Defect #13274


REST API cannot retrieve some time entries by ID although shown in full listing

Added by Chad B over 11 years ago.


Setup: There is one user, which we will call "user1." Also there is "admin." There are projects A and B. User1 has the "developer" role on project A and both the "developer" and "manager" roles on project B. Admin is not assigned any roles on either project. Role permissions have not been changed from the defaults. The system contains 4 time entries, 2 created by user1 and 2 created by admin.

With admin's login (using HTTP basic auth) I can retrieve the full time entry list as well as the individual time entries by ID.

Here's the strange part: Using user1's login I can get the full time entry list but only retrieve 1 time entry by its ID number. As user1, calling "/time_entries.xml" returns all 4 time entries. However, loading each time entry individually by ID (e.g., via "time_entries/1.xml"), I can only get 1 of them, which was one created by admin for an issue residing in project B. The other 3 time entries, which reside in project A, return HTTP 403 Forbidden with an empty body, even though I can view the contents of these entries in the full list. Additionally user1 can see all 4 time entries through the normal web UI.

For the above tests I used HTTP basic auth; however, I have also tried using the REST API key of each user respectively by appending ?key=X to the URL. I did not try all the scenarios with the key URL parameter authentication form, but the ones I did try were consistent with the basic auth results. Also, I tried using .json; again, I did not test all the combinations, but the results seem to be the same as the .xml results.

I have a log entry like this for each attempt:

Started GET "/redmine/time_entries/3.xml" for at 2013-02-24 22:53:52 -0600
Processing by TimelogController#show as XML
  Parameters: {"id"=>"3"}
  Current user: chad (id=3)
Filter chain halted as :find_time_entry rendered or redirected
Completed 403 Forbidden in 34ms (ActiveRecord: 25.6ms)

Redmine version is 2.2.3.stable. No plugins. Pretty much a vanilla setup. Using Apache HTTP Server and Passenger. MySQL is 5.5.29.

root@vb-ubuntu:/usr/local/share/redmine/log# RAILS_ENV=production rake about
(in /usr/local/share/redmine-2.2.3)
About your application's environment
Ruby version              1.9.3 (x86_64-linux)
RubyGems version          1.8.23
Rack version              1.4
Rails version             3.2.12
Active Record version     3.2.12
Action Pack version       3.2.12
Active Resource version   3.2.12
Action Mailer version     3.2.12
Active Support version    3.2.12
Middleware                Rack::Cache, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x000000028b9fc8>, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Callbacks, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, ActionDispatch::ParamsParser, ActionDispatch::Head, Rack::ConditionalGet, Rack::ETag, ActionDispatch::BestStandardsSupport, OpenIdAuthentication
Application root          /usr/local/share/redmine-2.2.3
Environment               production
Database adapter          mysql2
Database schema version   20121026003537

From the Information section of the Administration area in the web UI:

  Redmine version                          2.2.3.stable
  Ruby version                             1.9.3 (x86_64-linux)
  Rails version                            3.2.12
  Environment                              production
  Database adapter                         Mysql2
Redmine plugins:
  no plugin installed

The server is on Ubuntu 12.10. API tested using Firefox 19.0 and IE 9.0 on a separate Windows machine as well as with Firefox 19.0 locally on the server.
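
Added example (not part of the original report and not Redmine code): a small Ruby check that cross-references what the time entry listing discloses against the per-ID status codes for the same user, reproducing the 1-of-4 pattern described above. The JSON body, entry IDs, creators, and per-ID statuses are constructed sample data, and the function names are hypothetical.

```ruby
require 'json'

# Constructed sample: GET /time_entries.json as user1, shaped like Redmine's
# JSON listing. IDs, creators and the project split are assumptions.
LIST_BODY = <<~JSON
  {"time_entries": [
    {"id": 1, "project": {"id": 2, "name": "B"}, "user": {"id": 1, "name": "admin"}},
    {"id": 2, "project": {"id": 1, "name": "A"}, "user": {"id": 1, "name": "admin"}},
    {"id": 3, "project": {"id": 1, "name": "A"}, "user": {"id": 3, "name": "user1"}},
    {"id": 4, "project": {"id": 1, "name": "A"}, "user": {"id": 3, "name": "user1"}}
  ], "total_count": 4, "offset": 0, "limit": 25}
JSON

# Constructed per-ID results for GET /time_entries/<id>.json as the same user.
SHOW_STATUS = { 1 => 200, 2 => 403, 3 => 403, 4 => 403 }.freeze

# Returns the entries that the listing discloses but the per-ID endpoint
# refuses. `fetch_status` is any callable mapping an entry id to an HTTP
# status, so a live check can pass in a real HTTP client instead.
def list_show_mismatches(list_body, fetch_status)
  data = JSON.parse(list_body)
  entries = data.fetch('time_entries')
  # A paginated listing must be walked fully before drawing conclusions.
  if data['total_count'] && data['total_count'] > entries.size
    raise ArgumentError, 'listing is partial; fetch remaining pages first'
  end
  entries.each_with_object([]) do |entry, out|
    status = fetch_status.call(entry['id'])
    next if status == 200
    out << { id: entry['id'], project: entry.dig('project', 'name'),
             author: entry.dig('user', 'name'), status: status }
  end
end

# Groups mismatches by project to show whether the split follows project
# membership (as in the report) rather than who created the entry.
def mismatches_by_project(mismatches)
  mismatches.group_by { |m| m[:project] }
            .transform_values { |ms| ms.map { |m| m[:id] } }
end

if __FILE__ == $PROGRAM_NAME
  found = list_show_mismatches(LIST_BODY, SHOW_STATUS.method(:fetch))
  found.each do |m|
    puts "entry #{m[:id]} (project #{m[:project]}, by #{m[:author]}): listed but #{m[:status]} by ID"
  end
  p mismatches_by_project(found)
end
```

Any entry this returns means the two endpoints disagree about what the user may see, so it is worth running per role as a regression check on list and show authorization.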
