Commit Graph

13871 Commits

Author SHA1 Message Date
renovate[bot] 7caaa9a16a chore(deps): update dev-dependencies 2026-05-15 10:28:16 +00:00
Tink bot 2ad7efb669 fix(kanban): prevent task taps from leaking through the sticky add-task footer on touch devices
The sticky bucket footer had no z-index, so the absolutely positioned
`.handle` overlays on each task (z-index: 1, used to capture taps on
touch devices) stacked above the Add Task button. Tapping the button
where a task scrolled behind it would open that task instead of opening
the new-task input.
2026-05-15 10:27:38 +00:00
renovate[bot] 57a0b8fee4 chore(deps): update dev-dependencies to v4.3.0 2026-05-11 21:21:39 +00:00
Tink bot f495a792b2 feat(frontend): apply quick add magic when creating related tasks
Route the create flow through taskStore.createNewTask so titles typed
into the related-task input get parsed for labels, priority, assignees,
due dates and cross-project targets - matching the main add-task input.
Also surface the quick-add-magic hint next to the field.
2026-05-11 21:21:11 +00:00
renovate[bot] 572edd431d chore(deps): update dev-dependencies 2026-05-11 06:05:06 +00:00
Frederick [Bot] c19b310b22 chore(i18n): update translations via Crowdin 2026-05-08 02:05:11 +00:00
Tink bot aa1956e1aa fix(oauth2server): accept all loopback redirect forms
Hardcoding the three exact strings localhost / 127.0.0.1 / ::1 rejected
legitimate loopback redirects like 127.0.0.2:1234 (anywhere in 127.0.0.0/8)
or [0:0:0:0:0:0:0:1]:1234 (expanded IPv6 loopback). Use net.IP.IsLoopback()
to cover the full loopback ranges, and match "localhost" case-insensitively.
0.0.0.0 stays rejected as it is not a loopback address.

https://claude.ai/code/session_01LsTDrCJ7trE6WQ4FYf78UB
2026-05-07 22:03:49 +00:00
Tink bot c6bda7a2dd feat(oauth2server): accept loopback redirect URIs
Previously the OAuth server rejected every redirect_uri that did not start
with a vikunja- custom scheme. Native apps that cannot register a custom
scheme (e.g. CLIs, desktop tools) need loopback redirects per RFC 8252, so
also allow http://localhost, http://127.0.0.1 and http://[::1] (any port).
Non-loopback http:// and https:// targets remain rejected.

https://claude.ai/code/session_01LsTDrCJ7trE6WQ4FYf78UB
2026-05-07 22:03:49 +00:00
renovate[bot] 812fa11b9b chore(deps): update dependency vite to v7.3.3 2026-05-07 07:38:48 +00:00
MidoriKurage beaf4e9e65 fix(static): Correct the API_URL value to replace in index.html 2026-05-06 16:31:48 +00:00
kolaente 7800102f93
fix(models): allow user-delete cascade to complete for disabled creators
TaskAttachment.ReadOne now swallows ErrAccountDisabled/ErrAccountLocked
from the creator lookup, matching the existing ErrUserDoesNotExist
swallow. Without this, deleting a disabled user that owned a project
with task attachments would fail when the cascade re-loaded the
attachment to delete it.
2026-05-06 16:08:16 +02:00
dependabot[bot] fc9a9a6c71 chore(deps): bump axios from 1.15.0 to 1.15.2 in /frontend
Bumps [axios](https://github.com/axios/axios) from 1.15.0 to 1.15.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.15.0...v1.15.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-06 12:37:48 +00:00
renovate[bot] 4754230ef0 chore(deps): update dev-dependencies 2026-05-06 12:37:26 +00:00
kolaente 3d594db725 fix(frontend): scope checkbox hit-area pseudo to the task row
The pseudo-element that extends the checkbox hit target also covered
label text content, which broke Playwright actionability checks for
clicks on text inside wider FancyCheckbox labels (e.g. the "Show
Archived" toggle on the projects list page).

