Redmine 4.1.0 - Time entry for another user through API

Added by Valdir Stiebe Junior about 1 month ago


I'm trying to create a time tracking entry for another user through rest API with admin user without a role not a member on the project. I'm getting a forbidden 403 return.
However, through the user interface it works ok.

I expect the same behaviour from the user interface for the rest API.

I've created an workaround for my scripts with the following patch.
Should I create a defect task? Could anyone confirm this behaviour?

--- app/controllers/timelog_controller.rb
+++ app/controllers/timelog_controller.rb
@@ -256,16 +256,13 @@
       return false

   def authorize_logging_time_for_other_users
-    if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i !=
-      render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403
-      return false
-    end
+    return true

   def find_time_entries
     @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).
       preload(:project => :time_entry_activities).

Replies (1)