test/integration/api_test
2 files changed +16
-2
lines changed Original file line number Diff line number Diff line change @@ -40,14 +40,14 @@ api.issue do
4040 end if include_in_api_response?('relations') && @relations.present?
4141
4242 api.array :changesets do
43- @issue. changesets.each do |changeset|
43+ @changesets.each do |changeset|
4444 api.changeset :revision => changeset.revision do
4545 api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
4646 api.comments changeset.comments
4747 api.committed_on changeset.committed_on
4848 end
4949 end
50- end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
50+ end if include_in_api_response?('changesets')
5151
5252 api.array :journals do
5353 @journals.each do |journal|
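Review bot: With the `User.current.allowed_to?(:view_changesets, @project)` condition dropped from new line 50, the only thing keeping changesets of inaccessible projects out of the response is whatever filtering produced `@changesets`, and that assignment is not part of this commit. A comment above the loop at new line 43 would record that dependency, e.g. `# @changesets must already be limited by the controller to changesets visible to User.current`, so a later edit does not switch back to `@issue.changesets` or render this template from an action that sets the variable unfiltered. Presumably a user without the view permission now receives an empty `changesets` array where the element used to be omitted; the test in this commit expects that, but API clients may not. The enclosing `api.issue do` block starts and ends outside the hunk.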
Original file line number Diff line number Diff line change @@ -510,6 +510,20 @@ def test_show_should_include_issue_attributes
510510 end
511511 end
512512
513+ test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
514+ project = Project . generate! ( :is_public => false )
515+ repository = Repository ::Subversion . create! ( :project => project , :url => "svn://localhost" )
516+ Issue . find ( 1 ) . changesets << Changeset . generate! ( :repository => repository )
517+ assert Issue . find ( 1 ) . changesets . any?
518+
519+ get '/issues/1.xml?include=changesets' , { } , credentials ( 'jsmith' )
520+
521+ # the user jsmith has no permission to view the associated changeset
522+ assert_select 'issue changesets[type=array]' do
523+ assert_select 'changeset' , 0
524+ end
525+ end
526+
513527 context "POST /issues.xml" do
514528 should_allow_api_authentication (
515529 :post ,
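Review bot: The new test at lines 513-525 pins only the denial path for `.xml`; nothing checks that a changeset jsmith is allowed to see is still returned, so a regression that empties `@changesets` for every user would pass. A companion case whose repository belongs to a project jsmith can view, ending in `assert_select 'changeset', 1`, would cover that, and repeating the request against `/issues/1.json` would cover the other API format. The assertion of zero `changeset` elements in total also relies on fixture issue 1 having no other changesets visible to jsmith, which cannot be confirmed from this hunk. An `assert_response :success` after the `get` on line 519 would make a failure easier to read. The `context "POST /issues.xml"` block that follows continues outside the hunk.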