vikunja/pkg/webtests
kolaente 9efe1fadba fix: block link share users from listing link shares in ReadAll
Link share authenticated users could call ReadAll on link shares,
which leaked hash credentials for other shares on the same project.
This allowed permission escalation from read-only to write/admin.

Add a check at the top of ReadAll() that rejects link-share-authenticated
callers, mirroring the pattern in CanRead() and canDoLinkShare().
Update tests to expect 403 Forbidden for all link share permission levels.

Fixes GHSA-8hp8-9fhr-pfm9
2026-03-23 16:34:40 +00:00
_test.go.tpl chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
api_tokens_test.go fix(auth): reject disabled/locked users in API token middleware 2026-03-23 12:06:16 +00:00
archived_test.go fix: correct comments 2025-07-02 17:46:21 +02:00
background_test.go fix: use require.Error instead of assert.Error for error assertions 2026-03-20 11:41:28 +00:00
caldav_test.go test: verify disabled user is rejected via CalDAV auth 2026-03-23 12:06:16 +00:00
error_responses_test.go feat: add session-based auth with refresh token rotation 2026-02-25 10:30:25 +01:00
healthcheck_test.go feat: introduce shared health check logic (#1073) 2025-07-02 21:01:41 +00:00
integrations.go test: add tests for external team user discoverability bypass 2026-03-04 20:32:11 +01:00
kanban_test.go refactor: centralize HTTP error handling (#2062) 2026-01-08 10:02:59 +00:00
label_task_test.go test: add web tests for bulk label task endpoint 2026-03-10 23:58:44 +01:00
link_share_avatar_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
link_sharing_auth_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
link_sharing_test.go fix: block link share users from listing link shares in ReadAll 2026-03-23 16:34:40 +00:00
login_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
main_test.go refactor: use Go idioms for running tests 2026-02-17 18:01:05 +01:00
project_test.go fix: update ParadeDB search test count for new fixture 2026-03-23 14:13:53 +00:00
register_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
sessions_test.go test: add session lifecycle tests 2026-02-25 10:30:25 +01:00
task_attachment_idor_test.go test: add IDOR test for task attachment ReadOne (GHSA-jfmm-mjcp-8wq2) 2026-03-23 16:34:07 +00:00
task_attachment_upload_test.go feat: add session-based auth with refresh token rotation 2026-02-25 10:30:25 +01:00
task_collection_test.go test: add web tests for prefix/substring search (#2346) 2026-03-05 13:57:05 +01:00
task_comment_test.go fix: use require.Error instead of assert.Error for error assertions 2026-03-20 11:41:28 +00:00
task_test.go test: add web integration tests for task duplication 2026-03-04 17:20:26 +01:00
token_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
user_change_password_test.go test(api): add tests for password validation in reset and update flows 2026-02-25 13:44:56 +01:00
user_confirm_email_test.go refactor: centralize HTTP error handling (#2062) 2026-01-08 10:02:59 +00:00
user_export_download_test.go refactor: centralize HTTP error handling (#2062) 2026-01-08 10:02:59 +00:00
user_export_status_test.go feat: show user export status in settings (#1200) 2025-07-30 15:50:26 +00:00
user_password_request_token_test.go refactor: centralize HTTP error handling (#2062) 2026-01-08 10:02:59 +00:00
user_password_reset_test.go test: add web test for disabled user password reset rejection 2026-03-20 11:23:21 +00:00
user_project_test.go test: verify email masking for external team name search 2026-03-04 20:32:11 +01:00
user_show_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
user_totp_test.go fix: update TOTP fixtures and tests to avoid conflicts with existing enrollment tests 2026-03-20 12:22:27 +00:00