Move the rule out of BaseCheckbox and into SingleTaskInProject's deep
override, where the label slot is already hidden via display: none, so
no neighboring content can be intercepted.
2026-05-05 15:42:10 +00:00
kolaente 9bea92bb6f fix(frontend): skip task detail on label and checkbox clicks
Defense in depth for the list-view row click handler: a click that
lands on a label or checkbox input no longer bubbles up to open the
task detail.
2026-05-05 15:42:10 +00:00
kolaente 1ea5675e1b fix(frontend): extend checkbox hit target to 44x44
A pseudo-element on the label provides a 44x44 minimum hit area
centered on the visible icon. Visible size and surrounding layout
are unchanged. Addresses misclicks on the task list view checkbox
where ~50% of taps would open the task detail instead of toggling
done.
2026-05-05 15:42:10 +00:00
kolaente 469ee8f364 fix(frontend): respect user's 12h/24h time format in date pickers
The flatpickr time inputs hardcoded `time_24hr: true`, so users who
selected the 12-hour format in their settings still got a 24-hour
picker — even though the displayed dates respected the preference.

Bind `time_24hr` to the existing `useTimeFormat` composable in:
- DatepickerInline (start/end/due dates and absolute reminders)
- DeferTask (defer due date)
- ApiTokenForm (API token expiry)

Reported at https://community.vikunja.io/t/4492.
2026-05-05 14:47:24 +00:00
kolaente 926e163089 chore(deps): bump workbox-precaching to 7.4.1 to match workbox-cli 2026-05-05 08:31:42 +00:00
renovate[bot] 7ed0e3ecd6 chore(deps): update dev-dependencies 2026-05-05 08:31:42 +00:00
Frederick [Bot] 65a6fc7b4b chore(i18n): update translations via Crowdin 2026-05-05 01:57:03 +00:00
kolaente 459dbe71ca
Improve modal responsive sizing with inline-size constraints (#2716) 2026-05-04 15:33:59 +02:00
Frederick [Bot] 6a604dd949 [skip ci] Updated swagger docs 2026-05-04 11:19:21 +00:00
renovate[bot] 55e96018f3 chore(deps): update dev-dependencies 2026-05-04 10:55:46 +00:00
Claude d9a5958bb8 feat: always enable bot users
Removes the `service.enablebotusers` config flag, the matching
`bot_users_enabled` field on /info, and the now-unused
`ErrBotUsersDisabled` error. Bot user routes and the frontend
settings tab are now always available.

https://claude.ai/code/session_01VhAR6xnoCdG1fpX52bzaCC
2026-05-04 10:38:53 +00:00
renovate[bot] 0f1bf6fab2 chore(deps): update dev-dependencies 2026-05-04 10:21:25 +00:00
Frederick [Bot] 935c950942 chore(i18n): update translations via Crowdin 2026-05-04 01:56:28 +00:00
Frederick [Bot] 0adf85dc2d [skip ci] Updated swagger docs 2026-05-01 15:01:51 +00:00
kolaente 22d82e292b feat(user): always include own bots in user search
User search previously filtered bots only when they happened to match the
search string. That produced two bad behaviours:

1. Bots owned by other users could surface on an exact-username match,
   leaking them into assignee pickers and similar UI.
2. A user could not reliably find their own bots by typing a partial
   name, so bots became awkward to assign to tasks.

