From 9ad8f5e6b260424a672325636e59d09a2183f475 Mon Sep 17 00:00:00 2001
From: MAEDA Go <maeda@farend.jp>
Date: Sun, 7 Jun 2026 11:49:26 +0900
Subject: [PATCH] Return visible roles for all role-aware custom fields in API

---
 app/controllers/custom_fields_controller.rb   |  2 +-
 app/views/custom_fields/index.api.rsb         |  3 ++
 .../api_test/custom_fields_test.rb            | 35 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/app/controllers/custom_fields_controller.rb b/app/controllers/custom_fields_controller.rb
index cb07c1f13..b170dbae3 100644
--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@@ -34,7 +34,7 @@ class CustomFieldsController < ApplicationController
           IssueCustomField.where(is_for_all: false).joins(:projects).group(:custom_field_id).count
       end
       format.api do
-        @custom_fields = CustomField.all
+        @custom_fields = CustomField.includes(:roles).all
       end
     end
   end
diff --git a/app/views/custom_fields/index.api.rsb b/app/views/custom_fields/index.api.rsb
index d4b19d62b..82431805a 100644
--- a/app/views/custom_fields/index.api.rsb
+++ b/app/views/custom_fields/index.api.rsb
@@ -35,6 +35,9 @@ api.array :custom_fields do
             api.tracker :id => tracker.id, :name => tracker.name
           end
         end
+      end
+
+      if %w(IssueCustomField TimeEntryCustomField ProjectCustomField VersionCustomField).include?(field.class.name)
         api.array :roles do
           field.roles.each do |role|
             api.role :id => role.id, :name => role.name
diff --git a/test/integration/api_test/custom_fields_test.rb b/test/integration/api_test/custom_fields_test.rb
index 4fb06636e..f26983686 100644
--- a/test/integration/api_test/custom_fields_test.rb
+++ b/test/integration/api_test/custom_fields_test.rb
@@ -56,4 +56,39 @@ class Redmine::ApiTest::CustomFieldsTest < Redmine::ApiTest::Base
       assert_select "value:contains(?) + label:contains(?)", bar.id.to_s, 'Bar'
     end
   end
+
+  test "GET /custom_fields.xml should include roles for custom fields visible by role" do
+    custom_fields = [
+      IssueCustomField.generate!(:visible => false, :role_ids => [1, 2]),
+      TimeEntryCustomField.generate!(:visible => false, :role_ids => [1, 2]),
+      ProjectCustomField.generate!(:visible => false, :role_ids => [1, 2]),
+      VersionCustomField.generate!(:visible => false, :role_ids => [1, 2])
+    ]
+
+    get '/custom_fields.xml', :headers => credentials('admin')
+    assert_response :success
+
+    xml = Hash.from_xml(response.body)
+    fields = xml['custom_fields']
+    custom_fields.each do |custom_field|
+      field = fields.detect {|f| f['id'] == custom_field.id.to_s}
+      assert_kind_of Hash, field
+      assert_kind_of Array, field['roles']
+      roles = field['roles'].sort_by {|role| role['id'].to_i}
+      assert_equal({'id' => '1', 'name' => 'Manager'}, roles[0])
+      assert_equal({'id' => '2', 'name' => 'Developer'}, roles[1])
+    end
+  end
+
+  test "GET /custom_fields.json should not include roles for custom fields that do not support role visibility" do
+    custom_field = UserCustomField.generate!(:visible => false, :role_ids => [1, 2])
+
+    get '/custom_fields.json', :headers => credentials('admin')
+    assert_response :success
+
+    json = ActiveSupport::JSON.decode(response.body)
+    field = json['custom_fields'].detect {|f| f['id'] == custom_field.id}
+    assert_kind_of Hash, field
+    assert_not field.has_key?('roles')
+  end
 end
-- 
2.50.1