author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2020-04-05 14:23:40 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2020-04-05 14:23:40 +0000 |
commit | ba27fe1b4ec6578f85e557de70be67c177a69040 (patch) | |
tree | fc3ff81983b08fe12ae7615dc5d3df0b03d9221c | |
parent | 9b5cccff390475899b8a7190938d834f1e64dbc4 (diff) | |
Creating time tracking entry for other user through rest API fails with 403 (#32774).
Patch by Marius BALTEANU.
git-svn-id: http://svn.redmine.org/redmine/trunk@19669 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/timelog_controller.rb | 8 | ||||
-rw-r--r-- | test/integration/api_test/time_entries_test.rb | 21 |
2 files changed, 29 insertions, 0 deletions
diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index d304fe3b2..c01e949d6 100644
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -288,6 +288,14 @@ class TimelogController < ApplicationController
     end
   end
 
+  def find_optional_project
+    if params[:project_id].present? || params[:time_entry].present? && params[:time_entry][:project_id].present?
+      project_id = params[:project_id] || params[:time_entry][:project_id]
+      find_project(project_id)
+    end
+    authorize_global
+  end
+
   # Returns the TimeEntry scope for index and report actions
   def time_entry_scope(options={})
     @query.results_scope(options)
diff --git a/test/integration/api_test/time_entries_test.rb b/test/integration/api_test/time_entries_test.rb
index 33aa88aa1..6dd8119c5 100644
--- a/test/integration/api_test/time_entries_test.rb
+++ b/test/integration/api_test/time_entries_test.rb
@@ -144,6 +144,27 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
     assert_select 'errors error', :text => "Hours cannot be blank"
   end
 
+  test "POST /time_entries.xml for other user" do
+    Role.find_by_name('Manager').add_permission! :log_time_for_other_users
+
+    assert_difference 'TimeEntry.count' do
+      post(
+        '/time_entries.xml',
+        :params =>
+          {:time_entry =>
+            {:project_id => '1', :spent_on => '2010-12-02', :user_id => '3',
+             :hours => '3.5', :activity_id => '11'}},
+        :headers => credentials('jsmith'))
+    end
+    assert_response :created
+
+    assert_equal 'application/xml', @response.content_type
+
+    entry = TimeEntry.order('id DESC').first
+    assert_equal 3, entry.user_id
+    assert_equal 2, entry.author_id
+  end
+
   test "PUT /time_entries/:id.xml with valid parameters should update time entry" do
     assert_no_difference 'TimeEntry.count' do
       put(
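Review bot: `params[:time_entry][:project_id]` in the new `find_optional_project` assumes `time_entry` arrives as a nested hash; a request that sends it as a scalar (`time_entry=1` in a query string or form body) passes the `present?` check and then `String#[]` with a Symbol raises a TypeError, so a malformed request becomes a 500 rather than a 4xx. Guard the type before indexing, e.g. `if params[:project_id].present? || (params[:time_entry].is_a?(ActionController::Parameters) && params[:time_entry][:project_id].present?)`, which also makes the `||`/`&&` precedence explicit instead of relying on the reader knowing `&&` binds tighter. When both `project_id` and `time_entry[:project_id]` are supplied, the top-level one is what `find_project` authorizes against; whether the create action then builds the entry against that same project is outside this hunk and worth confirming, since a mismatch would let the authorization check run on a different project than the one written. `time_entry_scope` continues past the end of the hunk.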
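Review bot: The new test exercises only the permitted path — it grants `:log_time_for_other_users` to the Manager role and asserts the entry lands on user 3 — so the authorization side of the fix is never pinned: a regression where a user without that permission can log time for someone else would go unnoticed by this suite. A companion test posting the same payload without the `add_permission!` line and asserting a 403 (or a validation error, whichever the controller produces for that case) would cover the check the commit title is about. The `entry.author_id == 2` assertion depends on `credentials('jsmith')` mapping to user 2 in the fixtures, which is presumably consistent with the rest of this file but deserves a comment above the post, e.g. `# jsmith (user 2) logs time on behalf of user 3, which needs :log_time_for_other_users`.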