Commit Graph

23 Commits

Author SHA1 Message Date
kolaente 70393f38d2
feat: add Atom feed for user notifications with API token auth (#2758) 2026-05-15 17:25:09 +02:00
kolaente 6a0f39b252 fix(security): enforce HTTP method and path in scoped API token matcher
CanDoAPIRoute's non-CRUD fallback branch compared a path-derived
permission name to the token's permission strings without checking
the request method. A token with projects.background (registered for
GET /projects/:project/background) could therefore invoke DELETE on
the same path. The same method-confusion affected the whole
/projects/:project/views/:view/buckets[/:bucket] cluster, where a
token with projects.views_buckets (registered for GET) authorized
PUT, POST, and DELETE on any accessible view's buckets.

The matcher also leaked CRUD permissions between parent and nested
sub-resource groups. When the request targeted a nested CRUD resource
(e.g. projects_teams, projects_shares, projects_users, projects_views,
projects_webhooks, projects_views_tasks, tasks_assignees, tasks_labels,
tasks_comments, tasks_relations, tasks_attachments, teams_members),
the matcher fell back from the specific group to the parent's permission
list but then looked the permission name up inside the sub-resource's
RouteDetail map. The effect was that a token holding only projects.read_all
also authorized GET on every nested projects_* list endpoint, and the
same held for create/update/delete and for the tasks.* family.

Rewrite the matcher to iterate the token's own permissions and accept
only when the stored RouteDetail's (Path, Method) matches the request.
This removes all the path-derived group guessing and makes the stored
detail the single source of truth. Preserve the tasks.read_all quirk
(one permission, two list endpoints) as an explicit two-path allowlist
inside the loop.

Extract a GetAPITokenRoutes accessor so the new property-based webtest
can consume the same snapshot served by GET /api/v1/routes.

Add TestAPITokenMethodMatching in pkg/webtests: using the live echo
router and the live apiTokenRoutes map, it iterates every advertised
permission against every registered route and asserts the matcher
accepts iff the stored (Path, Method) matches. Any future collision
introduced by a new non-CRUD route on a shared path will be caught.

After this change, previously-dead permissions like
projects.background_delete, projects.views_buckets_{put,post,delete},
other.avatar, other.ws and caldav.access start working as their UI
labels imply. Tokens that relied on the over-broad background /
views_buckets grants, or on cross-cluster CRUD bleed-through, will
lose the extra access - that is the fix.

Refs: GHSA-v479-vf79-mg83
2026-04-09 15:17:20 +00:00
kolaente b0b7c52b15 feat: register caldav permission group for API tokens 2026-03-30 12:09:53 +00:00
kolaente e19bea8e3a fix: register bulk label route correctly for API token permissions
The tasks_labels_bulk route was not recognized as a CRUD route by
isStandardCRUDRoute, causing it to be processed as a non-CRUD route
and registered in the wrong apiTokenRoutes group. API tokens with
tasks_labels permissions could not access the bulk endpoint, resulting
in a 401 error.

Fixes https://github.com/go-vikunja/vikunja/issues/2375
2026-03-10 23:58:44 +01:00
renovate[bot] 9a61453e86
fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131)
Closes https://github.com/go-vikunja/vikunja/pull/2133

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2026-01-24 20:38:32 +01:00
kolaente a81a3ee0e5
feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
Dominik Pschenitschni 47538ca810 fix: method name 2025-01-17 13:59:12 +01:00
kolaente abae6f05e0
fix(auth): move read all notifications to notification group
Resolves
https://kolaente.dev/vikunja/vikunja/issues/2977
2025-01-17 12:52:42 +01:00
kolaente 45ec1a4c47
fix(auth): make sure routes from the "other" group work as intended
Resolves
https://kolaente.dev/vikunja/vikunja/issues/2977
2025-01-17 11:06:00 +01:00
kolaente 3e9c41cfc6
fix(api): allow api tokens to retrieve the user who created the token
Resolves https://kolaente.dev/vikunja/vikunja/issues/2644
2024-10-13 16:02:53 +02:00
kolaente 8b028dbc4b
feat(api): add bulk endpoints to api tokens
Previously, the bulk api endpoint were explicitly filtered out. This meant that you couldn't use them with api tokens.
This change adds them to their "parent" token types as another option, allowing users to select and use them when creating api tokens.

Resolves https://community.vikunja.io/t/help-with-bulk-api-complete/2461
2024-06-18 14:33:57 +02:00
kolaente 99a67e09b1
feat(api): all usable routes behind authentication now have permissions
Previously, only routes which were coming from crudable entities could be used with an api token because there was no way to assign permissions to them. This change implements a more flexible structure for api permissions under the hood, allowing to add permissions for these routes and making them usable with an api token.

Resolves https://github.com/go-vikunja/vikunja/issues/266
2024-06-03 21:35:09 +02:00
kolaente 415c6380a5
feat(api tokens): add task attachment to api scopes
This explicitly adds download and upload of task attachments. Because these are not handled with the usual CRUDables, they were not picked up automatically.

Resolves https://github.com/go-vikunja/vikunja/issues/112
2024-02-14 15:00:16 +01:00
kolaente 2c84688a40
fix: lint 2024-01-14 22:23:33 +01:00
kolaente 514ea71d93
fix(api): make sure permission to read all tasks work for reading all tasks per project
Resolves https://github.com/go-vikunja/api/issues/105
2024-01-14 22:17:22 +01:00
kolaente b2866ca3da
feat(api): enable notifications for api token routes 2023-11-07 14:58:46 +01:00
kolaente b8e73f4fa5
fix: lint 2023-09-06 10:52:30 +02:00
kolaente bfb01898c2
fix(api tokens)!: make sure task create routes are available to use with the api
BREAKING CHANGE: The api route to create a new task is now /projects/:project/tasks instead of /projects/:project
2023-09-06 10:33:52 +02:00
kolaente 14c5a8ca5b
fix(api tokens): make sure read one routes show up in routes endpoint 2023-09-01 12:58:29 +02:00
kolaente e3c5a93f4f
chore(api tokens): remove updated date from tokens as it can't be updated anyway 2023-09-01 11:16:36 +02:00
kolaente d9bfcdab8e
feat(api tokens): add tests 2023-09-01 10:19:31 +02:00
kolaente e3dac16398
feat(api tokens): check permissions when saving 2023-09-01 08:52:57 +02:00
Renamed from pkg/routes/api_routes.go (Browse further)