From e1cfdc38c98afc90bae97e1afd457af9dca5bb5a Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Tue, 23 Feb 2021 03:17:29 +0000
Subject: [PATCH] Projects API should not return invisible trackers (#30121). Patch by Yuichi HARADA.
git-svn-id: http://svn.redmine.org/redmine/trunk@20753 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/helpers/projects_helper.rb | 2 +-
 test/integration/api_test/projects_test.rb | 27 ++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 7726050d9..77f964a9e 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -134,7 +134,7 @@ module ProjectsHelper
 def render_api_includes(project, api)
 api.array :trackers do
- project.trackers.each do |tracker|
+ project.rolled_up_trackers(false).visible.each do |tracker|
 api.tracker(:id => tracker.id, :name => tracker.name)
 end
 end if include_in_api_response?('trackers')
diff --git a/test/integration/api_test/projects_test.rb b/test/integration/api_test/projects_test.rb
index befd8907d..044d67b49 100644
--- a/test/integration/api_test/projects_test.rb
+++ b/test/integration/api_test/projects_test.rb
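Review bot: The positional `false` passed to `rolled_up_trackers` and the implicit user behind `.visible` are both unexplained on the changed line in `render_api_includes`, although this scope chain is now the only thing keeping tracker names a user may not view out of the API response. I would add a comment above the loop, `# Authorization filter: only this project's own trackers that the current user may view; do not revert to project.trackers.` The meaning of `false` (presumably "exclude subprojects") and the user that `visible` defaults to are inferred from the names and should be confirmed against the model before the comment is committed. The method body continues past the end of this hunk, so any other `api.array` sections in it are not covered by this review.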
@@ -154,6 +154,33 @@ class Redmine::ApiTest::ProjectsTest < Redmine::ApiTest::Base
 assert_select 'trackers[type=array] tracker[id="2"][name="Feature request"]'
 end
+ test "GET /projects/:id.xml with include=trackers should return trackers based on role-based permissioning" do
+ project = Project.find(1)
+ assert_equal [1, 2, 3], project.tracker_ids
+
+ role = Role.find(3) # Reporter
+ role.permissions_all_trackers = {'view_issues' => '0'}
+ role.permissions_tracker_ids = {'view_issues' => ['1']}
+ role.save!
+
+ user = User.find_by(:login => 'jsmith')
+ member = project.members.detect{|m| m.user == user}
+ member.roles.delete_all
+ member.role_ids = [role.id]
+ member.roles.reload
+ assert_equal [role.id], member.role_ids
+
+ get '/projects/1.xml?include=trackers', :headers => credentials(user.login)
+ assert_response :success
+ assert_equal 'application/xml', @response.content_type
+
+ assert_select 'trackers[type=array]' do
+ assert_select 'tracker[id="1"]', :count => 1
+ assert_select 'tracker[id="2"]', :count => 0
+ assert_select 'tracker[id="3"]', :count => 0
+ end
+ end
+
 test "GET /projects/:id.xml with include=enabled_modules should return enabled modules" do
 get '/projects/1.xml?include=enabled_modules'
 assert_response :success
-- 
2.39.5
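Review bot: The new test pins only one side of the authorization rule, a role whose `view_issues` is limited to tracker 1. A member whose role has no `view_issues` permission at all is the other boundary and is not covered. I would expect the `trackers` array to be empty there, which `assert_select 'trackers[type=array] tracker', :count => 0` would pin, though that expectation is inferred from the commit title and not from code shown here. The test also exercises only the XML format; a JSON variant of the same request would guard the helper through the other renderer.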