From af2730de5e580d98e31e3372098b757fee5a7810 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 8 Apr 2018 13:23:30 +0000
Subject: [PATCH] Global and public custom queries are shown as editable to non
 administrators in projects (#28264).

git-svn-id: http://svn.redmine.org/redmine/trunk@17292 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/query.rb     | 12 ++++++------
 test/unit/query_test.rb | 22 +++++++++++++++++++++-
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/app/models/query.rb b/app/models/query.rb
index 319a0b8a8..85de2f1a9 100644
--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -356,13 +356,13 @@ class Query < ActiveRecord::Base
     !is_private?
   end
 
-  def queried_table_name
-    @queried_table_name ||= self.class.queried_class.table_name
+  # Returns true if the query is available for all projects
+  def is_global?
+    new_record? ? project_id.nil? : project_id_in_database.nil?
   end
 
-  def initialize(attributes=nil, *args)
-    super attributes
-    @is_for_all = project.nil?
+  def queried_table_name
+    @queried_table_name ||= self.class.queried_class.table_name
   end
 
   # Builds the query from the given params
@@ -447,7 +447,7 @@ class Query < ActiveRecord::Base
     # Admin can edit them all and regular users can edit their private queries
     return true if user.admin? || (is_private? && self.user_id == user.id)
     # Members can not edit public queries that are for all project (only admin is allowed to)
-    is_public? && !@is_for_all && user.allowed_to?(:manage_public_queries, project)
+    is_public? && !is_global? && user.allowed_to?(:manage_public_queries, project)
   end
 
   def trackers
diff --git a/test/unit/query_test.rb b/test/unit/query_test.rb
index bb5effdef..4dfc25712 100644
--- a/test/unit/query_test.rb
+++ b/test/unit/query_test.rb
@@ -1742,9 +1742,29 @@ class QueryTest < ActiveSupport::TestCase
     assert q.editable_by?(admin)
     assert !q.editable_by?(manager)
     assert q.editable_by?(developer)
+  end
+
+  def test_editable_by_for_global_query
+    admin = User.find(1)
+    manager = User.find(2)
+    developer = User.find(3)
 
-    # Public query for all projects
     q = IssueQuery.find(4)
+    q.project = Project.find(1)
+
+    assert q.editable_by?(admin)
+    assert !q.editable_by?(manager)
+    assert !q.editable_by?(developer)
+  end
+
+  def test_editable_by_for_global_query_with_project_set
+    admin = User.find(1)
+    manager = User.find(2)
+    developer = User.find(3)
+
+    q = IssueQuery.find(4)
+    q.project = Project.find(1)
+
     assert q.editable_by?(admin)
     assert !q.editable_by?(manager)
     assert !q.editable_by?(developer)
-- 
2.39.5