From 8d6933590d7c2b3ddd5214b077eb1eda2dfeaa91 Mon Sep 17 00:00:00 2001
From: Markus Kahl
Date: Fri, 9 Feb 2024 16:49:54 +0000
Subject: [PATCH 1/2] fix time entries endpoint to return ongoing time entries while lacking log own time permission

---
 modules/costs/app/models/time_entries/scopes/ongoing.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/costs/app/models/time_entries/scopes/ongoing.rb b/modules/costs/app/models/time_entries/scopes/ongoing.rb
index 4a52c40b0e0c..7ef8dc360f2e 100644
--- a/modules/costs/app/models/time_entries/scopes/ongoing.rb
+++ b/modules/costs/app/models/time_entries/scopes/ongoing.rb
@@ -37,7 +37,12 @@ def ongoing

 def visible_ongoing(user = User.current)
 TimeEntry
- .where(work_package_id: WorkPackage.allowed_to(user, :log_own_time), user:, ongoing: true)
+ .where(work_package_id: visible_work_packages(user).select(:id), user:, ongoing: true)
+ end
+
+ def visible_work_packages(user)
+ WorkPackage.allowed_to(user, :log_own_time).or(
+ WorkPackage.where(project_id: Project.allowed_to(User.current, :log_time)))
 end

 def not_ongoing

From a1e06605224de6283ea89d1381e271b57cf6eee7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Wed, 6 Mar 2024 14:41:17 +0100
Subject: [PATCH 2/2] Add spec

---
 .../time_entries/time_entry_query_integration_spec.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/costs/spec/models/queries/time_entries/time_entry_query_integration_spec.rb b/modules/costs/spec/models/queries/time_entries/time_entry_query_integration_spec.rb
index 37c0e98b6070..f98ddcfda3c0 100644
--- a/modules/costs/spec/models/queries/time_entries/time_entry_query_integration_spec.rb
+++ b/modules/costs/spec/models/queries/time_entries/time_entry_query_integration_spec.rb
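Review bot: In `visible_work_packages(user)` in ongoing.rb, the `:log_own_time` check uses the `user` argument but the `:log_time` check uses `User.current`, so `visible_ongoing` called with any user other than the current one builds its visibility scope from two different principals. Pass the argument through instead: `WorkPackage.where(project_id: Project.allowed_to(user, :log_time)))`. The helper decides which work packages' ongoing timers are visible, so it deserves a one-line comment such as `# Work packages whose ongoing timers the user may see: own-time permission on the work package, or log_time on its project.` The enclosing module body starts and ends outside the hunk, so whether the helper can be made private there is not visible.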
@@ -55,6 +55,14 @@
 it 'only returns the users own time entries' do
 expect(subject).to contain_exactly(user_timer)
 end
+
+ context 'when user has log_time permission' do
+ let(:user) { create(:user, member_with_permissions: { project => %i[log_time] }) }
+
+ it 'still returns the users own time entries' do
+ expect(subject).to contain_exactly(user_timer)
+ end
+ end
 end
 end
 end
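Review bot: The added context asserts only the allow path for a member holding just `log_time`; nothing in this hunk pins the deny path, where a member with neither `log_time` nor `log_own_time` gets an empty result. That is the case most worth fixing in place when a permission check is widened. If it is not already covered elsewhere in the file, add a sibling context with `let(:user) { create(:user, member_with_permissions: { project => [] }) }` and `expect(subject).to be_empty`. The enclosing describe/context blocks start outside the hunk, so how `subject` and `user_timer` are built is not visible here.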