vikunja/pkg/models
kolaente cae89caef2 feat(api/v2): add bot user CRUD on /api/v2
Port the BotUser resource from /api/v1's /user/bots routes to the
Huma-backed /api/v2, preserving every v1 behavior:

- Full CRUD at /user/bots and /user/bots/{bot} with v2 verbs (POST
  creates, PUT updates; PATCH is synthesised by AutoPatch).
- ReadAll returns only the caller's own bots; read/update/delete of an
  unowned or missing bot is refused with 403, since ownership is resolved
  by loading the user (no existence disclosure, no 404 branch).
- Create requires a real user account and rejects link shares, the
  bot- username prefix is enforced, and bots are created without an
  email or password — all delegated to the unchanged model layer.
- ReadOne surfaces max_permission via the shared value-embed pattern and
  carries an ETag for conditional requests.

doc/readOnly tags are added to the exposed user.User fields the bot
response surfaces, and to BotUser.Status, so the v2 OpenAPI schema is
documented. The model and v1 routes are untouched.

The webtest ports the v1 model-level permission matrix to the v2 HTTP
surface and adds the v2-only ETag/304 and merge-patch coverage.
2026-06-05 08:51:39 +00:00
..
admin_bypass.go feat(permissions): site admins bypass all Can* checks (license-gated) 2026-04-20 18:55:06 +00:00
admin_bypass_test.go feat(permissions): site admins bypass all Can* checks (license-gated) 2026-04-20 18:55:06 +00:00
admin_project_list.go feat(admin): add users/projects list endpoints and is_admin patch 2026-04-20 18:55:06 +00:00
api_routes.go fix(models): validate API token permissions against v1+v2 route union 2026-05-31 12:56:57 +00:00
api_routes_test.go feat(models): accept v2 PATCH as alias for PUT in API token matcher 2026-05-31 12:56:57 +00:00
api_tokens.go docs(models): tag APIToken fields for v2 OpenAPI reflection 2026-06-05 08:49:23 +00:00
api_tokens_expiry_cron.go test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
api_tokens_expiry_cron_test.go test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
api_tokens_expiry_notification.go feat: add Atom feed for user notifications with API token auth (#2758) 2026-05-15 17:25:09 +02:00
api_tokens_expiry_notification_test.go test: add tests for API token expiry notifications and cron 2026-03-30 12:28:15 +00:00
api_tokens_permissions.go feat(api): bot token support via /tokens CRUD and bot_users_enabled flag 2026-05-01 14:44:10 +00:00
api_tokens_test.go feat: add Atom feed for user notifications with API token auth (#2758) 2026-05-15 17:25:09 +02:00
bot_users.go feat(api/v2): add bot user CRUD on /api/v2 2026-06-05 08:51:39 +00:00
bot_users_permissions.go feat(models): add BotUser CRUD wrapper 2026-05-01 14:44:10 +00:00
bot_users_test.go feat(models): add BotUser CRUD wrapper 2026-05-01 14:44:10 +00:00
bulk_task.go feat: share logic for bulk update (#1456) 2025-09-10 16:40:59 +00:00
bulk_task_test.go chore(deps): update golangci-lint to 2.6.0 (#1737) 2025-10-31 17:28:52 +00:00
comment_quotes.go feat(comments): treat quoted comment authors as implicit mentions 2026-05-20 21:02:14 +00:00
comment_quotes_test.go feat(comments): treat quoted comment authors as implicit mentions 2026-05-20 21:02:14 +00:00
error.go feat(tasks): cap repeat_after at 10 years to harden repeating-task handler 2026-04-09 16:07:48 +00:00
events.go feat(webhook): add WebhookDeliveryEvent for per-webhook fan out 2026-04-09 09:26:04 +00:00
export.go chore(lint): suppress known gosec false positives 2026-03-23 16:23:15 +01:00
favorites.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
kanban.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kanban_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
kanban_task_bucket.go fix(kanban): skip upsert when repeating task already in default bucket (#2573) 2026-04-09 10:45:34 +00:00
kanban_task_bucket_test.go test(kanban): add failing test for repeating task bucket routing on done (#2573) 2026-04-09 10:45:34 +00:00
kanban_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
label.go docs(api/v2): mark server-controlled label and user fields read-only 2026-05-31 15:27:44 +02:00
label_permissions.go fix(labels): report owner-level max_permission 2026-06-04 21:16:51 +00:00
label_task.go feat(api/v2): add task labels (create/list/delete) on /api/v2 2026-06-05 08:33:47 +00:00
label_task_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
label_task_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
label_test.go fix(labels): report owner-level max_permission 2026-06-04 21:16:51 +00:00
