From e19bea8e3a2804485479748b1c91dc58719dbe11 Mon Sep 17 00:00:00 2001 From: kolaente Date: Tue, 10 Mar 2026 23:49:12 +0100 Subject: [PATCH] fix: register bulk label route correctly for API token permissions The tasks_labels_bulk route was not recognized as a CRUD route by isStandardCRUDRoute, causing it to be processed as a non-CRUD route and registered in the wrong apiTokenRoutes group. API tokens with tasks_labels permissions could not access the bulk endpoint, resulting in a 401 error. Fixes https://github.com/go-vikunja/vikunja/issues/2375 --- pkg/models/api_routes.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pkg/models/api_routes.go b/pkg/models/api_routes.go index ccb4ee086..5dd7e92e7 100644 --- a/pkg/models/api_routes.go +++ b/pkg/models/api_routes.go @@ -152,6 +152,14 @@ func isStandardCRUDRoute(routeGroupName string, routeParts []string, _ string) b return true } + // Check if this is a bulk variant of a known CRUD resource + if strings.HasSuffix(routeGroupName, "_bulk") { + parent := strings.TrimSuffix(routeGroupName, "_bulk") + if crudResources[parent] { + return true + } + } + // Also check the base resource for nested paths if len(routeParts) > 0 && crudResources[routeParts[0]] { // For single-segment paths, it's CRUD if it's a known resource