jigarius / toggl2redmine

Import time from Toggl 2 Redmine.
GNU General Public License v3.0

User can log time on projects they're not a member of #33

Closed jigarius closed 6 years ago

jigarius commented 6 years ago

For some reason, Redmine web services let you log time against projects you are not a member of.

jigarius commented 6 years ago

The line @user.allowed_to?(:log_time, @time_entry.project) should return false for people who are not a member of a project (unless the permissions are very generous).

To overcome this problem, an explicit check has been added to see if a user is a member of a project like:

  !@project.members.pluck(:user_id).include?(@user.id)

jigarius commented 6 years ago

I've tested this to be working fine, so I'm marking it as closed.
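An added example, not code from toggl2redmine or Redmine: a plain-Ruby model of why a role-based `allowed_to?(:log_time, project)` check can pass for a non-member, and how the explicit membership check described in the thread closes that gap. The structs, the `authorize_time_entry` helper, the sample users and the non-member fallback role that grants `:log_time` are all assumptions constructed for illustration.

```ruby
# Simplified stand-ins for Redmine's models (constructed for this example).
Role    = Struct.new(:name, :permissions)
User    = Struct.new(:id, :login)
Member  = Struct.new(:user_id, :roles)
Project = Struct.new(:name, :is_public, :members, :non_member_role) do
  # Roles that apply to a user: membership roles if any, otherwise the
  # non-member fallback role on a public project (assumption of this model).
  def roles_for(user)
    member = members.find { |m| m.user_id == user.id }
    return member.roles if member
    is_public ? [non_member_role] : []
  end

  # Role-based check, analogous to @user.allowed_to?(:log_time, project).
  def allowed_to?(user, action)
    roles_for(user).any? { |role| role.permissions.include?(action) }
  end

  # Explicit membership check, same shape as the one quoted in the issue.
  def member?(user)
    members.map(&:user_id).include?(user.id)
  end
end

# Hypothetical helper: requires membership AND the permission.
# Returns [allowed, reason].
def authorize_time_entry(user, project)
  return [false, :not_a_member] unless project.member?(user)
  return [false, :no_log_time_permission] unless project.allowed_to?(user, :log_time)
  [true, :ok]
end

# Constructed sample data.
DEVELOPER  = Role.new('Developer', %i[log_time view_issues])
REPORTER   = Role.new('Reporter', %i[view_issues])
NON_MEMBER = Role.new('Non member', %i[view_issues log_time]) # generous setting
ALICE = User.new(1, 'alice') # member with log_time
BOB   = User.new(2, 'bob')   # member without log_time
CAROL = User.new(3, 'carol') # not a member
PROJECT = Project.new('demo', true,
                      [Member.new(1, [DEVELOPER]), Member.new(2, [REPORTER])],
                      NON_MEMBER)

if __FILE__ == $PROGRAM_NAME
  [ALICE, BOB, CAROL].each do |u|
    puts format('%-6s role_check=%-5s result=%p', u.login,
                PROJECT.allowed_to?(u, :log_time), authorize_time_entry(u, PROJECT))
  end
end
```

In this model the role check alone returns true for `carol`, while the combined check rejects her and still rejects `bob`, who is a member but lacks the permission.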