The v-if in App.vue switches to the authenticated layout (navbar +
sidebar) as soon as authStore.authUser becomes truthy. But Vue's
reactivity flush runs before the await continuation in submit(), so
the layout swaps while the route is still /login, causing the login
form to flash inside the authenticated shell for ~250ms.
Fix by adding a route check: don't show the authenticated layout while
the current route is an auth page (login, register, password reset,
openid). The NoAuthWrapper stays visible until redirectIfSaved()
navigates away, then the authenticated layout renders cleanly.
When Login.vue re-mounts inside the authenticated layout after a
successful login, its onBeforeMount hook fires again. If it calls
redirectIfSaved(), it clears the saved route from localStorage before
the submit() handler's redirectIfSaved() can use it, causing a redirect
to home instead of the saved route. Use router.push({name: 'home'})
directly since the only purpose here is to redirect already-authenticated
users away from the login page.
When the first regex match is a rejected middle-of-text date, continue
searching for subsequent matches instead of returning null. This fixes
cases like "The 9/11 Report due 10/12" where 9/11 is rejected but
10/12 at the end should still be parsed.
Reworked matchDateAtBoundary() to use a single regex pass instead of
two-pass start/end anchoring. Middle-of-text matches are now accepted
when followed by a time expression (at/@ prefix), so inputs like
"meeting 9/11 at 10:00" still parse correctly while "The 9/11 Report"
is rejected.
Adds user-select, touch-action, and webkit-touch-callout CSS to the list
view's draggable task items, matching what KanbanCard.vue already has.
Without these properties, the browser's native long-press text selection
fires before SortableJS's 1-second touch delay expires, preventing drag
from ever starting on mobile devices.
Ref: https://community.vikunja.io/t/missing-positioning-option-in-list-view/4278
When running Vikunja as a systemd service without HOME set, the AWS SDK's
init() function calls os/user.Current() which uses CGO's getpwuid_r().
This can cause a SIGFPE crash in certain restricted environments.
Adding the osusergo build tag forces Go to use its pure implementation
that parses /etc/passwd directly, avoiding the problematic CGO call.
Fixes#2170
This PR adds support for detecting and handling Linux user namespaces (commonly used in rootless Docker containers) and improves error diagnostics when file storage validation fails.
Docs PR: https://github.com/go-vikunja/website/pull/289
---------
Co-authored-by: Claude <noreply@anthropic.com>
When using local file storage, the doctor command now reports:
- Whether the files directory exists
- Directory permissions (octal mode)
- Directory owner and group with uid/gid (Unix)
- Ownership mismatch warning if Vikunja runs as a different user
- Total number of stored files and their combined size
---------
Co-authored-by: Claude <noreply@anthropic.com>
Use v-show instead of v-if for EditorToolbar and BubbleMenu to avoid
a race condition between Vue's DOM reconciliation and tiptap's internal
DOM manipulation during unmount. This fixes the "Cannot read properties
of null (reading 'insertBefore')" error that occurred when saving a
task description.
Adds regression test to verify the fix.
Upstream issue: https://github.com/ueberdosis/tiptap/issues/7342
Fixes: https://github.com/go-vikunja/vikunja/issues/1770
Adds a pre-submission checklist to both bug report and feature request
templates requiring users to confirm they have searched for existing
issues before opening a new one.
In Echo v5, the 404 error for unmatched routes implements the
HTTPStatusCoder interface but is not a *HTTPError. This caused
the static middleware to fail to catch 404s and serve index.html
for SPA routes, leading to reloading SPA routes returning 404.
Caused by regression introduced in 9a61453e8.
Fixes#2149Fixes#2152
This allows external integrations to link directly to the API token creation page with pre-selected title and permission scopes. URLs can now use `?title=Name&scopes=group:perm,group:perm` format to pre-populate the form.
Example URL:
```
/user/settings/api-tokens?title=My%20Integration&scopes=tasks:create,tasks:delete,projects:read_all
```
Fixes a bug where the webhook HTTP client was mutating `http.DefaultClient` (the global singleton), causing ALL HTTP requests in the application to use the webhook proxy. This broke OIDC authentication and other external HTTP calls when webhook proxy was configured.
Fixes#2144
Adds a `viewFilters` Pinia store that stores query params per view ID to sync Gantt filters to the store whenever they change. This persists the custom date ranges when switching between views.
Fixes#2124
Fixes webhook payloads for deletion events that were previously
containing incomplete or empty entity data. This occurred because
entities were being deleted from the database before the webhook event
was dispatched.
## Changes
This PR implements four targeted fixes to ensure complete entity data in
deletion event webhooks:
### 1. TaskAssignee Deletion (`pkg/models/listeners.go`)
- Extended `reloadEventData()` to fetch full assignee user data by ID
- Webhook payload now includes complete user object (username, email,
timestamps, etc.)
### 2. TaskComment Deletion (`pkg/models/task_comments.go`)
- Modified `Delete()` to call `ReadOne()` before deletion
- Ensures comment text, author, and timestamps are included in webhook
payload
- Follows the same pattern used by `Task.Delete()` and
`TaskAttachment.Delete()`
### 3. TaskAttachment Deletion (`pkg/models/task_attachment.go`)
- Extended `ReadOne()` to fetch the `CreatedBy` user
- Webhook payload now includes file creator information
### 4. TaskRelation Deletion (`pkg/models/task_relation.go`)
- Modified `Delete()` to fetch complete relation including `CreatedBy`
user before deletion
- Webhook payload now includes relation timestamps and creator
information
Fixes#2125