Fixed that Issues API may disclose changesets that are not visible (#21136)....
Jean-Philippe Lang -
r14412:a196aaa2a97b
@@ -40,14 +40,14 api.issue do
40 end if include_in_api_response?('relations') && @relations.present?
40 end if include_in_api_response?('relations') && @relations.present?
41
41
42 api.array :changesets do
42 api.array :changesets do
43 @issue.changesets.each do |changeset|
43 @changesets.each do |changeset|
44 api.changeset :revision => changeset.revision do
44 api.changeset :revision => changeset.revision do
45 api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
45 api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
46 api.comments changeset.comments
46 api.comments changeset.comments
47 api.committed_on changeset.committed_on
47 api.committed_on changeset.committed_on
48 end
48 end
49 end
49 end
50 end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
50 end if include_in_api_response?('changesets')
51
51
52 api.array :journals do
52 api.array :journals do
53 @journals.each do |journal|
53 @journals.each do |journal|
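Review bot: The side of this hunk that iterates `@changesets` and drops the `User.current.allowed_to?(:view_changesets, @project)` guard (presumably the new side, given the commit message) makes the non-disclosure guarantee depend entirely on wherever `@changesets` is assigned, which is outside this hunk and presumably a controller applying a visibility scope. That coupling is invisible to a reader of the template, and a later change that assigned `@changesets = @issue.changesets` would silently reintroduce the disclosure fixed here. I would add a comment above the `api.array :changesets do` line: `# @changesets must already be filtered for visibility by the controller; this template no longer re-checks :view_changesets`. The enclosing `api.issue do` block starts and ends outside the hunk.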
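--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -336,6 +336,20 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
 end
 end
 
+test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
+project = Project.generate!(:is_public => false)
+repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
+Issue.find(1).changesets << Changeset.generate!(:repository => repository)
+assert Issue.find(1).changesets.any?
+
+get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
+
+# the user jsmith has no permission to view the associated changeset
+assert_select 'issue changesets[type=array]' do
+assert_select 'changeset', 0
+end
+end
+
 test "POST /issues.xml should create an issue with the attributes" do
 
 payload = <<-XML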
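Review bot: The new test's `assert_select 'changeset', 0` proves the changeset from the private project is hidden, but it does not show that visible changesets still appear, so a regression that emptied the changesets array altogether would pass unnoticed. Consider also attaching a changeset from a repository in issue 1's own project and asserting `assert_select 'changeset', 1` (adjusted for whatever changesets the fixtures may already link to issue 1, which I cannot see from here), so the test pins both sides of the visibility filter. The `assert Issue.find(1).changesets.any?` line only confirms the setup succeeded; a short comment such as `# sanity check: the hidden changeset is really associated with the issue` would make its purpose clear.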