authorJean-Philippe Lang <jp_lang@yahoo.fr>2015-11-04 18:17:07 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2015-11-04 18:17:07 +0000
commita196aaa2a97b6ce23e6ec4c5d5fad30c65a22034 (patch)
tree5687ff5d556d23422c3640e4271952aefc032346 /test/integration
parent747247d81b623d9e4269a029f641176b7067de5b (diff)
Fixed that Issues API may disclose changesets that are not visible (#21136).
git-svn-id: http://svn.redmine.org/redmine/trunk@14794 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/integration')
-rw-r--r--test/integration/api_test/issues_test.rb14
1 files changed, 14 insertions, 0 deletions
diff --git a/test/integration/api_test/issues_test.rb b/test/integration/api_test/issues_test.rb
index 5a7d64d47..4fc17fe13 100644
--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -336,6 +336,20 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
end
end
+ test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
+ project = Project.generate!(:is_public => false)
+ repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
+ Issue.find(1).changesets << Changeset.generate!(:repository => repository)
+ assert Issue.find(1).changesets.any?
+
+ get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
+
+ # the user jsmith has no permission to view the associated changeset
+ assert_select 'issue changesets[type=array]' do
+ assert_select 'changeset', 0
+ end
+ end
+
test "POST /issues.xml should create an issue with the attributes" do
payload = <<-XML
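Review bot: The added test only proves the negative case, so a change that dropped every changeset from the response would still satisfy `assert_select 'changeset', 0`. A companion case in which jsmith is allowed to view the repository's changesets, asserting a count of 1, would pin the behaviour to visibility rather than to an empty list. Adding `assert_response :success` right after the `get '/issues/1.xml?include=changesets'` call would also make a failed or rejected request show up as such instead of as a missing `changesets` element. Only the XML show endpoint is exercised here, and because this diff is limited to test/integration it cannot be seen whether the JSON format or other views that render an issue's changesets go through the same filter.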