Fixed that Issues API may disclose changesets that are not visible (#21136).

git-svn-id: http://svn.redmine.org/redmine/trunk@14794 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-07 05:45:49 +01:00 · 2015-11-04 18:17:07 +00:00
parent 747247d81b
commit a196aaa2a9
2 changed files with 16 additions and 2 deletions
--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -336,6 +336,20 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
    end
  end

+  test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
+    project = Project.generate!(:is_public => false)
+    repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
+    Issue.find(1).changesets << Changeset.generate!(:repository => repository)
+    assert Issue.find(1).changesets.any?
+
+    get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
+
+    # the user jsmith has no permission to view the associated changeset
+    assert_select 'issue changesets[type=array]' do
+      assert_select 'changeset', 0
+    end
+  end
+
  test "POST /issues.xml should create an issue with the attributes" do

 payload = <<-XML