Merged r14794 (#21136).
git-svn-id: http://svn.redmine.org/redmine/branches/2.6-stable@14843 e93f8b46-1217-0410-a6f0-8f06a7374b81
jplang committed Nov 8, 2015
1 parent 4a254b6 commit 8d8f612
Showing 2 changed files with 16 additions and 2 deletions.
4 changes: 2 additions & 2 deletions app/views/issues/show.api.rsb
Expand Up @@ -40,14 +40,14 @@ api.issue do
end if include_in_api_response?('relations') && @relations.present?

api.array :changesets do
@issue.changesets.each do |changeset|
@changesets.each do |changeset|
api.changeset :revision => changeset.revision do
api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
api.comments changeset.comments
api.committed_on changeset.committed_on
end
end
end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
end if include_in_api_response?('changesets')

api.array :journals do
@journals.each do |journal|
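Review bot: The new `@changesets.each` line together with the relaxed `end if include_in_api_response?('changesets')` makes the view depend entirely on the controller assigning `@changesets` already filtered to what `User.current` may see; that invariant is not visible in this hunk and deserves a comment next to the array, e.g. `# @changesets is pre-filtered by the controller to changesets visible to User.current; no per-project check is done here`. If the controller only assigns `@changesets` when the user holds :view_changesets (as the dropped `allowed_to?` check suggests it once had to), a nil `@changesets` would now raise NoMethodError instead of omitting the array, so confirm the controller always assigns it, even as an empty relation, when 'changesets' is requested. The enclosing `api.issue do` block starts before this hunk, and the journals array right below follows the same pre-filtered `@journals` pattern, so the comment is the only change needed for consistency.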
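--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -510,6 +510,20 @@ def test_show_should_include_issue_attributes
 end
 end
 
+test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
+project = Project.generate!(:is_public => false)
+repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
+Issue.find(1).changesets << Changeset.generate!(:repository => repository)
+assert Issue.find(1).changesets.any?
+
+get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
+
+# the user jsmith has no permission to view the associated changeset
+assert_select 'issue changesets[type=array]' do
+assert_select 'changeset', 0
+end
+end
+
 context "POST /issues.xml" do
 should_allow_api_authentication(
 :post,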
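Review bot: The new test only checks the negative case, `assert_select 'changeset', 0`, so it would also pass if the changesets array were rendered empty for every user, which is the regression most likely to be introduced by the switch to a pre-filtered `@changesets`. A companion assertion that a changeset in a repository jsmith can see is still listed (count 1) would pin the filtering rather than the absence of output; the fixtures needed for that are not visible here, so I have not written it. The `assert Issue.find(1).changesets.any?` guard before the request is a good sanity check and should stay, since without it a failed `Changeset.generate!` would make the zero-count assertion vacuous. The hidden-project setup and the `credentials('jsmith')` call are otherwise clear as written.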
