vikunja/pkg/routes/caldav
kolaente 879462d717 fix(caldav): enforce URL project match in GetResourcesByList
Multiget REPORT requests would happily return tasks from projects
different from the one in the href, even though GetTasksByUIDs now
filters by access. Drop any returned task whose real project_id does
not match the project ID parsed from the href path segment.

Hardening for GHSA-48ch-p4gq-x46x.
2026-04-09 16:07:32 +00:00
..
auth.go refactor: extract shared API token validation into ValidateTokenAndGetOwner 2026-03-30 12:09:53 +00:00
handler.go fix(caldav): use /dav/projects/ as home to make iOS/MacOS reminders work (#2417) 2026-03-20 09:33:56 +00:00
listStorageProvider.go fix(caldav): enforce URL project match in GetResourcesByList 2026-04-09 16:07:32 +00:00
listStorageProvider_test.go fix(caldav): enforce URL project match in GetResourcesByList 2026-04-09 16:07:32 +00:00
main_test.go fix: add TestMain to caldav tests and fix session conflicts 2026-02-25 11:03:02 +01:00