link_sharing.go fix(security): validate link share JWTs against DB on every request 2026-04-09 15:38:07 +00:00
link_sharing_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
link_sharing_test.go fix(security): validate link share JWTs against DB on every request 2026-04-09 15:38:07 +00:00
listeners.go refactor(metrics): drop the project/task/team/attachment count listeners 2026-05-30 13:48:01 +00:00
main_test.go refactor: remove environment variable requirements for go test 2026-02-17 18:01:05 +01:00
mentions.go feat: format user mentions with display names in email notifications (#1930) 2025-12-10 12:39:05 +01:00
mentions_test.go test: add tests for conversational email system 2026-03-08 16:03:47 +01:00
message.go feat(api/v2): upload user avatar via multipart 2026-06-02 11:55:25 +00:00
metrics_count_test.go test(metrics): verify counts are read from the right table 2026-05-30 13:48:01 +00:00
models.go feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
notifications.go feat: add Atom feed for user notifications with API token auth (#2758) 2026-05-15 17:25:09 +02:00
notifications_database.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
notifications_test.go feat: add Atom feed for user notifications with API token auth (#2758) 2026-05-15 17:25:09 +02:00
oauth_codes.go feat: add OAuth 2.0 authorization code model and migration 2026-03-27 23:05:04 +00:00
permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
project.go feat(api/v2): gate admin routes by feature + instance admin 2026-06-02 07:38:08 +00:00
project_duplicate.go refactor(files): derive attachment size from content in sibling callers 2026-04-09 16:22:56 +00:00
project_duplicate_test.go fix: clear error when duplicating project with uploaded background (#1926) 2025-12-04 10:16:16 +01:00
project_permissions.go feat(permissions): site admins bypass all Can* checks (license-gated) 2026-04-20 18:55:06 +00:00
project_permissions_multiple_teams_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_repair.go feat: add repair-projects CLI command 2026-02-25 11:56:25 +01:00
project_repair_test.go feat: add repair-projects CLI command 2026-02-25 11:56:25 +01:00
project_team.go fix(events): defer event dispatch for project operations 2026-03-03 12:46:34 +01:00
project_team_permissions.go feat(permissions): site admins bypass all Can* checks (license-gated) 2026-04-20 18:55:06 +00:00
project_team_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_test.go test(project): pin archived propagation aggregation in ReadAll CTE 2026-04-11 17:20:53 +00:00
project_users.go refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
project_users_permissions.go feat(permissions): site admins bypass all Can* checks (license-gated) 2026-04-20 18:55:06 +00:00
project_users_permissions_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_users_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
project_view.go fix(api/v2): scope project view delete to its parent project 2026-06-01 13:04:34 +00:00
project_view_permissions.go feat(permissions): site admins bypass all Can* checks (license-gated) 2026-04-20 18:55:06 +00:00
reaction.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
reaction_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
reaction_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
saved_filter_positions_test.go refactor: use per-view IN clause for filter task deletion instead of batching 2026-04-09 07:25:57 +00:00
saved_filters.go refactor: use per-view IN clause for filter task deletion instead of batching 2026-04-09 07:25:57 +00:00
saved_filters_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
saved_filters_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
sessions.go docs(models): add doc and readOnly tags to Session fields for v2 2026-06-05 08:21:48 +00:00
sessions_permissions.go feat: add Session model with CRUD, permissions, and cleanup cron 2026-02-25 10:30:25 +01:00
setup_tests.go feat(comments): treat quoted comment authors as implicit mentions 2026-05-20 21:02:14 +00:00
subscription.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
subscription_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
subscription_test.go fix: prevent session leaks and visibility issues in model tests 2026-02-25 11:03:02 +01:00
task_assignees.go fix(assignees): use db.ILIKE helper for assignee search count query 2026-05-26 19:43:16 +00:00
task_assignees_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_attachment.go fix(models): allow user-delete cascade to complete for disabled creators 2026-05-06 16:08:16 +02:00
