diff --git a/pkg/models/task_duplicate.go b/pkg/models/task_duplicate.go
index 175834c7a..ed737a507 100644
--- a/pkg/models/task_duplicate.go
+++ b/pkg/models/task_duplicate.go
@@ -32,7 +32,7 @@ type TaskDuplicate struct {
TaskID int64 `json:"-" param:"projecttask"`
// The duplicated task
- Task *Task `json:"duplicated_task,omitempty"`
+ Task *Task `json:"duplicated_task,omitempty" readOnly:"true" doc:"The newly created duplicate task, populated by the server in the response."`
web.Permissions `json:"-"`
web.CRUDable `json:"-"`
diff --git a/pkg/routes/api/v2/task_duplicate.go b/pkg/routes/api/v2/task_duplicate.go
new file mode 100644
index 000000000..3340994bd
--- /dev/null
+++ b/pkg/routes/api/v2/task_duplicate.go
@@ -0,0 +1,58 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package apiv2
+
+import (
+ "context"
+ "net/http"
+
+ "code.vikunja.io/api/pkg/models"
+ "code.vikunja.io/api/pkg/web/handler"
+
+ "github.com/danielgtaylor/huma/v2"
+)
+
+// RegisterTaskDuplicateRoutes wires the task-duplicate action onto the Huma API.
+// TaskDuplicate is a CRUDable Create, so the handler reuses handler.DoCreate
+// (its CanCreate enforces read-source + write-project); the only custom part is
+// taking TaskID from the path rather than a request body.
+func RegisterTaskDuplicateRoutes(api huma.API) {
+ tags := []string{"tasks"}
+
+ Register(api, huma.Operation{
+ OperationID: "tasks-duplicate",
+ Summary: "Duplicate a task",
+ Description: "Copies a task — including its labels, assignees, attachments and reminders — into the same project, and records a \"copied from\" relation back to the original. The authenticated user needs read access to the source task and write access to its project. Returns the newly created duplicate.",
+ Method: http.MethodPost,
+ Path: "/tasks/{projecttask}/duplicate",
+ Tags: tags,
+ }, tasksDuplicate)
+}
+
+func tasksDuplicate(ctx context.Context, in *struct {
+ TaskID int64 `path:"projecttask" doc:"The numeric id of the task to duplicate."`
+}) (*singleBody[models.TaskDuplicate], error) {
+ a, err := authFromCtx(ctx)
+ if err != nil {
+ return nil, err
+ }
+ td := &models.TaskDuplicate{TaskID: in.TaskID}
+ if err := handler.DoCreate(ctx, td, a); err != nil {
+ return nil, translateDomainError(err)
+ }
+ return &singleBody[models.TaskDuplicate]{Body: td}, nil
+}
diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index 3511a9e52..5b00b1362 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -395,6 +395,7 @@ func registerAPIRoutesV2(e *echo.Echo, a *echo.Group) {
// Resource registrations.
apiv2.RegisterLabelRoutes(api)
+ apiv2.RegisterTaskDuplicateRoutes(api)
// AutoPatch must run AFTER all GET/PUT pairs are registered so it can
// synthesize their PATCH counterparts.
diff --git a/pkg/webtests/huma_task_duplicate_test.go b/pkg/webtests/huma_task_duplicate_test.go
new file mode 100644
index 000000000..85d9a108d
--- /dev/null
+++ b/pkg/webtests/huma_task_duplicate_test.go
@@ -0,0 +1,85 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package webtests
+
+import (
+ "encoding/json"
+ "net/http"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+// TestTaskDuplicateV2 covers POST /tasks/{projecttask}/duplicate. It drives the
+// Echo+Huma stack directly (humaRequest/humaTokenFor) because webHandlerTestV2's
+// buildURL only models base[/{id}] paths, not action sub-paths.
+func TestTaskDuplicateV2(t *testing.T) {
+ t.Run("duplicates an accessible task", func(t *testing.T) {
+ e, err := setupTestEnv()
+ require.NoError(t, err)
+ token := humaTokenFor(t, &testuser1)
+
+ // Task 2 lives in project 1, which testuser1 owns.
+ const sourceTaskID int64 = 2
+ rec := humaRequest(t, e, http.MethodPost, "/api/v2/tasks/2/duplicate", ``, token, "")
+ require.Equal(t, http.StatusCreated, rec.Code, "body: %s", rec.Body.String())
+ assert.Contains(t, rec.Body.String(), `"duplicated_task"`)
+ assert.Contains(t, rec.Body.String(), `"title":"task #2 done"`)
+
+ // A returned original task would also pass the title check above; assert a new id.
+ var resp struct {
+ DuplicatedTask struct {
+ ID int64 `json:"id"`
+ } `json:"duplicated_task"`
+ }
+ require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &resp))
+ assert.NotZero(t, resp.DuplicatedTask.ID, "duplicated task should have an id")
+ assert.NotEqual(t, sourceTaskID, resp.DuplicatedTask.ID, "duplicated task must have a new id, not the source task's")
+ })
+
+ t.Run("nonexistent source task", func(t *testing.T) {
+ e, err := setupTestEnv()
+ require.NoError(t, err)
+ token := humaTokenFor(t, &testuser1)
+
+ rec := humaRequest(t, e, http.MethodPost, "/api/v2/tasks/99999/duplicate", `{}`, token, "")
+ // Missing source task yields ErrTaskDoesNotExist (404), not the 403 of the permission cases below.
+ require.Equal(t, http.StatusNotFound, rec.Code, "body: %s", rec.Body.String())
+ })
+
+ t.Run("no read on source task is forbidden", func(t *testing.T) {
+ e, err := setupTestEnv()
+ require.NoError(t, err)
+ // testuser15 cannot read task 1 (project 1, owned by testuser1).
+ token := humaTokenFor(t, &testuser15)
+
+ rec := humaRequest(t, e, http.MethodPost, "/api/v2/tasks/1/duplicate", `{}`, token, "")
+ require.Equal(t, http.StatusForbidden, rec.Code, "body: %s", rec.Body.String())
+ })
+
+ t.Run("read but no write on source project is forbidden", func(t *testing.T) {
+ e, err := setupTestEnv()
+ require.NoError(t, err)
+ // Task 32 lives in project 3, on which testuser1 has read-only access:
+ // CanRead passes, CanUpdate on the project fails, so CanCreate denies.
+ token := humaTokenFor(t, &testuser1)
+
+ rec := humaRequest(t, e, http.MethodPost, "/api/v2/tasks/32/duplicate", `{}`, token, "")
+ require.Equal(t, http.StatusForbidden, rec.Code, "body: %s", rec.Body.String())
+ })
+}