vikunja/pkg/db
kolaente fc216c38af fix(labels): derive label max permission from accessible tasks only
The previous hasAccessToLabel implementation ran `Get(ll)` against a
label_tasks LEFT JOIN with no ORDER BY, which meant the database was
free to pick any matching row. When a label had multiple attachments,
or when access was granted via the creator branch while the label also
had label_tasks rows pointing at inaccessible tasks, the picked row
could belong to a task the caller could not actually read.

That led to two concrete problems reported on the follow-up review of
GHSA-hj5c-mhh2-g7jq:

  1. maxPermission (exposed as the x-max-permission response header)
     could be derived from a task the caller has no access to, ending
     up as 0 or lower than the caller's real best permission on the
     label.
  2. Task.CanRead on a dangling/inaccessible task could return an
     error and surface as a 500, even though the label itself was
     perfectly readable via the creator branch.

Split the logic instead:

  * Use `Exist` for the boolean access check, using the same carefully
    grouped `And(Eq{labels.id}, Or(accessibleTask, creator))` cond.
  * Compute maxPermission by selecting the label_tasks rows whose
    task lives in a project the caller can access, then iterating
    those tasks with `Task.CanRead` and taking the maximum.
  * Fall back to PermissionRead when the access was granted via the
    creator branch and no accessible task attachment exists.
2026-04-09 15:43:04 +00:00
fixtures fix(labels): derive label max permission from accessible tasks only 2026-04-09 15:43:04 +00:00
db.go refactor: use xorm's TableInfo to resolve table names 2026-03-24 15:33:26 +00:00
db_path_test.go refactor(db): extract testable ResolveDatabasePath function (#2193) 2026-02-08 10:47:57 +00:00
dump.go feat: add TruncateAllTables function for e2e test isolation 2026-04-05 09:48:09 +00:00
helpers.go fix: use ParadeDB v2 fuzzy prefix matching for search (#2346) 2026-03-05 13:57:05 +01:00
helpers_test.go test: call real MultiFieldSearch function and branch on db engine 2026-03-05 13:57:05 +01:00
test.go refactor: remove environment variable requirements for go test 2026-02-17 18:01:05 +01:00
test_fixtures.go refactor: remove environment variable requirements for go test 2026-02-17 18:01:05 +01:00