Merged r14794 (#21136)....
Jean-Philippe Lang -
r14461:8d8f612fa368
@@ -40,14 +40,14 api.issue do
40 end if include_in_api_response?('relations') && @relations.present?
40 end if include_in_api_response?('relations') && @relations.present?
41
41
42 api.array :changesets do
42 api.array :changesets do
43 @issue.changesets.each do |changeset|
43 @changesets.each do |changeset|
44 api.changeset :revision => changeset.revision do
44 api.changeset :revision => changeset.revision do
45 api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
45 api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
46 api.comments changeset.comments
46 api.comments changeset.comments
47 api.committed_on changeset.committed_on
47 api.committed_on changeset.committed_on
48 end
48 end
49 end
49 end
50 end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
50 end if include_in_api_response?('changesets')
51
51
52 api.array :journals do
52 api.array :journals do
53 @journals.each do |journal|
53 @journals.each do |journal|
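Review bot: The permission check on line 50 is gone and the loop on line 43 iterates `@changesets`, so (taking the `@changesets` variant as the new side) this template now relies entirely on the controller to hand it only changesets the current user may view. The controller is not shown on this page, so that filtering cannot be confirmed from here. If an action renders this view with changesets requested but without setting `@changesets`, the `each` call fails on nil; if it sets the variable unfiltered, changeset comments and authors are disclosed. I would record the contract above the array, e.g. `# @changesets must already be limited to changesets visible to User.current (set by the controller)`. The enclosing `api.issue do` block starts and ends outside the hunk.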
@@ -510,6 +510,20 class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
510 end
510 end
511 end
511 end
512
512
513 test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
514 project = Project.generate!(:is_public => false)
515 repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
516 Issue.find(1).changesets << Changeset.generate!(:repository => repository)
517 assert Issue.find(1).changesets.any?
518
519 get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
520
521 # the user jsmith has no permission to view the associated changeset
522 assert_select 'issue changesets[type=array]' do
523 assert_select 'changeset', 0
524 end
525 end
526
513 context "POST /issues.xml" do
527 context "POST /issues.xml" do
514 should_allow_api_authentication(
528 should_allow_api_authentication(
515 :post,
529 :post,
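Review bot: The added test on lines 513-525 pins only the negative case, so a regression that returns an empty changesets array for every user would still pass it. A companion case would pin both sides of the visibility filter: the requesting user is allowed to view the changeset's project and the test expects `assert_select 'changeset', 1`. If the JSON response is rendered from the same template, the same request in that format would be worth covering too. The enclosing test class begins and ends outside the hunk.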