Defect #32774

Creating time tracking entry for other user through rest API fails with 403

Added by Valdir Stiebe Junior 11 months ago. Updated 8 months ago.

Status: Closed
Priority: Normal
Assignee: Jean-Philippe Lang
Category: Time tracking
Target version: 4.1.1
Start date:
Due date:
% Done: 0%
Resolution: Fixed
Affected version: 4.1.0

Description

Trying to create a time tracking entry for another user through the REST API with an admin user that has no role and is not a member of the project,
I'm getting a 403 Forbidden response.
Maybe this is related to #3848.

However, through the user interface it works ok.

I've created a workaround for my scripts with the following patch.

--- app/controllers/timelog_controller.rb
+++ app/controllers/timelog_controller.rb
@@ -256,16 +256,13 @@
       render_403
       return false
     end
   end

   def authorize_logging_time_for_other_users
-    if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i != User.current.id
-      render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403
-      return false
-    end
+    return true
   end

   def find_time_entries
     @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).
       preload(:project => :time_entry_activities).
       preload(:user).to_a
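
Review bot: the replacement body `return true` drops the `:log_time_for_other_users` check for every caller, so any user who can log time at all can now log time on behalf of any other user simply by setting `time_entry[user_id]`; that is an authorization bypass rather than a fix, and it must not be applied on a shared instance. The 403 comes from `@project` being nil at the point this filter runs because the project id arrives nested under `time_entry` (comment #5), so keep the removed lines and instead make `find_optional_project` fall back to `params[:time_entry][:project_id]` before `authorize_logging_time_for_other_users` is evaluated.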

0001-Fix-creating-time-tracking-entry-through-rest-API-do.patch (2.32 KB) Marius BALTEANU, 2020-01-12 23:51


Related issues

Related to Redmine - Feature #3848: Permission to log time for another user (Closed, 2009-09-11)

Associated revisions

Revision 19669
Added by Jean-Philippe Lang 8 months ago

Creating time tracking entry for other user through rest API fails with 403 (#32774).

Patch by Marius BALTEANU.

Revision 19670
Added by Jean-Philippe Lang 8 months ago

Creating time tracking entry for other user through rest API fails with 403 (#32774).

Revision 19676
Added by Jean-Philippe Lang 8 months ago

Creating time tracking entry for other user through rest API fails with 403 (#32774).

Revision 19677
Added by Jean-Philippe Lang 8 months ago

Set time entry author in controller (#32774).

Revision 19678
Added by Jean-Philippe Lang 8 months ago

Don't use User.current in TimeEntryImport model but #user instead (#32774).

Revision 19679
Added by Jean-Philippe Lang 8 months ago

Merged r19676 to r19678 to 4.1-stable (#32774).

History

#1 Updated by Marius BALTEANU 11 months ago

#2 Updated by Marius BALTEANU 11 months ago

#3 Updated by Marius BALTEANU 11 months ago

  • Related to Feature #3848: Permission to log time for another user added

#4 Updated by Marius BALTEANU 11 months ago

  • Status changed from New to Confirmed
  • Assignee set to Marius BALTEANU
  • Target version set to 4.1.1

#5 Updated by Marius BALTEANU 11 months ago

authorize_logging_time_for_other_users returns false because @project is not set yet. Both methods find_optional_issue and find_optional_project from TimelogController expect :issue_id and :project_id only as root params, not as nested params (inside :time_entry).

The fix strictly for this case was to override the method find_optional_project in order to also accept params[:time_entry][:project_id]. All tests pass.

Jean-Philippe, could you review the fix, please? Also, should we do the same change for find_optional_issue as well?
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
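
The nil-@project path described in the comment above, as an added example that is not Redmine's own code: a reduced Ruby model of the find_optional_project and authorize_logging_time_for_other_users filters. It shows that the same request passes when the project id is at the root (the UI form) and fails with a 403 when it is nested under time_entry (the REST API), that the fallback to params[:time_entry][:project_id] repairs the admin case, and that, unlike the `return true` workaround in the description, it still refuses an ordinary member who tries to log time for someone else. The names Project, User, TimelogFilters and time_entry_create and all fixture data are constructed for this example; the modelled allowed_to? behaviour (an admin is allowed on any Project context, nobody is allowed on a nil context unless a global check is requested) is an assumption based on Redmine 4.1's User#allowed_to?.

```ruby
# Added example, not Redmine code: a reduced model of the TimelogController
# filters involved in #32774.
require 'set'

# Constructed stand-in for the Redmine Project model.
Project = Struct.new(:id, :member_ids)

class User
  attr_reader :id

  def initialize(id, admin: false, permissions: [])
    @id = id
    @admin = admin
    @permissions = Set.new(permissions)
  end

  def admin?
    @admin
  end

  # Assumption modelled on Redmine 4.1's User#allowed_to?: an admin is allowed
  # anything on a Project context, a non-admin needs membership plus the
  # permission, and a nil context grants nothing unless a global check is
  # explicitly requested. This nil branch is what produced the 403.
  def allowed_to?(action, project, global: false)
    if project
      return true if admin?
      project.member_ids.include?(id) && @permissions.include?(action)
    elsif global
      admin? || @permissions.include?(action)
    else
      false
    end
  end
end

class TimelogFilters
  # nested_lookup: false reproduces 4.1.0 (root :project_id only);
  # nested_lookup: true applies the fallback proposed in comment #5;
  # skip_check: true reproduces the `return true` workaround from the report.
  def initialize(projects, user, params, nested_lookup: false, skip_check: false)
    @projects = projects
    @user = user
    @params = params
    @nested_lookup = nested_lookup
    @skip_check = skip_check
    @project = nil
  end

  def find_optional_project
    pid = @params[:project_id]
    pid ||= @params.dig(:time_entry, :project_id) if @nested_lookup
    @project = @projects[pid.to_i] if pid
  end

  # Same decision as the original filter: only a request that names another
  # user needs the :log_time_for_other_users permission on @project.
  def authorize_logging_time_for_other_users
    return :ok if @skip_check
    target = @params.dig(:time_entry, :user_id)
    return :ok if target.nil? || target.to_i == @user.id
    return :ok if @user.allowed_to?(:log_time_for_other_users, @project)
    :forbidden_403
  end

  def run
    find_optional_project
    authorize_logging_time_for_other_users
  end
end

# Constructed fixture: project 1 has users 2 and 3 as members; user 1 is an
# admin who is not a member; user 3 can log time but only for themselves.
PROJECTS = { 1 => Project.new(1, [2, 3]) }
ADMIN    = User.new(1, admin: true)
MEMBER   = User.new(3, permissions: [:log_time])
TARGET   = '2'

# What the UI form sends versus what a REST client sends.
UI_PARAMS   = { project_id: '1', time_entry: { user_id: TARGET, hours: '1' } }
REST_PARAMS = { time_entry: { project_id: '1', user_id: TARGET, hours: '1' } }

def time_entry_create(params, user, nested_lookup: false, skip_check: false)
  TimelogFilters.new(PROJECTS, user, params,
                     nested_lookup: nested_lookup, skip_check: skip_check).run
end

if __FILE__ == $PROGRAM_NAME
  puts "UI form, admin, 4.1.0:          #{time_entry_create(UI_PARAMS, ADMIN)}"
  puts "REST, admin, 4.1.0:             #{time_entry_create(REST_PARAMS, ADMIN)}"
  puts "REST, admin, fallback fix:      #{time_entry_create(REST_PARAMS, ADMIN, nested_lookup: true)}"
  puts "REST, member, fallback fix:     #{time_entry_create(REST_PARAMS, MEMBER, nested_lookup: true)}"
  puts "REST, member, return-true hack: #{time_entry_create(REST_PARAMS, MEMBER, skip_check: true)}"
end
```

The last two lines of output are the point for a reviewer: the fallback keeps refusing a member who lacks :log_time_for_other_users, whereas the `return true` workaround lets that same member log time for anyone.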

#6 Updated by Marius BALTEANU 11 months ago

  • Subject changed from Creating time tracking entry through rest API doesn't behaviour like the user interface to Creating time tracking entry for other user through rest API doesn't work

#7 Updated by Valdir Stiebe Junior 11 months ago

Marius BALTEANU wrote:

Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?

It works for us. Thank you!

#8 Updated by Go MAEDA 9 months ago

  • Assignee set to Jean-Philippe Lang

#9 Updated by Jean-Philippe Lang 8 months ago

  • Subject changed from Creating time tracking entry for other user through rest API doesn't work to Creating time tracking entry for other user through rest API fails with 403
  • Status changed from Confirmed to Resolved
  • Resolution set to Fixed

Committed, thanks.

Marius BALTEANU wrote:

Also, should we do the same change for find_optional_issue as well?

Good point, I've fixed find_optional_issue in r19670.

#10 Updated by Jean-Philippe Lang 8 months ago

  • Status changed from Resolved to New
  • Resolution deleted (Fixed)

I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.

#11 Updated by Marius BALTEANU 8 months ago

Jean-Philippe Lang wrote:

I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.

Ok, please let me know if you need my help on this.

#12 Updated by Jean-Philippe Lang 8 months ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fix committed.

#13 Updated by Marius BALTEANU 8 months ago

Jean-Philippe Lang wrote:

Fix committed.

Thanks, Jean-Philippe, for fixing this issue; it seems that I've added some bad lines of code. I'll add a patch in the following weeks to remove the method set_author_if_nil from the TimeEntry model.
