vikunja
/
vikunja
6
43
Fork 70
Code Issues 150 Pull Requests 12 Packages Releases 32 Activity

User with read-write access can edit favorites of another user #914

New Issue
Closed
opened 2021-07-08 15:47:18 +00:00 by andreymal · 2 comments
andreymal commented 2021-07-08 15:47:18 +00:00
Contributor
Copy Link

Step to reproduce

Suppose there are two users: owner and editor.

  1. Create a shared list as owner and add some tasks
  2. Add read-write access for editor
  3. As editor, open the shared list and click the favorite button

Expected behavior

One of:

  • the task is added to the editor's favorites
  • the favorite button doesn't appear and all, and api returns 403 when trying to modify the is_favorite attribute

Actual behavior

The task is added to the owner's favorites.

P.S. I also noticed that the frontend sends a lot of unnecessary data when clicking the favorite button (created, created_by, updated etc.)

**Step to reproduce** Suppose there are two users: `owner` and `editor`. 1. Create a shared list as `owner` and add some tasks 2. Add read-write access for `editor` 3. As `editor`, open the shared list and click the favorite ⭐ button **Expected behavior** One of: - the task is added to the `editor`'s favorites - the favorite button doesn't appear and all, and api returns 403 when trying to modify the is_favorite attribute **Actual behavior** The task is added to the `owner`'s favorites. P.S. I also noticed that the frontend sends a lot of unnecessary data when clicking the favorite button (created, created_by, updated etc.)
konrad added the
kind/bug
 label 2021-07-09 15:45:42 +00:00
konrad commented 2021-07-09 15:49:38 +00:00
Owner
Copy Link

Given that the favorite state is only an attribute of a task/list without any distiction between users this makes a lot of sense. Interesting I didn't think of that when implementing it.

To fix this, I think the favorite attribute from lists/tasks should be moved to a new table which has entries specific for a user.

Given that the favorite state is only an attribute of a task/list without any distiction between users this makes a lot of sense. Interesting I didn't think of that when implementing it. To fix this, I think the favorite attribute from lists/tasks should be moved to a new table which has entries specific for a user.
konrad commented 2021-07-10 10:22:16 +00:00
Owner
Copy Link

Fixed in vikunja/api#915 - feel free to reopen if you have any issues.

Fixed in https://kolaente.dev/vikunja/api/pulls/915 - feel free to reopen if you have any issues.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
renovate/dev-dependencies
renovate/pnpm-9.x
renovate/lowlight-3.x
renovate/golang.org-x-sync-0.x
renovate/major-dev-dependencies
renovate/github.com-asaskevich-govalidator-11.x
renovate/github.com-wneessen-go-mail-0.x
renovate/golangci-golangci-lint-1.x
feature/better-filter-syntax
fix/tiptap-task-list
renovate/flexsearch-0.x
feature/zod-schema
renovate/github.com-typesense-typesense-go-1.x
renovate/github.com-golang-jwt-jwt-v4-5.x
automatic-year-range-for-go-header-template
feature/hide-forbidden-related-tasks
renovate/golang-1.x
release/0.20
release/0.17
release/0.16
release/0.15
release/0.14
release/0.13
v0.23.0
v0.22.1
v0.22.0
v0.21.0
v0.20.4
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.2
v0.19.1
v0.19.0
v0.18.1
v0.18.0
v0.17.1
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.1
v0.13
v0.12
v0.11
v0.10
v0.9
v0.8
v0.7
v0.6
v0.5
v0.4
v0.3
v0.2
v0.1
Labels
Clear labels   
dependencies

   
duplicate

This issue or pull request already exists

  
help wanted

Need some help

  
invalid

Something is wrong

  
kind/bug

Something is not working

  
kind/feature

New feature

  
needs reproduction

   
question

More information is needed

  
security

   
wontfix

This won't be fixed

No Label
dependencies
duplicate
help wanted
invalid
kind/bug
kind/feature
needs reproduction
question
security
wontfix
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: vikunja/vikunja#914
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?