Defect #13274
openREST API cannot retrieve some time entries by ID although shown in full listing
0%
Description
Setup: There is one user, which we will call "user1." Also there is "admin." There are projects A and B. User1 has the "developer" role on project A and both the "developer" and "manager" roles on project B. Admin is not assigned any roles on either project. Role permissions have not been changed from the defaults. The system contains 4 time entries, 2 created by user1 and 2 created by admin.
With admin's login (using HTTP basic auth) I can retrieve the full time entry list as well as the individual time entries by ID.
Here's the strange part: Using user1's login I can get the full time entry list but only retrieve 1 time entry by its ID number. As user1, calling "/time_entries.xml" returns all 4 time entries. However, loading each time entry individually by ID (e.g., via "time_entries/1.xml"), I can only get 1 of them, which was one created by admin for an issue residing in project B. The other 3 time entries, which reside in project A, return HTTP 403 Forbidden with an empty body, even though I can view the contents of these entries in the full list. Additionally user1 can see all 4 time entries through the normal web UI.
For the above tests I used HTTP basic auth however I have also tried using the REST API key of each user respectively by appending ?key=X to the URL. I did not try all the scenarios with the key URL parameter authentication form but the ones I did try were consistent with the basic auth results. Also I tried using .json--again I did not test all the combinations but the results seem to be the same as the .xml results.
I have a log entry like this for each attempt:
Started GET "/redmine/time_entries/3.xml" for 192.168.1.69 at 2013-02-24 22:53:52 -0600 Processing by TimelogController#show as XML Parameters: {"id"=>"3"} Current user: chad (id=3) Filter chain halted as :find_time_entry rendered or redirected Completed 403 Forbidden in 34ms (ActiveRecord: 25.6ms)
Redmine version is 2.2.3.stable. No plugins. Pretty much a vanilla setup. Using Apache HTTP Server and Passenger. MySQL is 5.5.29.
root@vb-ubuntu:/usr/local/share/redmine/log# RAILS_ENV=production rake about (in /usr/local/share/redmine-2.2.3) About your application's environment Ruby version 1.9.3 (x86_64-linux) RubyGems version 1.8.23 Rack version 1.4 Rails version 3.2.12 Active Record version 3.2.12 Action Pack version 3.2.12 Active Resource version 3.2.12 Action Mailer version 3.2.12 Active Support version 3.2.12 Middleware Rack::Cache, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x000000028b9fc8>, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Callbacks, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, ActionDispatch::ParamsParser, ActionDispatch::Head, Rack::ConditionalGet, Rack::ETag, ActionDispatch::BestStandardsSupport, OpenIdAuthentication Application root /usr/local/share/redmine-2.2.3 Environment production Database adapter mysql2 Database schema version 20121026003537
From the Information section of the Administration area in the web UI:
Environment: Redmine version 2.2.3.stable Ruby version 1.9.3 (x86_64-linux) Rails version 3.2.12 Environment production Database adapter Mysql2 Redmine plugins: no plugin installed
The server is on Ubuntu 12.10. API tested using Firefox 19.0 and IE 9.0 on a separate Windows machine as well as with Firefox 19.0 locally on the server.
No data to display