feat(api/v2): add saved filter CRUD on /api/v2

This commit is contained in:
kolaente 2026-06-07 12:09:04 +02:00 committed by kolaente
parent a52ee1593a
commit ed4ae0cd43
2 changed files with 322 additions and 0 deletions

View File

@ -0,0 +1,137 @@
// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package apiv2
import (
"context"
"net/http"
"code.vikunja.io/api/pkg/models"
"code.vikunja.io/api/pkg/web/handler"
"github.com/danielgtaylor/huma/v2"
"github.com/danielgtaylor/huma/v2/conditional"
)
// RegisterSavedFilterRoutes wires saved filter CRUD onto the Huma API.
// No list operation, by design — v1 has none either.
func RegisterSavedFilterRoutes(api huma.API) {
tags := []string{"filters"}
Register(api, huma.Operation{
OperationID: "filters-read",
Summary: "Get a saved filter",
Description: "Returns a single saved filter. Only the owner may see it. Sends an ETag; pass it as If-None-Match on a later read to get a 304 Not Modified.",
Method: http.MethodGet,
Path: "/filters/{filter}",
Tags: tags,
}, savedFiltersRead)
Register(api, huma.Operation{
OperationID: "filters-create",
Summary: "Create a saved filter",
Description: "Creates a saved filter; the authenticated user becomes its owner. The filter query is validated before it is stored.",
Method: http.MethodPost,
Path: "/filters",
Tags: tags,
}, savedFiltersCreate)
Register(api, huma.Operation{
OperationID: "filters-update",
Summary: "Update a saved filter",
Description: "Replaces all of a saved filter's fields — only the owner may update it. Use PATCH for a partial update.",
Method: http.MethodPut,
Path: "/filters/{filter}",
Tags: tags,
}, savedFiltersUpdate)
Register(api, huma.Operation{
OperationID: "filters-delete",
Summary: "Delete a saved filter",
Description: "Deletes a saved filter. Only the owner may delete it.",
Method: http.MethodDelete,
Path: "/filters/{filter}",
Tags: tags,
}, savedFiltersDelete)
}
func init() { AddRouteRegistrar(RegisterSavedFilterRoutes) }
type savedFilterReadBody struct {
models.SavedFilter
MaxPermission models.Permission `json:"max_permission" readOnly:"true" doc:"The maximum permission the requesting user has on this saved filter (0=read, 1=read/write, 2=admin). Filters are owner-only, so this is always 2 for a successful read."`
}
func savedFiltersRead(ctx context.Context, in *struct {
ID int64 `path:"filter"`
conditional.Params
}) (*singleReadBody[savedFilterReadBody], error) {
a, err := authFromCtx(ctx)
if err != nil {
return nil, err
}
filter := &models.SavedFilter{ID: in.ID}
maxPermission, err := handler.DoReadOne(ctx, filter, a)
if err != nil {
return nil, translateDomainError(err)
}
body := &savedFilterReadBody{SavedFilter: *filter, MaxPermission: models.Permission(maxPermission)}
return conditionalReadResponse(&in.Params, body, filter.Updated, maxPermission)
}
func savedFiltersCreate(ctx context.Context, in *struct {
Body models.SavedFilter
}) (*singleBody[models.SavedFilter], error) {
a, err := authFromCtx(ctx)
if err != nil {
return nil, err
}
if err := handler.DoCreate(ctx, &in.Body, a); err != nil {
return nil, translateDomainError(err)
}
return &singleBody[models.SavedFilter]{Body: &in.Body}, nil
}
// Body matches the read shape so AutoPatch's GET→PUT echo of max_permission validates.
func savedFiltersUpdate(ctx context.Context, in *struct {
ID int64 `path:"filter"`
Body savedFilterReadBody
}) (*singleBody[models.SavedFilter], error) {
a, err := authFromCtx(ctx)
if err != nil {
return nil, err
}
filter := &in.Body.SavedFilter
filter.ID = in.ID // URL wins over body
if err := handler.DoUpdate(ctx, filter, a); err != nil {
return nil, translateDomainError(err)
}
return &singleBody[models.SavedFilter]{Body: filter}, nil
}
func savedFiltersDelete(ctx context.Context, in *struct {
ID int64 `path:"filter"`
}) (*emptyBody, error) {
a, err := authFromCtx(ctx)
if err != nil {
return nil, err
}
if err := handler.DoDelete(ctx, &models.SavedFilter{ID: in.ID}, a); err != nil {
return nil, translateDomainError(err)
}
return &emptyBody{}, nil
}

