Merge r24443 from trunk to 5.1-stable (#43830).

git-svn-id: https://svn.redmine.org/redmine/branches/5.1-stable@24479 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/timelog_controller.rb

@@ -261,6 +261,8 @@ class TimelogController < ApplicationController
 
   def find_time_entry
     @time_entry = TimeEntry.find(params[:id])
+    raise Unauthorized unless @time_entry.visible?
+
     @project = @time_entry.project
   rescue ActiveRecord::RecordNotFound
     render_404

test/integration/api_test/time_entries_test.rb

@@ -57,6 +57,12 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
     assert_response 404
   end
 
+  test "GET /time_entries/:id.xml with non visible time entry should 403 " do
+    Role.non_member.update(:time_entries_visibility => 'own')
+    get '/time_entries/4.xml', :headers => credentials('jsmith')
+    assert_response :forbidden
+  end
+
   test "POST /time_entries.xml with issue_id should create time entry" do
     assert_difference 'TimeEntry.count' do
       post(