Defect #32774
Creating time tracking entry for other user through rest API fails with 403
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Time tracking | | |
| Target version: | 4.1.1 | | |
| Resolution: | Fixed | Affected version: | 4.1.0 |
Description
Trying to create a time tracking entry for another user through the REST API with an admin user that has no role and is not a member of the project.
I'm getting a 403 Forbidden response.
Maybe this is related to #3848.
However, through the user interface it works ok.
I've created a workaround for my scripts with the following patch.
--- app/controllers/timelog_controller.rb +++ app/controllers/timelog_controller.rb @@ -256,16 +256,13 @@ render_403 return false end end def authorize_logging_time_for_other_users - if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i != User.current.id - render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403 - return false - end + return true end def find_time_entries @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]). preload(:project => :time_entry_activities). preload(:user).to_a
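Review bot: the hunk replaces the whole body of authorize_logging_time_for_other_users with `return true`, which removes the permission check instead of fixing why it fails, so with this applied any user can log time for any other user through the API. The visible condition fails at `User.current.allowed_to?(:log_time_for_other_users, @project)` when @project is nil, and comment #5 traces that to find_optional_project reading only the root :project_id; the change belongs there (also accept params[:time_entry][:project_id]) so the check still runs against the resolved project. Dropping `render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403` and `return false` also means the method never halts the filter chain on denial.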
Related issues
Associated revisions
Creating time tracking entry for other user through rest API fails with 403 (#32774).
Patch by Marius BALTEANU.
Creating time tracking entry for other user through rest API fails with 403 (#32774).
Creating time tracking entry for other user through rest API fails with 403 (#32774).
Set time entry author in controller (#32774).
Don't use User.current in TimeEntryImport model but #user instead (#32774).
History
#1
Updated by Marius BALTEANU about 1 year ago
- Related to Feature #6486: Log time for other users added
#2
Updated by Marius BALTEANU about 1 year ago
- Related to deleted (Feature #6486: Log time for other users)
#3
Updated by Marius BALTEANU about 1 year ago
- Related to Feature #3848: Permission to log time for another user added
#4
Updated by Marius BALTEANU about 1 year ago
- Status changed from New to Confirmed
- Assignee set to Marius BALTEANU
- Target version set to 4.1.1
#5
Updated by Marius BALTEANU about 1 year ago
- File 0001-Fix-creating-time-tracking-entry-through-rest-API-do.patch added
- Assignee deleted (Marius BALTEANU)
authorize_logging_time_for_other_users returns false because @project is not set yet. Both methods find_optional_issue and find_optional_project from TimelogController expect :issue_id and :project_id only as root params, not as nested params (inside :time_entry).
The fix strictly for this case was to override the method find_optional_project in order to also accept params[:time_entry][:project_id]. All tests pass.
Jean-Philippe, could you review the fix, please? Also, should we do the same change for find_optional_issue as well?
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
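As an added example (not Redmine's code and not the patch attached to this issue), the following Ruby stand-in models the before-action order described in the comment above: find_optional_project reading only the root project_id, the nested time_entry[project_id] that the REST API sends, and a permission check that, like Redmine's User#allowed_to?, answers false when the project context is nil. The User and TimelogStandIn classes, the sample params and the permitted-project list are constructed for the demonstration and are assumptions, not Redmine's implementation.

```ruby
# Added example (not Redmine's code): a minimal stand-in for the
# TimelogController before-action chain, showing why the REST API
# request ended in 403 while the UI form worked, and what the fix changes.
# Assumptions: a toy User#allowed_to? that (like Redmine's) answers false
# when the project context is nil; params are plain hashes with string keys.

require 'set'

class User
  attr_reader :id

  def initialize(id, permitted_projects: [])
    @id = id
    # Project ids where :log_time_for_other_users is granted (constructed).
    @permitted = permitted_projects.to_set
  end

  # Simplified model: with no project context there is nothing to check
  # against, so the answer is false; Redmine behaves the same unless the
  # :global option is requested.
  def allowed_to?(_action, project)
    return false if project.nil?

    @permitted.include?(project)
  end
end

class TimelogStandIn
  def initialize(current_user, params, nested_project_lookup: false)
    @user = current_user
    @params = params
    @nested = nested_project_lookup
  end

  # Original behaviour: only the root project_id is consulted.
  # Fixed behaviour (nested_project_lookup: true): fall back to
  # params['time_entry']['project_id'], which is where the REST API puts it.
  def find_optional_project
    id = @params['project_id']
    if id.nil? && @nested && @params['time_entry']
      id = @params['time_entry']['project_id']
    end
    @project = id&.to_i
  end

  # Mirrors the check quoted in the issue: :forbidden when logging time
  # for someone else without the permission in the resolved project.
  def authorize_logging_time_for_other_users
    te = @params['time_entry']
    other = te && te['user_id'] && te['user_id'].to_i != @user.id
    return :ok unless other

    @user.allowed_to?(:log_time_for_other_users, @project) ? :ok : :forbidden
  end

  def create
    find_optional_project
    authorize_logging_time_for_other_users
  end
end

# Constructed sample requests: the UI form posts project_id at the root,
# the REST API nests it inside time_entry.
UI_PARAMS  = { 'project_id' => '7', 'time_entry' => { 'user_id' => '42', 'hours' => '1' } }.freeze
API_PARAMS = { 'time_entry' => { 'project_id' => '7', 'user_id' => '42', 'hours' => '1' } }.freeze

# Runs one request as user 1, who holds the permission in the projects listed.
def outcome(params, nested: false, permitted: [7])
  user = User.new(1, permitted_projects: permitted)
  TimelogStandIn.new(user, params, nested_project_lookup: nested).create
end

if __FILE__ == $PROGRAM_NAME
  puts "UI form:                         #{outcome(UI_PARAMS)}"
  puts "REST API, original lookup:       #{outcome(API_PARAMS)}"
  puts "REST API, nested lookup:         #{outcome(API_PARAMS, nested: true)}"
  puts "REST API, nested, no permission: #{outcome(API_PARAMS, nested: true, permitted: [])}"
end
```

Running it shows the UI form passing, the original API request being refused because the project is never resolved, and the nested lookup passing while still denying a user without the permission, which is the difference between this fix and the `return true` workaround in the description.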
#6
Updated by Marius BALTEANU about 1 year ago
- Subject changed from Creating time tracking entry through rest API doesn't behaviour like the user interface to Creating time tracking entry for other user through rest API doesn't work
#7
Updated by Valdir Stiebe Junior about 1 year ago
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
It works for us. Thank you!
#8
Updated by Go MAEDA about 1 year ago
- Assignee set to Jean-Philippe Lang
#9
Updated by Jean-Philippe Lang 11 months ago
- Subject changed from Creating time tracking entry for other user through rest API doesn't work to Creating time tracking entry for other user through rest API fails with 403
- Status changed from Confirmed to Resolved
- Resolution set to Fixed
Committed, thanks.
Marius BALTEANU wrote:
Also, should we do the same change for find_optional_issue as well?
Good point, I've fixed find_optional_issue in r19670.
#10
Updated by Jean-Philippe Lang 11 months ago
- Status changed from Resolved to New
- Resolution deleted (Fixed)
I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.
#11
Updated by Marius BALTEANU 11 months ago
Jean-Philippe Lang wrote:
I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.
Ok, please let me know if you need my help on this.
#12
Updated by Jean-Philippe Lang 11 months ago
- Status changed from New to Closed
- Resolution set to Fixed
Fix committed.
#13
Updated by Marius BALTEANU 11 months ago
Jean-Philippe Lang wrote:
Fix committed.
Thanks Jean-Philippe for fixing this issue, it seems that I've added some bad lines of code. I'll add in the following weeks a patch to remove the method set_author_if_nil from the TimeEntry model.