80 Commits

Author SHA1 Message Date
kolaente 8d10e053d4 fix(caldav): store markdown descriptions as HTML, skip spurious updates
Incoming CalDAV descriptions are markdown; convert them back to canonical HTML
(rebuilding mentions) before persisting. Skip the conversion when the markdown
is unchanged from the stored HTML so a passthrough sync doesn't churn the value
or bump the ETag.
2026-06-29 08:12:35 +02:00
kolaente f33cde82e2 feat(audit): attribute failed logins to the originating request
Thread the request context through CheckUserCredentials so the
LoginFailedEvent carries IP, user agent and request id — without it,
failed logins were the one auth event useless for brute-force tracing.
All four callers have the request at hand.
2026-06-12 08:56:08 +00:00
kolaente 9da51f5096 refactor(events): pass context to DispatchPending directly
Every DispatchPending caller either has the request context in scope or
is genuinely request-less, so passing it as a parameter replaces the
stored-context mechanism on the pending queue and satisfies
contextcheck. Also fixes lint findings in the audit package.
2026-06-12 08:56:08 +00:00
Rémi Lapeyre 069685f2a7
fix(caldav): return 404 when trying to access a project that cannot exist with CalDAV (#2796) 2026-05-28 08:14:52 +02:00
kolaente 2e6bcec72a feat(caldav): reject basic auth for bot users 2026-05-01 14:44:10 +00:00
kolaente 879462d717 fix(caldav): enforce URL project match in GetResourcesByList
Multiget REPORT requests would happily return tasks from projects
different from the one in the href, even though GetTasksByUIDs now
filters by access. Drop any returned task whose real project_id does
not match the project ID parsed from the href path segment.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
kolaente 200b787c16 fix(caldav): reject GetResource when URL project mismatches task project
Even with the GetTasksByUIDs authz filter in place, a user with access
to multiple projects could read a task from project B by requesting it
under project A's URL. Enforce that the task's real project_id matches
the project ID parsed from the CalDAV URL path and 404 otherwise.

Adjusts the Delete Subtask test to use the correct URL project for
uid-caldav-test-child-task-2 (which lives in project 38, not 36);
the previous URL only worked because of the authz gap being closed.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
kolaente 9884d933fc refactor: extract shared API token validation into ValidateTokenAndGetOwner 2026-03-30 12:09:53 +00:00
kolaente 6207705928 feat: accept API tokens for CalDAV basic auth 2026-03-30 12:09:53 +00:00
surfingbytes 8e8ffac016
fix(caldav): add tags and sync token to collections (#2482)
Fixes #2401
2026-03-26 10:42:39 +00:00
kolaente 8409bdb120 refactor(user): export IsErrUserStatusError for use across packages
Make isErrUserStatusError public and replace all verbose
!IsErrAccountDisabled(err) && !IsErrAccountLocked(err) checks
with the shorter IsErrUserStatusError(err) call.
2026-03-23 12:06:16 +00:00
kolaente 8b614a4cb3 test: verify disabled user is rejected via CalDAV auth
Also fix BasicAuth to check for status errors from checkUserCaldavTokens
before falling through to password-based auth.
2026-03-23 12:06:16 +00:00
kolaente cdf5d30a42 fix: reject CalDAV basic auth when TOTP is enabled 2026-03-20 12:22:27 +00:00
Henry Cole e7f1e99878
fix(caldav): use /dav/projects/ as home to make iOS/MacOS reminders work (#2417)
Resolves issue #475 by modifying CalDAV discovery so Apple Reminders can
use /dav/projects/ as the home set without exposing that synthetic path
as a real task list, preserving the existing principal-based flow. This
is because Apple Reminders defaults back to the /dav/projects/ URL,
rather than accepting the /dav/principals/username/ URL specified in
Vikunja.

Resolves #475
2026-03-20 09:33:56 +00:00
Tink ada2ebab9e
fix: preserve CalDAV inverse relations when parent has no RELATED-TO (#2389)
- Fixes `removeStaleRelations` in CalDAV storage provider to only remove
relations of kinds explicitly declared in the incoming VTODO's
`RELATED-TO` properties
- When a VTODO has no `RELATED-TO` at all (e.g., a parent task from
Tasks.org), no relations are removed — they were auto-created as
inverses by child tasks
- When a VTODO declares specific relation kinds (e.g.,
`RELATED-TO;RELTYPE=PARENT`), only relations of that kind are checked
for staleness; other kinds (like auto-created `subtask` inverses) are
preserved

Fixes #2383

---------

Co-authored-by: kolaente <k@knt.li>
2026-03-11 09:40:09 +01:00
kolaente 924eef58d1 fix(events): dispatch pending events in CalDAV handlers after commit
CalDAV handlers manage their own database sessions. Now that model
methods use DispatchOnCommit, the CalDAV handlers must call
DispatchPending after commit and CleanupPending on rollback.

