Commit Graph

93 Commits

Author SHA1 Message Date
kolaente 589d2a5556 test: add cross-project task relation fixture for authz test 2026-03-23 16:26:37 +00:00
kolaente d0606eadea fix: check child project's own IsArchived flag in CheckIsArchived
CheckIsArchived() previously skipped checking a child project's own
IsArchived flag when ParentProjectID > 0, immediately recursing to
only check the parent. This allowed write operations on individually
archived child projects whose parent was not archived.

Now the function loads the project from the database first, checks its
own IsArchived flag, and only then recurses to check parent projects.
2026-03-23 14:13:53 +00:00
kolaente 198322c8e1 test: add API token fixture for disabled user 2026-03-23 12:06:16 +00:00
kolaente acafa6db10 fix: update TOTP reuse test to use user10 matching rebased fixture 2026-03-23 10:34:49 +00:00
kolaente de58f630ee test: add TOTP fixture and load it in user test bootstrap
Add a TOTP fixture for user1 with a known secret to enable
testing TOTP validation logic. Update InitTests to load the
totp fixture alongside users and user_tokens.
2026-03-23 10:34:49 +00:00
kolaente 1f2aef776c test: verify CalDAV token auth bypasses TOTP check
Add a CalDAV token fixture (kind=4) for user10 who has TOTP enabled,
and implement the previously-skipped test proving token-based auth
still works when TOTP is active.
2026-03-20 12:22:27 +00:00
kolaente 1ed813caf0 fix: update TOTP fixtures and tests to avoid conflicts with existing enrollment tests
- user10 gets enabled TOTP (for CalDAV 2FA test)
- user1 gets enrolled-but-not-enabled TOTP (for existing QR/settings tests)
- TOTP enrollment test uses user2 (no TOTP fixture) instead of user1
2026-03-20 12:22:27 +00:00
kolaente 659e73af05 fix: use user10 instead of user1 for TOTP fixture to avoid breaking login tests 2026-03-20 12:22:27 +00:00
kolaente 27ef92b9bf test: add TOTP fixture data for user1 2026-03-20 12:22:27 +00:00
kolaente f60f3af70b test: add failing test for project background delete with read-only access
Proves that a user with read-only access to a project can delete its
background image. The test expects a 403 Forbidden but the operation
proceeds because RemoveProjectBackground only checks CanRead.

Adds fixture entry giving user 15 read-only access to project 35
(which has a background_file_id).

Ref: GHSA-564f-wx8x-878h
2026-03-20 11:41:28 +00:00
kolaente 241b0e80b6 test: add tests for disabled user password reset prevention 2026-03-20 11:23:21 +00:00
kolaente d4577c660f feat: add user_id to webhooks and user-directed event infrastructure
Add user_id column to webhooks table (nullable, for user-level webhooks
vs project-level). Extend webhook model, permissions, and listener to
support user-level webhooks that fire for user-directed events like
task reminders and overdue task notifications.

