Creating time tracking entry for other user through rest API doesn't work
Trying to create a time tracking entry for another user through the REST API with an admin user without a role, not a member of the project.
I'm getting a forbidden 403 return.
Maybe this is related to #3848.
However, through the user interface it works ok.
I've created a workaround for my scripts with the following patch.
--- app/controllers/timelog_controller.rb +++ app/controllers/timelog_controller.rb @@ -256,16 +256,13 @@ render_403 return false end end def authorize_logging_time_for_other_users - if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i != User.current.id - render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403 - return false - end + return true end def find_time_entries @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]). preload(:project => :time_entry_activities). preload(:user).to_a
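Review bot: in authorize_logging_time_for_other_users, replacing the whole condition with `return true` drops the :log_time_for_other_users permission check for every caller, not only for the admin account that received the 403, so any request that reaches this filter can carry a time_entry user_id different from User.current.id. Keep the removed condition and correct the input it evaluates (@project) instead, or limit the bypass to the single case that needs it, so that users without the permission are still refused.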
#5 Updated by Marius BALTEANU 10 days ago
- File 0001-Fix-creating-time-tracking-entry-through-rest-API-do.patch added
- Assignee deleted (
authorize_logging_time_for_other_users returns false because
@project is not set yet. Both methods
:project_id only as root params, not nested params (inside
The fix strictly for this case was to override method
find_optional_project in order to accept also
params[:time_entry][:project_id]. All tests pass.
Jean-Philippe, could you review the fix, please? Also, we should do the same change for
find_optional_issue as well?
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
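
A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from Redmine or from either patch: it compares the root-only project lookup, the nested lookup the fix describes, and the `return true` workaround. The `User` struct, the `PROJECTS` table, the rule that a missing project fails the check, the `find_project_*` and `authorize_workaround` helpers and the request body are all assumptions.

```ruby
# Simplified stand-in for the controller filters discussed in this thread.
# Everything here is constructed for illustration; it is not Redmine's code.
User = Struct.new(:id, :admin, :permissions) do
  # Assumption: with no project in context the check fails, even for an admin.
  def allowed_to?(action, project)
    return false if project.nil?
    admin || permissions.include?(action)
  end
end

PROJECTS = { 1 => 'demo' }.freeze # constructed sample data

# Reads :project_id from the root params only (the behaviour the thread describes).
def find_project_root_only(params)
  PROJECTS[params['project_id'].to_i]
end

# Also accepts the nested time_entry[project_id] (the approach the fix describes).
def find_project_with_nested(params)
  id = params['project_id'] || params.dig('time_entry', 'project_id')
  PROJECTS[id.to_i]
end

# Same condition as the lines the workaround removes; returns an HTTP status.
def authorize_logging_time_for_other_users(user, project, params)
  target = params.dig('time_entry', 'user_id').to_s
  if !user.allowed_to?(:log_time_for_other_users, project) &&
     !target.empty? && target.to_i != user.id
    return 403
  end
  201
end

# The workaround: the permission check is gone for every caller.
def authorize_workaround(_user, _project, _params)
  201
end

ADMIN   = User.new(1, true, [])
MEMBER  = User.new(2, false, [:log_time]) # lacks :log_time_for_other_users
REQUEST = { 'time_entry' => { 'project_id' => '1', 'user_id' => '3' } }.freeze # constructed API body

[ADMIN, MEMBER].each do |u|
  root   = authorize_logging_time_for_other_users(u, find_project_root_only(REQUEST), REQUEST)
  nested = authorize_logging_time_for_other_users(u, find_project_with_nested(REQUEST), REQUEST)
  puts "user #{u.id}: root-only=#{root} nested=#{nested} workaround=#{authorize_workaround(u, nil, REQUEST)}"
end
```

With the nested lookup the admin is accepted and the member without the permission is still refused; with the workaround both are accepted.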