0.14.0 release preparations

Fix updating the index when moving a task
Set the list identifier when creating a new task
2020-07-01 17:12:49 +02:00 · 2020-07-01 16:54:18 +02:00 · 2020-07-01 11:17:18 +02:00 · 2020-06-30 20:53:14 +00:00 · 2020-06-30 17:09:18 +02:00 · 2020-06-30 11:29:47 +02:00
1838 changed files with 41923 additions and 754283 deletions
--- a/.drone1.yml
+++ b/.drone1.yml
@@ -2,33 +2,74 @@ kind: pipeline
 name: testing

 workspace:
-  base: /srv/app
+  base: /go
  path: src/code.vikunja.io/api

-clone:
-  depth: 50
-
 services:
-  - name: test-db
+  - name: test-mysql-unit
    image: mariadb:10
    environment:
      MYSQL_ROOT_PASSWORD: vikunjatest
      MYSQL_DATABASE: vikunjatest
+  - name: test-mysql-integration
+    image: mariadb:10
+    environment:
+      MYSQL_ROOT_PASSWORD: vikunjatest
+      MYSQL_DATABASE: vikunjatest
+  - name: test-mysql-migration
+    image: mariadb:10
+    environment:
+      MYSQL_ROOT_PASSWORD: vikunjatest
+      MYSQL_DATABASE: vikunjatest
+  - name: test-postgres-unit
+    image: postgres:12
+    environment:
+      POSTGRES_PASSWORD: vikunjatest
+      POSTGRES_DB: vikunjatest
+  - name: test-postgres-integration
+    image: postgres:12
+    environment:
+      POSTGRES_PASSWORD: vikunjatest
+      POSTGRES_DB: vikunjatest
+  - name: test-postgres-migration
+    image: postgres:12
+    environment:
+      POSTGRES_PASSWORD: vikunjatest
+      POSTGRES_DB: vikunjatest
+
+trigger:
+  branch:
+    include:
+      - master
+  event:
+    include:
+      - push
+      - pull_request

 steps:
  - name: fetch-tags
    image: docker:git
    commands:
      - git fetch --tags
-    when:
-      event: [ tag ]

  - name: build
    image: vikunja/golang-build:latest
    pull: true
    environment:
-      TAGS: bindata sqlite
+      GOPROXY: 'https://goproxy.kolaente.de'
    commands:
+      - make build
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: lint
+    image: vikunja/golang-build:latest
+    pull: true
+    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
+    depends_on: [ build ]
+    commands:
+      - make generate
      - make lint
      - make fmt-check
      # - make got-swag # Commented out until we figured out how to get this working on drone
@@ -37,16 +78,83 @@ steps:
      - make goconst-check
      - make gocyclo-check
      - make static-check
-      - make build
+      - wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin v2.2.0 # Need to manually install as it does not support being installed via go modules like the rest.
+      - make gosec-check
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: test-migration-prepare
+    image: kolaente/toolbox:latest
+    pull: true
+    commands:
+      # Get the latest version
+      - wget https://dl.vikunja.io/api/master/vikunja-master-linux-amd64-full.zip -q -O vikunja-latest.zip
+      - unzip vikunja-latest.zip vikunja-master-linux-amd64
+
+  - name: test-migration-sqlite
+    image: kolaente/toolbox:latest
+    pull: true
+    depends_on: [ test-migration-prepare, build ]
+    environment:
+      VIKUNJA_DATABASE_TYPE: sqlite
+      VIKUNJA_DATABASE_PATH: ./vikunja-migration-test.db
+      VIKUNJA_LOG_DATABASE: stdout
+      VIKUNJA_LOG_DATABASELEVEL: debug
+    commands:
+      - ./vikunja-master-linux-amd64 migrate
+      # Run the migrations from the binary build in the step before
+      - ./vikunja migrate
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: test-migration-mysql
+    image: kolaente/toolbox:latest
+    pull: true
+    depends_on: [ test-migration-prepare, build ]
+    environment:
+      VIKUNJA_DATABASE_TYPE: mysql
+      VIKUNJA_DATABASE_HOST: test-mysql-migration
+      VIKUNJA_DATABASE_USER: root
+      VIKUNJA_DATABASE_PASSWORD: vikunjatest
+      VIKUNJA_DATABASE_DATABASE: vikunjatest
+      VIKUNJA_LOG_DATABASE: stdout
+      VIKUNJA_LOG_DATABASELEVEL: debug
+    commands:
+      - ./vikunja-master-linux-amd64 migrate
+      # Run the migrations from the binary build in the step before
+      - ./vikunja migrate
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: test-migration-psql
+    image: kolaente/toolbox:latest
+    pull: true
+    depends_on: [ test-migration-prepare, build ]
+    environment:
+      VIKUNJA_DATABASE_TYPE: postgres
+      VIKUNJA_DATABASE_HOST: test-postgres-migration
+      VIKUNJA_DATABASE_USER: postgres
+      VIKUNJA_DATABASE_PASSWORD: vikunjatest
+      VIKUNJA_DATABASE_DATABASE: vikunjatest
+      VIKUNJA_DATABASE_SSLMODE: disable
+      VIKUNJA_LOG_DATABASE: stdout
+      VIKUNJA_LOG_DATABASELEVEL: debug
+    commands:
+      - ./vikunja-master-linux-amd64 migrate
+      # Run the migrations from the binary build in the step before
+      - ./vikunja migrate
    when:
      event: [ push, tag, pull_request ]

