diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb index 794546163..64d6fea83 100644 --- a/app/helpers/projects_helper.rb +++ b/app/helpers/projects_helper.rb @@ -115,7 +115,7 @@ module ProjectsHelper def render_api_includes(project, api) api.array :trackers do - project.trackers.each do |tracker| + project.rolled_up_trackers(false).visible.each do |tracker| api.tracker(:id => tracker.id, :name => tracker.name) end end if include_in_api_response?('trackers') diff --git a/test/integration/api_test/projects_test.rb b/test/integration/api_test/projects_test.rb index f5d1e69c2..2e0959953 100644 --- a/test/integration/api_test/projects_test.rb +++ b/test/integration/api_test/projects_test.rb @@ -130,6 +130,33 @@ class Redmine::ApiTest::ProjectsTest < Redmine::ApiTest::Base assert_select 'trackers[type=array] tracker[id="2"][name="Feature request"]' end + test "GET /projects/:id.xml with include=trackers should return trackers based on role-based permissioning" do + project = Project.find(1) + assert_equal [1, 2, 3], project.tracker_ids + + role = Role.find(3) # Reporter + role.permissions_all_trackers = {'view_issues' => '0'} + role.permissions_tracker_ids = {'view_issues' => ['1']} + role.save! + + user = User.find_by_login('jsmith') + member = project.members.detect{|m| m.user == user} + member.roles.delete_all + member.role_ids = [role.id] + member.roles.reload + assert_equal [role.id], member.role_ids + + get '/projects/1.xml?include=trackers', :headers => credentials(user.login) + assert_response :success + assert_equal 'application/xml', @response.content_type + + assert_select 'trackers[type=array]' do + assert_select 'tracker[id="1"]', :count => 1 + assert_select 'tracker[id="2"]', :count => 0 + assert_select 'tracker[id="3"]', :count => 0 + end + end + test "GET /projects/:id.xml with include=enabled_modules should return enabled modules" do get '/projects/1.xml?include=enabled_modules' assert_response :success