Projects API should not return invisible trackers (#30121).

Patch by Yuichi HARADA.


git-svn-id: http://svn.redmine.org/redmine/trunk@20753 e93f8b46-1217-0410-a6f0-8f06a7374b81

1 files changed, 27 insertions, 0 deletions

diff --git a/test/integration/api_test/projects_test.rb b/test/integration/api_test/projects_test.rb
index befd8907d..044d67b49 100644
--- a/test/integration/api_test/projects_test.rb
+++ b/test/integration/api_test/projects_test.rb
@@ -154,6 +154,33 @@ class Redmine::ApiTest::ProjectsTest < Redmine::ApiTest::Base
     assert_select 'trackers[type=array] tracker[id="2"][name="Feature request"]'
   end
 
+  test "GET /projects/:id.xml with include=trackers should return trackers based on role-based permissioning" do
+    project = Project.find(1)
+    assert_equal [1, 2, 3], project.tracker_ids
+
+    role = Role.find(3) # Reporter
+    role.permissions_all_trackers = {'view_issues' => '0'}
+    role.permissions_tracker_ids = {'view_issues' => ['1']}
+    role.save!
+
+    user = User.find_by(:login => 'jsmith')
+    member = project.members.detect{|m| m.user == user}
+    member.roles.delete_all
+    member.role_ids = [role.id]
+    member.roles.reload
+    assert_equal [role.id], member.role_ids
+
+    get '/projects/1.xml?include=trackers', :headers => credentials(user.login)
+    assert_response :success
+    assert_equal 'application/xml', @response.content_type
+
+    assert_select 'trackers[type=array]' do
+      assert_select 'tracker[id="1"]', :count => 1
+      assert_select 'tracker[id="2"]', :count => 0
+      assert_select 'tracker[id="3"]', :count => 0
+    end
+  end
+
   test "GET /projects/:id.xml with include=enabled_modules should return enabled modules" do
     get '/projects/1.xml?include=enabled_modules'
     assert_response :success