From ed4ae0cd43f44adca7c6134bf16c4673f6816be5 Mon Sep 17 00:00:00 2001 From: kolaente Date: Sun, 7 Jun 2026 12:09:04 +0200 Subject: [PATCH] feat(api/v2): add saved filter CRUD on /api/v2 --- pkg/routes/api/v2/saved_filters.go | 137 ++++++++++++++++++ pkg/webtests/huma_saved_filter_test.go | 185 +++++++++++++++++++++++++ 2 files changed, 322 insertions(+) create mode 100644 pkg/routes/api/v2/saved_filters.go create mode 100644 pkg/webtests/huma_saved_filter_test.go diff --git a/pkg/routes/api/v2/saved_filters.go b/pkg/routes/api/v2/saved_filters.go new file mode 100644 index 000000000..bc82776f5 --- /dev/null +++ b/pkg/routes/api/v2/saved_filters.go @@ -0,0 +1,137 @@ +// Vikunja is a to-do list application to facilitate your life. +// Copyright 2018-present Vikunja and contributors. All rights reserved. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package apiv2 + +import ( + "context" + "net/http" + + "code.vikunja.io/api/pkg/models" + "code.vikunja.io/api/pkg/web/handler" + + "github.com/danielgtaylor/huma/v2" + "github.com/danielgtaylor/huma/v2/conditional" +) + +// RegisterSavedFilterRoutes wires saved filter CRUD onto the Huma API. +// No list operation, by design — v1 has none either. +func RegisterSavedFilterRoutes(api huma.API) { + tags := []string{"filters"} + + Register(api, huma.Operation{ + OperationID: "filters-read", + Summary: "Get a saved filter", + Description: "Returns a single saved filter. Only the owner may see it. Sends an ETag; pass it as If-None-Match on a later read to get a 304 Not Modified.", + Method: http.MethodGet, + Path: "/filters/{filter}", + Tags: tags, + }, savedFiltersRead) + + Register(api, huma.Operation{ + OperationID: "filters-create", + Summary: "Create a saved filter", + Description: "Creates a saved filter; the authenticated user becomes its owner. The filter query is validated before it is stored.", + Method: http.MethodPost, + Path: "/filters", + Tags: tags, + }, savedFiltersCreate) + + Register(api, huma.Operation{ + OperationID: "filters-update", + Summary: "Update a saved filter", + Description: "Replaces all of a saved filter's fields — only the owner may update it. Use PATCH for a partial update.", + Method: http.MethodPut, + Path: "/filters/{filter}", + Tags: tags, + }, savedFiltersUpdate) + + Register(api, huma.Operation{ + OperationID: "filters-delete", + Summary: "Delete a saved filter", + Description: "Deletes a saved filter. Only the owner may delete it.", + Method: http.MethodDelete, + Path: "/filters/{filter}", + Tags: tags, + }, savedFiltersDelete) +} + +func init() { AddRouteRegistrar(RegisterSavedFilterRoutes) } + +type savedFilterReadBody struct { + models.SavedFilter + MaxPermission models.Permission `json:"max_permission" readOnly:"true" doc:"The maximum permission the requesting user has on this saved filter (0=read, 1=read/write, 2=admin). Filters are owner-only, so this is always 2 for a successful read."` +} + +func savedFiltersRead(ctx context.Context, in *struct { + ID int64 `path:"filter"` + conditional.Params +}) (*singleReadBody[savedFilterReadBody], error) { + a, err := authFromCtx(ctx) + if err != nil { + return nil, err + } + filter := &models.SavedFilter{ID: in.ID} + maxPermission, err := handler.DoReadOne(ctx, filter, a) + if err != nil { + return nil, translateDomainError(err) + } + body := &savedFilterReadBody{SavedFilter: *filter, MaxPermission: models.Permission(maxPermission)} + return conditionalReadResponse(&in.Params, body, filter.Updated, maxPermission) +} + +func savedFiltersCreate(ctx context.Context, in *struct { + Body models.SavedFilter +}) (*singleBody[models.SavedFilter], error) { + a, err := authFromCtx(ctx) + if err != nil { + return nil, err + } + if err := handler.DoCreate(ctx, &in.Body, a); err != nil { + return nil, translateDomainError(err) + } + return &singleBody[models.SavedFilter]{Body: &in.Body}, nil +} + +// Body matches the