fix: register bulk label route correctly for API token permissions

The tasks_labels_bulk route was not recognized as a CRUD route by
isStandardCRUDRoute, causing it to be processed as a non-CRUD route
and registered in the wrong apiTokenRoutes group. API tokens with
tasks_labels permissions could not access the bulk endpoint, resulting
in a 401 error.

Fixes https://github.com/go-vikunja/vikunja/issues/2375
This commit is contained in:
kolaente 2026-03-10 23:49:12 +01:00
parent 554593cdb6
commit e19bea8e3a
1 changed files with 8 additions and 0 deletions

View File

@ -152,6 +152,14 @@ func isStandardCRUDRoute(routeGroupName string, routeParts []string, _ string) b
return true
}
// Check if this is a bulk variant of a known CRUD resource
if strings.HasSuffix(routeGroupName, "_bulk") {
parent := strings.TrimSuffix(routeGroupName, "_bulk")
if crudResources[parent] {
return true
}
}
// Also check the base resource for nested paths
if len(routeParts) > 0 && crudResources[routeParts[0]] {
// For single-segment paths, it's CRUD if it's a known resource