fix: Check perms on Kanban Column actions

- Check Column options access (archive, indicators) - Check column dragability access (allow if write access to board) - Check card dragability access (allow if write access to board) - Hide "Add Column" if no write access to board - Avoid board update on load without write access (cherry picked from commit dcbfcdf)
frappe · Mar 16, 2023 · efa74bb · efa74bb
1 parent 4ffc7a5
commit efa74bb
Showing 1 changed file with 29 additions and 5 deletions.
diff --git a/frappe/public/js/frappe/views/kanban/kanban_board.bundle.js b/frappe/public/js/frappe/views/kanban/kanban_board.bundle.js
@@ -297,6 +297,7 @@ frappe.provide("frappe.views");
 		self.wrapper = opts.wrapper;
 		self.cur_list = opts.cur_list;
 		self.board_name = opts.board_name;
+		self.board_perms = self.cur_list.board_perms;
 
 		self.update = function (cards) {
 			// update cards internally
@@ -325,7 +326,11 @@ frappe.provide("frappe.views");
 			store.watch((state, getters) => {
 				return state.empty_state;
 			}, show_empty_state);
-			store.dispatch("update_order");
+
+			if (self.board_perms.write) {
+				// If write access to Board, update Kanban cards order on load
+				store.dispatch("update_order");
+			}
 		}
 
 		function prepare() {
@@ -347,7 +352,7 @@ frappe.provide("frappe.views");
 			var columns = store.state.columns;
 
 			columns.filter(is_active_column).map(function (col) {
-				frappe.views.KanbanBoardColumn(col, self.$kanban_board);
+				frappe.views.KanbanBoardColumn(col, self.$kanban_board, self.board_perms);
 			});
 		}
 
@@ -356,7 +361,10 @@ frappe.provide("frappe.views");
 			bind_clickdrag();
 		}
 
-		function setup_sortable() { // drag column
+		function setup_sortable() {
+			// If no write access, editing board (by dragging column) should be blocked
+			if (!self.board_perms.write) return;
+
 			var sortable = new Sortable(self.$kanban_board.get(0), {
 				group: "columns",
 				animation: 150,
@@ -372,6 +380,12 @@ frappe.provide("frappe.views");
 		}
 
 		function bind_add_column() {
+			if (!self.board_perms.write) {
+				// If no write access, editing board (by adding column) should be blocked
+				self.$kanban_board.find(".add-new-column").hide();
+				return;
+			}
+
 			var $add_new_column = self.$kanban_board.find(".add-new-column"),
 				$compose_column = $add_new_column.find(".compose-column"),
 				$compose_column_form = $add_new_column.find(".compose-column-form").hide();
@@ -513,7 +527,7 @@ frappe.provide("frappe.views");
 		return self;
 	};
 
-	frappe.views.KanbanBoardColumn = function (column, wrapper) {
+	frappe.views.KanbanBoardColumn = function (column, wrapper, board_perms) {
 		var self = {};
 		var filtered_cards = [];
 
@@ -566,7 +580,10 @@ frappe.provide("frappe.views");
 			}
 		}
 
-		function setup_sortable() { // drag card
+		function setup_sortable() {
+			// If no write access, editing board (by dragging card) should be blocked
+			if (!board_perms.write) return;
+
 			Sortable.create(self.$kanban_cards.get(0), {
 				group: "cards",
 				animation: 150,
@@ -641,6 +658,12 @@ frappe.provide("frappe.views");
 		}
 
 		function bind_options() {
+			if (!board_perms.write) {
+				// If no write access, column options should be hidden
+				self.$kanban_column.find(".column-options").hide();
+				return;
+			}
+
 			self.$kanban_column
 				.find(".column-options .dropdown-menu")
 				.on("click", "[data-action]", function () {
@@ -654,6 +677,7 @@ frappe.provide("frappe.views");
 						store.dispatch("set_indicator", { column, color });
 					}
 				});
+
 			get_column_indicators(function (indicators) {
 				let html = `<li class="button-group">${indicators
 					.map((indicator) => {