vikunja/pkg/models
kolaente 49419619bd fix: only enforce task_id check when TaskID is provided
Internal callers (reactions) look up comments by ID without knowing
the task. The IDOR protection is still effective because ReadOne
always has TaskID set from the URL parameter.
2026-03-20 11:41:28 +00:00
..
api_routes.go fix: register bulk label route correctly for API token permissions 2026-03-10 23:58:44 +01:00
api_routes_test.go test: add failing test for bulk label API token route registration 2026-03-10 23:58:44 +01:00
api_tokens.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
api_tokens_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
api_tokens_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
bulk_task.go feat: share logic for bulk update (#1456) 2025-09-10 16:40:59 +00:00
bulk_task_test.go chore(deps): update golangci-lint to 2.6.0 (#1737) 2025-10-31 17:28:52 +00:00
error.go feat: add Session model with CRUD, permissions, and cleanup cron 2026-02-25 10:30:25 +01:00
events.go feat: add user_id to webhooks and user-directed event infrastructure 2026-03-08 19:45:53 +01:00
export.go fix: eliminate nested database sessions to prevent table locks 2026-02-25 11:03:02 +01:00
favorites.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
kanban.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kanban_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kanban_task_bucket.go fix: prevent nil pointer panic in mention notification listeners 2026-03-04 10:29:16 +01:00
kanban_task_bucket_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
kanban_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
label.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
label_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
label_task.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
label_task_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
label_task_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
label_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
link_sharing.go fix(auth): use checked type assertions for all JWT claims 2026-02-25 13:01:00 +01:00
link_sharing_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
link_sharing_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
listeners.go feat: add user_id to webhooks and user-directed event infrastructure 2026-03-08 19:45:53 +01:00
main_test.go refactor: remove environment variable requirements for go test 2026-02-17 18:01:05 +01:00
mentions.go feat: format user mentions with display names in email notifications (#1930) 2025-12-10 12:39:05 +01:00
mentions_test.go test: add tests for conversational email system 2026-03-08 16:03:47 +01:00
message.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
models.go feat: register Vikunja tables with db package at init 2026-03-04 15:37:54 +01:00
notifications.go feat: add user_id to webhooks and user-directed event infrastructure 2026-03-08 19:45:53 +01:00
notifications_database.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
notifications_test.go feat: add thread IDs to task notification emails for client-side threading (#1826) 2025-11-15 18:58:32 +01:00
permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
project.go fix(events): defer event dispatch for project operations 2026-03-03 12:46:34 +01:00
project_duplicate.go refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
project_duplicate_test.go fix: clear error when duplicating project with uploaded background (#1926) 2025-12-04 10:16:16 +01:00
project_permissions.go fix(sharing): use the highest team sharing permission when sharing the same project with multiple teams (#1894) 2025-11-27 22:25:06 +01:00
project_permissions_multiple_teams_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_repair.go feat: add repair-projects CLI command 2026-02-25 11:56:25 +01:00
project_repair_test.go feat: add repair-projects CLI command 2026-02-25 11:56:25 +01:00
project_team.go fix(events): defer event dispatch for project operations 2026-03-03 12:46:34 +01:00
project_team_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
project_team_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_test.go test: add result count assertions for ParadeDB search tests 2026-03-05 13:57:05 +01:00
project_users.go fix(events): defer event dispatch for project operations 2026-03-03 12:46:34 +01:00
project_users_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
project_users_permissions_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_users_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_view.go fix(views): assign default position when creating new project views 2026-03-02 08:35:35 +01:00
project_view_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
reaction.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
reaction_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
reaction_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
saved_filter_positions_test.go fix(filters): ensure saved filter views never have position=0 (#1996) 2025-12-16 22:13:40 +00:00
saved_filters.go refactor: remove typesense support 2026-02-25 12:15:28 +01:00
saved_filters_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
