From f4def66c58a18af6591894282edbb8dba503bc51 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sat, 9 Mar 2013 10:19:39 +0000
Subject: [PATCH] Merged r11518 from trunk (#8529).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/2.3-stable@11570 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/views/users/show.api.rsb | 1 +
 test/integration/api_test/users_test.rb | 12 ++++++++++++
 2 files changed, 13 insertions(+)
diff --git a/app/views/users/show.api.rsb b/app/views/users/show.api.rsb
index de16f0681..7168cb94f 100644
--- a/app/views/users/show.api.rsb
+++ b/app/views/users/show.api.rsb
@@ -6,6 +6,7 @@ api.user do
 api.mail @user.mail if User.current.admin? || !@user.pref.hide_mail
 api.created_on @user.created_on
 api.last_login_on @user.last_login_on
+ api.api_key @user.api_key if User.current.admin? || (User.current == @user)
 render_api_custom_values @user.visible_custom_field_values, api
diff --git a/test/integration/api_test/users_test.rb b/test/integration/api_test/users_test.rb
index 0bbf3b9e3..7f72872a2 100644
--- a/test/integration/api_test/users_test.rb
+++ b/test/integration/api_test/users_test.rb
@@ -108,6 +108,18 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
 assert_tag 'user', :child => {:tag => 'login', :content => 'jsmith'}
 end
+ test "GET /users/:id should not return api_key for other user" do
+ get '/users/3.xml', {}, credentials('jsmith')
+ assert_response :success
+ assert_no_tag 'user', :child => {:tag => 'api_key'}
+ end
+
+ test "GET /users/:id should return api_key for current user" do
+ get '/users/2.xml', {}, credentials('jsmith')
+ assert_response :success
+ assert_tag 'user', :child => {:tag => 'api_key', :content => User.find(2).api_key}
+ end
+
 context "POST /users" do
 context "with valid parameters" do
 setup do
--
2.39.5
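Review bot: The `User.current.admin?` branch on the new `api.api_key` line hands out another account's API key, which is a credential rather than profile data, so the key will also travel through whatever logs, caches or proxies see admin API responses. If admins do not strictly need it, narrow the guard to `api.api_key @user.api_key if User.current == @user`; if they do, say so in a comment above the line so the exposure reads as intentional. It is also worth confirming that `User#api_key` (not shown here) is a pure read, since a getter that creates a missing token would make this GET mint credentials as a side effect. The `api.user do` block starts before this hunk and is not closed within it.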
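Review bot: The two added tests leave the `User.current.admin?` branch of the view's guard unpinned: nothing asserts what an admin sees when reading another user's record, which is the most sensitive path this change opens. Add a third case with admin credentials, for example `get '/users/2.xml', {}, credentials('admin')` (assuming the fixtures have an admin login of that name), asserting the `api_key` tag's presence or absence to match the intended policy. Both cases also exercise only the `.xml` format, and they rely on fixture ids 2 and 3 mapping to jsmith and another user, which a short comment would make explicit. The test class begins before the hunk and continues past it.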