vikunja/pkg
kolaente 9efe1fadba fix: block link share users from listing link shares in ReadAll
Link share authenticated users could call ReadAll on link shares,
which leaked hash credentials for other shares on the same project.
This allowed permission escalation from read-only to write/admin.

Add a check at the top of ReadAll() that rejects link-share-authenticated
callers, mirroring the pattern in CanRead() and canDoLinkShare().
Update tests to expect 403 Forbidden for all link share permission levels.

Fixes GHSA-8hp8-9fhr-pfm9
2026-03-23 16:34:40 +00:00
caldav fix(caldav): parse timestamps in configured timezone 2026-03-03 12:18:48 +01:00
cmd refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
config feat: add outgoingrequests config keys for centralized SSRF protection 2026-03-23 16:34:22 +00:00
cron fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
db test: add attachment fixture on inaccessible task for IDOR test 2026-03-23 16:34:07 +00:00
doctor chore(lint): suppress additional gosec false positives 2026-03-23 16:40:07 +01:00
e2etests test(webhooks): allow non-routable IPs in E2E tests 2026-03-19 15:18:06 +01:00
events feat: add InitEventsForTesting and Unfake for real event dispatch in tests 2026-03-05 12:49:27 +01:00
files refactor: replace afero with FileStorage interface 2026-03-20 10:59:44 +01:00
health feat: introduce shared health check logic (#1073) 2025-07-02 21:01:41 +00:00
i18n chore(i18n): update translations via Crowdin 2026-03-21 01:09:32 +00:00
initialize refactor: remove typesense support 2026-02-25 12:15:28 +01:00
log fix(log): write each log category to its own file (#2206) 2026-02-08 15:22:58 +00:00
mail fix(mail): disable queue when mailer disabled (#2069) 2026-01-08 15:51:31 +01:00
metrics fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
migration feat: add user_id to webhooks and user-directed event infrastructure 2026-03-08 19:45:53 +01:00
models fix: block link share users from listing link shares in ReadAll 2026-03-23 16:34:40 +00:00
modules chore(lint): suppress gosec false positives on SSRF-safe HTTP client calls 2026-03-23 16:34:22 +00:00
notifications test: add tests for conversational email system 2026-03-08 16:03:47 +01:00
plugins fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131) 2026-01-24 20:38:32 +01:00
red fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
routes refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
swagger [skip ci] Updated swagger docs 2026-03-19 09:26:05 +00:00
user fix(user): use unique error code for ErrCodeAccountLocked 2026-03-23 12:06:16 +00:00
utils chore(lint): suppress gosec false positives on SSRF-safe HTTP client calls 2026-03-23 16:34:22 +00:00
version fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
web feat(handlers): dispatch pending events after transaction commit 2026-03-03 12:46:34 +01:00
webtests fix: block link share users from listing link shares in ReadAll 2026-03-23 16:34:40 +00:00