fix: send back queries but ignore them on the FE (#15507)

> #15009 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

changes/15009-queries-observer

@@ -0,0 +1 @@
+- Fixes bug where Global Observers were not able to list all queries through the API.

frontend/pages/queries/ManageQueriesPage/ManageQueriesPage.tsx

@@ -90,6 +90,7 @@ const ManageQueriesPage = ({
     filteredQueriesPath,
     isPremiumTier,
     isSandboxMode,
+    isGlobalObserver,
     config,
   } = useContext(AppContext);
   const { setLastEditedQueryBody, setSelectedQueryTargetsByType } = useContext(
@@ -137,6 +138,12 @@ const ManageQueriesPage = ({
     [{ scope: "queries", teamId: teamIdForApi }],
     ({ queryKey: [{ teamId }] }) =>
       queriesAPI.loadAll(teamId).then(({ queries }) => {
+        if (isGlobalObserver) {
+          return queries
+            .filter((q: ISchedulableQuery) => q.observer_can_run)
+            .map(enhanceQuery);
+        }
+
         return queries.map(enhanceQuery);
       }),
     {

server/service/queries.go

@@ -114,7 +114,10 @@ func (svc *Service) ListQueries(ctx context.Context, opt fleet.ListOptions, team
 
 func onlyShowObserverCanRunQueries(user *fleet.User, teamID *uint) bool {
 	if user.GlobalRole != nil && *user.GlobalRole == fleet.RoleObserver {
-		return true
+		// Return false here because Global Observers should be able to access all queries via API.
+		// However, the UI will only show queries that have "observer can run" set to true.
+		// See the user permissions matrix: https://fleetdm.com/docs/using-fleet/manage-access#user-permissions
+		return false
 	}
 
 	return teamID != nil && user.TeamMembership(func(ut fleet.UserTeam) bool {

server/service/queries_test.go

@@ -14,7 +14,7 @@ import (
 
 func TestFilterQueriesForObserver(t *testing.T) {
 	t.Run("global role", func(t *testing.T) {
-		require.True(t, onlyShowObserverCanRunQueries(&fleet.User{
+		require.False(t, onlyShowObserverCanRunQueries(&fleet.User{
 			GlobalRole: ptr.String(fleet.RoleObserver),
 		}, nil))
 
@@ -89,7 +89,7 @@ func TestListQueries(t *testing.T) {
 		{
 			title:        "global observer",
 			user:         &fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},
-			expectedOpts: fleet.ListQueryOptions{OnlyObserverCanRun: true},
+			expectedOpts: fleet.ListQueryOptions{OnlyObserverCanRun: false},
 		},
 		{
 			title:        "team maintainer",