  - name: test
    image: vikunja/golang-build:latest
    pull: true
+    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
    commands:
+      - make generate
      - make test
-    depends_on: [ build ]
+    depends_on: [ fetch-tags ]
    when:
      event: [ push, tag, pull_request ]

@@ -54,11 +162,13 @@ steps:
    image: vikunja/golang-build:latest
    pull: true
    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
      VIKUNJA_TESTS_USE_CONFIG: 1
      VIKUNJA_DATABASE_TYPE: sqlite
    commands:
+      - make generate
      - make test
-    depends_on: [ build ]
+    depends_on: [ fetch-tags ]
    when:
      event: [ push, tag, pull_request ]

@@ -66,83 +176,189 @@ steps:
    image: vikunja/golang-build:latest
    pull: true
    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
      VIKUNJA_TESTS_USE_CONFIG: 1
      VIKUNJA_DATABASE_TYPE: mysql
-      VIKUNJA_DATABASE_HOST: test-db
+      VIKUNJA_DATABASE_HOST: test-mysql-unit
      VIKUNJA_DATABASE_USER: root
      VIKUNJA_DATABASE_PASSWORD: vikunjatest
      VIKUNJA_DATABASE_DATABASE: vikunjatest
    commands:
+      - make generate
      - make test
-    depends_on: [ build ]
+    depends_on: [ fetch-tags ]
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: test-postgres
+    image: vikunja/golang-build:latest
+    pull: true
+    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
+      VIKUNJA_TESTS_USE_CONFIG: 1
+      VIKUNJA_DATABASE_TYPE: postgres
+      VIKUNJA_DATABASE_HOST: test-postgres-unit
+      VIKUNJA_DATABASE_USER: postgres
+      VIKUNJA_DATABASE_PASSWORD: vikunjatest
+      VIKUNJA_DATABASE_DATABASE: vikunjatest
+      VIKUNJA_DATABASE_SSLMODE: disable
+    commands:
+      - make generate
+      - make test
+    depends_on: [ fetch-tags ]
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: integration-test
+    image: vikunja/golang-build:latest
+    pull: true
+    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
+    commands:
+      - make generate
+      - make integration-test
+    depends_on: [ fetch-tags ]
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: integration-test-sqlite
+    image: vikunja/golang-build:latest
+    pull: true
+    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
+      VIKUNJA_TESTS_USE_CONFIG: 1
+      VIKUNJA_DATABASE_TYPE: sqlite
+    commands:
+      - make generate
+      - make integration-test
+    depends_on: [ fetch-tags ]
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: integration-test-mysql
+    image: vikunja/golang-build:latest
+    pull: true
+    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
+      VIKUNJA_TESTS_USE_CONFIG: 1
+      VIKUNJA_DATABASE_TYPE: mysql
+      VIKUNJA_DATABASE_HOST: test-mysql-integration
+      VIKUNJA_DATABASE_USER: root
+      VIKUNJA_DATABASE_PASSWORD: vikunjatest
+      VIKUNJA_DATABASE_DATABASE: vikunjatest
+    commands:
+      - make generate
+      - make integration-test
+    depends_on: [ fetch-tags ]
+    when:
+      event: [ push, tag, pull_request ]
+
+  - name: integration-test-postgres
+    image: vikunja/golang-build:latest
+    pull: true
+    environment:
+      GOPROXY: 'https://goproxy.kolaente.de'
+      VIKUNJA_TESTS_USE_CONFIG: 1
+      VIKUNJA_DATABASE_TYPE: postgres
+      VIKUNJA_DATABASE_HOST: test-postgres-integration
+      VIKUNJA_DATABASE_USER: postgres
+      VIKUNJA_DATABASE_PASSWORD: vikunjatest
+      VIKUNJA_DATABASE_DATABASE: vikunjatest
+      VIKUNJA_DATABASE_SSLMODE: disable
+    commands:
+      - make generate
+      - make integration-test
+    depends_on: [ fetch-tags ]
    when:
      event: [ push, tag, pull_request ]