Add TasksOverdueEvent for dispatching overdue notifications via webhooks.
Update webhook permissions to handle both user-level and project-level
ownership. Add webhook test fixture and register webhooks table in test
fixture loader.
2026-03-08 19:45:53 +01:00
kolaente 275f714224 test: add fixture task with compound word for prefix search testing 2026-03-05 13:57:05 +01:00
kolaente 64e455a613 test: add user 11 to external team 14 for discoverability tests 2026-03-04 20:32:11 +01:00
kolaente 9e050fe40e test: add orphaned project fixture for repair-projects command 2026-02-25 11:56:25 +01:00
kolaente b3d0b2f697 feat: add Session model with CRUD, permissions, and cleanup cron
- Session struct with UUID primary key, hashed refresh token, device
  info, IP address, and last-active tracking
- Token generation via generateHashedToken (SHA-256, 128 random bytes)
- CreateSession, GetSessionByRefreshToken, GetSessionByID
- Atomic RotateRefreshToken with WHERE on old hash to prevent replays
- ReadAll scoped to authenticated user (link shares rejected)
- Delete scoped to owning user (link shares rejected)
- Hourly cleanup cron for expired sessions based on is_long_session
- ErrSessionNotFound error type with HTTP 404 mapping
2026-02-25 10:30:25 +01:00
kolaente 6733ac4e22 test: add task #47 with reminders outside window for bug #2245
Add a second reminder to task 2 (in 2019, outside the test window)
and create task #47 with two reminders that straddle the test window
(2018-08-01 and 2019-03-01) but neither falls inside it. This exposes
the multi-row matching bug where separate EXISTS subqueries can match
different rows in the same sub-table.
2026-02-19 12:40:29 +01:00
Biagio00 5b42724205
fix(kanban): repeating tasks dates won't update when moved in done bucket (#1638) 2025-11-14 16:57:53 +00:00
kolaente a81a3ee0e5
feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kolaente 4042f66efa
feat: show user export status in settings (#1200) 2025-07-30 15:50:26 +00:00
kolaente 4faf50a91f
fix(user): ensure deletion tokens can only be used by the user who created them 2025-07-23 11:18:37 +02:00
kolaente 7985a6500a fix: use assertions which are more specific 2025-07-18 23:18:04 +02:00
kolaente a571d42f46 chore: refactor searching for link shares 2025-07-18 23:18:04 +02:00
Dominik Pschenitschni 5b9d4fcc72
chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
kolaente b010e3851c
fix(project): add position in test fixtures 2025-03-20 14:00:18 +01:00
kolaente 7e1aba7606
fix(kanban): correctly set default bucket id when duplicating project
Partially resolves https://community.vikunja.io/t/bugs-around-project-duplication-with-kanban-buckets/3433
2025-03-19 17:28:59 +01:00
kolaente 62beb3db2d feat(auth): rename oidc_id to external_id 2025-03-18 16:36:00 +00:00
kolaente 6673adf0b5
fix(filter): do not show tasks in filter results when they are filtered out by labels
This fixes a bug where tasks which were filtered out by their label would still be shown. That was caused by the way the filter query was translated to sql under the hood.

Resolves https://github.com/go-vikunja/vikunja/issues/394
2025-01-20 14:05:42 +01:00
kolaente a88124cfce
feat: make used bcrypt rounds configurable
This allows to configure the used bcrypt rounds and set it to 4 in tests, greatly speeding up the tests. It's not really required to set this to another value but it might be in the future as computers get faster.
2024-10-13 15:38:04 +02:00
kolaente 06305eb6b3
fix(subscriptions): correctly inherit subscriptions
Resolves https://community.vikunja.io/t/e-mail-notification-twice/2740/20
2024-09-03 22:04:11 +02:00
kolaente fa6546b6b2
feat(tasks): add tests for moving a task out of the done bucket 2024-06-18 13:40:41 +02:00
kolaente 9075a45cb8
fix(views): update test fixtures for new structure 2024-03-19 00:47:51 +01:00
kolaente a5c51d4b1e feat: emoji reactions for tasks and comments (#2196)
This PR adds reactions for tasks and comments, similar to what you can do on Gitea, GitHub, Slack and plenty of other tools.

Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/2196
Co-authored-by: kolaente <k@knt.li>
Co-committed-by: kolaente <k@knt.li>
2024-03-12 19:25:58 +00:00
waza-ari ffa82556e0 feat(teams): add public flags to teams to allow easier sharing with other teams (#2179)
Resolves #2173
Co-authored-by: Daniel Herrmann <daniel.herrmann1@gmail.com>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/2179
Reviewed-by: konrad <k@knt.li>
Co-authored-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>
Co-committed-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>
2024-03-10 14:04:32 +00:00
kolaente 9624cc9e97
fix(filter): translate all tests 2024-03-09 19:06:35 +01:00
waza-ari a3154e805c fix(auth): use (issuer, name) to check for uniqueness of oidc teams (#2152)
The change introduced in #2150 introduces a bug where a Team would be re-created every time a user logs in, as the check if a team already exists was based on both the unique `oidcID` and the `name`. This PR proposes to only base the check on the ID, as this should be unique.

