From 59dc1034920af574738d970ff8e5805f0a627a13 Mon Sep 17 00:00:00 2001
From: Holger Just <h.just@finn.de>
Date: Mon, 28 Nov 2011 20:44:05 +0100
Subject: [PATCH] [#735] Don't allow time entry creation with only edit
 permission

Based on a patch by Jean-Philippe Lang.
---
 lib/redmine.rb                             |  4 ++--
 test/functional/timelog_controller_test.rb | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/redmine.rb b/lib/redmine.rb
index bd5ad7007..716fb4a9c 100644
--- a/lib/redmine.rb
+++ b/lib/redmine.rb
@@ -102,8 +102,8 @@ Redmine::AccessControl.map do |map|
   map.project_module :time_tracking do |map|
     map.permission :log_time, {:timelog => [:new, :create]}, :require => :loggedin
     map.permission :view_time_entries, :timelog => [:index, :show], :time_entry_reports => [:report]
-    map.permission :edit_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy]}, :require => :member
-    map.permission :edit_own_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy]}, :require => :loggedin
+    map.permission :edit_time_entries, {:timelog => [:edit, :update, :destroy]}, :require => :member
+    map.permission :edit_own_time_entries, {:timelog => [:edit, :update, :destroy]}, :require => :loggedin
     map.permission :manage_project_activities, {:project_enumerations => [:update, :destroy]}, :require => :member
   end
 
diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb
index a869e66de..103c1ca45 100644
--- a/test/functional/timelog_controller_test.rb
+++ b/test/functional/timelog_controller_test.rb
@@ -111,6 +111,18 @@ class TimelogControllerTest < ActionController::TestCase
     assert_equal 3, t.user_id
   end
 
+  def test_create_without_log_time_permission_should_be_denied
+    @request.session[:user_id] = 2
+    Role.find_by_name('Manager').remove_permission! :log_time
+    post :create, :project_id => 1,
+                :time_entry => {:activity_id => '11',
+                                :issue_id => '',
+                                :spent_on => '2008-03-14',
+                                :hours => '7.3'}
+
+    assert_response 403
+  end
+
   def test_update
     entry = TimeEntry.find(1)
     assert_equal 1, entry.issue_id
-- 
GitLab