Refs #2315
2026-03-03 12:46:34 +01:00
kolaente 39acdac531 fix(caldav): eliminate nested db session in CalDAV auth
checkUserCaldavTokens called user.GetCaldavTokens which creates its own
db.NewSession(), while the caller (BasicAuth) already holds an open
session. With SQLite this caused a deadlock because the second session
blocks on the write lock held by the first session in the same goroutine.

Add GetCaldavTokensWithSession that accepts an existing session and use
it from checkUserCaldavTokens.
2026-03-03 10:41:19 +01:00
kolaente 2f718206f9 fix: add TestMain to caldav tests and fix session conflicts
Add a proper main_test.go for the caldav test package that initializes
the logger, config, test database, and event system. Previously, these
were initialized inline in TestSubTask_Create and TestSubTask_Update
relied on running after it (fragile test ordering).

Fix session handling in TestSubTask_Update: close the read session
before calling UpdateResource (which creates its own internal session)
to avoid SQLite lock conflicts from concurrent transactions.
2026-02-25 11:03:02 +01:00
renovate[bot] 9a61453e86
fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131)
Closes https://github.com/go-vikunja/vikunja/pull/2133

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2026-01-24 20:38:32 +01:00
kolaente da0822c3f4 feat(caldav): add more error logging 2025-12-04 10:54:31 +01:00
kolaente 31c1f98270
fix(caldav): remove METHOD:PUBLISH from caldav exports (#1576) 2025-09-30 18:16:07 +00:00
kolaente a81a3ee0e5
feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
Vlad Yarotsky d4347f00f6
fix(caldav): make CalDAV REPORT request properly respond with VTODO objects (#1116) 2025-07-14 21:57:55 +00:00
Dominik Pschenitschni d48d88d442 fix: comment typo and misspellings 2025-07-02 17:46:21 +02:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
das_j 989a40ad42 fix(caldav): return other status codes than 500 when projects are not found (#3065)
This allows CalDAV clients to behave properly. In particular, DAVx5 will error out on syncing the collections list rather than removing deleted projects from its local cache.

Resolves: https://community.vikunja.io/t/deleting-a-project-breaks-caldav/3315/3
Co-authored-by: Janne Heß <janne@hess.ooo>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/3065
Reviewed-by: konrad <k@knt.li>
Co-authored-by: das_j <das_j@noreply.kolaente.dev>
Co-committed-by: das_j <das_j@noreply.kolaente.dev>
2025-02-06 12:38:27 +00:00
kolaente 7ac2c42e4d
fix(caldav): fetch saved filter
This fixes a bug which caused fetching saved filter and favorite projects to crash, because the respective project ID is not a valid project id without special handling.
2024-12-11 17:05:51 +01:00
kolaente 5abca0927b
fix(caldav): do not crash with error 400 when fetching the list of all projects
Because the "all projects" handler is the same as the one to fetch a single project, the handler would fail because no project was specified. However, it should return an empty project instead so that it later fetches all projects.

Resolves https://community.vikunja.io/t/http-400-when-trying-to-connect-via-caldav/3054
2024-12-11 16:51:30 +01:00
kolaente d081cf80fc
chore(caldav): refactor fetching projects 2024-10-30 08:37:27 +01:00
jd 84dbc5fd84 fix: partial fix to allow list tasks in ios reminders app (#2717)
This PR introduces a partial fix for the CalDAV task listing bug (#753) when handling PROPFIND requests with `Depth: 1`, improving task visibility in the iOS Reminders app.

Notes:
* This might make Thunderbird somewhat usable when interacting with tasks using the `/dav/projects/{id}` URL.
* This does not fully resolve the issue where the Reminders app will only display the last project after some time when adding the URL.

This is my first time working with Golang and CalDAV, so I’d really appreciate any feedback or suggestions on the code structure, style, or any improvements I could make.