read shape so AutoPatch's GET→PUT echo of max_permission validates. +func savedFiltersUpdate(ctx context.Context, in *struct { + ID int64 `path:"filter"` + Body savedFilterReadBody +}) (*singleBody[models.SavedFilter], error) { + a, err := authFromCtx(ctx) + if err != nil { + return nil, err + } + filter := &in.Body.SavedFilter + filter.ID = in.ID // URL wins over body + if err := handler.DoUpdate(ctx, filter, a); err != nil { + return nil, translateDomainError(err) + } + return &singleBody[models.SavedFilter]{Body: filter}, nil +} + +func savedFiltersDelete(ctx context.Context, in *struct { + ID int64 `path:"filter"` +}) (*emptyBody, error) { + a, err := authFromCtx(ctx) + if err != nil { + return nil, err + } + if err := handler.DoDelete(ctx, &models.SavedFilter{ID: in.ID}, a); err != nil { + return nil, translateDomainError(err) + } + return &emptyBody{}, nil +} diff --git a/pkg/webtests/huma_saved_filter_test.go b/pkg/webtests/huma_saved_filter_test.go new file mode 100644 index 000000000..acb5f1256 --- /dev/null +++ b/pkg/webtests/huma_saved_filter_test.go @@ -0,0 +1,185 @@ +// Vikunja is a to-do list application to facilitate your life. +// Copyright 2018-present Vikunja and contributors. All rights reserved. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package webtests + +import ( + "encoding/json" + "net/http" + "net/http/httptest" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +// TestHumaSavedFilter ports the owner-only matrix from saved_filters_test.go +// onto the HTTP surface; v1 has no /filters webtest, so this is the only one. +// Fixture: filter #1 is owned by user1 (saved_filters.yml). +func TestHumaSavedFilter(t *testing.T) { + testHandler := webHandlerTestV2{ + user: &testuser1, + basePath: "/api/v2/filters", + idParam: "filter", + t: t, + } + require.NoError(t, testHandler.ensureEnv()) + // Share the one Echo (and its single fixture load) as user2; v2 doesn't + // reload fixtures per request, so Update/Delete of #1 are ordered last. + otherUserHandler := webHandlerTestV2{ + user: &testuser2, + basePath: "/api/v2/filters", + idParam: "filter", + t: t, + e: testHandler.e, + } + + t.Run("ReadOne", func(t *testing.T) { + t.Run("Normal", func(t *testing.T) { + rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"filter": "1"}) + require.NoError(t, err) + assert.Contains(t, rec.Body.String(), `"title":"testfilter1"`) + // Owner-only resource → admin permission for a successful read. + assert.Contains(t, rec.Body.String(), `"max_permission":2`) + assert.NotEmpty(t, rec.Result().Header.Get("ETag")) + }) + t.Run("Nonexisting", func(t *testing.T) { + // canDoFilter loads the filter, so a missing id surfaces 404. + _, err := testHandler.testReadOneWithUser(nil, map[string]string{"filter": "9999"}) + require.Error(t, err) + assert.Equal(t, http.StatusNotFound, getHTTPErrorCode(err)) + }) + t.Run("Forbidden - not owner", func(t *testing.T) { + // #1 is user1's; saved filters are owner-only, so user2 is refused. + _, err := otherUserHandler.testReadOneWithUser(nil, map[string]string{"filter": "1"}) + require.Error(t, err) + assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err)) + }) + }) + + t.Run("Create", func(t *testing.T) { + t.Run("Normal", func(t *testing.T) { + rec, err := testHandler.testCreateWithUser(nil, nil, + `{"title":"Lorem","description":"Ipsum","filters":{"filter":"done = true"}}`) + require.NoError(t, err) + assert.Equal(t, http.StatusCreated, rec.Code) + assert.Contains(t, rec.Body.String(), `"title":"Lorem"`) + assert.Contains(t, rec.Body.String(), `"description":"Ipsum"`) + }) + t.Run("Empty title", func(t *testing.T) { + // 422 (not Huma's schema 400): central govalidator on `valid:"required"`. + _, err := testHandler.testCreateWithUser(nil, nil, + `{"title":"","filters":{"filter":"done = true"}}`) + require.Error(t, err) + assert.Equal(t, http.StatusUnprocessableEntity, getHTTPErrorCode(err)) + }) + t.Run("Invalid