Defect #32774
Creating time tracking entry for other user through rest API fails with 403
Status: Closed
Description
Trying to create a time tracking entry for another user through the REST API with an admin user that has no role on the project (not a member).
I'm getting a 403 Forbidden response.
Maybe this is related to #3848.
However, through the user interface it works OK.
I've created a workaround for my scripts with the following patch.
--- app/controllers/timelog_controller.rb +++ app/controllers/timelog_controller.rb @@ -256,16 +256,13 @@ render_403 return false end end def authorize_logging_time_for_other_users - if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i != User.current.id - render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403 - return false - end + return true end def find_time_entries @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]). preload(:project => :time_entry_activities). preload(:user).to_a
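Review bot: replacing the whole body of authorize_logging_time_for_other_users with `return true` removes the :log_time_for_other_users check for every request, not only the admin/REST case described above, so any user who may create a time entry can submit time_entry[user_id] for someone else and the server will accept it. The deleted condition is `if !User.current.allowed_to?(:log_time_for_other_users, @project) && ... params['time_entry']['user_id'].to_i != User.current.id`, and the 403 comes from that call being evaluated while @project is still nil (the REST payload carries project_id nested under time_entry, where find_optional_project does not look). The safer workaround is to make the project lookup that runs before this filter also read params[:time_entry][:project_id] and leave this check untouched, rather than turning the filter into an unconditional allow.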
Updated by Marius BĂLTEANU almost 5 years ago
- Related to Feature #6486: Log time for other users added
Updated by Marius BĂLTEANU almost 5 years ago
- Related to deleted (Feature #6486: Log time for other users)
Updated by Marius BĂLTEANU almost 5 years ago
- Related to Feature #3848: Permission to log time for another user added
Updated by Marius BĂLTEANU almost 5 years ago
- Status changed from New to Confirmed
- Assignee set to Marius BĂLTEANU
- Target version set to 4.1.1
Updated by Marius BĂLTEANU almost 5 years ago
- File 0001-Fix-creating-time-tracking-entry-through-rest-API-do.patch added
- Assignee deleted (Marius BĂLTEANU)
authorize_logging_time_for_other_users returns false because @project is not set yet. Both methods find_optional_issue and find_optional_project from TimelogController expect :issue_id and :project_id only as root params, not as nested params (inside :time_entry).
The fix strictly for this case was to override method find_optional_project in order to also accept params[:time_entry][:project_id]. All tests pass.
Jean-Philippe, could you review the fix, please? Also, should we do the same change for find_optional_issue as well?
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
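To make the failure mode described above concrete, here is an added, stand-alone Ruby model of the flow (example code written for this page, not Redmine's own TimelogController or User model; the Project and User structs, the permission table, the finder and authorizer method names and the request hashes are constructed assumptions). It shows the root-only finder returning nil for a REST payload whose project_id sits under time_entry, which makes the permission check fail even for a user who holds :log_time_for_other_users, while a nested-aware finder resolves the project and the check then gives the right answer in both directions. The reporter's workaround is included for contrast, because it lets through a user who lacks the permission.

```ruby
# Added example, not Redmine code: a minimal model of the authorization path
# discussed in #32774. Everything below (structs, permission table, params)
# is a constructed assumption that mirrors the thread's description, not
# Redmine's actual User#allowed_to? or TimelogController implementation.

Project = Struct.new(:id, :identifier)
PROJECTS = { 1 => Project.new(1, "demo") }.freeze # constructed sample project

# Stand-in for User#allowed_to?: permissions are held per project, so with no
# project to look them up against the answer is false. This is the situation
# the thread describes when @project has not been set yet.
User = Struct.new(:id, :permissions_by_project) do
  def allowed_to?(permission, project)
    return false if project.nil?
    permissions_by_project.fetch(project.id, []).include?(permission)
  end
end

# Original behaviour: only a root-level :project_id is honoured.
def find_optional_project_root_only(params)
  id = params[:project_id]
  PROJECTS[id.to_i] if id
end

# Behaviour of the patch Marius describes: also accept time_entry[project_id].
def find_optional_project_nested(params)
  id = params[:project_id] || params.dig(:time_entry, :project_id)
  PROJECTS[id.to_i] if id
end

# The check that produced the 403: logging time for someone else requires
# :log_time_for_other_users on the resolved project. Returns :ok or
# [403, message] so the caller can render the error.
def authorize_logging_time_for_other_users(user, project, params)
  entry = params[:time_entry]
  for_other_user = entry && entry[:user_id] && entry[:user_id].to_i != user.id
  if for_other_user && !user.allowed_to?(:log_time_for_other_users, project)
    return [403, "not allowed to log time for other users"]
  end
  :ok
end

# The reporter's workaround, kept for contrast: no check at all.
def authorize_workaround(_user, _project, _params)
  :ok
end

# Runs the two before_action steps in controller order: resolve the project,
# then authorize. `finder` and `authorizer` are Method objects.
def rest_outcome(finder, authorizer, user, params)
  project = finder.call(params)
  authorizer.call(user, project, params)
end

# Constructed users: MANAGER may log time for others on project 1, REPORTER may not.
MANAGER  = User.new(1, { 1 => [:log_time, :log_time_for_other_users] })
REPORTER = User.new(2, { 1 => [:log_time] })

# REST-style payloads: everything nested under time_entry, as an API client sends it.
MANAGER_FOR_REPORTER = { time_entry: { project_id: "1", user_id: "2", hours: "1.5" } }
REPORTER_FOR_MANAGER = { time_entry: { project_id: "1", user_id: "1", hours: "1.5" } }

if __FILE__ == $PROGRAM_NAME
  root   = method(:find_optional_project_root_only)
  nested = method(:find_optional_project_nested)
  check  = method(:authorize_logging_time_for_other_users)
  bypass = method(:authorize_workaround)

  p rest_outcome(root,   check,  MANAGER,  MANAGER_FOR_REPORTER) # [403, ...]: @project is nil
  p rest_outcome(nested, check,  MANAGER,  MANAGER_FOR_REPORTER) # :ok
  p rest_outcome(nested, check,  REPORTER, REPORTER_FOR_MANAGER) # [403, ...]: lacks permission
  p rest_outcome(nested, bypass, REPORTER, REPORTER_FOR_MANAGER) # :ok, the hole the workaround opens
end
```

The first call reproduces the report: the manager does hold the permission, but the check is asked about a nil project and denies. The last call is why the reporter's workaround is not a fix: it answers :ok for a user who only has :log_time, whereas the nested-aware finder keeps the denial for that user and clears the manager.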
Updated by Marius BĂLTEANU almost 5 years ago
- Subject changed from Creating time tracking entry through rest API doesn't behaviour like the user interface to Creating time tracking entry for other user through rest API doesn't work
Updated by Valdir Stiebe Junior almost 5 years ago
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
It works for us. Thank you!
Updated by Jean-Philippe Lang almost 5 years ago
- Subject changed from Creating time tracking entry for other user through rest API doesn't work to Creating time tracking entry for other user through rest API fails with 403
- Status changed from Confirmed to Resolved
- Resolution set to Fixed
Committed, thanks.
Marius BALTEANU wrote:
Also, should we do the same change for find_optional_issue as well?
Good point, I've fixed find_optional_issue in r19670.
Updated by Jean-Philippe Lang almost 5 years ago
- Status changed from Resolved to New
- Resolution deleted (Fixed)
I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.
Updated by Marius BĂLTEANU almost 5 years ago
Jean-Philippe Lang wrote:
I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.
Ok, please let me know if you need my help on this.
Updated by Jean-Philippe Lang almost 5 years ago
- Status changed from New to Closed
- Resolution set to Fixed
Fix committed.
Updated by Marius BĂLTEANU almost 5 years ago
Jean-Philippe Lang wrote:
Fix committed.
Thanks Jean-Philippe for fixing this issue, it seems that I've added some bad lines of code. I'll add in the following weeks a patch to remove the method set_author_if_nil from the TimeEntry model.