Project

General

Profile

Actions
Copy link

Defect #30121

closed

Projects API should not return invisible trackers

Added by Alex Stanev over 5 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Go MAEDA
Category:
REST API
Target version:
4.2.0
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:
3.4.6

Description

Currently projects API returns all trackers, assigned to given project. This is inconsistency with web view, which shows only trackers, visible to the user. They are the only usable to current user anyways.
This is invoked like this: projects/PROJECTID.json?include=trackers
The problem is in redmine/app/helpers/projects_helper.rb, where the line:

project.trackers.each do |tracker|

should be changed to
project.trackers.visible.each do |tracker|

Files

30121-api-will-return-trackers-with-role-based.patch (2.06 KB) 30121-api-will-return-trackers-with-role-based.patch Yuichi HARADA, 2018-12-13 02:52

Related issues

Related to Redmine - Feature #285: Tracker role-based permissioningClosedJean-Philippe Lang

Actions
Actions
Copy link
 #1

Updated by Go MAEDA over 5 years ago

  • Related to Feature #285: Tracker role-based permissioning added
Actions
Copy link
 #2

Updated by Go MAEDA over 5 years ago

  • Category set to REST API
Actions
Copy link
 #3

Updated by Go MAEDA over 5 years ago

  • Status changed from New to Confirmed

Confirmed the problem. Thank you for catching and reporting this.

Actions
Copy link
 #4

Updated by Yuichi HARADA over 5 years ago

Alex Stanev wrote:

should be changed to

project.trackers.visible.each do |tracker|

I think that project.rolled_up_trackers(false).visible is better than project.trackers.visible .
I changed it as follows.

diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 794546163..64d6fea83 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -115,7 +115,7 @@ module ProjectsHelper

   def render_api_includes(project, api)
     api.array :trackers do
-      project.trackers.each do |tracker|
+      project.rolled_up_trackers(false).visible.each do |tracker|
         api.tracker(:id => tracker.id, :name => tracker.name)
       end
     end if include_in_api_response?('trackers')

I made a patch, and attach it.

Actions
Copy link
 #5

Updated by Alex Stanev over 5 years ago

Hi, thanks for you help!
This approach will also do the trick, can't test it right now.
Also maybe Go will require test for this.

Actions
Copy link
 #6

Updated by Marius BÄ‚LTEANU about 5 years ago

  • Target version set to Candidate for next minor release
Actions
Copy link
 #7

Updated by vzvu 3k6k about 3 years ago

LGTM. We (matobaa, sanak and me) have verified the following with trunk (revision 20744).

  • The bug reported in the issue has been fixed by your patch.
  • All tests are also successful.

In the patch, we noticed that the argument of rolled_up_trackers is false instead of Setting.display_subprojects_issues? as in ProjectsController#show. We assume this is because the sub project trackers are probably not needed with this API.

Actions
Copy link
 #8

Updated by Go MAEDA about 3 years ago

  • Subject changed from Projects API should return only trackers, visible to the user to Projects API should not return invisible trackers
  • Target version changed from Candidate for next minor release to 4.1.2

Setting the target version to 4.1.2.

Actions
Copy link
 #9

Updated by Go MAEDA about 3 years ago

  • Status changed from Confirmed to Resolved
  • Assignee set to Go MAEDA

Committed the patch. Thank you all for your contribution.

Actions
Copy link
 #10

Updated by Go MAEDA about 3 years ago

  • Status changed from Resolved to Closed
  • Target version changed from 4.1.2 to 4.2.0
  • Resolution set to Fixed
Actions
Copy link

Also available in: Atom PDF