 ---
 ########
-# Build a release when pushing to master
-# We need to copy this because drone currently can't run a pipeline on either a push to master or a tag.
+# Build a release when tagging
 ########

 kind: pipeline
-name: deploy-master
+name: release
+
 depends_on:
  - testing

 workspace:
-  base: /srv/app
+  base: /go
  path: src/code.vikunja.io/api

-clone:
-  depth: 50
-
 trigger:
-  branch:
-    - master
-  event:
-    - push
+  ref:
+    - refs/heads/master
+    - "refs/tags/**"

 steps:
+  # Needed to get the versions right as they depend on tags
+  - name: fetch-tags
+    image: docker:git
+    commands:
+      - git fetch --tags
+
  - name: before-static-build
-    image: karalabe/xgo-latest:latest
+    image: techknowlogick/xgo:latest
    pull: true
    commands:
+      - export PATH=$PATH:$GOPATH/bin
+      - make generate
      - make release-dirs
+    depends_on: [ fetch-tags ]

  - name: static-build-windows
-    image: karalabe/xgo-latest:latest
+    image: techknowlogick/xgo:latest
    pull: true
    environment:
+      # This path does not exist. However, when we set the gopath to /go, the build fails. Not sure why.
+      # Leaving this here until we know how to resolve this properly.
      GOPATH: /srv/app
    commands:
+      - export PATH=$PATH:$GOPATH/bin
      - make release-windows
    depends_on: [ before-static-build ]

  - name: static-build-linux
-    image: karalabe/xgo-latest:latest
+    image: techknowlogick/xgo:latest
    pull: true
    environment:
+      # This path does not exist. However, when we set the gopath to /go, the build fails. Not sure why.
+      # Leaving this here until we know how to resolve this properly.
      GOPATH: /srv/app
    commands:
+      - export PATH=$PATH:$GOPATH/bin
      - make release-linux
    depends_on: [ before-static-build ]

  - name: static-build-darwin
-    image: karalabe/xgo-latest:latest
+    image: techknowlogick/xgo:latest
    pull: true
    environment:
+      # This path does not exist. However, when we set the gopath to /go, the build fails. Not sure why.
+      # Leaving this here until we know how to resolve this properly.
      GOPATH: /srv/app
    commands:
+      - export PATH=$PATH:$GOPATH/bin
      - make release-darwin
    depends_on: [ before-static-build ]

-  - name: after-build-static
-    image: karalabe/xgo-latest:latest
+  - name: after-build-compress
+    image: kolaente/upx
    pull: true
    depends_on:
      - static-build-windows
      - static-build-linux
      - static-build-darwin
+    commands:
+      - make release-compress
+
+  - name: after-build-static
+    image: techknowlogick/xgo:latest
+    pull: true
+    depends_on:
+      - after-build-compress
    commands:
      - make release-copy
      - make release-check
@@ -162,7 +378,7 @@ steps:
        - dist/zip/*
      detach_sign: true

-# Push the releases to our pseudo-s3-bucket
+  # Push the releases to our pseudo-s3-bucket
  - name: release-latest
    image: plugins/s3:1
    pull: true
@@ -176,184 +392,12 @@ steps:
      path_style: true
      strip_prefix: dist/zip/
      source: dist/zip/*
-      target: /master/
+      target: /api/master/
+    trigger:
+      ref:
+        - refs/heads/master
    depends_on: [ sign-release ]

