User with read-write access can edit favorites of another user #914
Reference: vikunja/vikunja#914
Step to reproduce
Suppose there are two users: owner and editor.
owner
and add some tasks
editor
editor, open the shared list and click the favorite ⭐ button

Expected behavior
One of:
editor's favorites

Actual behavior
The task is added to the owner's favorites.

P.S. I also noticed that the frontend sends a lot of unnecessary data when clicking the favorite button (created, created_by, updated etc.)
Given that the favorite state is only an attribute of a task/list without any distinction between users, this makes a lot of sense. Interesting, I didn't think of that when implementing it.
To fix this, I think the favorite attribute from lists/tasks should be moved to a new table which has entries specific for a user.
Fixed in vikunja/api#915 - feel free to reopen if you have any issues.
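
The per-user favorites table proposed in the comments above, sketched as an added example; this is not Vikunja's code and not the change made in vikunja/api#915. `Store`, `favoriteKey`, `Share` and `SetFavorite` are hypothetical names, the in-memory maps stand in for database tables, and requiring read access before a task can be favorited is an assumption.

```go
package main

import "fmt"

// favoriteKey mirrors a row in a hypothetical per-user favorites table
// with a composite primary key (user_id, task_id).
type favoriteKey struct {
	UserID int64
	TaskID int64
}

// Store is a constructed in-memory stand-in for the database.
type Store struct {
	canRead   map[favoriteKey]bool // (user, task) pairs with at least read access
	favorites map[favoriteKey]bool // per-user favorite entries
}

func NewStore() *Store {
	return &Store{canRead: map[favoriteKey]bool{}, favorites: map[favoriteKey]bool{}}
}

// Share grants userID read access to taskID.
func (s *Store) Share(userID, taskID int64) { s.canRead[favoriteKey{userID, taskID}] = true }

// SetFavorite records the favorite for the authenticated caller only.
// callerID comes from the session, never from the request body, so extra
// client-supplied fields (created_by etc.) cannot redirect the write.
func (s *Store) SetFavorite(callerID, taskID int64, fav bool) error {
	k := favoriteKey{callerID, taskID}
	if !s.canRead[k] {
		return fmt.Errorf("user %d cannot access task %d", callerID, taskID)
	}
	if fav {
		s.favorites[k] = true
	} else {
		delete(s.favorites, k)
	}
	return nil
}

// IsFavorite reports whether taskID is a favorite of userID.
func (s *Store) IsFavorite(userID, taskID int64) bool {
	return s.favorites[favoriteKey{userID, taskID}]
}

func main() {
	const owner, editor, task = 1, 2, 10 // constructed sample ids
	s := NewStore()
	s.Share(owner, task)
	s.Share(editor, task)
	_ = s.SetFavorite(editor, task, true)
	fmt.Println(s.IsFavorite(editor, task), s.IsFavorite(owner, task)) // true false
}
```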