View File

@ -0,0 +1,185 @@
// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package webtests
import (
"encoding/json"
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestHumaSavedFilter ports the owner-only matrix from saved_filters_test.go
// onto the HTTP surface; v1 has no /filters webtest, so this is the only one.
// Fixture: filter #1 is owned by user1 (saved_filters.yml).
func TestHumaSavedFilter(t *testing.T) {
testHandler := webHandlerTestV2{
user: &testuser1,
basePath: "/api/v2/filters",
idParam: "filter",
t: t,
}
require.NoError(t, testHandler.ensureEnv())
// Share the one Echo (and its single fixture load) as user2; v2 doesn't
// reload fixtures per request, so Update/Delete of #1 are ordered last.
otherUserHandler := webHandlerTestV2{
user: &testuser2,
basePath: "/api/v2/filters",
idParam: "filter",
t: t,
e: testHandler.e,
}
t.Run("ReadOne", func(t *testing.T) {
t.Run("Normal", func(t *testing.T) {
rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"filter": "1"})
require.NoError(t, err)
assert.Contains(t, rec.Body.String(), `"title":"testfilter1"`)
// Owner-only resource → admin permission for a successful read.
assert.Contains(t, rec.Body.String(), `"max_permission":2`)
assert.NotEmpty(t, rec.Result().Header.Get("ETag"))
})
t.Run("Nonexisting", func(t *testing.T) {
// canDoFilter loads the filter, so a missing id surfaces 404.
_, err := testHandler.testReadOneWithUser(nil, map[string]string{"filter": "9999"})
require.Error(t, err)
assert.Equal(t, http.StatusNotFound, getHTTPErrorCode(err))
})
t.Run("Forbidden - not owner", func(t *testing.T) {
// #1 is user1's; saved filters are owner-only, so user2 is refused.
_, err := otherUserHandler.testReadOneWithUser(nil, map[string]string{"filter": "1"})
require.Error(t, err)
assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err))
})
})
t.Run("Create", func(t *testing.T) {
t.Run("Normal", func(t *testing.T) {
rec, err := testHandler.testCreateWithUser(nil, nil,
`{"title":"Lorem","description":"Ipsum","filters":{"filter":"done = true"}}`)
require.NoError(t, err)
assert.Equal(t, http.StatusCreated, rec.Code)
assert.Contains(t, rec.Body.String(), `"title":"Lorem"`)
assert.Contains(t, rec.Body.String(), `"description":"Ipsum"`)
})
t.Run("Empty title", func(t *testing.T) {
// 422 (not Huma's schema 400): central govalidator on `valid:"required"`.
_, err := testHandler.testCreateWithUser(nil, nil,
`{"title":"","filters":{"filter":"done = true"}}`)
require.Error(t, err)
assert.Equal(t, http.StatusUnprocessableEntity, getHTTPErrorCode(err))
})
t.Run("Invalid filter string", func(t *testing.T) {
// 400 from the model's filter parser, not the 422 validation path.
_, err := testHandler.testCreateWithUser(nil, nil,
`{"title":"BadFilter","filters":{"filter":"foo = bar"}}`)
require.Error(t, err)
assert.Equal(t, http.StatusBadRequest, getHTTPErrorCode(err))
})
})
t.Run("Update", func(t *testing.T) {
t.Run("Normal", func(t *testing.T) {
rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"filter": "1"},
`{"title":"NewTitle","filters":{"filter":"done = true"}}`)
require.NoError(t, err)
assert.Contains(t, rec.Body.String(), `"title":"NewTitle"`)
})
t.Run("Nonexisting", func(t *testing.T) {
_, err := testHandler.testUpdateWithUser(nil, map[string]string{"filter": "9999"},
`{"title":"NewTitle","filters":{"filter":"done = true"}}`)
require.Error(t, err)
assert.Equal(t, http.StatusNotFound, getHTTPErrorCode(err))
})
t.Run("Empty title", func(t *testing.T) {
_, err := testHandler.testUpdateWithUser(nil, map[string]string{"filter": "1"},
`{"title":"","filters":{"filter":"done = true"}}`)
require.Error(t, err)
assert.Equal(t, http.StatusUnprocessableEntity, getHTTPErrorCode(err))
})
t.Run("Forbidden - not owner", func(t *testing.T) {
_, err := otherUserHandler.testUpdateWithUser(nil, map[string]string{"filter": "1"},
`{"title":"NewTitle","filters":{"filter":"done = true"}}`)
require.Error(t, err)
assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err))
})
})
// Normal is last: it removes #1, which the negatives above still need.
t.Run("Delete", func(t *testing.T) {
t.Run("Nonexisting", func(t *testing.T) {
_, err := testHandler.testDeleteWithUser(nil, map[string]string{"filter": "9999"})
require.Error(t, err)
assert.Equal(t, http.StatusNotFound, getHTTPErrorCode(err))
})
t.Run("Forbidden - not owner", func(t *testing.T) {
_, err := otherUserHandler.testDeleteWithUser(nil, map[string]string{"filter": "1"})
require.Error(t, err)
assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err))
})
t.Run("Normal", func(t *testing.T) {
rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"filter": "1"})
require.NoError(t, err)
assert.Equal(t, http.StatusNoContent, rec.Code)
assert.Empty(t, rec.Body.String())
})
})
}
// v2-only behaviour, no v1 counterpart: ETag/304 and AutoPatch.
func TestHumaSavedFilter_ETagReturns304(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
token := humaTokenFor(t, &testuser1)
rec := humaRequest(t, e, http.MethodGet, "/api/v2/filters/1", "", token, "")
require.Equal(t, http.StatusOK, rec.Code, "body: %s", rec.Body.String())
etag := rec.Header().Get("ETag")
require.NotEmpty(t, etag, "GET must return an ETag header")
req := httptest.NewRequest(http.MethodGet, "/api/v2/filters/1", strings.NewReader(""))
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Authorization", "Bearer "+token)
req.Header.Set("If-None-Match", etag)
rec = httptest.NewRecorder()
e.ServeHTTP(rec, req)
require.Equal(t, http.StatusNotModified, rec.Code, "body: %s", rec.Body.String())
}
func TestHumaSavedFilter_PATCHMergePatch(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
token := humaTokenFor(t, &testuser1)
// PATCH only the title; AutoPatch must leave the description alone.
rec := humaRequest(t, e, http.MethodPatch, "/api/v2/filters/1",
`{"title":"patched"}`, token, "application/merge-patch+json")
require.Equal(t, http.StatusOK, rec.Code, "body: %s", rec.Body.String())
rec = humaRequest(t, e, http.MethodGet, "/api/v2/filters/1", "", token, "")
require.Equal(t, http.StatusOK, rec.Code, "body: %s", rec.Body.String())
var after struct {
Title string `json:"title"`
}
require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &after))
assert.Equal(t, "patched", after.Title)
}