Commit Graph

72 Commits

Author SHA1 Message Date
kolaente 4b91e5efa1 refactor: rename checkProjectBackgroundWriteRights to checkProjectBackgroundWritePermissions 2026-03-20 11:41:28 +00:00
kolaente f066eb3ea4 fix: require CanUpdate for project background deletion
RemoveProjectBackground previously used checkProjectBackgroundRights
which only checks CanRead, allowing read-only users to delete project
backgrounds. Added checkProjectBackgroundWriteRights that checks
CanUpdate and used it in RemoveProjectBackground.

Ref: GHSA-564f-wx8x-878h
2026-03-20 11:41:28 +00:00
kolaente 0e1f44e57e refactor: replace afero with FileStorage interface
Replace the github.com/spf13/afero dependency with a purpose-built
FileStorage interface (Open, Write, Stat, Remove, MkdirAll) with three
implementations: localStorage (with basePath), s3Storage (with key
prefix), and memStorage (for tests).

Each implementation owns its base path — callers pass only file IDs.
Delete s3fs.go, change File.File from afero.File to io.ReadCloser,
and fix duplication flows to buffer content for seeking.
2026-03-20 10:59:44 +01:00
Weijie Zhao 54d977532e
fix: allow browser caching for file downloads (#2349) 2026-03-04 17:43:03 +01:00
kolaente 2a10b22c5c fix: use session-aware file creation to avoid nested transactions
files.Create() and files.CreateWithMime() internally create their own
sessions and transactions. When called from within an existing
transaction (now that db.NewSession() auto-begins), this creates nested
transactions that deadlock on SQLite.

Switch to files.CreateWithSession() and files.CreateWithMimeAndSession()
to participate in the caller's existing transaction instead.
2026-02-25 11:03:02 +01:00
kolaente 49bba7f830 fix: eliminate nested database sessions to prevent table locks
Refactor functions that created their own sessions when called from
within existing transactions, which caused "database table is locked"
errors in SQLite's shared-cache mode.

Changes:
- Add files.CreateWithSession() to reuse caller's session
- Refactor DeleteBackgroundFileIfExists() to accept session parameter
- Add variadic session parameter to notifications.Notify() and
  Notifiable.ShouldNotify() interface
- Update all Notify callers (~17 sites) to pass their session through
- Use files.CreateWithSession in SaveBackgroundFile and NewAttachment
- Fix test code to commit sessions before assertions
2026-02-25 11:03:02 +01:00
kolaente c9c250fb1c fix: add missing Commit() to write callers
After NewSession() auto-begins a transaction, callers that perform
writes must explicitly call Commit() for changes to persist. Without
this, writes are silently rolled back when Close() is called.

Affected callers:
- user deletion notification cron
- caldav token generation/deletion
- token cleanup cron
- mark-all-notifications-read endpoint
- saved filter view cron
- project background delete
- typesense reindex
- export cleanup cron
- task last-updated listener
- saved filter view listener
- SSO team cleanup cron
- migration status start/finish
- background set/remove handlers
- orphaned task position cleanup
- file creation
2026-02-25 11:03:02 +01:00
kolaente bcfde14b14 fix(backgrounds): stream unsplash download to temp file instead of memory
Use a temp file instead of io.ReadAll to avoid buffering the entire
Unsplash image in RAM, which could cause OOM with large images or
high maxsize configuration.
2026-02-08 15:31:25 +01:00
kolaente 56a0ea44cf fix(backgrounds): avoid integer overflow in max size calculation
Keep maxSize as uint64 and cast safely when comparing with
resp.ContentLength to avoid potential integer overflow.
2026-02-08 15:31:25 +01:00
kolaente 19f6e4b7c9 fix(backgrounds): enforce max file size for unsplash downloads
Check Content-Length and use io.LimitReader to prevent OOM from
unexpectedly large unsplash responses before buffering into memory.
2026-02-08 15:31:25 +01:00
kolaente dbd74491c4 fix(files): update all callers to provide seekable readers for S3 uploads
Update all code paths that pass file content to the storage layer to
provide io.ReadSeeker instead of io.Reader:

- Avatar upload: use bytes.NewReader instead of bytes.Buffer
- Background upload handler: use bytes.NewReader instead of bytes.Buffer
- Unsplash background: buffer response body into bytes.NewReader
- Dump restore: buffer zip entry into bytes.NewReader
- Migration structure: pass bytes.NewReader directly instead of wrapping
  in io.NopCloser
- Task attachment: change NewAttachment parameter from io.ReadCloser to
  io.ReadSeeker
2026-02-08 15:31:25 +01:00
renovate[bot] 9a61453e86
fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131)
Closes https://github.com/go-vikunja/vikunja/pull/2133

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2026-01-24 20:38:32 +01:00
kolaente 731b7c3001
fix: avoid mutating global http.DefaultClient in webhook proxy (#2145)
Fixes a bug where the webhook HTTP client was mutating `http.DefaultClient` (the global singleton), causing ALL HTTP requests in the application to use the webhook proxy. This broke OIDC authentication and other external HTTP calls when webhook proxy was configured.

Fixes #2144
2026-01-24 13:58:47 +01:00
kolaente 39b4568bc5
refactor: centralize HTTP error handling (#2062)
This changes the error handling to a centralized HTTP error handler in `pkg/routes/error_handler.go` that converts all error types to proper HTTP responses. This simplifies the overall error handling because HTTP handlers now only need to return the error instead of calling HandleHTTPError as previously.
It also removes the duplication between handling errors with and without Sentry.

