Merged r14794 (#21136).

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Sun, 8 Nov 2015 09:05:46 +0000 (09:05 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Sun, 8 Nov 2015 09:05:46 +0000 (09:05 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 8 Nov 2015 09:05:46 +0000 (09:05 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 8 Nov 2015 09:05:46 +0000 (09:05 +0000)
diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb

index f057b4c637446bae9fbc71d54d03bc4fd68ca134..577a885c2d12a49ce51e357340420a29462abcf8 100644 (file)
--- a/app/views/issues/show.api.rsb
+++ b/app/views/issues/show.api.rsb
@@ -40,14 +40,14 @@ api.issue do
    end if include_in_api_response?('relations') && @relations.present?
  
    api.array :changesets do
-    @issue.changesets.each do |changeset|
+    @changesets.each do |changeset|
        api.changeset :revision => changeset.revision do
          api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
          api.comments changeset.comments
          api.committed_on changeset.committed_on
        end
      end
-  end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
+  end if include_in_api_response?('changesets')
  
    api.array :journals do
      @journals.each do |journal|
diff --git a/test/integration/api_test/issues_test.rb b/test/integration/api_test/issues_test.rb

index 08543ab150f91d71e9a26daf5b796d7ea5f49231..298cc80e8e8323974807864f3220334ddeae9e42 100644 (file)
--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -336,6 +336,20 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
      end
    end
  
+  test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
+    project = Project.generate!(:is_public => false)
+    repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
+    Issue.find(1).changesets << Changeset.generate!(:repository => repository)
+    assert Issue.find(1).changesets.any?
+
+    get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
+
+    # the user jsmith has no permission to view the associated changeset
+    assert_select 'issue changesets[type=array]' do
+      assert_select 'changeset', 0
+    end
+  end
+
    test "POST /issues.xml should create an issue with the attributes" do
  
  payload = <<-XML
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Sun, 8 Nov 2015 09:05:46 +0000 (09:05 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Sun, 8 Nov 2015 09:05:46 +0000 (09:05 +0000)
app/views/issues/show.api.rsb		patch \| blob \| history
test/integration/api_test/issues_test.rb		patch \| blob \| history