From 854d33dc0089481c2bd54297eabbcccdeb131699 Mon Sep 17 00:00:00 2001
From: Jens Ulferts
Date: Fri, 12 Feb 2016 13:26:23 +0100
Subject: [PATCH] fix viewing own time entries

This harmonizes the permission check accros other permission checks (e.g. scopes)
---
 .../costs/patches/time_entry_patch.rb | 3 +-
 spec/models/time_entry_spec.rb | 48 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/lib/open_project/costs/patches/time_entry_patch.rb b/lib/open_project/costs/patches/time_entry_patch.rb
index e0dfc1971d..1fa3d3e7b8 100644
--- a/lib/open_project/costs/patches/time_entry_patch.rb
+++ b/lib/open_project/costs/patches/time_entry_patch.rb
@@ -126,7 +126,8 @@ module OpenProject::Costs::Patches::TimeEntryPatch
 end
 def visible_by?(usr)
- usr.allowed_to?(:view_time_entries, project)
+ usr.allowed_to?(:view_time_entries, project) ||
+ (user_id == usr.id && usr.allowed_to?(:view_own_time_entries, project))
 end
 def costs_visible_by?(usr)
diff --git a/spec/models/time_entry_spec.rb b/spec/models/time_entry_spec.rb
index 2532d14323..ea786b39e2 100644
--- a/spec/models/time_entry_spec.rb
+++ b/spec/models/time_entry_spec.rb
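Review bot: The ownership test `user_id == usr.id` in the new `visible_by?` is also satisfied when both ids are nil, so a time entry without a user, or a caller whose id is nil (an unsaved or anonymous principal, if one can reach this method — the model is outside the hunk), falls through to the `view_own_time_entries` check instead of being rejected on ownership alone. A tighter form of the added line is `(user_id.present? && user_id == usr.id && usr.allowed_to?(:view_own_time_entries, project))`, which keeps the result unchanged for every case the new spec covers. The own-entry branch would also benefit from a one-line comment such as `# own entries: mirrors the visible scope's view_own_time_entries condition`, since the commit message gives that harmonisation as the motivation but nothing in the code records it. `costs_visible_by?` begins on the last line of this hunk and continues outside it.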
@@ -295,6 +295,54 @@ describe TimeEntry, type: :model do
 end
 end
+ describe 'visible_by?' do
+ context 'when not having the necessary permissions' do
+ before do
+ is_member(project, user, [])
+ end
+
+ it 'is visible' do
+ expect(time_entry.visible_by?(user)).to be_falsey
+ end
+ end
+
+ context 'when having the view_time_entries permission' do
+ before do
+ is_member(project, user, [:view_time_entries])
+ end
+
+ it 'is visible' do
+ expect(time_entry.visible_by?(user)).to be_truthy
+ end
+ end
+
+ context 'when having the view_own_time_entries permission ' +
+ 'and being the owner of the time entry' do
+ before do
+ is_member(project, user, [:view_own_time_entries])
+
+ time_entry.user = user
+ end
+
+ it 'is visible' do
+ expect(time_entry.visible_by?(user)).to be_truthy
+ end
+ end
+
+ context 'when having the view_own_time_entries permission ' +
+ 'and not being the owner of the time entry' do
+ before do
+ is_member(project, user, [:view_own_time_entries])
+
+ time_entry.user = FactoryGirl.build :user
+ end
+
+ it 'is visible' do
+ expect(time_entry.visible_by?(user)).to be_falsey
+ end
+ end
+ end
+
 describe 'class' do
 describe '#visible' do
 describe "WHEN having the view_time_entries permission