-rw-r--r-- | app/controllers/queries_controller.rb | 7 | ||||
-rw-r--r-- | app/models/user.rb | 31 | ||||
-rw-r--r-- | app/views/issues/_sidebar.rhtml | 2 | ||||
-rw-r--r-- | app/views/issues/index.rhtml | 2 | ||||
-rw-r--r-- | test/functional/queries_controller_test.rb | 44 |
5 files changed, 61 insertions, 25 deletions
diff --git a/app/controllers/queries_controller.rb b/app/controllers/queries_controller.rb
index 194b1df57..da2c4a2c8 100644
--- a/app/controllers/queries_controller.rb
+++ b/app/controllers/queries_controller.rb
@@ -19,7 +19,7 @@ class QueriesController < ApplicationController layout 'base' menu_item :issues before_filter :find_query, :except => :new - before_filter :find_project, :authorize, :only => :new + before_filter :find_optional_project, :only => :new def new @query = Query.new(params[:query])
@@ -72,8 +72,9 @@ private render_404 end - def find_project - @project = Project.find(params[:project_id]) + def find_optional_project + @project = Project.find(params[:project_id]) if params[:project_id] + User.current.allowed_to?(:save_queries, @project, :global => true) rescue ActiveRecord::RecordNotFound render_404 end
diff --git a/app/models/user.rb b/app/models/user.rb
index ae81d46d2..e0b1e238c 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
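Review bot: `find_optional_project` evaluates `User.current.allowed_to?(:save_queries, @project, :global => true)` but never acts on the result, and the first hunk removes `:authorize` from the `new` filter chain, so as written nothing refuses an unauthorised caller before `new` runs — and the tests in this commit show `post :new` is also the path that persists a query, so a user without the permission can save queries, in a project they hold no role in when `project_id` is given. Even where this Rails version halts the chain on a filter that returns `false`, the global branch of `allowed_to?` yields `nil` (from `detect`) when no role matches, and a halted chain gives an empty response rather than a 403. Make the denial explicit and keep the 404 for the unknown-project case: `deny_access unless User.current.allowed_to?(:save_queries, @project, :global => true)`, assuming ApplicationController provides such a 403 helper (otherwise render 403 and return false here). Also consider the unauthenticated request with no `project_id`: `User.current` then has no memberships and must end up denied rather than falling through to the action.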
@@ -222,17 +222,26 @@ class User < ActiveRecord::Base # action can be: # * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit') # * a permission Symbol (eg. :edit_project) - def allowed_to?(action, project) - # No action allowed on archived projects - return false unless project.active? - # No action allowed on disabled modules - return false unless project.allows_to?(action) - # Admin users are authorized for anything else - return true if admin? - - role = role_for_project(project) - return false unless role - role.allowed_to?(action) && (project.is_public? || role.member?) + def allowed_to?(action, project, options={}) + if project + # No action allowed on archived projects + return false unless project.active? + # No action allowed on disabled modules + return false unless project.allows_to?(action) + # Admin users are authorized for anything else + return true if admin? + + role = role_for_project(project) + return false unless role + role.allowed_to?(action) && (project.is_public? || role.member?) + + elsif options[:global] + # authorize if user has at least one role that has this permission + roles = memberships.collect {|m| m.role}.uniq + roles.detect {|r| r.allowed_to?(action)} + else + false + end end def self.current=(user)
diff --git a/app/views/issues/_sidebar.rhtml b/app/views/issues/_sidebar.rhtml
index c269eee06..e94d4180b 100644
--- a/app/views/issues/_sidebar.rhtml
+++ b/app/views/issues/_sidebar.rhtml
@@ -1,6 +1,6 @@ -<% if @project %> <h3><%= l(:label_issue_plural) %></h3> <%= link_to l(:label_issue_view_all), { :controller => 'issues', :action => 'index', :project_id => @project, :set_filter => 1 } %><br /> +<% if @project %> <%= link_to l(:field_summary), :controller => 'reports', :action => 'issue_report', :id => @project %><br /> <%= link_to l(:label_change_log), :controller => 'projects', :action => 'changelog', :id => @project %> <% end %>
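Review bot: The `elsif options[:global]` branch of `allowed_to?` skips the `return true if admin?` short-circuit, which now lives only inside `if project`, so an administrator with no memberships is refused a global permission while any member holding the role gets it; add `return true if admin?` as the first line of the global branch. That branch also returns whatever `roles.detect {|r| r.allowed_to?(action)}` yields — a Role object or `nil` — rather than a boolean, so callers that compare against `false` or store the result misbehave; `!!roles.detect {|r| r.allowed_to?(action)}` keeps the method a predicate. Unlike the project branch, the global branch counts roles from archived projects too, since `memberships` is not filtered by project state here — worth confirming that is intended. The header comment above documents only `action`; extend it with `# project may be nil; with :global => true the user is authorized if any of his roles grants the permission`.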
diff --git a/app/views/issues/index.rhtml b/app/views/issues/index.rhtml
index 0123099f2..027f3f006 100644
--- a/app/views/issues/index.rhtml
+++ b/app/views/issues/index.rhtml
@@ -18,7 +18,7 @@ :update => "content", }, :class => 'icon icon-reload' %> - <% if current_role && current_role.allowed_to?(:save_queries) %> + <% if User.current.allowed_to?(:save_queries, @project, :global => true) %> <%= link_to l(:button_save), {}, :onclick => "$('query_form').submit(); return false;", :class => 'icon icon-save' %> <% end %> </p>
diff --git a/test/functional/queries_controller_test.rb b/test/functional/queries_controller_test.rb
index 86af8edd7..de08b4245 100644
--- a/test/functional/queries_controller_test.rb
+++ b/test/functional/queries_controller_test.rb
@@ -31,7 +31,7 @@ class QueriesControllerTest < Test::Unit::TestCase User.current = nil end - def test_get_new + def test_get_new_project_query @request.session[:user_id] = 2 get :new, :project_id => 1 assert_response :success
@@ -45,6 +45,19 @@ class QueriesControllerTest < Test::Unit::TestCase :disabled => nil } end + def test_get_new_global_query + @request.session[:user_id] = 2 + get :new + assert_response :success + assert_template 'new' + assert_no_tag :tag => 'input', :attributes => { :type => 'checkbox', + :name => 'query[is_public]' } + assert_tag :tag => 'input', :attributes => { :type => 'checkbox', + :name => 'query_is_for_all', + :checked => 'checked', + :disabled => nil } + end + def test_new_project_public_query + @request.session[:user_id] = 2 + post :new,
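Review bot: `test_get_new_global_query` covers only the authorised path; nothing in this file asserts that `get :new` (with or without `:project_id`) is refused for a user whose roles lack `:save_queries`, which is exactly the check the controller change moves out of the `:authorize` filter and into `find_optional_project`. Add a negative case with a fixture user who lacks the permission, e.g. `get :new` followed by `assert_response 403`, and the same for `post :new` with a `:query` hash asserting that no `Query` with that name is created, so a regression in the authorisation path fails a test instead of silently opening query creation to everyone. Which fixture user lacks the permission is not visible from this diff.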
@@ -54,8 +67,7 @@ class QueriesControllerTest < Test::Unit::TestCase :fields => ["status_id", "assigned_to_id"], :operators => {"assigned_to_id" => "=", "status_id" => "o"}, :values => { "assigned_to_id" => ["1"], "status_id" => ["1"]}, - :query => {"name" => "test_new_project_public_query", "is_public" => "1"}, - :column_names => ["", "tracker", "status", "priority", "subject", "updated_on", "category"] + :query => {"name" => "test_new_project_public_query", "is_public" => "1"} q = Query.find_by_name('test_new_project_public_query') assert_redirected_to :controller => 'issues', :action => 'index', :query_id => q
@@ -73,8 +85,7 @@ class QueriesControllerTest < Test::Unit::TestCase :fields => ["status_id", "assigned_to_id"], :operators => {"assigned_to_id" => "=", "status_id" => "o"}, :values => { "assigned_to_id" => ["1"], "status_id" => ["1"]}, - :query => {"name" => "test_new_project_private_query", "is_public" => "1"}, - :column_names => ["", "tracker", "status", "priority", "subject", "updated_on", "category"] + :query => {"name" => "test_new_project_private_query", "is_public" => "1"} q = Query.find_by_name('test_new_project_private_query') assert_redirected_to :controller => 'issues', :action => 'index', :query_id => q
@@ -83,6 +94,23 @@ class QueriesControllerTest < Test::Unit::TestCase assert q.valid? end + def test_new_global_private_query_with_custom_columns + @request.session[:user_id] = 3 + post :new, + :confirm => '1', + :fields => ["status_id", "assigned_to_id"], + :operators => {"assigned_to_id" => "=", "status_id" => "o"}, + :values => { "assigned_to_id" => ["me"], "status_id" => ["1"]}, + :query => {"name" => "test_new_global_private_query", "is_public" => "1", "column_names" => ["", "tracker", "subject", "priority", "category"]} + + q = Query.find_by_name('test_new_global_private_query') + assert_redirected_to :controller => 'issues', :action => 'index', :query_id => q + assert !q.is_public? + assert !q.has_default_columns? + assert_equal [:tracker, :subject, :priority, :category], q.columns.collect {|c| c.name} + assert q.valid? + end + def test_get_edit_global_public_query @request.session[:user_id] = 1 get :edit, :id => 4
@@ -106,8 +134,7 @@ class QueriesControllerTest < Test::Unit::TestCase :fields => ["status_id", "assigned_to_id"], :operators => {"assigned_to_id" => "=", "status_id" => "o"}, :values => { "assigned_to_id" => ["1"], "status_id" => ["1"]}, - :query => {"name" => "test_edit_global_public_query", "is_public" => "1"}, - :column_names => ["", "tracker", "status", "priority", "subject", "updated_on", "category"] + :query => {"name" => "test_edit_global_public_query", "is_public" => "1"} assert_redirected_to :controller => 'issues', :action => 'index', :query_id => 4 q = Query.find_by_name('test_edit_global_public_query')
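Review bot: `test_new_global_private_query_with_custom_columns` posts `"is_public" => "1"` as user 3 and then asserts `!q.is_public?`, which is the most security-relevant assertion in the file — a user who may not create public queries cannot make one public by supplying the parameter — yet the test does not say so, and the code enforcing it is outside this diff. Without a comment the contradictory-looking input invites a future "fix" that sends `"is_public" => "0"` and quietly drops the check; add one line above the assertion: `# is_public is sent deliberately and must be ignored for a user who cannot create public queries`. Whether user 3 lacks that right is a fixture detail not visible here, so the comment should name the intended precondition rather than the user id.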
@@ -138,8 +165,7 @@ class QueriesControllerTest < Test::Unit::TestCase :fields => ["status_id", "assigned_to_id"], :operators => {"assigned_to_id" => "=", "status_id" => "o"}, :values => { "assigned_to_id" => ["me"], "status_id" => ["1"]}, - :query => {"name" => "test_edit_global_private_query", "is_public" => "1"}, - :column_names => ["", "tracker", "status", "priority", "subject", "updated_on", "category"] + :query => {"name" => "test_edit_global_private_query", "is_public" => "1"} assert_redirected_to :controller => 'issues', :action => 'index', :query_id => 3 q = Query.find_by_name('test_edit_global_private_query') |