
              "@click.stop.prevent" => "currentPage = ''" }
              Cancel
+      - if can?(current_user, :admin_board, @project)
        .dropdown-footer{ "v-if" => "currentPage === ''" }
          %ul.dropdown-footer-list
            %li

--- a/spec/features/boards/multiple_boards_spec.rb
+++ b/spec/features/boards/multiple_boards_spec.rb
@@ -10,6 +10,7 @@ describe 'Multiple Issue Boards', feature: true, js: true do
  let!(:board)    { create(:board, project: project) }
  let!(:board2)   { create(:board, project: project) }

+  context 'authorized user' do
    before do
      project.team << [user, :master]

@@ -142,4 +143,22 @@ describe 'Multiple Issue Boards', feature: true, js: true do

      expect(page).to have_selector('.board', count: 2)
    end
+  end
+
+  context 'unauthorized user' do
+    before do
+      visit namespace_project_boards_path(project.namespace, project)
+      wait_for_vue_resource
+    end
+
+    it 'does not show action links' do
+      click_button board.name
+
+      page.within('.boards-title-holder .dropdown-menu') do
+        expect(page).not_to have_content('Create new board')
+        expect(page).not_to have_content('Edit board name')
+        expect(page).not_to have_content('Delete board')
+      end
+    end
+  end
 end