From 16bb6a946cc2014aa709aba60940a96b5452936d Mon Sep 17 00:00:00 2001
From: Frank <frank3manuel@gmail.com>
Date: Fri, 19 Aug 2022 00:14:07 +0800
Subject: [PATCH] FIX: Allow groups to access system queries (#185)

* FIX: allow groups to access system queries (without having to run the query once first)

Bug is: Trying to allow a group to access a system query results in a Discourse::NotFound unless the query is run first.

Cause:

 - System queries don't exist in the database by default
 - update calls set_query before action
 - set_query searches the database for the system query with Query.find_by(:id), which will not exist by default.
 - running system queries first fixes this because Query.find is overridden to include system queries (Queries.default) in its results, avoiding the Discourse::NotFound.

Solution: use the overridden Query.find in set_query to include system queries in the search, instead of Query.find_by(:id)

* Added test for fixing allowing groups to access system query.

* Fixed test formatting.
---
 .../data_explorer/query_controller.rb         |  2 +-
 spec/requests/query_controller_spec.rb        | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/app/controllers/data_explorer/query_controller.rb b/app/controllers/data_explorer/query_controller.rb
index e2fe7a5..8a870d4 100644
--- a/app/controllers/data_explorer/query_controller.rb
+++ b/app/controllers/data_explorer/query_controller.rb
@@ -232,7 +232,7 @@ class DataExplorer::QueryController < ::ApplicationController
   end
 
   def set_query
-    @query = DataExplorer::Query.find_by(id: params[:id])
+    @query = DataExplorer::Query.find(params[:id])
     raise Discourse::NotFound unless @query
   end
 end
diff --git a/spec/requests/query_controller_spec.rb b/spec/requests/query_controller_spec.rb
index e4dd410..065a8f9 100644
--- a/spec/requests/query_controller_spec.rb
+++ b/spec/requests/query_controller_spec.rb
@@ -87,6 +87,28 @@ describe DataExplorer::QueryController do
       end
     end
 
+    describe "#update" do
+      fab!(:user2) { Fabricate(:user) }
+      fab!(:group2) { Fabricate(:group, users: [user2]) }
+
+      it "allows group to access system query" do
+        query = DataExplorer::Query.find(-4)
+        put "/admin/plugins/explorer/queries/#{query.id}.json", params: {
+          "query" => {
+            "name" => query.name,
+            "description" => query.description,
+            "sql" => query.sql,
+            "user_id" => query.user_id,
+            "created_at" => query.created_at,
+            "group_ids" => [group2.id],
+            "last_run_at" => query.last_run_at
+          },
+          "id" => query.id }
+
+        expect(response.status).to eq(200)
+      end
+    end
+
     describe "#run" do
       def run_query(id, params = {})
         params = Hash[params.map { |a| [a[0], a[1].to_s] }]