authorJean-Philippe Lang <jp_lang@yahoo.fr>2015-11-08 09:09:03 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2015-11-08 09:09:03 +0000
commit8d8f612fa368a72c56b63f7ce6b7e98cab9feb22 (patch)
tree3c589b5195a73998b0f5dabf021944bc6a9bbf61
parent4a254b6f0663ae86c7f141e95933c8e03dacbaac (diff)
Merged r14794 (#21136).
git-svn-id: http://svn.redmine.org/redmine/branches/2.6-stable@14843 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/views/issues/show.api.rsb4
-rw-r--r--test/integration/api_test/issues_test.rb14
2 files changed, 16 insertions, 2 deletions
diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb
index f057b4c63..577a885c2 100644
--- a/app/views/issues/show.api.rsb
+++ b/app/views/issues/show.api.rsb
@@ -40,14 +40,14 @@ api.issue do
end if include_in_api_response?('relations') && @relations.present?
api.array :changesets do
- @issue.changesets.each do |changeset|
+ @changesets.each do |changeset|
api.changeset :revision => changeset.revision do
api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
api.comments changeset.comments
api.committed_on changeset.committed_on
end
end
- end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
+ end if include_in_api_response?('changesets')
api.array :journals do
@journals.each do |journal|
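Review bot: With the `User.current.allowed_to?(:view_changesets, @project)` guard removed from the `end if` line, the template no longer performs any authorization of its own, and the `@changesets.each` loop is only safe if whatever assigns `@changesets` (not part of this diff, presumably the controller action) has already filtered the collection by what the current user may see, including changesets from the issue's own project when the user lacks `:view_changesets` there. That invariant is invisible at this point in the view, so it is worth stating it next to the loop, e.g. `# @changesets is pre-filtered for visibility by the controller; no permission check is done here`. The accompanying test in issues_test.rb only covers a changeset attached through a repository of a different, private project; if the controller-side filter does not also honour the per-project `:view_changesets` permission that the removed guard enforced, the old behaviour is lost without a failing test. The enclosing `api.issue do` block starts before this hunk and continues past it.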
diff --git a/test/integration/api_test/issues_test.rb b/test/integration/api_test/issues_test.rb
index 029bdb8c3..f5843fa8b 100644
--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -510,6 +510,20 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
end
end
+ test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
+ project = Project.generate!(:is_public => false)
+ repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
+ Issue.find(1).changesets << Changeset.generate!(:repository => repository)
+ assert Issue.find(1).changesets.any?
+
+ get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
+
+ # the user jsmith has no permission to view the associated changeset
+ assert_select 'issue changesets[type=array]' do
+ assert_select 'changeset', 0
+ end
+ end
+
context "POST /issues.xml" do
should_allow_api_authentication(
:post,