Users API should return twofa_scheme only for administrators (#34242).

git-svn-id: http://svn.redmine.org/redmine/trunk@20687 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/views/users/show.api.rsb

@@ -9,7 +9,7 @@ api.user do
   api.updated_on @user.updated_on
   api.last_login_on     @user.last_login_on
   api.passwd_changed_on @user.passwd_changed_on
-  api.twofa_scheme      @user.twofa_scheme
+  api.twofa_scheme      @user.twofa_scheme if User.current.admin? || (User.current == @user)
   api.api_key    @user.api_key if User.current.admin? || (User.current == @user)
   api.status     @user.status if User.current.admin?
 

test/integration/api_test/users_test.rb

@@ -84,7 +84,6 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
     assert_select 'user id', :text => '2'
     assert_select 'user updated_on', :text => Time.zone.parse('2006-07-19T20:42:15Z').iso8601
     assert_select 'user passwd_changed_on', :text => ''
-    assert_select 'user twofa_scheme', :text => ''
   end
 
   test "GET /users/:id.json should return the user" do
@@ -174,6 +173,20 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
     assert_select 'user admin', 0
   end
 
+  test "GET /users/:id should not return twofa_scheme for standard user" do
+    User.find(2).update(twofa_scheme: 'totp')
+    get '/users/3.xml', :headers => credentials('jsmith')
+    assert_response :success
+    assert_select 'twofa_scheme', 0
+  end
+
+  test "GET /users/:id should return twofa_scheme for administrators" do
+    User.find(2).update(twofa_scheme: 'totp')
+    get '/users/2.xml', :headers => credentials('admin')
+    assert_response :success
+    assert_select 'twofa_scheme', :text => 'totp'
+  end
+
   test "POST /users.xml with valid parameters should create the user" do
     assert_difference('User.count') do
       post(