From 945a091c94a9ed651f61e225fa8646479478e9d4 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Wed, 4 Nov 2015 18:40:15 +0000
Subject: Don't let users log time on issues they cannot see in their projects
 (#21150).

git-svn-id: http://svn.redmine.org/redmine/trunk@14796 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/time_entry.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/models/time_entry.rb')

diff --git a/app/models/time_entry.rb b/app/models/time_entry.rb
index b133f502a..ea33c0bc6 100644
--- a/app/models/time_entry.rb
+++ b/app/models/time_entry.rb
@@ -95,7 +95,7 @@ class TimeEntry < ActiveRecord::Base
     if attrs
       attrs = super(attrs)
       if issue_id_changed? && issue
-        if user.allowed_to?(:log_time, issue.project)
+        if issue.visible?(user) && user.allowed_to?(:log_time, issue.project)
           if attrs[:project_id].blank? && issue.project_id != project_id
             self.project_id = issue.project_id
           end
-- 
cgit v1.2.3