Defect #32774
closed
Creating time tracking entry for other user through rest API fails with 403
Added by Valdir Stiebe Junior almost 5 years ago.
Updated almost 5 years ago.
Description
Trying to create a time tracking entry for another user through the REST API with an admin user who has no role and is not a member of the project.
I'm getting a 403 Forbidden response.
Maybe this is related to #3848.
However, through the user interface it works OK.
I've created a workaround for my scripts with the following patch.
--- app/controllers/timelog_controller.rb
+++ app/controllers/timelog_controller.rb
@@ -256,16 +256,13 @@
render_403
return false
end
end
def authorize_logging_time_for_other_users
- if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i != User.current.id
- render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403
- return false
- end
+ return true
end
def find_time_entries
@time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).
preload(:project => :time_entry_activities).
preload(:user).to_a
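Review bot: Replacing the body of authorize_logging_time_for_other_users with a bare `return true` removes the permission check entirely, so after this patch any user, not only the admin in the report, can submit a time_entry with a foreign user_id and have it accepted. The 403 described in the issue comes from @project not being resolved when the check runs (the REST payload nests project_id under time_entry), so the change belongs in how the project is looked up before this method executes, keeping the `User.current.allowed_to?(:log_time_for_other_users, @project)` condition and the `render_error ... :status => 403` path intact. If this must stay as a local workaround, a comment saying so would at least flag it for removal.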
- Related to Feature #3848: Permission to log time for another user added
- Status changed from New to Confirmed
- Assignee set to Marius BĂLTEANU
- Target version set to 4.1.1
authorize_logging_time_for_other_users returns false because @project is not set yet. Both methods find_optional_issue and find_optional_project from TimelogController expect :issue_id and :project_id only as root params, not nested params (inside :time_entry).
The fix strictly for this case was to override method find_optional_project in order to accept also params[:time_entry][:project_id]. All tests pass.
Jean-Philippe, could you review the fix, please? Also, we should do the same change for find_optional_issue as well?
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
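A simplified Ruby model of the sequence described above, added here as an illustration and not code from Redmine: User, the two finders and the authorize helpers are constructed stand-ins, and the assumption that allowed_to? denies when no project has been resolved follows the explanation in this comment.

```ruby
# Simplified, self-contained model of the flow this issue describes. Constructed
# stand-ins, not Redmine's code: User, the two project finders and the
# authorize helpers below only mirror the behaviour explained in the thread.

# Stand-in for User.current. Assumption taken from the comment above:
# allowed_to? cannot grant anything when no project has been resolved.
User = Struct.new(:id, :admin, :permissions) do
  def allowed_to?(permission, project)
    return false if project.nil?      # @project not set => check fails, even for admin
    return true if admin              # admin with no role on the project is otherwise allowed
    permissions.fetch(project, []).include?(permission)
  end
end

# Original find_optional_project: only the root :project_id is read, so a REST
# payload with project_id nested under time_entry resolves no project.
def find_optional_project_root_only(params)
  params[:project_id]
end

# The fix described in the thread: also accept params[:time_entry][:project_id].
def find_optional_project_fixed(params)
  params[:project_id] || params.dig(:time_entry, :project_id)
end

# The check from the '-' lines of the hunk: 403 when logging time for another
# user without :log_time_for_other_users on the resolved project.
def authorize_logging_time_for_other_users(user, params, project)
  target_user_id = params.dig(:time_entry, :user_id)
  if !user.allowed_to?(:log_time_for_other_users, project) &&
     target_user_id && target_user_id.to_i != user.id
    return :forbidden
  end
  :ok
end

# The reporter's workaround from the '+' line: the check is gone, so every
# caller passes, including non-admins logging time for other users.
def authorize_with_workaround(_user, _params, _project)
  :ok
end

# Run the controller sequence: resolve the project with the given finder, then
# apply the authorization check. Returns :ok or :forbidden.
def authorize(user, params, finder, check = method(:authorize_logging_time_for_other_users))
  check.call(user, params, finder.call(params))
end
```

With the fixed finder the admin's nested project_id is resolved and the check passes, while the workaround path shows a non-member logging time for another user being accepted.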
- Subject changed from Creating time tracking entry through rest API doesn't behaviour like the user interface to Creating time tracking entry for other user through rest API doesn't work
It works for us. Thank you!
- Assignee set to Jean-Philippe Lang
- Subject changed from Creating time tracking entry for other user through rest API doesn't work to Creating time tracking entry for other user through rest API fails with 403
- Status changed from Confirmed to Resolved
- Resolution set to Fixed
Committed, thanks.
Marius BALTEANU wrote:
Also, we should do the same change for find_optional_issue as well?
Good point, I've fixed find_optional_issue in r19670.
- Status changed from Resolved to New
- Resolution deleted (Fixed)
I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.
Jean-Philippe Lang wrote:
I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.
OK, please let me know if you need my help on this.
- Status changed from New to Closed
- Resolution set to Fixed
Jean-Philippe Lang wrote:
Fix committed.
Thanks, Jean-Philippe, for fixing this issue; it seems that I've added some bad lines of code. I'll add a patch in the following weeks to remove the method set_author_if_nil from the TimeEntry model.