Defect #30121

Projects API should return only trackers, visible to the user

Added by Alex Stanev almost 2 years ago. Updated almost 2 years ago.

Status:ConfirmedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:REST API
Target version:Candidate for next minor release
Resolution: Affected version:3.4.6

Description

Currently projects API returns all trackers, assigned to given project. This is inconsistency with web view, which shows only trackers, visible to the user. They are the only usable to current user anyways.
This is invoked like this: projects/PROJECTID.json?include=trackers
The problem is in redmine/app/helpers/projects_helper.rb, where the line:

project.trackers.each do |tracker|

should be changed to
project.trackers.visible.each do |tracker|

30121-api-will-return-trackers-with-role-based.patch Magnifier (2.06 KB) Yuichi HARADA, 2018-12-13 02:52

Related issues

Related to Redmine - Feature #285: Tracker role-based permissioning Closed

History

#1 Updated by Go MAEDA almost 2 years ago

  • Related to Feature #285: Tracker role-based permissioning added

#2 Updated by Go MAEDA almost 2 years ago

  • Category set to REST API

#3 Updated by Go MAEDA almost 2 years ago

  • Status changed from New to Confirmed

Confirmed the problem. Thank you for catching and reporting this.

#4 Updated by Yuichi HARADA almost 2 years ago

Alex Stanev wrote:

should be changed to

project.trackers.visible.each do |tracker|

I think that project.rolled_up_trackers(false).visible is better than project.trackers.visible .
I changed it as follows.

diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 794546163..64d6fea83 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -115,7 +115,7 @@ module ProjectsHelper

   def render_api_includes(project, api)
     api.array :trackers do
-      project.trackers.each do |tracker|
+      project.rolled_up_trackers(false).visible.each do |tracker|
         api.tracker(:id => tracker.id, :name => tracker.name)
       end
     end if include_in_api_response?('trackers')

I made a patch, and attach it.

#5 Updated by Alex Stanev almost 2 years ago

Hi, thanks for you help!
This approach will also do the trick, can't test it right now.
Also maybe Go will require test for this.

#6 Updated by Marius BALTEANU almost 2 years ago

  • Target version set to Candidate for next minor release

Also available in: Atom PDF