Defect #12287

Time entries of private issues are visible by users without permission to see them

Added by Ricardo S almost 10 years ago. Updated over 5 years ago.

Status: Confirmed
Start date:
Priority: High
Due date:
Assignee: -
% Done:
Category: Time tracking
Target version: Candidate for next minor release
Resolution:
Affected version:


By accessing /projects/:id/time_entries, users can see time entries submitted on private issues even if they don't have access to the issue.

Affected version:
Redmine: 2.1.2.devel.10772
Rails: 3.2.8
Ruby: 1.9.3 (x86_64-linux)


#1 Updated by Daniel Felix almost 10 years ago

  • Status changed from New to Confirmed
  • Priority changed from Normal to High


I can confirm this with current trunk (10781)!

#2 Updated by Ricardo S almost 10 years ago

This can be fixed with the following modifications on the TimeEntry model:

  # Create this method: combine issue visibility with the project-level permission
  def self.visible_condition(user, options={})
    "(#{Issue.visible_condition(user, options)} AND #{Project.allowed_to_condition(user, :view_time_entries, options)})"
  end

  # Update the :visible scope so it joins issues and applies the combined condition
  scope :visible, lambda {|*args| {
    :include => [:project, :issue],
    :conditions => TimeEntry.visible_condition(args.shift || User.current, *args)
  }}

With these changes, time entries on private issues will no longer be visible either on the search results page or on the /projects/:id/time_entries page.
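The check described in this thread, as an added example that is not part of the original comment and is not Redmine code: a plain-Ruby model comparing a scope that tests only `:view_time_entries` with one that also requires issue visibility. The structs, the author-or-assignee privacy rule, the sample data and the choice to keep entries that have no issue are all assumptions of this sketch.

```ruby
# Constructed in-memory model (assumption): not Redmine's schema or API.
User      = Struct.new(:id, :permissions)   # permissions: array of symbols
Issue     = Struct.new(:id, :author_id, :assignee_id, :is_private)
TimeEntry = Struct.new(:id, :issue, :hours) # issue is nil when time is logged on the project

# Assumed rule for this sketch: a private issue is visible only to its author or assignee.
def issue_visible?(issue, user)
  !issue.is_private || [issue.author_id, issue.assignee_id].include?(user.id)
end

# Behaviour reported in the ticket: only the project-level permission is checked.
def visible_before(entries, user)
  return [] unless user.permissions.include?(:view_time_entries)
  entries
end

# Project permission AND issue visibility. Entries with no issue are kept,
# since there is no issue to hide (an assumption, not stated in the thread).
def visible_after(entries, user)
  visible_before(entries, user).select { |e| e.issue.nil? || issue_visible?(e.issue, user) }
end

# Constructed sample data.
ALICE = User.new(1, [:view_time_entries]) # author of the private issue
BOB   = User.new(2, [:view_time_entries]) # member with no access to the private issue
CAROL = User.new(3, [])                   # lacks :view_time_entries

PUBLIC_ISSUE  = Issue.new(10, 1, nil, false)
PRIVATE_ISSUE = Issue.new(11, 1, nil, true)

ENTRIES = [
  TimeEntry.new(100, PUBLIC_ISSUE, 1.5),
  TimeEntry.new(101, PRIVATE_ISSUE, 4.0),
  TimeEntry.new(102, nil, 0.5)
]

# Entries the permission-only scope exposes that the combined check hides.
def leaked_ids(user)
  (visible_before(ENTRIES, user) - visible_after(ENTRIES, user)).map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  [ALICE, BOB, CAROL].each do |u|
    puts "user #{u.id}: before=#{visible_before(ENTRIES, u).map(&:id)} " \
         "after=#{visible_after(ENTRIES, u).map(&:id)} leaked=#{leaked_ids(u)}"
  end
end
```

A non-empty `leaked_ids` result for a user is the condition a regression test for this defect should fail on.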

#3 Updated by Etienne Massip almost 10 years ago

  • Target version set to Candidate for next minor release

#4 Updated by Toshi MARUYAMA over 9 years ago

What is the status of this issue?

#5 Updated by Marius BALTEANU over 5 years ago

Time entries logged on private issues are still visible to users that have permissions to see all time entries, but they don't have enough permissions to see the respective issues.

Is this a defect or is it the expected behaviour?