Co-authored-by: JD <43763092+jdw1023@users.noreply.github.com>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/2717
Reviewed-by: konrad <k@knt.li>
Co-authored-by: jd <jd@noreply.kolaente.dev>
Co-committed-by: jd <jd@noreply.kolaente.dev>
2024-09-28 09:06:32 +00:00
kolaente 1085a6583b
fix(caldav): reject invalid project id with error 400
Resolves https://vikunja.sentry.io/share/issue/6fc18edefa0e4db3b2e10efe36deeaa4/
2024-09-10 17:32:35 +02:00
kolaente 329de3aab3
chore(web): remove unused echo context 2024-08-29 16:20:39 +02:00
kolaente 2063da9eec
chore(web): move web handler package to Vikunja 2024-08-29 16:15:28 +02:00
kolaente 7a7e97770c
chore(errors): always add internal error to echo error 2024-08-29 15:39:34 +02:00
kolaente e7041f02d0
fix(caldav): do not crash for wrong parameters 2024-06-06 11:05:32 +02:00
kolaente 741370b613
fix(caldav): return more than 1000 tasks
Resolves https://kolaente.dev/vikunja/vikunja/issues/2302
2024-04-25 13:37:04 +02:00
kolaente 574c7f218e
fix(labels): allow link shares to add existing labels to a task
Resolves https://github.com/go-vikunja/vikunja/issues/252
2024-04-21 15:12:27 +02:00
kolaente 7f46914d5e
fix(project): pass user id to error message 2024-01-31 13:50:21 +01:00
kolaente c05f51b923
chore(deps): update golangci-lint rules 2023-12-19 13:34:31 +01:00
Miguel Arroyo 225d65268d feat(caldav): Add support for subtasks (i.e. `RELATED-TO` property) in CalDAV (#1634)
As I mentioned [here](https://kolaente.dev/vikunja/api/pulls/1442#issuecomment-55215), this is mainly a cleanup of @zewaren's original [PR](https://kolaente.dev/vikunja/api/pulls/1442).

It adds support for the `RELATED-TO` property in CalDAV's `VTODO` and the `RELTYPE=PARENT` and `RELTYPE=CHILD` relationships. In other words, it allows for `ParentTask->SubTask` relations to be handled through CalDAV.

In addition to the included tests, this has been tested by both @zewaren & myself with DAVx5 & Tasks (Android) and it's been working great.

Resolves https://kolaente.dev/vikunja/api/issues/1345

Co-authored-by: Miguel A. Arroyo <miguel@codeheads.dev>
Co-authored-by: Erwan Martin <public@fzwte.net>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1634
Reviewed-by: konrad <k@knt.li>
Co-authored-by: Miguel Arroyo <mayanez@noreply.kolaente.de>
Co-committed-by: Miguel Arroyo <mayanez@noreply.kolaente.de>
2023-11-10 22:44:03 +00:00
kolaente 56625b0b90
fix: lint 2023-10-10 20:35:43 +02:00
kolaente c5c74e9537
chore(caldav): improve trimming .ics file ending 2023-09-07 15:52:37 +02:00
kolaente e518fb1191
chore: remove year from copyright headers
Resolves https://kolaente.dev/vikunja/api/pulls/1483
2023-09-01 08:32:28 +02:00
cernst 5961e56d16 fix(caldav): Do not create label if it exists by title (#1444)
Resolves https://kolaente.dev/vikunja/api/issues/1435

Co-authored-by: ce72 <christoph.ernst72@googlemail.com>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1444
Co-authored-by: cernst <ce72@noreply.kolaente.de>
Co-committed-by: cernst <ce72@noreply.kolaente.de>
2023-03-24 18:34:48 +00:00
kolaente 4d5ad8f50e
chore(deps): update golangci-lint to 1.52.1 2023-03-24 19:17:45 +01:00
kolaente 349e6a5905
feat: rename lists to projects 2023-03-13 14:28:06 +01:00
kolaente 077baba2ea
fix: lint 2023-03-05 14:34:34 +01:00
kolaente 066c26f83e
fix(caldav): make sure only labels where the user has permission to use them are used
Follow-up for a62b57ac62
2023-03-05 14:03:09 +01:00
cernst a62b57ac62 feat(caldav): import caldav categories as Labels (#1413)
Resolves #1274

Co-authored-by: ce72 <christoph.ernst72@googlemail.com>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1413
Reviewed-by: konrad <k@knt.li>
Co-authored-by: cernst <ce72@noreply.kolaente.de>
Co-committed-by: cernst <ce72@noreply.kolaente.de>
2023-03-02 15:25:26 +00:00
kolaente 534d04a1db
fix(task): correctly load tasks by id and uuid in caldav
Partially reverts 1afc72e190
2023-03-01 22:18:59 +01:00