From 98e463e3425d6ec0ce8c71270a0d5d6bd569741d Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Sun, 22 Feb 2026 03:17:02 +0000
Subject: [PATCH] Merge r24443 from trunk to 6.0-stable (#43830).

git-svn-id: https://svn.redmine.org/redmine/branches/6.0-stable@24446 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/timelog_controller.rb          | 2 ++
 test/integration/api_test/time_entries_test.rb | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index 13c8ff26a..0195c8ced 100644
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -261,6 +261,8 @@ class TimelogController < ApplicationController
 
   def find_time_entry
     @time_entry = TimeEntry.find(params[:id])
+    raise Unauthorized unless @time_entry.visible?
+
     @project = @time_entry.project
   rescue ActiveRecord::RecordNotFound
     render_404
diff --git a/test/integration/api_test/time_entries_test.rb b/test/integration/api_test/time_entries_test.rb
index abd634506..395873666 100644
--- a/test/integration/api_test/time_entries_test.rb
+++ b/test/integration/api_test/time_entries_test.rb
@@ -60,6 +60,12 @@ class Redmine::ApiTest::TimeEntriesTest < Redmine::ApiTest::Base
     assert_response :not_found
   end
 
+  test "GET /time_entries/:id.xml with non visible time entry should 403 " do
+    Role.non_member.update(:time_entries_visibility => 'own')
+    get '/time_entries/4.xml', :headers => credentials('jsmith')
+    assert_response :forbidden
+  end
+
   test "POST /time_entries.xml with issue_id should create time entry" do
     assert_difference 'TimeEntry.count' do
       post(
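Review bot: Raising `Unauthorized` for a hidden entry while `ActiveRecord::RecordNotFound` still renders 404 gives callers two distinguishable outcomes, so an id probe can tell existing-but-hidden entries from non-existent ones; if that is an accepted trade-off (other `find_*` filters in this codebase appear to follow the same 403 pattern) a one-line comment stating it, `# visibility is enforced here for every action using this filter; unknown ids stay 404`, would help the next reader. The `rescue` in the hunk only handles `RecordNotFound`, so the 403 relies on an `Unauthorized` handler in `ApplicationController` outside this hunk — presumably a `rescue_from`, worth confirming rather than assuming. The extra blank `+` line between the raise and the `@project` assignment adds nothing and could be dropped. `find_time_entry` ends outside the hunk.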
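Review bot: The test name on the first added line carries a trailing space inside the string (`should 403 "`), which shows up in reporter output and makes the test harder to grep for; drop it: `test "GET /time_entries/:id.xml with non visible time entry should 403" do`. The assertion also depends on fixture facts the test does not state — that entry 4 is not jsmith's own and that jsmith's only role in its project is non-member — so a short comment such as `# time entry 4 belongs to another user in a project where jsmith is a non-member` would make the setup readable without opening the fixtures; I cannot verify those fixture values from here. A companion assertion that the same request returns 200 once `time_entries_visibility` is `'all'` would pin that the new check does not over-restrict, unless such a test already exists above the hunk.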