Commit Graph

38 Commits

Author SHA1 Message Date
kolaente 3b7996feef test(project): pin archived propagation aggregation in ReadAll CTE
Regression test for #2589. Locks the contract that getAllProjectsForUser
exposes inherited is_archived for child projects of archived parents and
filters them out when getArchived=false, exercising both the MAX(...)
column expression and the HAVING MAX(...) = 0 filter.
2026-04-11 17:20:53 +00:00
kolaente c03d682f48 test(project): fix ParadeDB search expectation for fixture child
The TestProject_ReadAll/search case on the ParadeDB path was still
expecting 6 results, but adding fixture project 43 (child of project
10) means the recursive CTE now pulls it in as a descendant whenever
the fuzzy search matches project 10. The non-ParadeDB branch was
already updated to account for this (+1, asserting project 43 is in
the result); the ParadeDB branch was missed.

CI was failing with "should have 6 item(s), but has 7" on the
test-api (paradedb, feature) job. Bump the expected length to 7 and
add the matching Contains assertion for project 43.

No fixture or production-code changes.
2026-04-09 16:47:35 +00:00
kolaente 75e1f72c6e fix(security): move reparent Admin gate into UpdateProject
GHSA-2vq4-854f-5c72 / CVE-2026-35595: the recursive permission CTE
cascades Admin from any owned ancestor, so a user with Write on a
shared project could reparent it under an attacker-owned root and
resolve as Admin on the moved project via the new parent.

Require Admin on both the moved project and the new parent whenever
parent_project_id is set to a non-zero value that differs from the
stored value. The gate lives in UpdateProject rather than CanUpdate
because CanUpdate is reused by permission-check-only callers
(buckets, webhooks, task ops) that pass stub &Project{ID:...} values
with ParentProjectID=0 and never commit a reparent — gating there
would spuriously trip the check for every such call.

Only non-zero ParentProjectID is gated: the generic update handler
binds a fresh struct, so an omitted parent_project_id is
indistinguishable from an explicit 0. Detach-to-root via the generic
endpoint is therefore out of scope for this fix and is tracked as a
follow-up (needs a pointer field to disambiguate).
2026-04-09 16:47:35 +00:00
kolaente b6dc0096af test(project): add regression tests for reparent privilege escalation
Covers GHSA-2vq4-854f-5c72 / CVE-2026-35595: attackers with direct or
inherited Write on a project must not be able to reparent it under their
own tree nor detach it to root. Also pins the legitimate rename-with-Write
and owner-detach flows so the upcoming fix does not regress them.
2026-04-09 16:47:35 +00:00
kolaente a3059ba470 test(fixtures): add child project for reparent escalation tests
Adds project 43 as a child of project 10 so tests can exercise the
"inherited Write via parent" path exploited by GHSA-2vq4-854f-5c72.
User 1 has Write on project 10 via users_projects id=4 and therefore
inherits Write on this child via the permission CTE.
2026-04-09 16:47:35 +00:00
kolaente ac76bce5cd fix: use recursive CTE in accessibleProjectIDsSubquery for inherited project permissions
Resolves #2490. Users with team access on a parent project were not seeing
subtask relations for tasks in child projects because getUserProjectsStatement
does not walk the project hierarchy. The fix wraps the base query in a
recursive CTE that traverses child projects via parent_project_id.
2026-04-05 12:20:35 +00:00
kolaente 13be01de9f test: update expected results for archived project propagation
Adjust test assertions to reflect that projects inheriting archived
state from parents are now correctly filtered out of ReadAll results,
task collections, and search results across all database backends.
2026-03-25 09:06:33 +00:00
kolaente d0606eadea fix: check child project's own IsArchived flag in CheckIsArchived
CheckIsArchived() previously skipped checking a child project's own
IsArchived flag when ParentProjectID > 0, immediately recursing to
only check the parent. This allowed write operations on individually
archived child projects whose parent was not archived.

Now the function loads the project from the database first, checks its
own IsArchived flag, and only then recurses to check parent projects.
2026-03-23 14:13:53 +00:00
kolaente c7c63e8ead test: add result count assertions for ParadeDB search tests
Address review feedback: assert exact result counts when ParadeDB is
active. fuzzy(1, prefix=true) broadens matches via edit distance,
returning 6 projects for "TEST10", 14 tasks for "number #17", and
12 projects for "Test1".
2026-03-05 13:57:05 +01:00
kolaente b69705e64b test: fix lint and adjust project search test for ParadeDB fuzzy matching
- Use require.NotEmpty instead of require.Greater for testifylint
- Skip exclusion assertions in web project search test when ParadeDB is
  active, since fuzzy(1, prefix=true) on "Test1" also matches Test2, Test3
2026-03-05 13:57:05 +01:00
kolaente 6268c48f15 test: adjust ParadeDB search tests for fuzzy prefix match broadening
ParadeDB fuzzy(1, prefix=true) returns more results than ILIKE due to
edit-distance tolerance on tokenized terms. Adjust assertions to check
containment rather than exact result sets when ParadeDB is active.
2026-03-05 13:57:05 +01:00
kolaente a7086e5e49 fix: prevent session leaks and visibility issues in model tests
Two categories of fixes:

1. Use defer s.Close() instead of explicit s.Close() to prevent session
   leaks when require.FailNow() triggers runtime.Goexit(), which skips
   explicit close calls but runs deferred functions. Leaked sessions
   hold SQLite write locks that block all subsequent fixture loading.

