vikunja/pkg/user
kolaente cae89caef2 feat(api/v2): add bot user CRUD on /api/v2
Port the BotUser resource from /api/v1's /user/bots routes to the
Huma-backed /api/v2, preserving every v1 behavior:

- Full CRUD at /user/bots and /user/bots/{bot} with v2 verbs (POST
  creates, PUT updates; PATCH is synthesised by AutoPatch).
- ReadAll returns only the caller's own bots; read/update/delete of an
  unowned or missing bot is refused with 403, since ownership is resolved
  by loading the user (no existence disclosure, no 404 branch).
- Create requires a real user account and rejects link shares, the
  bot- username prefix is enforced, and bots are created without an
  email or password — all delegated to the unchanged model layer.
- ReadOne surfaces max_permission via the shared value-embed pattern and
  carries an ETag for conditional requests.

doc/readOnly tags are added to the exposed user.User fields the bot
response surfaces, and to BotUser.Status, so the v2 OpenAPI schema is
documented. The model and v1 routes are untouched.

The webtest ports the v1 model-level permission matrix to the v2 HTTP
surface and adds the v2-only ETag/304 and merge-patch coverage.
2026-06-05 08:51:39 +00:00
..
caldav_token.go fix(caldav): eliminate nested db session in CalDAV auth 2026-03-03 10:41:19 +01:00
db.go feat: register Vikunja tables with db package at init 2026-03-04 15:37:54 +01:00
delete.go fix: address review comments on session lifecycle 2026-02-25 11:03:02 +01:00
error.go feat: always enable bot users 2026-05-04 10:38:53 +00:00
error_test.go feat: always enable bot users 2026-05-04 10:38:53 +00:00
events.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
is_admin_test.go feat(user): extract last-admin guard and close invariant gaps 2026-04-20 18:55:06 +00:00
main_test.go feat: move to slog for logging 2025-07-21 18:15:39 +02:00
notifications.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
test.go test: add TOTP fixture and load it in user test bootstrap 2026-03-23 10:34:49 +00:00
token.go fix(auth): correctly delete older password reset tokens in cron 2026-02-27 14:44:26 +01:00
totp.go fix(security): persist TOTP lockout across login rollback 2026-04-09 16:08:26 +00:00
totp_test.go test(user): cover TOTP lockout persistence and password-reset unlock 2026-04-09 16:08:26 +00:00
update_email.go fix: eliminate nested database sessions to prevent table locks 2026-02-25 11:03:02 +01:00
update_email_test.go fix(user): persist status on email updates (#1084) 2025-08-04 14:07:00 +00:00
user.go feat(api/v2): add bot user CRUD on /api/v2 2026-06-05 08:51:39 +00:00
user_claims_test.go feat(user): extract last-admin guard and close invariant gaps 2026-04-20 18:55:06 +00:00
user_create.go feat(user): add CreateBotUser 2026-05-01 14:44:10 +00:00
user_email_confirm.go fix(user): handle status errors in pkg/user callers, remove redundant checks 2026-03-23 12:06:16 +00:00
user_email_confirm_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
user_password_reset.go fix(user): handle status errors in pkg/user callers, remove redundant checks 2026-03-23 12:06:16 +00:00
user_test.go feat(user): add CreateBotUser 2026-05-01 14:44:10 +00:00
users_project.go feat(user): always include own bots in user search 2026-05-01 14:44:10 +00:00
validator.go feat(api): enforce password validation on reset and update flows 2026-02-25 13:44:56 +01:00