fix(filters): don't escape valid escaped in queries

pkg/models/task_collection.go

@@ -36,7 +36,7 @@ type TaskCollection struct {
 	// The filter query to match tasks by. Check out https://vikunja.io/docs/filters for a full explanation of the feature.
 	Filter string `query:"filter" json:"filter"`
 	// The time zone which should be used for date match (statements like "now" resolve to different actual times)
-	FilterTimezone string `query:"filter_timezone" json:"filter_timezone"`
+	FilterTimezone string `query:"filter_timezone" json:"-"`
 
 	// If set to true, the result will also include null values
 	FilterIncludeNulls bool `query:"filter_include_nulls" json:"filter_include_nulls"`
@@ -158,6 +158,14 @@ func (tf *TaskCollection) ReadAll(s *xorm.Session, a web.Auth, search string, pa
 		sf.Filters.OrderBy = orderby
 		sf.Filters.OrderByArr = nil
 
+		if sf.Filters.FilterTimezone == "" {
+			u, err := user.GetUserByID(s, a.GetID())
+			if err != nil {
+				return nil, 0, 0, err
+			}
+			sf.Filters.FilterTimezone = u.Timezone
+		}
+
 		return sf.getTaskCollection().ReadAll(s, a, search, page, perPage)
 	}
 

pkg/models/task_collection_filter.go

@@ -155,7 +155,7 @@ func getTaskFiltersFromFilterString(filter string, filterTimezone string) (filte
 	filter = strings.ReplaceAll(filter, " in ", " ?= ")
 
 	// Replaces all occurrences with in with a string so that it passes the filter
-	pattern := `\?=\s+([^&|]+)`
+	pattern := `\?=\s+([^&|']+)`
 	re := regexp.MustCompile(pattern)
 
 	filter = re.ReplaceAllStringFunc(filter, func(match string) string {

pkg/models/task_collection_test.go

@@ -1044,6 +1044,18 @@ func TestTaskCollection_ReadAll(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "filter in keyword without quotes",
+			fields: fields{
+				Filter: "id in 1,2,34", // user does not have permission to access task 34
+			},
+			args: defaultArgs,
+			want: []*Task{
+				task1,
+				task2,
+			},
+			wantErr: false,
+		},
 		{
 			name: "filter in",
 			fields: fields{