filter string", func(t *testing.T) { + // 400 from the model's filter parser, not the 422 validation path. + _, err := testHandler.testCreateWithUser(nil, nil, + `{"title":"BadFilter","filters":{"filter":"foo = bar"}}`) + require.Error(t, err) + assert.Equal(t, http.StatusBadRequest, getHTTPErrorCode(err)) + }) + }) + + t.Run("Update", func(t *testing.T) { + t.Run("Normal", func(t *testing.T) { + rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"filter": "1"}, + `{"title":"NewTitle","filters":{"filter":"done = true"}}`) + require.NoError(t, err) + assert.Contains(t, rec.Body.String(), `"title":"NewTitle"`) + }) + t.Run("Nonexisting", func(t *testing.T) { + _, err := testHandler.testUpdateWithUser(nil, map[string]string{"filter": "9999"}, + `{"title":"NewTitle","filters":{"filter":"done = true"}}`) + require.Error(t, err) + assert.Equal(t, http.StatusNotFound, getHTTPErrorCode(err)) + }) + t.Run("Empty title", func(t *testing.T) { + _, err := testHandler.testUpdateWithUser(nil, map[string]string{"filter": "1"}, + `{"title":"","filters":{"filter":"done = true"}}`) + require.Error(t, err) + assert.Equal(t, http.StatusUnprocessableEntity, getHTTPErrorCode(err)) + }) + t.Run("Forbidden - not owner", func(t *testing.T) { + _, err := otherUserHandler.testUpdateWithUser(nil, map[string]string{"filter": "1"}, + `{"title":"NewTitle","filters":{"filter":"done = true"}}`) + require.Error(t, err) + assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err)) + }) + }) + + // Normal is last: it removes #1, which the negatives above still need. + t.Run("Delete", func(t *testing.T) { + t.Run("Nonexisting", func(t *testing.T) { + _, err := testHandler.testDeleteWithUser(nil, map[string]string{"filter": "9999"}) + require.Error(t, err) + assert.Equal(t, http.StatusNotFound, getHTTPErrorCode(err)) + }) + t.Run("Forbidden - not owner", func(t *testing.T) { + _, err := otherUserHandler.testDeleteWithUser(nil, map[string]string{"filter": "1"}) + require.Error(t, err) + assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err)) + }) + t.Run("Normal", func(t *testing.T) { + rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"filter": "1"}) + require.NoError(t, err) + assert.Equal(t, http.StatusNoContent, rec.Code) + assert.Empty(t, rec.Body.String()) + }) + }) +} + +// v2-only behaviour, no v1 counterpart: ETag/304 and AutoPatch. + +func TestHumaSavedFilter_ETagReturns304(t *testing.T) { + e, err := setupTestEnv() + require.NoError(t, err) + token := humaTokenFor(t, &testuser1) + + rec := humaRequest(t, e, http.MethodGet, "/api/v2/filters/1", "", token, "") + require.Equal(t, http.StatusOK, rec.Code, "body: %s", rec.Body.String()) + etag := rec.Header().Get("ETag") + require.NotEmpty(t, etag, "GET must return an ETag header") + + req := httptest.NewRequest(http.MethodGet, "/api/v2/filters/1", strings.NewReader("")) + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Authorization", "Bearer "+token) + req.Header.Set("If-None-Match", etag) + rec = httptest.NewRecorder() + e.ServeHTTP(rec, req) + require.Equal(t, http.StatusNotModified, rec.Code, "body: %s", rec.Body.String()) +} + +func TestHumaSavedFilter_PATCHMergePatch(t *testing.T) { + e, err := setupTestEnv() + require.NoError(t, err) + token := humaTokenFor(t, &testuser1) + + // PATCH only the title; AutoPatch must leave the description alone. + rec := humaRequest(t, e, http.MethodPatch, "/api/v2/filters/1", + `{"title":"patched"}`, token, "application/merge-patch+json") + require.Equal(t, http.StatusOK, rec.Code, "body: %s", rec.Body.String()) + + rec = humaRequest(t, e, http.MethodGet, "/api/v2/filters/1", "", token, "") + require.Equal(t, http.StatusOK, rec.Code, "body: %s", rec.Body.String()) + var after struct { + Title string `json:"title"` + } + require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &after)) + assert.Equal(t, "patched", after.Title) +}