2. Add s.Commit() before db.AssertExists/db.AssertMissing calls. These
   assertion helpers query via the global engine (not the test session),
   so they cannot see uncommitted data from the session's transaction.

For block-scoped sessions (kanban_task_bucket_test.go), wrap each block
in an anonymous function so defer runs at block boundary rather than
deferring to the enclosing test function.
2026-02-25 11:03:02 +01:00
kolaente 23176bb8e1 test: add regression test for atomic parent project deletion
Verify that deleting a parent project atomically deletes all child
projects, including archived children and deeply nested hierarchies.
Also add missing defer s.Close() to existing delete test cases.
2026-02-25 11:03:02 +01:00
kolaente 49bba7f830 fix: eliminate nested database sessions to prevent table locks
Refactor functions that created their own sessions when called from
within existing transactions, which caused "database table is locked"
errors in SQLite's shared-cache mode.

Changes:
- Add files.CreateWithSession() to reuse caller's session
- Refactor DeleteBackgroundFileIfExists() to accept session parameter
- Add variadic session parameter to notifications.Notify() and
  Notifiable.ShouldNotify() interface
- Update all Notify callers (~17 sites) to pass their session through
- Use files.CreateWithSession in SaveBackgroundFile and NewAttachment
- Fix test code to commit sessions before assertions
2026-02-25 11:03:02 +01:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
kolaente 9f30a099ee
fix(projects): (un-)archive child projects when archiving parent (#775) 2025-05-15 14:31:56 +00:00
kolaente 4d41a1bd9b
feat(kanban): create To-Do, Doing, Done buckets when creating a new kanban view 2025-03-21 19:16:52 +01:00
kolaente 760f6d6800
fix(projects): adjust test assumptions
This adjusts the test for the changes made in f6bfe2f13c
2025-01-21 12:43:01 +01:00
kolaente fee75e55a3
fix(views): stable assertion for bucket in tests 2024-03-19 17:27:03 +01:00
kolaente 409f9a0cc6
fix(views): test assertions 2024-03-19 00:47:51 +01:00
renovate d7fdefcead chore(deps): update golangci/golangci-lint docker tag to v1.56.2 (#2099)
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/2099
Co-authored-by: renovate <renovatebot@kolaente.de>
Co-committed-by: renovate <renovatebot@kolaente.de>
2024-03-10 13:47:19 +00:00
kolaente 6b1e67485b
feat: fetch all projects with a recursive cte instead of recursive query
This change modifies the fetching of all projects to use a recursive common table expression instead of recursively calling the method.
2024-02-28 13:42:45 +01:00
kolaente c05f51b923
chore(deps): update golangci-lint rules 2023-12-19 13:34:31 +01:00
kolaente bbc8da1e80
fix(tests): pass the map 2023-11-20 12:22:44 +01:00
kolaente b9a54b019d
fix(tests): remove duplicate projects from assertions 2023-11-15 13:17:04 +01:00
kolaente f5ac3abb2a
chore(test): add task deleted assertion to project deletion test 2023-10-03 15:52:38 +02:00
kolaente addcbdd8ca
fix(test): don't check for error 2023-09-13 12:52:42 +02:00
kolaente e518fb1191
chore: remove year from copyright headers
Resolves https://kolaente.dev/vikunja/api/pulls/1483
2023-09-01 08:32:28 +02:00
kolaente 5e8084c194
fix(project): duplicating a project should not create two backlog buckets
Resolves https://community.vikunja.io/t/when-duplicating-a-project-the-resulting-project-has-an-extra-bucket/1524
2023-08-23 16:19:42 +02:00
kolaente 117c569721
fix(projects): return subprojects which were shared from another user 2023-07-03 11:45:29 +02:00
kolaente ef94e0cf86
feat(projects): don't allow deleting or archiving the default project 2023-06-07 21:29:46 +02:00
kolaente 7b7a914560
fix(test): use correct filter id 2023-06-07 20:30:28 +02:00
kolaente db3c7aa8b0
fix: make sure projects are correctly sorted 2023-05-24 15:52:33 +02:00
kolaente d7396fac57
fix(test): adjust fixture id 2023-05-24 15:52:32 +02:00
kolaente 5e6bff20f8
fix(tests): task permissions from parents 2023-05-24 15:51:56 +02:00
kolaente 0cd633981a
fix(project): recursively get all users from all parent projects 2023-05-24 15:51:56 +02:00
kolaente afe756e4c1
fix(tests): make the tests compile again 2023-05-24 15:51:55 +02:00
WofWca 6aadaaaffc chore: rename files (fix typo) 2023-03-21 19:02:05 +00:00
Renamed from pkg/models/prject_test.go (Browse further)