-  # Build a debian package and push it to our bucket
-  - name: build-deb
-    image: kolaente/fpm
-    pull: true
-    commands:
-      - make build-deb
-    depends_on: [ static-build-linux ]
-
-  - name: deb-structure
-    image: kolaente/reprepro
-    pull: true
-    environment:
-      GPG_PRIVATE_KEY:
-        from_secret: gpg_privatekey
-    commands:
-      - export GPG_TTY=$(tty)
-      - gpg -qk
-      - echo "use-agent" >>  ~/.gnupg/gpg.conf
-      - gpgconf --kill gpg-agent
-      - echo $GPG_PRIVATE_KEY > ~/frederik.gpg
-      - gpg --import ~/frederik.gpg
-      - mkdir debian/conf -p
-      - cp build/reprepro-dist-conf debian/conf/distributions
-      - make reprepro
-    depends_on: [ build-deb ]
-
-  # Push the releases to our pseudo-s3-bucket
-  - name: release-deb
-    image: plugins/s3:1
-    pull: true
-    settings:
-      bucket: vikunja-deb
-      access_key:
-        from_secret: aws_access_key_id
-      secret_key:
-        from_secret: aws_secret_access_key
-      endpoint: https://storage.kolaente.de
-      path_style: true
-      strip_prefix: debian
-      source: debian/*/*/*/*/*
-      target: /
-    depends_on: [ deb-structure ]
-
-# Build the docker image and push it to docker hub
-  - name: docker
-    image: plugins/docker
-    pull: true
-    settings:
-      username:
-        from_secret: docker_username
-      password:
-        from_secret: docker_password
-      repo: vikunja/api
-      auto_tag: true
-
-# Update the instance on try.vikunja.io
-  - name: rancher
-    image: peloton/drone-rancher
-    settings:
-      url: http://server01.kolaente.de:8080/v1
-      access_key:
-        from_secret: RANCHER_ACCESS_KEY
-      secret_key:
-        from_secret: RANCHER_SECRET_KEY
-      service: vikunja-dev/api
-      docker_image: vikunja/api
-      confirm: true
-    depends_on: [ docker ]
-
-  - name: telegram
-    image: appleboy/drone-telegram
-    depends_on:
-      - rancher
-      - release-latest
-    settings:
-      token:
-        from_secret: TELEGRAM_TOKEN
-      to:
-        from_secret: TELEGRAM_TO
-      message: >
-        {{repo.owner}}/{{repo.name}}: \[{{build.status}}] Build {{build.number}}
-        {{commit.author}} pushed to {{commit.branch}} {{commit.sha}}: `{{commit.message}}`
-        Build started at {{datetime build.started "2006-Jan-02T15:04:05Z" "GMT+2"}} finished at {{datetime build.finished "2006-Jan-02T15:04:05Z" "GMT+2"}}.
-    when:
-      status:
-        - success
-        - failure
---
-########
-# Build a release when tagging
-# We need to copy this because drone currently can't run a pipeline on either a push to master or a tag.
-########
-
-kind: pipeline
-name: deploy-version
-depends_on:
-  - testing
-
-workspace:
-  base: /srv/app
-  path: src/code.vikunja.io/api
-
-clone:
-  depth: 50
-
-trigger:
-  event:
-    - tag
-
-steps:
-  - name: fetch-tags
-    image: docker:git
-    commands:
-      - git fetch --tags
-
-  - name: before-static-build
-    image: karalabe/xgo-latest:latest
-    pull: true
-    commands:
-      - make release-dirs
-
-  - name: static-build-windows
-    image: karalabe/xgo-latest:latest
-    pull: true
-    environment:
-      GOPATH: /srv/app
-    commands:
-      - make release-windows
-    depends_on: [ before-static-build ]
-
-  - name: static-build-linux
-    image: karalabe/xgo-latest:latest
-    pull: true
-    environment:
-      GOPATH: /srv/app
-    commands:
-      - make release-linux
-    depends_on: [ before-static-build ]
-
-  - name: static-build-darwin
-    image: karalabe/xgo-latest:latest
-    pull: true
-    environment:
-      GOPATH: /srv/app
-    commands:
-      - make release-darwin
-    depends_on: [ before-static-build ]
-
-  - name: after-build-static
-    image: karalabe/xgo-latest:latest
-    pull: true
-    depends_on:
-      - static-build-windows
-      - static-build-linux
-      - static-build-darwin
-    commands:
-      - make release-copy
-      - make release-check
-      - make release-os-package
-      - make release-zip
-
-  - name: sign-release
-    image: plugins/gpgsign:1
-    pull: true
-    depends_on: [ after-build-static ]
-    settings:
-      key:
-        from_secret: gpg_privkey
-      passphrase:
-        from_secret: gpg_password
-      files:
-        - dist/zip/*
-      detach_sign: true
-
-# Push the releases to our pseudo-s3-bucket
  - name: release-version
    image: plugins/s3:1
    pull: true
@@ -367,7 +411,10 @@ steps:
      path_style: true
      strip_prefix: dist/zip/
      source: dist/zip/*
-      target: /${DRONE_TAG##v}/
+      target: /api/${DRONE_TAG##v}/
+    trigger:
+      ref:
+        - "refs/tags/**"
    depends_on: [ sign-release ]

