Merged r11518 from trunk (#8529).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/2.3-stable@11570 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/views/users/show.api.rsb b/app/views/users/show.api.rsb
index de16f06817b242ad84cb2559cbb81b378474c47e..7168cb94fd2c05159d1315f3cb5d1776544b8c6d 100644 (file)
--- a/app/views/users/show.api.rsb
+++ b/app/views/users/show.api.rsb
@@ -6,6 +6,7 @@ api.user do
   api.mail       @user.mail if User.current.admin? || !@user.pref.hide_mail
   api.created_on @user.created_on
   api.last_login_on @user.last_login_on
+  api.api_key    @user.api_key if User.current.admin? || (User.current == @user)
 
   render_api_custom_values @user.visible_custom_field_values, api
 

diff --git a/test/integration/api_test/users_test.rb b/test/integration/api_test/users_test.rb
index 0bbf3b9e3650d3c7de6949dec388092064ae8317..7f72872a2dd17dc0f7b98f74230db3c2f9f5b768 100644 (file)
--- a/test/integration/api_test/users_test.rb
+++ b/test/integration/api_test/users_test.rb
@@ -108,6 +108,18 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
     assert_tag 'user', :child => {:tag => 'login', :content => 'jsmith'}
   end
 
+  test "GET /users/:id should not return api_key for other user" do
+    get '/users/3.xml', {}, credentials('jsmith')
+    assert_response :success
+    assert_no_tag 'user', :child => {:tag => 'api_key'}
+  end
+
+  test "GET /users/:id should return api_key for current user" do
+    get '/users/2.xml', {}, credentials('jsmith')
+    assert_response :success
+    assert_tag 'user', :child => {:tag => 'api_key', :content => User.find(2).api_key}
+  end
+
   context "POST /users" do
     context "with valid parameters" do
       setup do