Creating time tracking entry for other user through rest API fails with 403 (#32774).

git-svn-id: http://svn.redmine.org/redmine/trunk@19670 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-09 06:46:01 +01:00 · 2020-04-05 14:28:06 +00:00
parent ba27fe1b4e
commit 3fcaff3670
2 changed files with 23 additions and 5 deletions
--- a/test/integration/api_test/time_entries_test.rb
+++ b/test/integration/api_test/time_entries_test.rb
@@ -144,7 +144,7 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
    assert_select 'errors error', :text => "Hours cannot be blank"
  end

-  test "POST /time_entries.xml for other user" do
+  test "POST /time_entries.xml with :project_id for other user" do
    Role.find_by_name('Manager').add_permission! :log_time_for_other_users

    assert_difference 'TimeEntry.count' do
@@ -155,10 +155,27 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
            {:project_id => '1', :spent_on => '2010-12-02', :user_id => '3',
             :hours => '3.5', :activity_id => '11'}},
        :headers => credentials('jsmith'))
+      assert_response :created
    end
-    assert_response :created

-    assert_equal 'application/xml', @response.content_type
+    entry = TimeEntry.order('id DESC').first
+    assert_equal 3, entry.user_id
+    assert_equal 2, entry.author_id
+  end
+
+  test "POST /time_entries.xml with :issue_id for other user" do
+    Role.find_by_name('Manager').add_permission! :log_time_for_other_users
+
+    assert_difference 'TimeEntry.count' do
+      post(
+        '/time_entries.xml',
+        :params =>
+          {:time_entry =>
+            {:issue_id => '1', :spent_on => '2010-12-02', :user_id => '3',
+             :hours => '3.5', :activity_id => '11'}},
+        :headers => credentials('jsmith'))
+      assert_response :created
+    end

    entry = TimeEntry.order('id DESC').first
    assert_equal 3, entry.user_id