Co-authored-by: Daniel Herrmann <daniel.herrmann1@gmail.com>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/2152
Reviewed-by: konrad <k@knt.li>
Co-authored-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>
Co-committed-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>
2024-03-04 20:26:45 +00:00
kolaente ac8751e1be
fix(task): move done tasks to the done bucket when they are moved between projects and the new project has a done bucket 2024-03-03 18:13:47 +01:00
viehlieb ed4da96ab1 feat: assign users to teams via OIDC claims (#1393)
This change adds the ability to sync teams via a custom openid claim. Vikunja will automatically create and delete teams as necessary, it will also add and remove users when they log in. These teams are fully managed by Vikunja and cannot be updated by a user.

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/1393
Resolves https://kolaente.dev/vikunja/vikunja/issues/1279
Resolves https://github.com/go-vikunja/vikunja/issues/42
Resolves https://kolaente.dev/vikunja/vikunja/issues/950
Co-authored-by: viehlieb <pf@pragma-shift.net>
Co-committed-by: viehlieb <pf@pragma-shift.net>
2024-03-02 08:47:10 +00:00
kolaente 6b1e67485b
feat: fetch all projects with a recursive cte instead of recursive query
This change modifies the fetching of all projects to use a recursive common table expression instead of recursively calling the method.
2024-02-28 13:42:45 +01:00
Miguel Arroyo 225d65268d feat(caldav): Add support for subtasks (i.e. `RELATED-TO` property) in CalDAV (#1634)
As I mentioned [here](https://kolaente.dev/vikunja/api/pulls/1442#issuecomment-55215), this is mainly a cleanup of @zewaren 's original [PR](https://kolaente.dev/vikunja/api/pulls/1442).

It adds support for the `RELATED-TO` property in CalDAV's `VTODO` and the `RELTYPE=PARENT` and `RELTYPE=CHILD` relationships. In other words, it allows for `ParentTask->SubTask` relations to be handled supported through CalDAV.

In addition to the included tests, this has been tested by both @zewaren & myself with DAVx5 & Tasks (Android) and it's been working great.

Resolves https://kolaente.dev/vikunja/api/issues/1345

Co-authored-by: Miguel A. Arroyo <miguel@codeheads.dev>
Co-authored-by: Erwan Martin <public@fzwte.net>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1634
Reviewed-by: konrad <k@knt.li>
Co-authored-by: Miguel Arroyo <mayanez@noreply.kolaente.de>
Co-committed-by: Miguel Arroyo <mayanez@noreply.kolaente.de>
2023-11-10 22:44:03 +00:00
kolaente 60bd5c8a79
feat: make default bucket configurable 2023-09-03 15:17:17 +02:00
kolaente bbbb45d224
feat: move done bucket setting to project 2023-09-03 15:01:35 +02:00
kolaente e3c5a93f4f
chore(api tokens): remove updated date from tokens as it can't be updated anyway 2023-09-01 11:16:36 +02:00
kolaente d9bfcdab8e
feat(api tokens): add tests 2023-09-01 10:19:31 +02:00
kolaente acb03c430e
fix(user): allow deleting a user if they have a default project
Resolves https://github.com/go-vikunja/api/issues/78
2023-08-23 16:10:51 +02:00
kolaente ef94e0cf86
feat(projects): don't allow deleting or archiving the default project 2023-06-07 21:29:46 +02:00
kolaente 4b00f224d9
fix: reminder fixture 2023-05-24 15:52:33 +02:00
kolaente 353279cbff
fix: fetch all tasks for all projects 2023-05-24 15:52:33 +02:00
kolaente 746ac1098f
fix(test): adjust fixture bucket and list ids 2023-05-24 15:52:32 +02:00
kolaente 3b00a5c200
fix(test): fixtures 2023-05-24 15:52:32 +02:00