From 9a425c3f9232a552f18e19c8a36b4c23acc9ac80 Mon Sep 17 00:00:00 2001
From: Phil Hughes <me@iamphill.com>
Date: Wed, 17 Aug 2016 14:05:34 +0100
Subject: [PATCH] Fixed permissions around create new list button

---
 app/views/shared/issuable/_filter.html.haml |  2 +-
 spec/features/boards/boards_spec.rb         | 28 ++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/app/views/shared/issuable/_filter.html.haml b/app/views/shared/issuable/_filter.html.haml
index 949592a36eb..ffe8d4fbdbf 100644
--- a/app/views/shared/issuable/_filter.html.haml
+++ b/app/views/shared/issuable/_filter.html.haml
@@ -29,7 +29,7 @@
         .pull-right
           - if controller.controller_name != 'boards'
             = render 'shared/sort_dropdown'
-          - elsif current_user
+          - if can?(current_user, :admin_list, @project)
             .dropdown
               %button.btn.btn-create.js-new-board-list{ type: "button", data: { toggle: "dropdown", labels: labels_filter_path, project_id: @project.try(:id) } }
                 Create new list
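Review bot: Replacing `- elsif current_user` with a standalone `- if can?(current_user, :admin_list, @project)` detaches the button from the `controller.controller_name != 'boards'` branch. As written, the `.dropdown` holding "Create new list" would also render beside the sort dropdown on every non-boards page that uses this shared filter partial, for any user holding `:admin_list`. Keeping the branch exclusive applies the new permission without changing where the button appears: `- elsif can?(current_user, :admin_list, @project)`. Hiding the button is presentation only, so the action that creates a list should enforce the same `:admin_list` check; that code is not visible in this patch. The `.dropdown` block continues past the end of the hunk.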
diff --git a/spec/features/boards/boards_spec.rb b/spec/features/boards/boards_spec.rb
index cf20ca90b21..2864784559b 100644
--- a/spec/features/boards/boards_spec.rb
+++ b/spec/features/boards/boards_spec.rb
@@ -3,7 +3,7 @@ require 'rails_helper'
 describe 'Issue Boards', feature: true, js: true do
   include WaitForAjax
 
-  let(:project) { create(:empty_project) }
+  let(:project) { create(:empty_project, :public) }
   let(:user)    { create(:user) }
   let!(:user2)  { create(:user) }
 
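Review bot: Adding `:public` to the file-level `let(:project)` changes the visibility for every existing example in this spec, not only the new signed-out and guest contexts, so the board is no longer exercised against a private project here. Overriding the fixture only where it is needed keeps the other examples unchanged, e.g. `let(:project) { create(:empty_project, :public) }` inside `context 'signed out user'`. The guest context adds the user to the project team, so it probably does not need a public project at all; worth confirming.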
@@ -561,6 +561,32 @@ describe 'Issue Boards', feature: true, js: true do
     end
   end
 
+  context 'signed out user' do
+    before do
+      logout
+      visit namespace_project_board_path(project.namespace, project)
+    end
+
+    it 'does not show create new list' do
+      expect(page).not_to have_selector('.js-new-board-list')
+    end
+  end
+
+  context 'as guest user' do
+    let(:user_guest) { create(:user) }
+
+    before do
+      project.team << [user_guest, :guest]
+      logout
+      login_as(user_guest)
+      visit namespace_project_board_path(project.namespace, project)
+    end
+
+    it 'does not show create new list' do
+      expect(page).not_to have_selector('.js-new-board-list')
+    end
+  end
+
   def drag_to(list_from_index: 0, card_index: 0, to_index: 0, list_to_index: 0, selector: '.board-list')
     evaluate_script("simulateDrag({scrollable: document.getElementById('board-app'), from: {el: $('#{selector}').eq(#{list_from_index}).get(0), index: #{card_index}}, to: {el: $('.board-list').eq(#{list_to_index}).get(0), index: #{to_index}}});")
 
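Review bot: Both new examples assert only that `.js-new-board-list` is absent, which also holds if the visit ended on a sign-in redirect or an error page, so they can pass without the board ever rendering. Asserting that the board loaded first makes the negative check meaningful, for example `expect(page).to have_selector('#board-app')` ahead of the `not_to have_selector` line; the `#board-app` id is taken from `drag_to` below, so confirm it is rendered for read-only users. An example that a guest's attempt to create a list is rejected by the server would cover the permission itself rather than only the button. The enclosing `describe` block and `drag_to` continue outside the hunk.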
-- 
GitLab