fix(api): make sure permission to read all tasks work for reading all tasks per project

Resolves https://github.com/go-vikunja/api/issues/105

pkg/models/api_routes.go

@@ -17,6 +17,7 @@
 package models
 
 import (
+	"code.vikunja.io/api/pkg/log"
 	"net/http"
 	"strings"
 
@@ -166,12 +167,19 @@ func CanDoAPIRoute(c echo.Context, token *APIToken) (can bool) {
 		route = "delete"
 	}
 
+	// The tasks read_all route is available as /:project/tasks and /tasks/all - therefore we need this workaround here.
+	if routeGroupName == "tasks" && path == "/api/v1/projects/:project/tasks" && c.Request().Method == http.MethodGet {
+		route = "read_all"
+	}
+
 	for _, p := range group {
 		if p == route {
 			return true
 		}
 	}
 
+	log.Debugf("[auth] Token %d tried to use route %s which requires permission %s but has only %v", token.ID, path, route, token.Permissions)
+
 	return false
 }
 

pkg/routes/api_tokens.go

@@ -23,6 +23,7 @@ import (
 
 	"code.vikunja.io/api/pkg/config"
 	"code.vikunja.io/api/pkg/db"
+	"code.vikunja.io/api/pkg/log"
 	"code.vikunja.io/api/pkg/models"
 
 	echojwt "github.com/labstack/echo-jwt/v4"
@@ -66,6 +67,7 @@ func checkAPITokenAndPutItInContext(tokenHeaderValue string, c echo.Context) err
 	}
 
 	if time.Now().After(token.ExpiresAt) {
+		log.Debugf("[auth] Tried authenticating with token %d but it expired on %s", token.ID, token.ExpiresAt.String())
 		return echo.NewHTTPError(http.StatusUnauthorized)
 	}