From 988a36babc2b203d7a8de40eef390962f8a11313 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Wed, 23 Dec 2020 03:47:45 +0000
Subject: [PATCH] Users API should return twofa_scheme only for administrators (#34242).
git-svn-id: http://svn.redmine.org/redmine/trunk@20687 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/views/users/show.api.rsb | 2 +-
 test/integration/api_test/users_test.rb | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/app/views/users/show.api.rsb b/app/views/users/show.api.rsb
index 5fe3d5b1c..a19a8c637 100644
--- a/app/views/users/show.api.rsb
+++ b/app/views/users/show.api.rsb
@@ -9,7 +9,7 @@ api.user do
 api.updated_on @user.updated_on
 api.last_login_on @user.last_login_on
 api.passwd_changed_on @user.passwd_changed_on
- api.twofa_scheme @user.twofa_scheme
+ api.twofa_scheme @user.twofa_scheme if User.current.admin? || (User.current == @user)
 api.api_key @user.api_key if User.current.admin? || (User.current == @user)
 api.status @user.status if User.current.admin?
 
diff --git a/test/integration/api_test/users_test.rb b/test/integration/api_test/users_test.rb
index b79791a7c..d54701ad5 100644
--- a/test/integration/api_test/users_test.rb
+++ b/test/integration/api_test/users_test.rb
@@ -84,7 +84,6 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
 assert_select 'user id', :text => '2'
 assert_select 'user updated_on', :text => Time.zone.parse('2006-07-19T20:42:15Z').iso8601
 assert_select 'user passwd_changed_on', :text => ''
- assert_select 'user twofa_scheme', :text => ''
 end
 
 test "GET /users/:id.json should return the user" do
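Review bot: The new `api.twofa_scheme` line repeats the exact `User.current.admin? || (User.current == @user)` condition that already guards `api.api_key` on the next line, so the two sensitive fields are protected by two copies of one rule that can drift apart; hoisting it once, `self_or_admin = User.current.admin? || (User.current == @user)`, and writing `if self_or_admin` on both lines keeps them under a single check. A why-comment would also help the next reader, e.g. `# Only the user or an admin may see the 2FA scheme: it reveals which accounts have no second factor.` Note that the code returns the field to the user themselves as well as to admins, while the commit title says "only for administrators"; the description should say so, and that self case is not exercised by the added tests. The `api.user do` block this hunk belongs to starts and ends outside the hunk.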
@@ -174,6 +173,20 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
 assert_select 'user admin', 0
 end
 
+ test "GET /users/:id should not return twofa_scheme for standard user" do
+ User.find(2).update(twofa_scheme: 'totp')
+ get '/users/3.xml', :headers => credentials('jsmith')
+ assert_response :success
+ assert_select 'twofa_scheme', 0
+ end
+
+ test "GET /users/:id should return twofa_scheme for administrators" do
+ User.find(2).update(twofa_scheme: 'totp')
+ get '/users/2.xml', :headers => credentials('admin')
+ assert_response :success
+ assert_select 'twofa_scheme', :text => 'totp'
+ end
+
 test "POST /users.xml with valid parameters should create the user" do
 assert_difference('User.count') do
 post(
-- 
2.39.5
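Review bot: The two added tests pin the admin and other-user cases, but the view change in this commit also returns `twofa_scheme` when `User.current == @user`, and nothing here asserts that path, so a later tightening to admin-only would pass this suite; a third test should fetch the caller's own record, `get '/users/2.xml', :headers => credentials('jsmith')` followed by `assert_select 'twofa_scheme', :text => 'totp'`. The negative test also sets `twofa_scheme` on user 2 but then requests user 3, which has no scheme set, so `assert_select 'twofa_scheme', 0` would pass even if the field were still emitted; requesting user 2 as `jsmith`-less (e.g. `credentials('dlopper')`) would actually prove the field is withheld from a standard user. Whether an unauthenticated request to `/users/:id` is even allowed here is not visible in the hunk, so an anonymous case is left to the author's judgment.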