authorJean-Philippe Lang <jp_lang@yahoo.fr>2020-04-05 14:23:40 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2020-04-05 14:23:40 +0000
commitba27fe1b4ec6578f85e557de70be67c177a69040 (patch)
treefc3ff81983b08fe12ae7615dc5d3df0b03d9221c
parent9b5cccff390475899b8a7190938d834f1e64dbc4 (diff)
downloadredmine-ba27fe1b4ec6578f85e557de70be67c177a69040.tar.gz
redmine-ba27fe1b4ec6578f85e557de70be67c177a69040.zip
Creating time tracking entry for other user through rest API fails with 403 (#32774).
Patch by Marius BALTEANU. git-svn-id: http://svn.redmine.org/redmine/trunk@19669 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/timelog_controller.rb8
-rw-r--r--test/integration/api_test/time_entries_test.rb21
2 files changed, 29 insertions, 0 deletions
diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index d304fe3b2..c01e949d6 100644
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -288,6 +288,14 @@ class TimelogController < ApplicationController
end
end
+ def find_optional_project
+ if params[:project_id].present? || params[:time_entry].present? && params[:time_entry][:project_id].present?
+ project_id = params[:project_id] || params[:time_entry][:project_id]
+ find_project(project_id)
+ end
+ authorize_global
+ end
+
# Returns the TimeEntry scope for index and report actions
def time_entry_scope(options={})
@query.results_scope(options)
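Review bot: In `find_optional_project` the guard tests `.present?` but the next line selects the id with a plain `||`, so a request with an empty `project_id` and a filled `time_entry[project_id]` passes the guard and then hands the empty string to `find_project`; `project_id = params[:project_id].presence || params[:time_entry][:project_id]` keeps the two lines in agreement. When both parameters are supplied, the top-level `project_id` is the one that gets authorized, so it is worth confirming outside this hunk that the create path re-checks permission on the project actually assigned from `time_entry`. `params[:time_entry][:project_id]` also assumes `time_entry` is hash-like; a scalar value there would presumably raise instead of producing a 4xx response. Parentheses around the `&&` term would make the intended precedence explicit to the next reader.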
diff --git a/test/integration/api_test/time_entries_test.rb b/test/integration/api_test/time_entries_test.rb
index 33aa88aa1..6dd8119c5 100644
--- a/test/integration/api_test/time_entries_test.rb
+++ b/test/integration/api_test/time_entries_test.rb
@@ -144,6 +144,27 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
assert_select 'errors error', :text => "Hours cannot be blank"
end
+ test "POST /time_entries.xml for other user" do
+ Role.find_by_name('Manager').add_permission! :log_time_for_other_users
+
+ assert_difference 'TimeEntry.count' do
+ post(
+ '/time_entries.xml',
+ :params =>
+ {:time_entry =>
+ {:project_id => '1', :spent_on => '2010-12-02', :user_id => '3',
+ :hours => '3.5', :activity_id => '11'}},
+ :headers => credentials('jsmith'))
+ end
+ assert_response :created
+
+ assert_equal 'application/xml', @response.content_type
+
+ entry = TimeEntry.order('id DESC').first
+ assert_equal 3, entry.user_id
+ assert_equal 2, entry.author_id
+ end
+
test "PUT /time_entries/:id.xml with valid parameters should update time entry" do
assert_no_difference 'TimeEntry.count' do
put(
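Review bot: The added test covers only the permitted case, so nothing in this hunk pins the denial path that the new `find_optional_project` filter is now responsible for. A companion test would post the same `time_entry` body as a user who lacks `:log_time` in project 1, wrapped in `assert_no_difference 'TimeEntry.count'` and asserting the rejection status the controller is expected to return. That would guard against the filter becoming too permissive in a later change. Whether such a test already exists elsewhere in this file is not visible from the hunk.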