From 3435de356ee16aeec45dc76577bd22bdc5b1c037 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Thu, 5 Mar 2026 02:34:57 +0000
Subject: [PATCH] Merge r24443 from trunk to 5.1-stable (#43830).

git-svn-id: https://svn.redmine.org/redmine/branches/5.1-stable@24479 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/timelog_controller.rb | 2 ++
 test/integration/api_test/time_entries_test.rb | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index 9bd1c38c1..2157bad8e 100644
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -261,6 +261,8 @@ class TimelogController < ApplicationController
 
   def find_time_entry
     @time_entry = TimeEntry.find(params[:id])
+    raise Unauthorized unless @time_entry.visible?
+
     @project = @time_entry.project
   rescue ActiveRecord::RecordNotFound
     render_404
diff --git a/test/integration/api_test/time_entries_test.rb b/test/integration/api_test/time_entries_test.rb
index 0084a9d98..8b8eb6cfa 100644
--- a/test/integration/api_test/time_entries_test.rb
+++ b/test/integration/api_test/time_entries_test.rb
@@ -57,6 +57,12 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
     assert_response 404
   end
 
+  test "GET /time_entries/:id.xml with non visible time entry should 403 " do
+    Role.non_member.update(:time_entries_visibility => 'own')
+    get '/time_entries/4.xml', :headers => credentials('jsmith')
+    assert_response :forbidden
+  end
+
   test "POST /time_entries.xml with issue_id should create time entry" do
     assert_difference 'TimeEntry.count' do
       post(
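Review bot: The new `raise Unauthorized unless @time_entry.visible?` in find_time_entry is not covered by the method's own `rescue ActiveRecord::RecordNotFound`, so the 403 the test expects depends on a handler further up the controller chain (presumably ApplicationController) translating `Unauthorized` into a forbidden response; nothing in this hunk shows that handler, so it is worth confirming and recording the intent in a comment, e.g. `# Reject entries outside the current user's visibility before any action (or @project) is reached; Unauthorized is rendered as 403 upstream`. Placing the guard before `@project` is assigned is the right order, since a non-visible entry's project should not feed any later project-level authorization. The end of find_time_entry lies outside the hunk.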
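Review bot: The test name carries a trailing space, `"... should 403 "`, which becomes part of the generated test method name; it should read `test "GET /time_entries/:id.xml with non visible time entry should 403" do`. The test also exercises only GET, while the guard lives in find_time_entry and therefore presumably protects update and destroy as well; a second request in the same test, such as `delete '/time_entries/4.xml', :headers => credentials('jsmith')` followed by `assert_response :forbidden`, would pin that. The `Role.non_member.update(...)` mutation is assumed to be rolled back by the transactional test setup, which is not visible here.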