Show action not allowed for time entries in closed projects (#24297).

Patch by Felix Schäfer.

git-svn-id: http://svn.redmine.org/redmine/trunk@15955 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index 4256ff30ee16bfb042cae821d6e200d1b1e8b9bb..6c0cd3ee641b88d4d36f33f8f90ac6c761c7990f 100644 (file)
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -19,6 +19,7 @@ class TimelogController < ApplicationController
   menu_item :time_entries
 
   before_action :find_time_entry, :only => [:show, :edit, :update]
+  before_action :check_editability, :only => [:edit, :update]
   before_action :find_time_entries, :only => [:bulk_edit, :bulk_update, :destroy]
   before_action :authorize, :only => [:show, :edit, :update, :bulk_edit, :bulk_update, :destroy]
 
@@ -221,13 +222,16 @@ class TimelogController < ApplicationController
 private
   def find_time_entry
     @time_entry = TimeEntry.find(params[:id])
+    @project = @time_entry.project
+  rescue ActiveRecord::RecordNotFound
+    render_404
+  end
+
+  def check_editability
     unless @time_entry.editable_by?(User.current)
       render_403
       return false
     end
-    @project = @time_entry.project
-  rescue ActiveRecord::RecordNotFound
-    render_404
   end
 
   def find_time_entries