From d5bec063e7b656974b09f9d5f9bf29326a041b7c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Mon, 26 Jun 2017 19:40:16 +0000
Subject: [PATCH] Use ApplicationController#find_optional_project instead.
git-svn-id: http://svn.redmine.org/redmine/trunk@16720 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/queries_controller.rb | 7 ------
 test/functional/queries_controller_test.rb | 25 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/app/controllers/queries_controller.rb b/app/controllers/queries_controller.rb
index 54f695fd7..9a6102a16 100644
--- a/app/controllers/queries_controller.rb
+++ b/app/controllers/queries_controller.rb
@@ -114,13 +114,6 @@ class QueriesController < ApplicationController
     render_404
   end
 
-  def find_optional_project
-    @project = Project.find(params[:project_id]) if params[:project_id]
-    render_403 unless User.current.allowed_to?(:save_queries, @project, :global => true)
-  rescue ActiveRecord::RecordNotFound
-    render_404
-  end
-
   def update_query_from_params
     @query.project = params[:query_is_for_all] ? nil : @project
     @query.build_from_params(params)
diff --git a/test/functional/queries_controller_test.rb b/test/functional/queries_controller_test.rb
index 4aac31540..5149a447d 100644
--- a/test/functional/queries_controller_test.rb
+++ b/test/functional/queries_controller_test.rb
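Review bot: Deleting the controller-local `find_optional_project` removes the only authorization visible in this hunk, the explicit `render_403 unless User.current.allowed_to?(:save_queries, @project, :global => true)`; whether the inherited ApplicationController method enforces an equivalent permission for the create action (presumably through the controller/action permission map rather than a named permission) cannot be confirmed from this diff, so the check now depends on that mapping staying correct. I would record that dependency on the `before_action` that invokes the inherited method, which is outside this hunk, e.g. `# authorization is delegated to ApplicationController#find_optional_project (permission map), not checked here`. The removed method also distinguished an unknown `project_id` (404) from a forbidden one (403); if the inherited version does not rescue `ActiveRecord::RecordNotFound` the same way, the create action's response for an unknown project changes, which the new tests do not cover. The enclosing `update_query_from_params` continues past the end of the hunk.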
@@ -244,6 +244,31 @@ class QueriesControllerTest < Redmine::ControllerTest
     assert_select 'input[name=?]', 'query[name]'
   end
 
+  def test_create_query_without_permission_should_fail
+    Role.all.each {|r| r.remove_permission! :save_queries, :manage_public_queries}
+
+    @request.session[:user_id] = 2
+    assert_no_difference '::Query.count' do
+      post :create, :params => {
+        :project_id => 'ecookbook',
+        :query => {:name => 'Foo'}
+      }
+    end
+    assert_response 403
+  end
+
+  def test_create_global_query_without_permission_should_fail
+    Role.all.each {|r| r.remove_permission! :save_queries, :manage_public_queries}
+
+    @request.session[:user_id] = 2
+    assert_no_difference '::Query.count' do
+      post :create, :params => {
+        :query => {:name => 'Foo'}
+      }
+    end
+    assert_response 403
+  end
+
   def test_create_global_query_from_gantt
     @request.session[:user_id] = 1
     assert_difference 'IssueQuery.count' do
-- 
2.39.5
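Review bot: The two new tests open with the same `Role.all.each {|r| r.remove_permission! :save_queries, :manage_public_queries}` line, and a reader has to work out that stripping both permissions from every role is what makes user 2 unauthorized; a small private helper such as `def revoke_query_permissions_from_all_roles` called from both tests would state that intent once. Both tests assert only the 403 outcome for a valid project and for the global case; nothing here exercises a nonexistent `project_id`, so the 404 path the controller previously handled in its own `find_optional_project` is unverified after the switch to the inherited method. The test file's other tests count `IssueQuery.count` while these use `'::Query.count'`; that is fine for a negative assertion but worth keeping consistent. The surrounding `test_create_global_query_from_gantt` continues past the end of the hunk.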