Defect #32774

Creating time tracking entry for other user through rest API fails with 403

Added by Valdir Stiebe Junior 9 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Assignee: Jean-Philippe Lang
Category: Time tracking
Target version: 4.1.1
Resolution: Fixed
Start date:
Due date:
% Done: 0%
Affected version: 4.1.0

Description

Trying to create a time tracking entry for another user through the REST API with an admin user who has no role and is not a member of the project,
I'm getting a 403 Forbidden response.
Maybe this is related to #3848.

However, through the user interface it works ok.

I've created a workaround for my scripts with the following patch.

--- app/controllers/timelog_controller.rb
+++ app/controllers/timelog_controller.rb
@@ -256,16 +256,13 @@
       render_403
       return false
     end
   end

   def authorize_logging_time_for_other_users
-    if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i != User.current.id
-      render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403
-      return false
-    end
+    return true
   end

   def find_time_entries
     @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).
       preload(:project => :time_entry_activities).
       preload(:user).to_a
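Review bot: replacing the body of authorize_logging_time_for_other_users with an unconditional `return true` removes the :log_time_for_other_users permission check entirely, so with this workaround any authenticated API user can create time entries on behalf of another user. The removed condition shows the check depends on `@project`, which is what the API request fails to resolve; the fix belongs in the project lookup (so that `@project` is set when the project id arrives nested under `params['time_entry']`), not in bypassing the check.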

0001-Fix-creating-time-tracking-entry-through-rest-API-do.patch (2.32 KB) Marius BALTEANU, 2020-01-12 23:51


Related issues

Related to Redmine - Feature #3848: Permission to log time for another user Closed 2009-09-11

Associated revisions

Revision 19669
Added by Jean-Philippe Lang 6 months ago

Creating time tracking entry for other user through rest API fails with 403 (#32774).

Patch by Marius BALTEANU.

Revision 19670
Added by Jean-Philippe Lang 6 months ago

Creating time tracking entry for other user through rest API fails with 403 (#32774).

Revision 19676
Added by Jean-Philippe Lang 6 months ago

Creating time tracking entry for other user through rest API fails with 403 (#32774).

Revision 19677
Added by Jean-Philippe Lang 6 months ago

Set time entry author in controller (#32774).

Revision 19678
Added by Jean-Philippe Lang 6 months ago

Don't use User.current in TimeEntryImport model but #user instead (#32774).

Revision 19679
Added by Jean-Philippe Lang 6 months ago

Merged r19676 to r19678 to 4.1-stable (#32774).

History

#1 Updated by Marius BALTEANU 9 months ago

#2 Updated by Marius BALTEANU 9 months ago

#3 Updated by Marius BALTEANU 9 months ago

  • Related to Feature #3848: Permission to log time for another user added

#4 Updated by Marius BALTEANU 9 months ago

  • Status changed from New to Confirmed
  • Assignee set to Marius BALTEANU
  • Target version set to 4.1.1

#5 Updated by Marius BALTEANU 9 months ago

authorize_logging_time_for_other_users returns false because @project is not set yet. Both methods find_optional_issue and find_optional_project from TimelogController expect :issue_id and :project_id only as root params, not as nested params (inside :time_entry).

The fix strictly for this case was to override the method find_optional_project so that it also accepts params[:time_entry][:project_id]. All tests pass.

Jean-Philippe, could you review the fix, please? Also, should we do the same change for find_optional_issue as well?
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
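An added example (not Redmine's code) modelling the root cause described in this note: the project lookup reads only the root :project_id, so @project stays nil for an API request that nests it under :time_entry and the permission check denies the request. User#allowed_to?, the two lookup variants and the controller flow are simplified stand-ins named after the page's methods.

```ruby
# Added example, not Redmine's code: models how TimelogController's project
# lookup interacts with the :log_time_for_other_users check. Names mirror the
# issue; the permission/membership logic is a simplified stand-in.
require 'set'

User = Struct.new(:id, :admin, :member_of) do
  # Simplified stand-in for User#allowed_to?: with no project context the
  # check fails, even for an admin, which is what produced the 403 here.
  def allowed_to?(_action, project)
    return false if project.nil?
    admin || member_of.include?(project)
  end
end

# Project lookup as described in note #5: only the root :project_id is read.
def find_optional_project_root_only(params)
  params[:project_id]
end

# Fixed lookup: also accept the nested params[:time_entry][:project_id]
# that the REST API sends.
def find_optional_project_fixed(params)
  params[:project_id] || params.dig(:time_entry, :project_id)
end

# Mirrors authorize_logging_time_for_other_users: returns :ok or 403.
def authorize_logging_time_for_other_users(current_user, project, params)
  entry = params[:time_entry]
  target = entry && entry[:user_id]
  if !current_user.allowed_to?(:log_time_for_other_users, project) &&
     target && target.to_i != current_user.id
    return 403
  end
  :ok
end

# Runs the lookup variant named by +lookup+, then the authorization check,
# returning the status the API request would get.
def create_time_entry_status(current_user, params, lookup)
  project = send(lookup, params)
  authorize_logging_time_for_other_users(current_user, project, params)
end

# Constructed request: an admin who is not a member of project 7 logs time
# for user 42 via the API, with the project id nested under :time_entry.
API_PARAMS = { time_entry: { project_id: 7, user_id: 42, hours: 1.5 } }.freeze
ADMIN = User.new(1, true, Set.new).freeze
```

With the root-only lookup the admin gets 403; with the fixed lookup the admin passes, while a non-admin non-member logging time for someone else is still refused.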

#6 Updated by Marius BALTEANU 9 months ago

  • Subject changed from Creating time tracking entry through rest API doesn't behaviour like the user interface to Creating time tracking entry for other user through rest API doesn't work

#7 Updated by Valdir Stiebe Junior 8 months ago

Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?

It works for us. Thank you!

#8 Updated by Go MAEDA 7 months ago

  • Assignee set to Jean-Philippe Lang

#9 Updated by Jean-Philippe Lang 6 months ago

  • Subject changed from Creating time tracking entry for other user through rest API doesn't work to Creating time tracking entry for other user through rest API fails with 403
  • Status changed from Confirmed to Resolved
  • Resolution set to Fixed

Committed, thanks.

Marius BALTEANU wrote:

Also, we should do the same change for find_optional_issue as well?

Good point, I've fixed find_optional_issue in r19670.

#10 Updated by Jean-Philippe Lang 6 months ago

  • Status changed from Resolved to New
  • Resolution deleted (Fixed)

I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.

#11 Updated by Marius BALTEANU 6 months ago

Jean-Philippe Lang wrote:

I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.

Ok, please let me know if you need my help on this.

#12 Updated by Jean-Philippe Lang 6 months ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fix committed.

#13 Updated by Marius BALTEANU 6 months ago

Jean-Philippe Lang wrote:

Fix committed.

Thanks, Jean-Philippe, for fixing this issue; it seems that I've added some bad lines of code. In the following weeks I'll add a patch to remove the method set_author_if_nil from the TimeEntry model.
