vikunja/pkg/models
kolaente 6a0f39b252 fix(security): enforce HTTP method and path in scoped API token matcher
CanDoAPIRoute's non-CRUD fallback branch compared a path-derived
permission name to the token's permission strings without checking
the request method. A token with projects.background (registered for
GET /projects/:project/background) could therefore invoke DELETE on
the same path. The same method-confusion affected the whole
/projects/:project/views/:view/buckets[/:bucket] cluster, where a
token with projects.views_buckets (registered for GET) authorized
PUT, POST, and DELETE on any accessible view's buckets.

The matcher also leaked CRUD permissions between parent and nested
sub-resource groups. When the request targeted a nested CRUD resource
(e.g. projects_teams, projects_shares, projects_users, projects_views,
projects_webhooks, projects_views_tasks, tasks_assignees, tasks_labels,
tasks_comments, tasks_relations, tasks_attachments, teams_members),
the matcher fell back from the specific group to the parent's permission
list but then looked the permission name up inside the sub-resource's
RouteDetail map. The effect was that a token holding only projects.read_all
also authorized GET on every nested projects_* list endpoint, and the
same held for create/update/delete and for the tasks.* family.

Rewrite the matcher to iterate the token's own permissions and accept
only when the stored RouteDetail's (Path, Method) matches the request.
This removes all the path-derived group guessing and makes the stored
detail the single source of truth. Preserve the tasks.read_all quirk
(one permission, two list endpoints) as an explicit two-path allowlist
inside the loop.

Extract a GetAPITokenRoutes accessor so the new property-based webtest
can consume the same snapshot served by GET /api/v1/routes.

Add TestAPITokenMethodMatching in pkg/webtests: using the live echo
router and the live apiTokenRoutes map, it iterates every advertised
permission against every registered route and asserts the matcher
accepts iff the stored (Path, Method) matches. Any future collision
introduced by a new non-CRUD route on a shared path will be caught.

After this change, previously-dead permissions like
projects.background_delete, projects.views_buckets_{put,post,delete},
other.avatar, other.ws and caldav.access start working as their UI
labels imply. Tokens that relied on the over-broad background /
views_buckets grants, or on cross-cluster CRUD bleed-through, will
lose the extra access - that is the fix.

