@@ -40,14 +40,14 api.issue do | |||
|
40 | 40 | end if include_in_api_response?('relations') && @relations.present? |
|
41 | 41 | |
|
42 | 42 | api.array :changesets do |
|
43 |
@ |
|
|
43 | @changesets.each do |changeset| | |
|
44 | 44 | api.changeset :revision => changeset.revision do |
|
45 | 45 | api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil? |
|
46 | 46 | api.comments changeset.comments |
|
47 | 47 | api.committed_on changeset.committed_on |
|
48 | 48 | end |
|
49 | 49 | end |
|
50 |
end if include_in_api_response?('changesets') |
|
|
50 | end if include_in_api_response?('changesets') | |
|
51 | 51 | |
|
52 | 52 | api.array :journals do |
|
53 | 53 | @journals.each do |journal| |
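Review bot: The new `@changesets.each` on line 43 has no nil guard, whereas the relations block just above is conditioned on `@relations.present?`. If any path renders this template without the controller assigning `@changesets`, a request with `include=changesets` would raise rather than return an empty array; the assignment is not visible in this hunk, so this is something to confirm rather than a certain defect. `(@changesets || []).each do |changeset|` would keep the response fail-closed. Because the template no longer shows where visibility is enforced, a comment above the loop would help the next reader, e.g. `# @changesets must already be limited to changesets the current user may view`.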
@@ -510,6 +510,20 class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base | |||
|
510 | 510 | end |
|
511 | 511 | end |
|
512 | 512 | |
|
513 | test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do | |
|
514 | project = Project.generate!(:is_public => false) | |
|
515 | repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost") | |
|
516 | Issue.find(1).changesets << Changeset.generate!(:repository => repository) | |
|
517 | assert Issue.find(1).changesets.any? | |
|
518 | ||
|
519 | get '/issues/1.xml?include=changesets', {}, credentials('jsmith') | |
|
520 | ||
|
521 | # the user jsmith has no permission to view the associated changeset | |
|
522 | assert_select 'issue changesets[type=array]' do | |
|
523 | assert_select 'changeset', 0 | |
|
524 | end | |
|
525 | end | |
|
526 | ||
|
513 | 527 | context "POST /issues.xml" do |
|
514 | 528 | should_allow_api_authentication( |
|
515 | 529 | :post, |
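Review bot: The new test asserts only the all-hidden case (`assert_select 'changeset', 0`), so it would still pass if the response dropped every changeset regardless of the user's permissions. Attaching a second changeset from a repository in a project jsmith can view, and asserting that this one is still returned while the private one is not, would pin the filtering to per-changeset visibility. The test also exercises only the `.xml` format; an equivalent `.json` request would cover the other serialization, assuming both render from the same template, which this hunk does not show. The `context "POST /issues.xml"` block that follows continues outside the hunk.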