saved_filters_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
sessions.go fix: commit transaction in session cleanup cron 2026-02-25 11:03:02 +01:00
sessions_permissions.go feat: add Session model with CRUD, permissions, and cleanup cron 2026-02-25 10:30:25 +01:00
setup_tests.go feat: add user_id to webhooks and user-directed event infrastructure 2026-03-08 19:45:53 +01:00
subscription.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
subscription_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
subscription_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
task_assignees.go fix(events): defer event dispatch for task sub-entities 2026-03-03 12:46:34 +01:00
task_assignees_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_attachment.go fix: adapt image preview DoS protection to new FileStorage interface 2026-03-20 11:34:41 +00:00
task_attachment_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_attachment_test.go fix: adapt image preview DoS protection to new FileStorage interface 2026-03-20 11:34:41 +00:00
task_collection.go fix(tasks): support both expand and expand[] query parameter formats (#2415) 2026-03-19 09:18:11 +00:00
task_collection_filter.go fix(filter): recover from datemath panic on malformed date filter values 2026-02-26 16:09:13 +01:00
task_collection_filter_test.go fix(filter): recover from datemath panic on malformed date filter values 2026-02-26 16:09:13 +01:00
task_collection_sort.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
task_collection_sort_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
task_collection_test.go test: add result count assertions for ParadeDB search tests 2026-03-05 13:57:05 +01:00
task_comment_permissions.go fix(sharing): make editing link share comments work 2025-10-09 10:53:18 +02:00
task_comments.go fix: only enforce task_id check when TaskID is provided 2026-03-20 11:41:28 +00:00
task_comments_test.go test: update event assertions to work with deferred dispatch 2026-03-03 12:46:34 +01:00
task_duplicate.go refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
task_duplicate_test.go feat: add task duplicate backend model and tests 2026-03-04 17:20:26 +01:00
task_overdue_reminder.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_overdue_reminder_test.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_position.go fix(events): defer event dispatch for user creation and task positions 2026-03-03 12:46:34 +01:00
task_position_test.go fix(positions): detect and repair duplicate task positions automatically (#1998) 2025-12-20 19:38:28 +01:00
task_relation.go fix(events): defer event dispatch for task sub-entities 2026-03-03 12:46:34 +01:00
task_relation_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_relation_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_reminder.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_reminder_test.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_search.go refactor: remove typesense support 2026-02-25 12:15:28 +01:00
task_search_bench_test.go refactor: remove typesense support 2026-02-25 12:15:28 +01:00
task_search_test.go fix(kanban): make bucket query fixed per-view (#1007) 2025-06-25 11:38:24 +00:00
task_unread_statuses.go feat: task unread tracking (#1857) 2025-11-27 15:14:42 +01:00
tasks.go fix(tasks): support both expand and expand[] query parameter formats (#2415) 2026-03-19 09:18:11 +00:00
tasks_permissions.go fix(tasks): support both expand and expand[] query parameter formats (#2415) 2026-03-19 09:18:11 +00:00
tasks_test.go test: add task #48 to expected results in feature tests 2026-03-05 13:57:05 +01:00
team_members.go fix(events): defer event dispatch for team operations 2026-03-03 12:46:34 +01:00
team_members_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
team_members_test.go fix: cleanup team memberships, assignments and subscriptions when users lose access to a project 2025-10-09 13:33:27 +02:00
team_sync.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
teams.go fix(events): defer event dispatch for team operations 2026-03-03 12:46:34 +01:00
teams_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
teams_permissions_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
teams_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
unsplash.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
user_delete.go fix: send account deletion notification before deleting user row 2026-03-10 23:44:53 +01:00
user_delete_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
user_list_test.go fix: update test expectations for new disabled user fixture 2026-03-20 11:23:21 +00:00
user_project.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
user_project_test.go feat: show user export status in settings (#1200) 2025-07-30 15:50:26 +00:00
users.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
webhooks.go feat(webhooks): add built-in SSRF protection using daenney/ssrf 2026-03-19 15:18:06 +01:00
webhooks_permissions.go feat: add user_id to webhooks and user-directed event infrastructure 2026-03-08 19:45:53 +01:00
webhooks_ssrf_test.go test(webhooks): add SSRF protection tests 2026-03-19 15:18:06 +01:00