1 files changed, 11 insertions, 7 deletions

diff --git a/app/Controller/BoardAjaxController.php b/app/Controller/BoardAjaxController.php
index 9b721f06..ecb76e9c 100644
--- a/app/Controller/BoardAjaxController.php
+++ b/app/Controller/BoardAjaxController.php
@@ -3,7 +3,7 @@
 namespace Kanboard\Controller;
 
 use Kanboard\Core\Controller\AccessForbiddenException;
-use Kanboard\Formatter\BoardFormatter;
+use Kanboard\Model\UserMetadataModel;
 
 /**
  * Class BoardAjaxController
@@ -28,10 +28,14 @@ class BoardAjaxController extends BaseController
 
         $values = $this->request->getJson();
 
+        if (! $this->helper->projectRole->canMoveTask($project_id, $values['src_column_id'], $values['dst_column_id'])) {
+            throw new AccessForbiddenException(e("You don't have the permission to move this task"));
+        }
+
         $result =$this->taskPositionModel->movePosition(
             $project_id,
             $values['task_id'],
-            $values['column_id'],
+            $values['dst_column_id'],
             $values['position'],
             $values['swimlane_id']
         );
@@ -88,7 +92,7 @@ class BoardAjaxController extends BaseController
      */
     public function collapse()
     {
-        $this->changeDisplayMode(true);
+        $this->changeDisplayMode(1);
     }
 
     /**
@@ -98,19 +102,19 @@ class BoardAjaxController extends BaseController
      */
     public function expand()
     {
-        $this->changeDisplayMode(false);
+        $this->changeDisplayMode(0);
     }
 
     /**
      * Change display mode
      *
      * @access private
-     * @param  boolean $mode
+     * @param  int $mode
      */
     private function changeDisplayMode($mode)
     {
         $project_id = $this->request->getIntegerParam('project_id');
-        $this->userSession->setBoardDisplayMode($project_id, $mode);
+        $this->userMetadataCacheDecorator->set(UserMetadataModel::KEY_BOARD_COLLAPSED.$project_id, $mode);
 
         if ($this->request->isAjax()) {
             $this->response->html($this->renderBoard($project_id));
@@ -134,7 +138,7 @@ class BoardAjaxController extends BaseController
             'board_highlight_period' => $this->configModel->get('board_highlight_period'),
             'swimlanes' => $this->taskLexer
                 ->build($this->userSession->getFilters($project_id))
-                ->format(BoardFormatter::getInstance($this->container)->withProjectId($project_id))
+                ->format($this->boardFormatter->withProjectId($project_id))
         ));
     }
 }