Commit Graph

15 Commits

Author SHA1 Message Date
Rémi Lapeyre 069685f2a7
fix(caldav): return 404 when trying to access a project that cannot exist with CalDAV (#2796) 2026-05-28 08:14:52 +02:00
kolaente 879462d717 fix(caldav): enforce URL project match in GetResourcesByList
Multiget REPORT requests would happily return tasks from projects
different from the one in the href, even though GetTasksByUIDs now
filters by access. Drop any returned task whose real project_id does
not match the project ID parsed from the href path segment.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
kolaente 200b787c16 fix(caldav): reject GetResource when URL project mismatches task project
Even with the GetTasksByUIDs authz filter in place, a user with access
to multiple projects could read a task from project B by requesting it
under project A's URL. Enforce that the task's real project_id matches
the project ID parsed from the CalDAV URL path and 404 otherwise.

Adjusts the Delete Subtask test to use the correct URL project for
uid-caldav-test-child-task-2 (which lives in project 38, not 36);
the previous URL only worked because of the authz gap being closed.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
kolaente 194bec8b9f test: add integration tests for CalDAV API token auth 2026-03-30 12:09:53 +00:00
surfingbytes 8e8ffac016
fix(caldav): add tags and sync token to collections (#2482)
Fixes #2401
2026-03-26 10:42:39 +00:00
kolaente 0b04768d83 test(auth): add comprehensive disabled/locked user auth tests
Add locked user fixture (user18, status=3) and test that both disabled
and locked users are rejected across all auth paths: API tokens,
CalDAV basic auth, CheckUserCredentials.

Ref: GHSA-94xm-jj8x-3cr4
2026-03-23 16:37:26 +00:00
kolaente 8b614a4cb3 test: verify disabled user is rejected via CalDAV auth
Also fix BasicAuth to check for status errors from checkUserCaldavTokens
before falling through to password-based auth.
2026-03-23 12:06:16 +00:00
kolaente 1f2aef776c test: verify CalDAV token auth bypasses TOTP check
Add a CalDAV token fixture (kind=4) for user10 who has TOTP enabled,
and implement the previously-skipped test proving token-based auth
still works when TOTP is active.
2026-03-20 12:22:27 +00:00
kolaente 659e73af05 fix: use user10 instead of user1 for TOTP fixture to avoid breaking login tests 2026-03-20 12:22:27 +00:00
kolaente bda16e770f test: add failing test for CalDAV 2FA bypass via basic auth 2026-03-20 12:22:27 +00:00
Henry Cole e7f1e99878
fix(caldav): use /dav/projects/ as home to make iOS/MacOS reminders work (#2417)
Resolves issue #475 by modifying CalDAV discovery so Apple Reminders can
use /dav/projects/ as the home set without exposing that synthetic path
as a real task list, preserving the existing principal-based flow. This
is because Apple Reminders defaults back to the /dav/projects/ URL,
rather than accepting the /dav/principals/username/ URL specified in
Vikunja.

Resolves #475
2026-03-20 09:33:56 +00:00
Tink ada2ebab9e
fix: preserve CalDAV inverse relations when parent has no RELATED-TO (#2389)
- Fixes `removeStaleRelations` in CalDAV storage provider to only remove
relations of kinds explicitly declared in the incoming VTODO's
`RELATED-TO` properties
- When a VTODO has no `RELATED-TO` at all (e.g., a parent task from
Tasks.org), no relations are removed — they were auto-created as
inverses by child tasks
- When a VTODO declares specific relation kinds (e.g.,
`RELATED-TO;RELTYPE=PARENT`), only relations of that kind are checked
for staleness; other kinds (like auto-created `subtask` inverses) are
preserved

Fixes #2383

---------

Co-authored-by: kolaente <k@knt.li>
2026-03-11 09:40:09 +01:00
kolaente 31c1f98270
fix(caldav): remove METHOD:PUBLISH from caldav exports (#1576) 2025-09-30 18:16:07 +00:00
Vlad Yarotsky d4347f00f6
fix(caldav): make CalDAV REPORT request properly respond with VTODO objects (#1116) 2025-07-14 21:57:55 +00:00
kolaente 6671ce38a8
chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
Renamed from pkg/integrations/caldav_test.go (Browse further)