From ba27fe1b4ec6578f85e557de70be67c177a69040 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Sun, 5 Apr 2020 14:23:40 +0000 Subject: [PATCH] Creating time tracking entry for other user through rest API fails with 403 (#32774). Patch by Marius BALTEANU. git-svn-id: http://svn.redmine.org/redmine/trunk@19669 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/controllers/timelog_controller.rb | 8 +++++++ .../integration/api_test/time_entries_test.rb | 21 +++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb index d304fe3b2..c01e949d6 100644 --- a/app/controllers/timelog_controller.rb +++ b/app/controllers/timelog_controller.rb @@ -288,6 +288,14 @@ class TimelogController < ApplicationController end end + def find_optional_project + if params[:project_id].present? || params[:time_entry].present? && params[:time_entry][:project_id].present? + project_id = params[:project_id] || params[:time_entry][:project_id] + find_project(project_id) + end + authorize_global + end + # Returns the TimeEntry scope for index and report actions def time_entry_scope(options={}) @query.results_scope(options) diff --git a/test/integration/api_test/time_entries_test.rb b/test/integration/api_test/time_entries_test.rb index 33aa88aa1..6dd8119c5 100644 --- a/test/integration/api_test/time_entries_test.rb +++ b/test/integration/api_test/time_entries_test.rb 
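Review bot: In `find_optional_project` the project id is resolved with `params[:project_id] || params[:time_entry][:project_id]`, and `||` treats an empty string as truthy, so a request carrying `project_id=` in the URL together with a `time_entry[project_id]` in the body passes the `present?` guard on the second operand but then calls `find_project("")` instead of the payload's project; using `presence` on each candidate avoids that. The same line also assumes `params[:time_entry]` is hash-like: a client sending `time_entry` as a scalar passes `present?` and `params[:time_entry][:project_id]` raises, turning a malformed request into a 500 rather than a 4xx, which is worth guarding in an API endpoint. The mixed `||`/`&&` in the condition has the intended precedence (`a || (b && c)`) but reads better once the id is resolved up front. It also looks like `authorize_global` runs even after `find_project` has dealt with a missing project; if `find_project` renders a 404 rather than raising, returning right after it would avoid a second render, but what it returns is outside this hunk and should be confirmed. A why-comment such as `# The project may come from the URL (nested route) or from the time_entry payload (REST API); authorization is checked against it, or globally when neither is given.` would document the intent.

```ruby
  def find_optional_project
    entry_params = params[:time_entry]
    # Only a hash-like payload can carry a project id; ignore a scalar time_entry value.
    entry_project_id = entry_params.respond_to?(:key?) ? entry_params[:project_id] : nil
    project_id = params[:project_id].presence || entry_project_id.presence
    find_project(project_id) if project_id
    authorize_global
  end
```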
@@ -144,6 +144,27 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base assert_select 'errors error', :text => "Hours cannot be blank" end + test "POST /time_entries.xml for other user" do + Role.find_by_name('Manager').add_permission! :log_time_for_other_users + + assert_difference 'TimeEntry.count' do + post( + '/time_entries.xml', + :params => + {:time_entry => + {:project_id => '1', :spent_on => '2010-12-02', :user_id => '3', + :hours => '3.5', :activity_id => '11'}}, + :headers => credentials('jsmith')) + end + assert_response :created + + assert_equal 'application/xml', @response.content_type + + entry = TimeEntry.order('id DESC').first + assert_equal 3, entry.user_id + assert_equal 2, entry.author_id + end + test "PUT /time_entries/:id.xml with valid parameters should update time entry" do assert_no_difference 'TimeEntry.count' do put( -- 2.39.5
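Review bot: The new test covers only the positive path — a Manager explicitly granted `:log_time_for_other_users` — so nothing pins what the API does when the role lacks that permission, which is the authorization boundary this change touches; a companion test that omits the `add_permission!` line, posts the same payload and asserts how the foreign `user_id` is handled (the request refused, or the entry recorded for jsmith, user 2, rather than user 3 — whichever the controller is meant to do) would catch a regression that silently honours `user_id` for any caller. `Role.find_by_name('Manager').add_permission!` persists the permission for the rest of the test run; presumably the transactional test database rolls it back, but the test itself does not show that. A minor style point: `TimeEntry.order('id DESC').first` can be written `TimeEntry.last`, and a comment such as `# jsmith (user 2) logs time on behalf of user 3; the author stays jsmith` above the two final assertions would explain the ids being compared.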