vikunja/pkg
kolaente 6a0f39b252 fix(security): enforce HTTP method and path in scoped API token matcher
CanDoAPIRoute's non-CRUD fallback branch compared a path-derived
permission name to the token's permission strings without checking
the request method. A token with projects.background (registered for
GET /projects/:project/background) could therefore invoke DELETE on
the same path. The same method-confusion affected the whole
/projects/:project/views/:view/buckets[/:bucket] cluster, where a
token with projects.views_buckets (registered for GET) authorized
PUT, POST, and DELETE on any accessible view's buckets.

The matcher also leaked CRUD permissions between parent and nested
sub-resource groups. When the request targeted a nested CRUD resource
(e.g. projects_teams, projects_shares, projects_users, projects_views,
projects_webhooks, projects_views_tasks, tasks_assignees, tasks_labels,
tasks_comments, tasks_relations, tasks_attachments, teams_members),
the matcher fell back from the specific group to the parent's permission
list but then looked the permission name up inside the sub-resource's
RouteDetail map. The effect was that a token holding only projects.read_all
also authorized GET on every nested projects_* list endpoint, and the
same held for create/update/delete and for the tasks.* family.

Rewrite the matcher to iterate the token's own permissions and accept
only when the stored RouteDetail's (Path, Method) matches the request.
This removes all the path-derived group guessing and makes the stored
detail the single source of truth. Preserve the tasks.read_all quirk
(one permission, two list endpoints) as an explicit two-path allowlist
inside the loop.

Extract a GetAPITokenRoutes accessor so the new property-based webtest
can consume the same snapshot served by GET /api/v1/routes.

Add TestAPITokenMethodMatching in pkg/webtests: using the live echo
router and the live apiTokenRoutes map, it iterates every advertised
permission against every registered route and asserts the matcher
accepts iff the stored (Path, Method) matches. Any future collision
introduced by a new non-CRUD route on a shared path will be caught.

After this change, previously-dead permissions like
projects.background_delete, projects.views_buckets_{put,post,delete},
other.avatar, other.ws and caldav.access start working as their UI
labels imply. Tokens that relied on the over-broad background /
views_buckets grants, or on cross-cluster CRUD bleed-through, will
lose the extra access - that is the fix.

Refs: GHSA-v479-vf79-mg83
2026-04-09 15:17:20 +00:00
..
caldav fix(caldav): parse timestamps in configured timezone 2026-03-03 12:18:48 +01:00
caldavtests fix(caldav): skip tests for known CalDAV bugs and fix timing issues 2026-04-02 11:34:55 +00:00
cmd refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
config fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
cron fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
db test: add tests for SSO avatar provider reset on empty picture URL 2026-04-08 09:49:14 +00:00
doctor feat(auth): enforce OpenID Connect issuer uniqueness across providers 2026-03-30 22:41:50 +00:00
e2etests test(webhook): assert bad webhook is retried in no-duplicate test 2026-04-09 09:26:04 +00:00
events feat: add InitEventsForTesting and Unfake for real event dispatch in tests 2026-03-05 12:49:27 +01:00
files refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
health feat: introduce shared health check logic (#1073) 2025-07-02 21:01:41 +00:00
i18n chore(i18n): update translations via Crowdin 2026-04-08 01:25:14 +00:00
initialize feat(websocket): add HTTP upgrade handler and /api/v1/ws route 2026-04-02 16:30:23 +00:00
log fix(mail): guard log calls in GetMailDomain and fix hostname-dependent tests 2026-04-03 18:30:39 +00:00
mail fix(mail): guard log calls in GetMailDomain and fix hostname-dependent tests 2026-04-03 18:30:39 +00:00
metrics fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
migration feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
models fix(security): enforce HTTP method and path in scoped API token matcher 2026-04-09 15:17:20 +00:00
modules fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
notifications feat(websocket): add notification event with XORM AfterInsert dispatch 2026-04-02 16:30:23 +00:00
plugins test(plugins): add yaegi plugin integration tests 2026-03-30 20:44:46 +00:00
red fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
routes feat(migration): add generic CSV import with column mapping 2026-04-07 15:20:06 +00:00
swagger [skip ci] Updated swagger docs 2026-04-07 15:45:50 +00:00
user fix: add ORDER BY to ListUsers query for deterministic ordering 2026-03-27 23:05:04 +00:00
utils fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
version fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
web feat(handlers): dispatch pending events after transaction commit 2026-03-03 12:46:34 +01:00
websocket feat(websocket): add notification event with XORM AfterInsert dispatch 2026-04-02 16:30:23 +00:00
webtests fix(security): enforce HTTP method and path in scoped API token matcher 2026-04-09 15:17:20 +00:00
yaegi_symbols test(plugins): add yaegi plugin integration tests 2026-03-30 20:44:46 +00:00