Creating time tracking entry for other user through rest API fails with 403 (#32774).

Patch by Marius BALTEANU.

git-svn-id: http://svn.redmine.org/redmine/trunk@19669 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/timelog_controller.rb

@@ -288,6 +288,14 @@ class TimelogController < ApplicationController
     end
   end
 
+  def find_optional_project
+    if params[:project_id].present? || params[:time_entry].present? && params[:time_entry][:project_id].present?
+      project_id = params[:project_id] || params[:time_entry][:project_id]
+      find_project(project_id)
+    end
+    authorize_global
+  end
+
   # Returns the TimeEntry scope for index and report actions
   def time_entry_scope(options={})
     @query.results_scope(options)

test/integration/api_test/time_entries_test.rb

@@ -144,6 +144,27 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
     assert_select 'errors error', :text => "Hours cannot be blank"
   end
 
+  test "POST /time_entries.xml for other user" do
+    Role.find_by_name('Manager').add_permission! :log_time_for_other_users
+
+    assert_difference 'TimeEntry.count' do
+      post(
+        '/time_entries.xml',
+        :params =>
+          {:time_entry =>
+            {:project_id => '1', :spent_on => '2010-12-02', :user_id => '3',
+             :hours => '3.5', :activity_id => '11'}},
+        :headers => credentials('jsmith'))
+    end
+    assert_response :created
+
+    assert_equal 'application/xml', @response.content_type
+
+    entry = TimeEntry.order('id DESC').first
+    assert_equal 3, entry.user_id
+    assert_equal 2, entry.author_id
+  end
+
   test "PUT /time_entries/:id.xml with valid parameters should update time entry" do
     assert_no_difference 'TimeEntry.count' do
       put(