Creating time tracking entry for other user through rest API fails with 403 (#32774).

git-svn-id: http://svn.redmine.org/redmine/trunk@19676 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-16 05:20:28 +01:00 · 2020-04-05 18:39:05 +00:00
parent d955672a7d
commit 99df2c5c58
4 changed files with 46 additions and 16 deletions
--- a/test/functional/timelog_controller_test.rb
+++ b/test/functional/timelog_controller_test.rb
@@ -383,7 +383,7 @@ class TimelogControllerTest < Redmine::ControllerTest
    assert_equal 2, t.author_id
  end

-  def test_create_for_other_user_should_deny_for_user_without_permission
+  def test_create_for_other_user_should_fail_without_permission
    Role.find_by_name('Manager').remove_permission! :log_time_for_other_users
    @request.session[:user_id] = 2

@@ -399,8 +399,8 @@ class TimelogControllerTest < Redmine::ControllerTest
      }
    }

-    assert_response 403
-    assert_select 'p[id=?]', 'errorExplanation', :text => I18n.t(:error_not_allowed_to_log_time_for_other_users)
+    assert_response :success
+    assert_select_error /User is invalid/
  end

  def test_create_and_continue_at_project_level
@@ -668,7 +668,7 @@ class TimelogControllerTest < Redmine::ControllerTest
    assert_select_error /Issue is invalid/
  end

-  def test_update_should_deny_changing_user_for_user_without_permission
+  def test_update_should_fail_when_changing_user_without_permission
    Role.find_by_name('Manager').remove_permission! :log_time_for_other_users
    @request.session[:user_id] = 2

@@ -679,8 +679,8 @@ class TimelogControllerTest < Redmine::ControllerTest
      }
    }

-    assert_response 403
-    assert_select 'p[id=?]', 'errorExplanation', :text => I18n.t(:error_not_allowed_to_log_time_for_other_users)
+    assert_response :success
+    assert_select_error /User is invalid/
  end

  def test_update_should_allow_updating_existing_entry_logged_on_a_locked_user
--- a/test/integration/api_test/time_entries_test.rb
+++ b/test/integration/api_test/time_entries_test.rb
@@ -144,6 +144,40 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
    assert_select 'errors error', :text => "Hours cannot be blank"
  end

+  test "POST /time_entries.xml with :project_id for other user" do
+    Role.find_by_name('Manager').add_permission! :log_time_for_other_users
+
+    entry = new_record(TimeEntry) do
+      post(
+        '/time_entries.xml',
+        :params =>
+          {:time_entry =>
+            {:project_id => '1', :spent_on => '2010-12-02', :user_id => '3',
+             :hours => '3.5', :activity_id => '11'}},
+        :headers => credentials('jsmith'))
+    end
+    assert_response :created
+    assert_equal 3, entry.user_id
+    assert_equal 2, entry.author_id
+  end
+
+  test "POST /time_entries.xml with :issue_id for other user" do
+    Role.find_by_name('Manager').add_permission! :log_time_for_other_users
+
+    entry = new_record(TimeEntry) do
+      post(
+        '/time_entries.xml',
+        :params =>
+          {:time_entry =>
+            {:issue_id => '1', :spent_on => '2010-12-02', :user_id => '3',
+             :hours => '3.5', :activity_id => '11'}},
+        :headers => credentials('jsmith'))
+    end
+    assert_response :created
+    assert_equal 3, entry.user_id
+    assert_equal 2, entry.author_id
+  end
+
  test "PUT /time_entries/:id.xml with valid parameters should update time entry" do
    assert_no_difference 'TimeEntry.count' do
      put(