🐰 Hop along, dear errors, no more wrapping today!
We've centralized handlers in a shiny new way,
From scattered to unified, the code flows so clean,
ValidationHTTPError marshals JSON supreme!
Direct propagation hops forward with glee,
A refactor so grand—what a sight to see! 🎉
2026-01-08 10:02:59 +00:00
kolaente a81a3ee0e5
feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kolaente a5591c1603 fix: correctly cache unsplash background
Resolves
https://vikunja.sentry.io/issues/6753151793/events/3d8773d79b9c4da0bf65140e4b7617b4/
2025-07-18 18:38:12 +02:00
kolaente fcdcdcf46a feat: use keyvalue.Remember where it makes sense 2025-07-17 16:19:13 +02:00
kolaente 4da4bf69ca
fix(background): validate unsupported formats and show error message (#1123) 2025-07-15 13:21:48 +02:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
kolaente 68636f27da
fix(files): use absolute path everywhere 2024-09-06 12:59:48 +02:00
kolaente 329de3aab3
chore(web): remove unused echo context 2024-08-29 16:20:39 +02:00
kolaente 2063da9eec
chore(web): move web handler package to Vikunja 2024-08-29 16:15:28 +02:00
kolaente 7a7e97770c
chore(errors): always add internal error to echo error 2024-08-29 15:39:34 +02:00
kolaente 409822442b
fix(backgrounds): return full project after uploading image 2024-04-22 18:33:43 +02:00
kolaente aec60f3591
feat(backgrounds): resize images to a maximum of 4K
Resolves https://kolaente.dev/vikunja/vikunja/issues/1373#issuecomment-43491
2024-04-22 18:29:58 +02:00
kolaente 8bee5aa806
fix(project): return the full project when setting a background
Related to https://kolaente.dev/vikunja/vikunja/issues/2246
2024-04-07 14:53:57 +02:00
kolaente 1ee243f2bd
fix(project background): add more checks for whether a background file exists when duplicating or deleting a project
Related discussion: https://community.vikunja.io/t/500-internal-server-error-when-selecting-unsplash-background-image/778/18
2023-09-13 11:20:59 +02:00
kolaente e518fb1191
chore: remove year from copyright headers
Resolves https://kolaente.dev/vikunja/api/pulls/1483
2023-09-01 08:32:28 +02:00
kolaente 96a0f5e169
feat: rename lists to projects 2023-05-24 15:51:53 +02:00
Dominik Pschenitschni cca430810d fix(image): json type of struct property (#1469)
Co-authored-by: Dominik Pschenitschni <mail@celement.de>
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1469
Reviewed-by: konrad <k@knt.li>
Co-authored-by: Dominik Pschenitschni <dpschen@noreply.kolaente.de>
Co-committed-by: Dominik Pschenitschni <dpschen@noreply.kolaente.de>
2023-04-06 09:53:09 +00:00
kolaente 4d5ad8f50e
chore(deps): update golangci-lint to 1.52.1 2023-03-24 19:17:45 +01:00
kolaente 7a9611c2da
chore: cleanup 2023-03-13 14:28:36 +01:00
kolaente 349e6a5905
feat: rename lists to projects 2023-03-13 14:28:06 +01:00
clos afdceb0aff fix(list): when list background is removed, delete file from file system and DB (#1372)
Co-authored-by: testinho.testador <testinho.testador@noreply.kolaente.de>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1372
Reviewed-by: konrad <k@knt.li>
Co-authored-by: clos <clos@noreply.kolaente.de>
Co-committed-by: clos <clos@noreply.kolaente.de>
2023-02-01 11:38:23 +00:00
clos f660badc3d feat(background): add Last-Modified header (#1376)
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1376
Co-authored-by: clos <clos@noreply.kolaente.de>
Co-committed-by: clos <clos@noreply.kolaente.de>
2023-01-29 22:07:46 +00:00
kolaente 96b5e93379
fix: swagger docs 2022-11-11 15:34:26 +01:00
kolaente 8bf0f8bb57
fix: make sure generating blur hashes for bmp, tiff and webp images works 2022-08-15 23:37:05 +02:00
kolaente de97fcbd12 fix: lint 2022-03-30 16:36:07 +00:00
kolaente d3bdafb717 fix: decoding images for blurHash generation 2022-03-30 16:36:07 +00:00
kolaente 6b51fae093 fix: return BlurHash in unsplash search results 2022-03-30 16:36:07 +00:00
kolaente 7fa0865188 fix: lint 2022-03-30 16:36:07 +00:00
kolaente 6df865876d feat: return BlurHash for unsplash search results 2022-03-30 16:36:07 +00:00
kolaente 2ec7d7a8a8 feat: save BlurHash from unsplash when selecting a photo from unsplash 2022-03-30 16:36:07 +00:00
kolaente f83b09af59 feat: generate a BlurHash when uploading a new image 2022-03-30 16:36:07 +00:00
kolaente 88a2cede19
feat: use wallpaper topic for default unsplash background list 2021-11-14 20:47:15 +01:00
kolaente cf05de19b3
fix: updating a list might remove its background
resolves #1039
2021-11-13 17:52:14 +01:00
kolaente d48aa101cf
Refactor & fix storing struct-values in redis keyvalue 2021-05-28 10:52:51 +02:00
kolaente ee436efba3
Add endpoint to remove a list background 2021-03-21 17:49:14 +01:00
kolaente c4a71016b8
Update copyright year 2021-02-02 20:19:13 +01:00
kolaente 2e88600c93
Change keyvalue.Get to return if a value exists or not instead of an error 2021-01-31 12:32:46 +01:00