Change ListUsers to treat bot ownership explicitly: the existing match
branch excludes rows owned by someone else, and a second branch always
returns bots owned by the calling user. The own-bots branch also
respects any AdditionalCond passed in so project-scoped listings don't
start leaking bots from outside the project.
2026-05-01 14:44:10 +00:00
kolaente 999e28435e feat(avatar): use distinct marble palette for bot users
Bot users now render with a cool-toned (blue/cyan/violet/teal/indigo)
marble variant so they're visually distinguishable from human users.
Marble's rendering logic is parameterized with a palette; the route
forces the bot palette whenever the resolved user is a bot, overriding
whatever avatar provider they'd otherwise inherit.
2026-05-01 14:44:10 +00:00
kolaente d467a06e72 feat(frontend): add bot settings page and services 2026-05-01 14:44:10 +00:00
kolaente c4e5f55b6d feat(frontend): add bot user model support and badge 2026-05-01 14:44:10 +00:00
kolaente 05acc2b660 feat(api): bot token support via /tokens CRUD and bot_users_enabled flag 2026-05-01 14:44:10 +00:00
kolaente 3415981d1c feat(models): add BotUser CRUD wrapper 2026-05-01 14:44:10 +00:00
kolaente 74af7af2e3 refactor(api_tokens): preserve pre-set OwnerID in Create 2026-05-01 14:44:10 +00:00
kolaente 2e6bcec72a feat(caldav): reject basic auth for bot users 2026-05-01 14:44:10 +00:00
kolaente 8d3ac47605 feat(auth): reject password login for bot users 2026-05-01 14:44:10 +00:00
kolaente 1637ecd0c7 feat(user): add CreateBotUser 2026-05-01 14:44:10 +00:00
kolaente 506bfa2549 feat(user): reserve bot- username prefix for regular signup 2026-05-01 14:44:10 +00:00
kolaente a262c6a848 feat(user): add bot-related error types 2026-05-01 14:44:10 +00:00
kolaente c239834070 feat(migration): add bot_owner_id column to users 2026-05-01 14:44:10 +00:00
kolaente 83c5190c9b feat(user): add BotOwnerID field and IsBot helper 2026-05-01 14:44:10 +00:00
kolaente 4c3f0231e9 feat(config): add service.enablebotusers flag 2026-05-01 14:44:10 +00:00
kolaente 3d75ca049b
fix(auth): don't panic on /token/test with API token
The JWT skipper bypassed validation entirely for /token/test when the
bearer was an API token, leaving "user" unset in the context. CheckToken
then type-asserted it to *jwt.Token and panicked.

Validate the API token in the skipper but skip the route permission
check (since /token/test is not exposed in the API token route registry,
no token can hold explicit permission for it). Drop the now-redundant
JWT assertion in CheckToken — auth has already passed by the time the
handler runs.
2026-05-01 11:13:12 +02:00
Claude 01fff665c6 fix(frontend): focus quick actions input after modal opens
The Modal mounts the <dialog> via v-if and calls showModal() in a
follow-up flush, so v-focus runs while the dialog is still closed and
its focus() call is dropped. The existing rAF retry was gated on
quick-add mode, leaving Ctrl+K in the regular app with no focused
input. Run the retry whenever the quick actions become active and keep
the command pre-selection scoped to quick-add mode.
2026-04-30 14:06:07 +00:00
kolaente 12f07529e5
chore: update stale workflow 2026-04-29 09:10:09 +02:00
Frederick [Bot] 304ff5a4aa chore(i18n): update translations via Crowdin 2026-04-29 02:01:56 +00:00
Timh e97b629d6c feat: support filter_include_nulls in project view configuration 2026-04-28 14:16:51 +00:00
kolaente 9852aff4ee fix(frontend): add postcss-html as explicit devDependency
Stylelint 17.9.0 resolves customSyntax modules relative to the
stylelint package, so the transitive postcss-html pulled in via
stylelint-config-recommended-vue is no longer reachable and lint
fails with "Could not find postcss-html".
2026-04-27 09:22:01 +00:00
renovate[bot] 519b65b96e chore(deps): update dev-dependencies 2026-04-27 09:22:01 +00:00
dependabot[bot] ff2bab3d1f chore(deps): bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0
Bumps [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.41.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.40.0...v1.41.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel
  dependency-version: 1.41.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-27 09:06:51 +00:00