diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb
index f057b4c..577a885 100644
--- a/app/views/issues/show.api.rsb
+++ b/app/views/issues/show.api.rsb
@@ -40,14 +40,14 @@ api.issue do
 end if include_in_api_response?('relations') && @relations.present?
 api.array :changesets do
-@issue.changesets.each do |changeset|
+@changesets.each do |changeset|
 api.changeset :revision => changeset.revision do
 api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
 api.comments changeset.comments
 api.committed_on changeset.committed_on
 end
 end
-end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
+end if include_in_api_response?('changesets')
 api.array :journals do
 @journals.each do |journal|
diff --git a/test/fixtures/changesets.yml b/test/fixtures/changesets.yml
index 247dda3..e87272f 100644
--- a/test/fixtures/changesets.yml
+++ b/test/fixtures/changesets.yml
@@ -102,3 +102,13 @@ changesets_010:
 user_id: 3
 repository_id: 10
 committer: dlopper
+changesets_011:
+commit_date: "2015-10-07"
+comments: This is an empty changeset
+committed_on: 2015-10-07 17:58:00
+revision: "1"
+id: 110
+scmid:
+user_id: 3
+repository_id: 12
+committer: dlopper
diff --git a/test/fixtures/changesets_issues.yml b/test/fixtures/changesets_issues.yml
new file mode 100644
index 0000000..b32ffcc
--- /dev/null
+++ b/test/fixtures/changesets_issues.yml
@@ -0,0 +1,4 @@
+---
+changesets_issues_001:
+changeset_id: 110
+issue_id: 1
diff --git a/test/fixtures/repositories.yml b/test/fixtures/repositories.yml
index 20225bb..618b09b 100644
--- a/test/fixtures/repositories.yml
+++ b/test/fixtures/repositories.yml
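Review bot: Dropping `User.current.allowed_to?(:view_changesets, @project)` from the `end if` line means the view no longer performs any authorization of its own, so the only thing keeping another project's changesets out of the response is how the controller builds `@changesets`, which is not part of this diff; confirm it comes from a visibility-scoped query rather than from `@issue.changesets` as before, since the old check only ever tested the issue's own project and was the gap the new test covers. Because the contract is now invisible from the template, add `# @changesets must already be restricted to changesets visible to User.current (set by the controller)` above `api.array :changesets do`. If the controller can leave `@changesets` unset while `include=changesets` is requested, `@changesets.each` raises rather than returning the empty array the new test expects; `@relations` one line up is guarded with `.present?`, so the same care seems warranted here. The enclosing `api.issue do` block starts before this hunk.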
@@ -19,3 +19,13 @@ repositories_002:
 type: Repository::Subversion
 is_default: true
 created_on: 2006-07-19 19:04:21 +02:00
+repositories_003:
+project_id: 3
+url: svn://localhost/test
+id: 12
+root_url: svn://localhost
+password: ""
+login: ""
+type: Repository::Subversion
+is_default: true
+created_on: 2015-10-07 17:54:00 +02:00
diff --git a/test/integration/api_test/issues_test.rb b/test/integration/api_test/issues_test.rb
index 08543ab..b4fba0e 100644
--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -42,7 +42,9 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
 :journals,
 :journal_details,
 :queries,
-:attachments
+:attachments,
+:changesets,
+:changesets_issues
 test "GET /issues.xml should contain metadata" do
 get '/issues.xml'
@@ -336,6 +338,15 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
 end
 end
+test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
+get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
+
+# the user jsmith has no permission to view the associated changeset
+assert_select 'issue changesets[type=array]' do
+assert_select 'changeset', 0
+end
+end
+
 test "POST /issues.xml should create an issue with the attributes" do
 payload = <<-XML