Closed jigarius closed 6 years ago
The line `@user.allowed_to?(:log_time, @time_entry.project)` should return false for people who are not a member of a project (unless the permissions are very generous).
To overcome this problem, an explicit check has been added to see if a user is a member of a project, like: `!@project.members.pluck(:user_id).include?(@user.id)`
I've tested this to be working fine, so I'm marking it as closed.
For some reason, Redmine web services let you log time against projects you are not a member of.
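The following is an added example, not code from this project or from Redmine. It is a simplified, constructed model of why a permission check alone can pass for a non-member while the explicit membership check from the comment above refuses. It assumes a public project whose non-member role grants `:log_time`; the `Project`, `Role` and `User` classes and the `can_log_time?` helper are hypothetical stand-ins.

```ruby
# Simplified, constructed model; these are not Redmine's own classes.
Role = Struct.new(:name, :permissions)
User = Struct.new(:id)

class Project
  # members: { user_id => Role }; non_member_role stands in for the role
  # applied to logged-in users who are not members of a public project.
  def initialize(is_public:, members:, non_member_role:)
    @is_public = is_public
    @members = members
    @non_member_role = non_member_role
  end

  def member?(user)
    @members.key?(user.id)
  end

  # Role the permission check evaluates: the member's own role, or the
  # non-member role when the project is public, otherwise none.
  def role_for(user)
    return @members[user.id] if member?(user)
    @is_public ? @non_member_role : nil
  end
end

# Permission check alone: passes for anyone whose effective role grants it.
def allowed_to?(user, permission, project)
  role = project.role_for(user)
  !role.nil? && role.permissions.include?(permission)
end

# Guard combining the explicit membership check with the permission check.
def can_log_time?(user, project)
  project.member?(user) && allowed_to?(user, :log_time, project)
end

# Constructed sample data.
DEVELOPER = Role.new("Developer", [:log_time])
GENEROUS  = Role.new("Non member", [:view_issues, :log_time])
STRICT    = Role.new("Non member", [:view_issues])
ALICE = User.new(1) # member
BOB   = User.new(2) # not a member

OPEN_PROJECT   = Project.new(is_public: true, members: { 1 => DEVELOPER }, non_member_role: GENEROUS)
LOCKED_PROJECT = Project.new(is_public: true, members: { 1 => DEVELOPER }, non_member_role: STRICT)
```

With the generous non-member role, the permission check accepts `BOB` on `OPEN_PROJECT`, while the combined guard refuses him and still accepts `ALICE`.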