task_attachment_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_attachment_test.go fix(files): derive file size from reader at creation boundary 2026-04-09 16:22:56 +00:00
task_collection.go feat(api/v2): add project view routes 2026-06-01 13:04:34 +00:00
task_collection_filter.go fix(filter): recover from datemath panic on malformed date filter values 2026-02-26 16:09:13 +01:00
task_collection_filter_test.go fix(filter): recover from datemath panic on malformed date filter values 2026-02-26 16:09:13 +01:00
task_collection_sort.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
task_collection_sort_test.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
task_collection_test.go feat(projects): always store identifiers as uppercase (#2775) 2026-05-19 10:35:43 +02:00
task_comment_permissions.go fix(sharing): make editing link share comments work 2025-10-09 10:53:18 +02:00
task_comments.go docs(task-comments): trim comments to the non-obvious why 2026-06-03 19:57:26 +00:00
task_comments_test.go test: update event assertions to work with deferred dispatch 2026-03-03 12:46:34 +01:00
task_duplicate.go feat(api/v2): add task duplicate action (#2815) 2026-06-01 14:13:39 +02:00
task_duplicate_test.go feat: add task duplicate backend model and tests 2026-03-04 17:20:26 +01:00
task_overdue_reminder.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_overdue_reminder_test.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_position.go fix: catch ErrNeedsFullRecalculation in task creation position conflict resolution 2026-04-09 07:25:57 +00:00
task_position_test.go fix: catch ErrNeedsFullRecalculation in task creation position conflict resolution 2026-04-09 07:25:57 +00:00
task_relation.go fix(events): defer event dispatch for task sub-entities 2026-03-03 12:46:34 +01:00
task_relation_authz_test.go fix: use recursive CTE in accessibleProjectIDsSubquery for inherited project permissions 2026-04-05 12:20:35 +00:00
task_relation_permissions.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_relation_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
task_reminder.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_reminder_test.go feat: extend WebhookListener for user-level webhooks 2026-03-08 19:45:53 +01:00
task_search.go fix(tasks): include tasks with deleted parents in subtask-expanded queries 2026-04-02 16:30:23 +00:00
task_search_bench_test.go refactor: remove typesense support 2026-02-25 12:15:28 +01:00
task_search_test.go fix(kanban): make bucket query fixed per-view (#1007) 2025-06-25 11:38:24 +00:00
task_unread_statuses.go feat: task unread tracking (#1857) 2025-11-27 15:14:42 +01:00
tasks.go refactor(models): remove *Arr helper fields now handled by normalizer 2026-05-31 12:56:57 +00:00
tasks_permissions.go refactor(models): remove *Arr helper fields now handled by normalizer 2026-05-31 12:56:57 +00:00
tasks_test.go feat(tasks): enforce unique (project_id, index) via migration 2026-04-11 20:44:28 +00:00
team_members.go refactor(user): export IsErrUserStatusError for use across packages 2026-03-23 12:06:16 +00:00
team_members_permissions.go feat(permissions): site admins bypass all Can* checks (license-gated) 2026-04-20 18:55:06 +00:00
team_members_test.go fix: cleanup team memberships, assignments and subscriptions when users lose access to a project 2025-10-09 13:33:27 +02:00
team_sync.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
teams.go fix(api/v2): keep include_public out of the team body schema 2026-06-03 18:56:12 +00:00
teams_permissions.go feat(permissions): site admins bypass all Can* checks (license-gated) 2026-04-20 18:55:06 +00:00
teams_permissions_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
teams_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
unsplash.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
user_delete.go feat(models): add BotUser CRUD wrapper 2026-05-01 14:44:10 +00:00
user_delete_test.go fix(models): allow user-delete cascade to complete for disabled creators 2026-05-06 16:08:16 +02:00
user_list_test.go feat(user): always include own bots in user search 2026-05-01 14:44:10 +00:00
user_project.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
user_project_test.go feat: show user export status in settings (#1200) 2025-07-30 15:50:26 +00:00
users.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
webhooks.go fix(webhook): return error from sendWebhookPayload on non-2xx responses 2026-04-09 09:26:04 +00:00
webhooks_permissions.go feat: add user_id to webhooks and user-directed event infrastructure 2026-03-08 19:45:53 +01:00