JIRA Scrum Board allows Version to be set without Resolve Issues permission

Summary

The Resolve Issues project permission is defined as:

Ability to resolve and reopen issues. This includes the ability to set a fix version.

If this permission is revoked, a user will (correctly) not be allowed to edit the Affects Version/s and Fix Version/s fields from the Default View Issue screen, but will still be allowed to edit everything else (assuming they have Edit Issues permission).

However, if the view is changed to the Scrum Board's Backlog screen, the same user may drag the issue into a Version panel and the issue will be assigned that version, completely bypassing the Resolve Issues project permission

For a demonstration, see following mp4 screencapture: JSW-15528.mp4

Environment

Tested in JIRA Software 7.2.7 and JIRA Software 7.3.0

Steps to Reproduce

1. Create a new Software Project with a Scrum Board
2. Create a new version (i.e. "Test Version")
3. Ensure that the current user has both Edit Issues and Resolve Issues permissions
4. Ensure that the current user may set either the Affects Version/s or Fix Version/s field
5. Revoke the current user's permission to Resolve Issues

Expected Results

1. The user should lose the ability to edit the Version/s fields
2. The user should not be able to drag the issue into the Version panel in the Backlog

Actual Results

1. The user loses the ability to edit the Version/s fields
2. The user can still drag the issue into the Version panel in the Backlog, bypassing the Resolve Issues permission