- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Affects Version/s: 6.3
- Component/s: Project Administration - Permissions, REST API
- 6.03
On JIRA OnDemand v6.3-OD-08-005-WN (also here!) it's possible to get a worklog by its ID even if this worklog does not belong to the issue passed in the API URL.
Example:
On our OnDemand instance I have access rights to <issue>. When I add a worklog to this issue via the REST API, I get its ID (<worklog>). Now, when I call GET issue/<issue>/worklog/<worklog> (simplified), I get something like:
{
  "self": ".../rest/api/2/issue/15156/worklog/12928",
  "author": {
    "self": "...",
    "name": "...",
    "emailAddress": "...",
    "avatarUrls": {"16x16": "...", "24x24": "...", "32x32": "...", "48x48": "..."},
    "displayName": "...",
    "active": true
  },
  "updateAuthor": {
    "self": "...",
    "name": "...",
    "emailAddress": "...",
    "avatarUrls": {"16x16": "...", "24x24": "...", "32x32": "...", "48x48": "..."},
    "displayName": "...",
    "active": true
  },
  "comment": "",
  "created": "2014-07-15T14:34:49.813+0200",
  "updated": "2014-07-15T14:34:49.813+0200",
  "started": "2014-07-15T14:34:00.000+0200",
  "timeSpent": "2h 30m",
  "timeSpentSeconds": 9000,
  "id": "12928"
}
At this moment <issue> = 15156 and <worklog> = 12928.
Now I change the worklog ID to a random value, for example 12929, and call GET issue/<issue>/worklog/12929, and I get a worklog from an entirely different issue than my <issue>. In the response, the self URL shows the ID of that other issue (in this case 15336), so I can call GET issue/15336/worklog/12929 and I still get a valid response. But when I call GET issue/15336 I see:
{"errorMessages":["You do not have the permission to see the specified issue."],"errors":{}}
So, two problems:
- /rest/api/2/issue/<issueIdOrKey>/worklog/<id> should not allow getting the worklog if worklog <id> does not belong to issue <issueIdOrKey>
- /rest/api/2/issue/<issueIdOrKey>/worklog/<id> should not allow getting the worklog if the user does not have permission to view issue <issueIdOrKey>
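The following probe is an added example, not code from the report above or from Atlassian. It automates the two checks the reporter did by hand (does the `self` URL of a returned worklog name a different issue than the request path, and is that owning issue hidden from the caller) and runs them against two constructed in-memory stand-ins for the endpoint: one reproducing the reported behaviour and one applying both checks the report asks for. The `fetch` interface (path in, `(status, json)` out), the `example.invalid` host, the issue/worklog IDs taken from the report, and the exact status codes and error strings in the fakes are all assumptions; to run this against a live instance, wrap an authenticated HTTP client in a function with the same shape.

```python
"""Probe for the worklog authorization gap described in the report above.

Added example, not Atlassian code. `fetch` is an assumed interface:
path -> (status_code, parsed_json). The two servers below are constructed
stand-ins, one reproducing the reported behaviour, one applying the fix.
"""
import re
from typing import Callable, Dict, Tuple

Fetch = Callable[[str], Tuple[int, dict]]

WORKLOG_PATH = re.compile(r"/rest/api/2/issue/(\d+)/worklog/(\d+)$")
ISSUE_PATH = re.compile(r"/rest/api/2/issue/(\d+)$")


def probe_worklog(fetch: Fetch, issue_id: str, worklog_id: str) -> Dict[str, object]:
    """Fetch one worklog through the issue-scoped URL and report inconsistencies."""
    status, body = fetch(f"/rest/api/2/issue/{issue_id}/worklog/{worklog_id}")
    result: Dict[str, object] = {"status": status, "owner_issue": None,
                                 "wrong_issue": False, "owner_hidden": False}
    if status != 200:
        return result
    m = WORKLOG_PATH.search(body.get("self", ""))
    if not m:
        raise ValueError(f"unexpected self URL: {body.get('self')!r}")
    owner = m.group(1)
    result["owner_issue"] = owner
    # Check 1: the worklog came back under an issue it does not belong to.
    result["wrong_issue"] = owner != issue_id
    # Check 2: the caller cannot view the owning issue, so the worklog
    # endpoint leaked data that the issue endpoint protects.
    owner_status, _ = fetch(f"/rest/api/2/issue/{owner}")
    result["owner_hidden"] = owner_status != 200
    return result


# Constructed data mirroring the report: the caller may view issue 15156,
# which owns worklog 12928; worklog 12929 belongs to issue 15336, which the
# caller may not view. Status codes and "not found" strings are assumed.
WORKLOG_OWNER = {"12928": "15156", "12929": "15336"}
VISIBLE_ISSUES = {"15156"}
NO_PERMISSION = {"errorMessages": ["You do not have the permission to see the specified issue."],
                 "errors": {}}
NOT_FOUND = {"errorMessages": ["worklog not found"], "errors": {}}


def _worklog_body(worklog_id: str) -> dict:
    owner = WORKLOG_OWNER[worklog_id]
    return {"self": f"https://example.invalid/rest/api/2/issue/{owner}/worklog/{worklog_id}",
            "id": worklog_id, "timeSpentSeconds": 9000}


def _issue_view(issue_id: str) -> Tuple[int, dict]:
    if issue_id in VISIBLE_ISSUES:
        return 200, {"id": issue_id}
    return 404, NO_PERMISSION


def buggy_fetch(path: str) -> Tuple[int, dict]:
    """Reproduces the reported behaviour: the worklog is looked up by id alone."""
    m = WORKLOG_PATH.search(path)
    if m:
        _, worklog_id = m.groups()
        if worklog_id in WORKLOG_OWNER:
            return 200, _worklog_body(worklog_id)
        return 404, NOT_FOUND
    m = ISSUE_PATH.search(path)
    if m:
        return _issue_view(m.group(1))
    return 404, {"errorMessages": ["no such resource"], "errors": {}}


def fixed_fetch(path: str) -> Tuple[int, dict]:
    """Applies both checks the report asks for before returning a worklog."""
    m = WORKLOG_PATH.search(path)
    if m:
        issue_id, worklog_id = m.groups()
        # Permission check on the issue named in the URL comes first, reusing
        # the hidden-issue response so a probe learns nothing extra.
        status, body = _issue_view(issue_id)
        if status != 200:
            return status, body
        # Ownership check: a worklog id from another issue is "not found" here.
        if WORKLOG_OWNER.get(worklog_id) != issue_id:
            return 404, NOT_FOUND
        return 200, _worklog_body(worklog_id)
    m = ISSUE_PATH.search(path)
    if m:
        return _issue_view(m.group(1))
    return 404, {"errorMessages": ["no such resource"], "errors": {}}


if __name__ == "__main__":
    for name, fetch in (("buggy", buggy_fetch), ("fixed", fixed_fetch)):
        print(name, probe_worklog(fetch, "15156", "12929"))
```

Against the buggy stand-in, probing worklog 12929 under issue 15156 flags both `wrong_issue` and `owner_hidden`; against the fixed one the same request is a plain 404 and the probe reports nothing, which is the behaviour to look for when retesting a patched instance.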