3 files changed, 53 insertions, 11 deletions

diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index a598ac8f5..bbe71a3ea 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -136,26 +136,19 @@ class IssuesController < ApplicationController
       render_error l(:error_no_tracker_in_project)
       return
     end
+    if @issue.status.nil?
+      render_error l(:error_no_default_issue_status)
+      return
+    end
     if params[:issue].is_a?(Hash)
       @issue.safe_attributes = params[:issue]
       @issue.watcher_user_ids = params[:issue]['watcher_user_ids'] if User.current.allowed_to?(:add_issue_watchers, @project)
     end
     @issue.author = User.current
     
-    default_status = IssueStatus.default
-    unless default_status
-      render_error l(:error_no_default_issue_status)
-      return
-    end    
-    @issue.status = default_status
-    @allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
-    
     if request.get? || request.xhr?
       @issue.start_date ||= Date.today
     else
-      requested_status = IssueStatus.find_by_id(params[:issue][:status_id])
-      # Check that the user is allowed to apply the requested status
-      @issue.status = (@allowed_statuses.include? requested_status) ? requested_status : default_status
       call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
       if @issue.save
         attachments = Attachment.attach_files(@issue, params[:attachments])
@@ -179,6 +172,7 @@ class IssuesController < ApplicationController
       end
     end 
     @priorities = IssuePriority.all
+    @allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
     render :layout => !request.xhr?
   end
   
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 6eca869d2..012661cad 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -163,6 +163,11 @@ class Issue < ActiveRecord::Base
     end
     issue
   end
+
+  def status_id=(sid)
+    self.status = nil
+    write_attribute(:status_id, sid)
+  end
   
   def priority_id=(pid)
     self.priority = nil
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index 11d35f500..23d09152c 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -451,6 +451,7 @@ class IssuesControllerTest < ActionController::TestCase
     assert_difference 'Issue.count' do
       post :new, :project_id => 1, 
                  :issue => {:tracker_id => 3,
+                            :status_id => 2,
                             :subject => 'This is the test_new issue',
                             :description => 'This is the description',
                             :priority_id => 5,
@@ -463,6 +464,7 @@ class IssuesControllerTest < ActionController::TestCase
     assert_not_nil issue
     assert_equal 2, issue.author_id
     assert_equal 3, issue.tracker_id
+    assert_equal 2, issue.status_id
     assert_nil issue.estimated_hours
     v = issue.custom_values.find(:first, :conditions => {:custom_field_id => 2})
     assert_not_nil v
@@ -598,6 +600,47 @@ class IssuesControllerTest < ActionController::TestCase
     end
   end
   
+  context "without workflow privilege" do
+    setup do
+      Workflow.delete_all(["role_id = ?", Role.anonymous.id])
+      Role.anonymous.add_permission! :add_issues
+    end
+    
+    context "#new" do
+      should "propose default status only" do
+        get :new, :project_id => 1
+        assert_response :success
+        assert_template 'new'
+        assert_tag :tag => 'select',
+          :attributes => {:name => 'issue[status_id]'},
+          :children => {:count => 1},
+          :child => {:tag => 'option', :attributes => {:value => IssueStatus.default.id.to_s}}
+      end
+      
+      should "accept default status" do
+        assert_difference 'Issue.count' do
+          post :new, :project_id => 1, 
+                     :issue => {:tracker_id => 1,
+                                :subject => 'This is an issue',
+                                :status_id => 1}
+        end
+        issue = Issue.last(:order => 'id')
+        assert_equal IssueStatus.default, issue.status
+      end
+      
+      should "ignore unauthorized status" do
+        assert_difference 'Issue.count' do
+          post :new, :project_id => 1, 
+                     :issue => {:tracker_id => 1,
+                                :subject => 'This is an issue',
+                                :status_id => 3}
+        end
+        issue = Issue.last(:order => 'id')
+        assert_equal IssueStatus.default, issue.status
+      end
+    end
+  end
+  
   def test_copy_issue
     @request.session[:user_id] = 2
     get :new, :project_id => 1, :copy_from => 1