Defect #30121
Projects API should return only trackers, visible to the user
Status: | Confirmed | Start date: | ||
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | - | % Done: | 0% | |
Category: | REST API | |||
Target version: | Candidate for next minor release | |||
Resolution: | Affected version: | 3.4.6 |
Description
Currently projects API returns all trackers, assigned to given project. This is inconsistency with web view, which shows only trackers, visible to the user. They are the only usable to current user anyways.
This is invoked like this: projects/PROJECTID.json?include=trackers
The problem is in redmine/app/helpers/projects_helper.rb, where the line:
project.trackers.each do |tracker|
should be changed to
project.trackers.visible.each do |tracker|
Related issues
History
#1
Updated by Go MAEDA 3 months ago
- Related to Feature #285: Tracker role-based permissioning added
#4
Updated by Yuichi HARADA 2 months ago
Alex Stanev wrote:
should be changed to
project.trackers.visible.each do |tracker|
I think that project.rolled_up_trackers(false).visible
is better than project.trackers.visible
.
I changed it as follows.
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 794546163..64d6fea83 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -115,7 +115,7 @@ module ProjectsHelper
def render_api_includes(project, api)
api.array :trackers do
- project.trackers.each do |tracker|
+ project.rolled_up_trackers(false).visible.each do |tracker|
api.tracker(:id => tracker.id, :name => tracker.name)
end
end if include_in_api_response?('trackers')
I made a patch, and attach it.
#5
Updated by Alex Stanev 2 months ago
Hi, thanks for you help!
This approach will also do the trick, can't test it right now.
Also maybe Go will require test for this.
#6
Updated by Marius BALTEANU 18 days ago
- Target version set to Candidate for next minor release