Fixes #4844 - Time Accounting prevents update with note on ticket handover.

Co-authored-by: Rolf Schmidt <rolf.schmidt@zammad.com>

app/policies/ticket/time_accounting_policy.rb

@@ -6,11 +6,15 @@ class Ticket::TimeAccountingPolicy < ApplicationPolicy
       return not_authorized __('Time Accounting is not enabled')
     end
 
-    ticket_update_access?
+    ticket_create_access? || ticket_update_access?
   end
 
   private
 
+  def ticket_create_access?
+    TicketPolicy.new(user, record.ticket).create?
+  end
+
   def ticket_update_access?
     TicketPolicy.new(user, record.ticket).update?
   end

spec/policies/ticket/time_accounting_policy_spec.rb

@@ -31,4 +31,28 @@ describe Ticket::TimeAccountingPolicy do
 
     it { is_expected.to forbid_actions(:create) }
   end
+
+  context 'when user has no access to the ticket by having read permission' do
+    let(:user) { create(:agent) }
+
+    before { user.user_groups.create! group: ticket.group, access: 'read' }
+
+    it { is_expected.to forbid_actions(:create) }
+  end
+
+  context 'when user has access to the ticket by having create permission' do
+    let(:user) { create(:agent) }
+
+    before { user.user_groups.create! group: ticket.group, access: 'create' }
+
+    it { is_expected.to permit_actions(:create) }
+  end
+
+  context 'when user has access to the ticket by having change permission' do
+    let(:user) { create(:agent) }
+
+    before { user.user_groups.create! group: ticket.group, access: 'change' }
+
+    it { is_expected.to permit_actions(:create) }
+  end
 end