Refs: GHSA-v479-vf79-mg83
2026-04-09 15:17:20 +00:00
..
api_routes.go fix(security): enforce HTTP method and path in scoped API token matcher 2026-04-09 15:17:20 +00:00
api_routes_test.go test: add failing test for bulk label API token route registration 2026-03-10 23:58:44 +01:00
api_tokens.go refactor: extract shared API token validation into ValidateTokenAndGetOwner 2026-03-30 12:09:53 +00:00
api_tokens_expiry_cron.go test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
api_tokens_expiry_cron_test.go test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
api_tokens_expiry_notification.go test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
api_tokens_expiry_notification_test.go test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
api_tokens_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
api_tokens_test.go feat: add HasCaldavAccess method to APIToken 2026-03-30 12:09:53 +00:00
bulk_task.go feat: share logic for bulk update (#1456) 2025-09-10 16:40:59 +00:00
bulk_task_test.go chore(deps): update golangci-lint to 2.6.0 (#1737) 2025-10-31 17:28:52 +00:00
error.go feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
events.go feat(webhook): add WebhookDeliveryEvent for per-webhook fan out 2026-04-09 09:26:04 +00:00
export.go chore(lint): suppress known gosec false positives 2026-03-23 16:23:15 +01:00
favorites.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
kanban.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kanban_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kanban_task_bucket.go fix(kanban): skip upsert when repeating task already in default bucket (#2573) 2026-04-09 10:45:34 +00:00
kanban_task_bucket_test.go test(kanban): add failing test for repeating task bucket routing on done (#2573) 2026-04-09 10:45:34 +00:00
kanban_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
label.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
label_permissions.go fix: propagate is_archived from parent to child projects in ReadAll CTE 2026-03-25 09:06:33 +00:00
label_task.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
label_task_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
label_task_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
label_test.go test: update expected results for archived project propagation 2026-03-25 09:06:33 +00:00
link_sharing.go fix: require admin access to list link shares 2026-03-23 20:39:31 +00:00
link_sharing_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
link_sharing_test.go fix: require admin access to list link shares 2026-03-23 20:39:31 +00:00
listeners.go fix(webhook): order matching webhooks by id for deterministic fan-out 2026-04-09 09:26:04 +00:00
main_test.go refactor: remove environment variable requirements for go test 2026-02-17 18:01:05 +01:00
mentions.go feat: format user mentions with display names in email notifications (#1930) 2025-12-10 12:39:05 +01:00
mentions_test.go test: add tests for conversational email system 2026-03-08 16:03:47 +01:00
message.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
models.go feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
notifications.go refactor(models): use shared GetMailDomain in getThreadID 2026-04-03 18:30:39 +00:00
notifications_database.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
notifications_test.go fix(mail): guard log calls in GetMailDomain and fix hostname-dependent tests 2026-04-03 18:30:39 +00:00
oauth_codes.go feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
project.go feat(models): add ClearProjectBackground for scoped column update 2026-04-08 09:07:15 +00:00
project_duplicate.go refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
project_duplicate_test.go fix: clear error when duplicating project with uploaded background (#1926) 2025-12-04 10:16:16 +01:00
project_permissions.go fix(sharing): use the highest team sharing permission when sharing the same project with multiple teams (#1894) 2025-11-27 22:25:06 +01:00
project_permissions_multiple_teams_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_repair.go feat: add repair-projects CLI command 2026-02-25 11:56:25 +01:00
project_repair_test.go feat: add repair-projects CLI command 2026-02-25 11:56:25 +01:00
project_team.go fix(events): defer event dispatch for project operations 2026-03-03 12:46:34 +01:00
project_team_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
project_team_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_test.go fix: use recursive CTE in accessibleProjectIDsSubquery for inherited project permissions 2026-04-05 12:20:35 +00:00
project_users.go refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
project_users_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
project_users_permissions_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_users_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_view.go fix(views): assign default position when creating new project views 2026-03-02 08:35:35 +01:00
project_view_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
reaction.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
reaction_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
reaction_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
saved_filter_positions_test.go refactor: use per-view IN clause for filter task deletion instead of batching 2026-04-09 07:25:57 +00:00
saved_filters.go refactor: use per-view IN clause for filter task deletion instead of batching 2026-04-09 07:25:57 +00:00
saved_filters_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
saved_filters_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
sessions.go fix: commit transaction in session cleanup cron 2026-02-25 11:03:02 +01:00
sessions_permissions.go feat: add Session model with CRUD, permissions, and cleanup cron 2026-02-25 10:30:25 +01:00
setup_tests.go feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
subscription.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
subscription_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
subscription_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
task_assignees.go fix(events): defer event dispatch for task sub-entities 2026-03-03 12:46:34 +01:00
task_assignees_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_attachment.go fix: use RememberValue for task attachment preview cache 2026-04-08 08:56:22 +00:00
task_attachment_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_attachment_test.go fix: adapt image preview DoS protection to new FileStorage interface 2026-03-20 11:34:41 +00:00
task_collection.go fix(tasks): support both expand and expand[] query parameter formats (#2415) 2026-03-19 09:18:11 +00:00
task_collection_filter.go fix(filter): recover from datemath panic on malformed date filter values 2026-02-26 16:09:13 +01:00
task_collection_filter_test.go fix(filter): recover from datemath panic on malformed date filter values 2026-02-26 16:09:13 +01:00
task_collection_sort.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
task_collection_sort_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
task_collection_test.go test: update expected results for archived project propagation 2026-03-25 09:06:33 +00:00
task_comment_permissions.go fix(sharing): make editing link share comments work 2025-10-09 10:53:18 +02:00
task_comments.go docs: correct task comment endpoint description and title (#2498) 2026-03-29 00:43:58 +01:00
task_comments_test.go test: update event assertions to work with deferred dispatch 2026-03-03 12:46:34 +01:00
task_duplicate.go refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
task_duplicate_test.go feat: add task duplicate backend model and tests 2026-03-04 17:20:26 +01:00
task_overdue_reminder.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_overdue_reminder_test.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_position.go fix: catch ErrNeedsFullRecalculation in task creation position conflict resolution 2026-04-09 07:25:57 +00:00
task_position_test.go fix: catch ErrNeedsFullRecalculation in task creation position conflict resolution 2026-04-09 07:25:57 +00:00
task_relation.go fix(events): defer event dispatch for task sub-entities 2026-03-03 12:46:34 +01:00
task_relation_authz_test.go fix: use recursive CTE in accessibleProjectIDsSubquery for inherited project permissions 2026-04-05 12:20:35 +00:00
task_relation_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_relation_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_reminder.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_reminder_test.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_search.go fix(tasks): include tasks with deleted parents in subtask-expanded queries 2026-04-02 16:30:23 +00:00
task_search_bench_test.go refactor: remove typesense support 2026-02-25 12:15:28 +01:00
task_search_test.go fix(kanban): make bucket query fixed per-view (#1007) 2025-06-25 11:38:24 +00:00
task_unread_statuses.go feat: task unread tracking (#1857) 2025-11-27 15:14:42 +01:00
tasks.go fix(tasks): route repeating tasks to default bucket when marked done (#2573) 2026-04-09 10:45:34 +00:00
tasks_permissions.go fix(tasks): support both expand and expand[] query parameter formats (#2415) 2026-03-19 09:18:11 +00:00
tasks_test.go test(tasks): add failing test for repeating task bucket routing via Task.Update (#2573) 2026-04-09 10:45:34 +00:00
team_members.go refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
team_members_permissions.go refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
team_members_test.go fix: cleanup team memberships, assignments and subscriptions when users lose access to a project 2025-10-09 13:33:27 +02:00
team_sync.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
teams.go fix(events): defer event dispatch for team operations 2026-03-03 12:46:34 +01:00
teams_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
teams_permissions_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
teams_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
unsplash.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
user_delete.go fix: send account deletion notification before deleting user row 2026-03-10 23:44:53 +01:00
user_delete_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
user_list_test.go fix: update user list test expectations for new fixture user 2026-04-08 09:49:14 +00:00
user_project.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
user_project_test.go feat: show user export status in settings (#1200) 2025-07-30 15:50:26 +00:00
users.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
webhooks.go fix(webhook): return error from sendWebhookPayload on non-2xx responses 2026-04-09 09:26:04 +00:00
webhooks_permissions.go feat: add user_id to webhooks and user-directed event infrastructure 2026-03-08 19:45:53 +01:00