Fixed that Issues API may disclose changesets that are not visible (#21136).

git-svn-id: http://svn.redmine.org/redmine/trunk@14794 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Jean-Philippe Lang <jp_lang@yahoo.fr> 2015-11-04 18:17:07 +0000
committer: Jean-Philippe Lang <jp_lang@yahoo.fr> 2015-11-04 18:17:07 +0000
commit: a196aaa2a97b6ce23e6ec4c5d5fad30c65a22034 (patch)
tree: 5687ff5d556d23422c3640e4271952aefc032346 /app/views
parent: 747247d81b623d9e4269a029f641176b7067de5b (diff)
download: redmine-a196aaa2a97b6ce23e6ec4c5d5fad30c65a22034.tar.gz
redmine-a196aaa2a97b6ce23e6ec4c5d5fad30c65a22034.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb
index f057b4c63..577a885c2 100644
--- a/app/views/issues/show.api.rsb
+++ b/app/views/issues/show.api.rsb
@@ -40,14 +40,14 @@ api.issue do
   end if include_in_api_response?('relations') && @relations.present?
 
   api.array :changesets do
-    @issue.changesets.each do |changeset|
+    @changesets.each do |changeset|
       api.changeset :revision => changeset.revision do
         api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
         api.comments changeset.comments
         api.committed_on changeset.committed_on
       end
     end
-  end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
+  end if include_in_api_response?('changesets')
 
   api.array :journals do
     @journals.each do |journal|
author	Jean-Philippe Lang <jp_lang@yahoo.fr>	2015-11-04 18:17:07 +0000
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>	2015-11-04 18:17:07 +0000
commit	a196aaa2a97b6ce23e6ec4c5d5fad30c65a22034 (patch)
tree	5687ff5d556d23422c3640e4271952aefc032346 /app/views
parent	747247d81b623d9e4269a029f641176b7067de5b (diff)
download	redmine-a196aaa2a97b6ce23e6ec4c5d5fad30c65a22034.tar.gz redmine-a196aaa2a97b6ce23e6ec4c5d5fad30c65a22034.zip