
Vote #80587

Done

Creating time tracking entry for other user through rest API fails with 403

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Time tracking
Target version: 4.1.1
Start date: 2022/05/09
Due date:
% Done: 0%
Estimated time:

Description

Trying to create a time tracking entry for another user through the REST API with an admin user who has no role and is not a member of the project.
I'm getting a 403 Forbidden response.
Maybe this is related to #3848.

However, through the user interface it works ok.

I've created a workaround for my scripts with the following patch.

--- app/controllers/timelog_controller.rb
+++ app/controllers/timelog_controller.rb
@@ -256,16 +256,13 @@
       render_403
       return false
     end
   end
 
   def authorize_logging_time_for_other_users
-    if !User.current.allowed_to?(:log_time_for_other_users, @project) && params['time_entry'].present? && params['time_entry']['user_id'].present? && params['time_entry']['user_id'].to_i != User.current.id
-      render_error :message => l(:error_not_allowed_to_log_time_for_other_users), :status => 403
-      return false
-    end
+    return true
   end
 
   def find_time_entries
     @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).
       preload(:project => :time_entry_activities).
       preload(:user).to_a
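Review bot: replacing the body of `authorize_logging_time_for_other_users` with `return true` removes the `:log_time_for_other_users` check for every caller, not only the admin/REST case in the description, so any user allowed to create a time entry could attribute it to an arbitrary `time_entry[user_id]`; as a local workaround that may be acceptable, but the fix to merge should keep the `allowed_to?(:log_time_for_other_users, @project)` condition and instead make sure `@project` is resolved before this before_action runs.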

Journals

--------------------------------------------------------------------------------
@authorize_logging_time_for_other_users@ returns false because @@project@ is not set yet. Both methods @find_optional_issue@ and @find_optional_project@ from @TimelogController@ expect @:issue_id@ and @:project_id@ only as root params, not nested params (inside @:time_entry@).

The fix strictly for this case was to override method @find_optional_project@ in order to accept also @params[:time_entry][:project_id]@. All "tests":https://gitlab.com/redmine-org/redmine/pipelines/108752345 pass.

Jean-Philippe, could you review the fix, please? Also, should we make the same change for @find_optional_issue@ as well?
Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?
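As an added example (not Redmine's code and not the patch above), a stripped-down Ruby model of the before_action chain Marius describes, using hypothetical names User, TimelogRequest and status_for. It shows why the admin gets 403 when project_id is only inside the nested time_entry payload (a nil project context is denied regardless of admin status) and that accepting the nested project_id keeps the permission check working instead of removing it.

```ruby
class User
  attr_reader :id, :admin, :permissions
  def initialize(id:, admin: false, permissions: {})
    @id, @admin, @permissions = id, admin, permissions # permissions: {project_id => [perms]}
  end
  # Shaped like Redmine's allowed_to?: a nil project context is always denied
  # (which is why the admin hit 403), admins pass otherwise, everyone else
  # needs the permission on that specific project.
  def allowed_to?(perm, project)
    return false if project.nil?
    return true if admin
    permissions.fetch(project, []).include?(perm)
  end
end

class TimelogRequest
  attr_reader :params, :current_user, :project
  def initialize(params, current_user, nested_lookup: true)
    @params, @current_user, @nested_lookup = params, current_user, nested_lookup
  end
  # Old lookup: project_id only at the root of params (form posts).
  # Fixed lookup: also accept time_entry[:project_id], as REST API payloads send it.
  def find_optional_project
    @project = params[:project_id]
    @project ||= params.dig(:time_entry, :project_id) if @nested_lookup
  end
  # Same condition as the original before_action: deny only when the caller
  # lacks the permission and attributes the entry to someone else.
  def authorize_logging_time_for_other_users
    other = params.dig(:time_entry, :user_id)
    return 403 if other && other.to_i != current_user.id &&
                  !current_user.allowed_to?(:log_time_for_other_users, project)
    200
  end
  def create
    find_optional_project
    authorize_logging_time_for_other_users
  end
end

# Constructed sample: admin logging 1.5 h on behalf of user 7 via the API
# (project_id only inside the nested payload); MEMBER lacks the permission.
ADMIN  = User.new(id: 1, admin: true)
MEMBER = User.new(id: 2, permissions: { 5 => [:log_time] })
API_PARAMS = { time_entry: { project_id: 5, user_id: 7, hours: 1.5 } }.freeze
def status_for(user, params = API_PARAMS, nested_lookup: true)
  TimelogRequest.new(params, user, nested_lookup: nested_lookup).create
end
```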
--------------------------------------------------------------------------------
> Valdir Stiebe Junior, thanks for detecting and reporting the issue. Could you try the fix from the patch?

It works for us. Thank you!
--------------------------------------------------------------------------------
Committed, thanks.

Marius BALTEANU wrote:

> Also, we should do the same change for @find_optional_issue@ as well?

Good point, I've fixed @find_optional_issue@ in r19670.
--------------------------------------------------------------------------------
I've reverted the change and will work on another fix.
We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.
--------------------------------------------------------------------------------
Jean-Philippe Lang wrote:
> I've reverted the change and will work on another fix.
> We should not respond with 403 when submitting the form at /time_entries/new with a project or issue that is not OK.

Ok, please let me know if you need my help on this.
--------------------------------------------------------------------------------
Fix committed.
--------------------------------------------------------------------------------
Jean-Philippe Lang wrote:
> Fix committed.

Thanks Jean-Philippe for fixing this issue, it seems that I've added some bad lines of code. I'll add in the following weeks a patch to remove the method @set_author_if_nil@ from @TimeEntry@ model.
--------------------------------------------------------------------------------


Related issues

Relates to #3848 (Closed): Permission to log time for another user

Updated by Admin Redmine over 3 years ago

  • Category set to Time tracking
  • Target version set to 4.1.1
