Defect #32774

Creating time tracking entry for other user through rest API doesn't work

Added by Valdir Stiebe Junior 15 days ago. Updated 10 days ago.

Status: Confirmed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Time tracking
Target version: 4.1.1
Resolution:
Affected version: 4.1.0

Description

Trying to create a time tracking entry for another user through the REST API with an admin user without a role, not a member of the project.
I'm getting a forbidden 403 return.
Maybe this is related to #3848.

However, through the user interface it works ok.

I've created a workaround for my scripts with the following patch.

--- app/controllers/timelog_controller.rb
+++ app/controllers/timelog_controller.rb
@@ -256,16 +256,13 @@
       render_403
       return false
     end
   end

   def authorize_logging_time_for_other_users
-    if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i != User.current.id
-      render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403
-      return false
-    end
+    return true
   end

   def find_time_entries
     @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).
       preload(:project => :time_entry_activities).
       preload(:user).to_a
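
Review bot: replacing the body of authorize_logging_time_for_other_users with "return true" removes the :log_time_for_other_users permission check for every caller, not only for the admin case in the report, so any request that reaches this filter can submit a time_entry[user_id] other than its own id. Keep the removed condition and look instead at what @project holds when User.current.allowed_to?(:log_time_for_other_users, @project) is evaluated for an API request; as written the change is only usable as a local workaround on a trusted instance.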

0001-Fix-creating-time-tracking-entry-through-rest-API-do.patch (2.32 KB) Marius BALTEANU, 2020-01-12 23:51


Related issues

Related to Redmine - Feature #3848: Permission to log time for another user Closed 2009-09-11

History

#1 Updated by Marius BALTEANU 10 days ago

#2 Updated by Marius BALTEANU 10 days ago

#3 Updated by Marius BALTEANU 10 days ago

  • Related to Feature #3848: Permission to log time for another user added

#4 Updated by Marius BALTEANU 10 days ago

  • Status changed from New to Confirmed
  • Assignee set to Marius BALTEANU
  • Target version set to 4.1.1

#5 Updated by Marius BALTEANU 10 days ago

authorize_logging_time_for_other_users returns false because @project is not set yet. Both methods find_optional_issue and find_optional_project from TimelogController expect :issue_id and :project_id only as root params, not nested params (inside :time_entry).

The fix strictly for this case was to override method find_optional_project in order to accept also params[:time_entry][:project_id]. All tests pass.

Jean-Philippe, could you review the fix, please? Also, should we do the same change for find_optional_issue as well?
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
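
A small Ruby model of the cause described in comment #5, added here as an example; it is not Redmine's code and not the attached patch. The User struct, the two lookup helpers and the sample request are hypothetical, and the model assumes that an admin is allowed in any resolved project and that a missing project means deny.

```ruby
# Constructed model of the filter discussed in this issue; not Redmine code.
# Assumption: admins pass in any resolved project, a nil project always denies.
User = Struct.new(:id, :admin, :perms) do
  # perms maps project_id => array of permission symbols
  def allowed_to?(permission, project_id)
    return false if project_id.nil? # no project context, so the check fails
    admin || perms.fetch(project_id, []).include?(permission)
  end
end

# Root-only lookup: ignores ids nested under 'time_entry' (the reported case).
def project_id_root_only(params)
  params['project_id']
end

# Lookup that also accepts the nested form sent in the API request body.
def project_id_with_nested(params)
  params['project_id'] || params.dig('time_entry', 'project_id')
end

# The permission check stays intact; only the project lookup is swapped.
def authorize(user, params, lookup)
  target = params.dig('time_entry', 'user_id')
  return :ok if target.nil? || target.to_i == user.id
  allowed = user.allowed_to?(:log_time_for_other_users, send(lookup, params))
  allowed ? :ok : :forbidden
end

# Shape of the workaround in the description: the check is gone for everyone.
def authorize_workaround(_user, _params)
  :ok
end

# Constructed sample data: an admin, a plain member, and a nested API request.
ADMIN  = User.new(1, true, {})
MEMBER = User.new(2, false, { 10 => [:log_time] })
API_REQUEST = { 'time_entry' => { 'project_id' => 10, 'user_id' => '3', 'hours' => 1 } }

if __FILE__ == $PROGRAM_NAME
  puts authorize(ADMIN, API_REQUEST, :project_id_root_only)    # admin gets 403
  puts authorize(ADMIN, API_REQUEST, :project_id_with_nested)  # admin allowed
  puts authorize(MEMBER, API_REQUEST, :project_id_with_nested) # member still denied
  puts authorize_workaround(MEMBER, API_REQUEST)               # member allowed
end
```

The last call shows why the workaround is broader than the bug: it lets a member without :log_time_for_other_users log time for user 3, while the nested lookup keeps that request forbidden.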

#6 Updated by Marius BALTEANU 10 days ago

  • Subject changed from Creating time tracking entry through rest API doesn't behaviour like the user interface to Creating time tracking entry for other user through rest API doesn't work

#7 Updated by Valdir Stiebe Junior 10 days ago

Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?

It works for us. Thank you!
