
Commit 8d8f612

committed
Merged r14794 (#21136).
git-svn-id: http://svn.redmine.org/redmine/branches/2.6-stable@14843 e93f8b46-1217-0410-a6f0-8f06a7374b81
1 parent 4a254b6 commit 8d8f612


2 files changed

+16
-2
lines changed


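--- a/app/views/issues/show.api.rsb
+++ b/app/views/issues/show.api.rsb
@@ -40,14 +40,14 @@ api.issue do
 end if include_in_api_response?('relations') && @relations.present?
 
 api.array :changesets do
-@issue.changesets.each do |changeset|
+@changesets.each do |changeset|
 api.changeset :revision => changeset.revision do
 api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
 api.comments changeset.comments
 api.committed_on changeset.committed_on
 end
 end
-end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
+end if include_in_api_response?('changesets')
 
 api.array :journals do
 @journals.each do |journal|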
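Review bot: The new `@changesets.each` line makes this template depend on a controller-assigned collection that is already scoped to what `User.current` may see, and nothing in the view records that invariant now that the `allowed_to?(:view_changesets, @project)` guard is gone; the controller assignment is not part of this diff, so I am inferring it scopes by visibility rather than reading it. A one-line comment above the array keeps the next maintainer from "simplifying" back to `@issue.changesets`, which was the disclosure path: `# @changesets is assigned by the controller scoped to changesets visible to User.current; never read @issue.changesets here, it spans repositories the user may not access`. Note also that dropping the permission guard changes the response shape: a caller without `:view_changesets` on the issue's project now receives an empty `changesets` array instead of no element at all, which the new integration test relies on, so it is worth a mention in the API changelog. The enclosing `api.issue do` block starts before and ends after this hunk.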

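--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -510,6 +510,20 @@ def test_show_should_include_issue_attributes
 end
 end
 
+test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
+project = Project.generate!(:is_public => false)
+repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
+Issue.find(1).changesets << Changeset.generate!(:repository => repository)
+assert Issue.find(1).changesets.any?
+
+get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
+
+# the user jsmith has no permission to view the associated changeset
+assert_select 'issue changesets[type=array]' do
+assert_select 'changeset', 0
+end
+end
+
 context "POST /issues.xml" do
 should_allow_api_authentication(
 :post,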
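Review bot: The new test only asserts the negative case (`assert_select 'changeset', 0`), so it would also pass if changeset rendering were broken for everyone, including users who do have access; a positive control in the same test pins that the filtering is by visibility rather than an accident. After the existing assertions, repeat the request as a user who can view changesets in the private project and assert the element appears, e.g. `get '/issues/1.xml?include=changesets', {}, credentials('admin')` followed by `assert_select 'issue changesets[type=array] changeset', 1` (which fixture user has that permission depends on the test data, so confirm before choosing). It would also be worth asserting the array element itself is still present for jsmith, which the test already does implicitly via the outer `assert_select`, but a short comment saying the empty array is the intended response shape would document that choice.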