  # Build a debian package and push it to our bucket
@@ -401,7 +448,7 @@ steps:
    image: plugins/s3:1
    pull: true
    settings:
-      bucket: vikunja-deb
+      bucket: vikunja
      access_key:
        from_secret: aws_access_key_id
      secret_key:
@@ -410,46 +457,15 @@ steps:
      path_style: true
      strip_prefix: debian
      source: debian/*/*/*/*/*
-      target: /
+      target: /deb/
    depends_on: [ deb-structure ]

-# Build the docker image and push it to docker hub
-  - name: docker
-    image: plugins/docker
-    pull: true
-    settings:
-      username:
-        from_secret: docker_username
-      password:
-        from_secret: docker_password
-      repo: vikunja/api
-      auto_tag: true
-
-  - name: telegram
-    image: appleboy/drone-telegram
-    depends_on:
-      - docker
-      - release-version
-    settings:
-      token:
-        from_secret: TELEGRAM_TOKEN
-      to:
-        from_secret: TELEGRAM_TO
-      message: >
-        {{repo.owner}}/{{repo.name}}: \[{{build.status}}] Build {{build.number}}
-        {{commit.author}} pushed to {{commit.branch}} {{commit.sha}}: `{{commit.message}}`
-        Build started at {{datetime build.started "2006-Jan-02T15:04:05Z" "GMT+2"}} finished at {{datetime build.finished "2006-Jan-02T15:04:05Z" "GMT+2"}}.
-    when:
-      status:
-        - success
-        - failure
-
 ---
 kind: pipeline
 name: deploy-docs

 workspace:
-  base: /srv/app
+  base: /go
  path: src/code.vikunja.io/api

 clone:
@@ -468,6 +484,15 @@ steps:
      - git submodule update --init
      - git submodule update --recursive --remote

+  - name: theme
+    image: kolaente/yarn
+    pull: true
+    group: build-static
+    commands:
+      - cd docs/themes/vikunja
+      - yarn --production=false
+      - ./node_modules/.bin/gulp prod
+
  - name: build
    image: monachus/hugo:v0.54.0
    pull: true
@@ -488,14 +513,130 @@ steps:
      context: docs/
      dockerfile: docs/Dockerfile

-  - name: rancher
-    image: peloton/drone-rancher
+---
+kind: pipeline
+type: docker
+name: docker-arm-release
+
+depends_on:
+  - testing
+
+platform:
+  os: linux
+  arch: arm
+
+trigger:
+  ref:
+    - refs/heads/master
+    - "refs/tags/**"
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    commands:
+      - git fetch --tags
+  - name: docker
+    image: plugins/docker:linux-arm
+    pull: true
    settings:
-      url: http://server01.kolaente.de:8080/v1
-      access_key:
-        from_secret: RANCHER_ACCESS_KEY
-      secret_key:
-        from_secret: RANCHER_SECRET_KEY
-      service: vikunja-website/docs
-      docker_image: vikunja/docs
-      confirm: true
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+      repo: vikunja/api
+      auto_tag: true
+      auto_tag_suffix: linux-arm
+    depends_on: [ fetch-tags ]
+
+---
+kind: pipeline
+type: docker
+name: docker-amd64-release
+
+depends_on:
+  - testing
+
+platform:
+  os: linux
+  arch: amd64
+
+trigger:
+  ref:
+    - refs/heads/master
+    - "refs/tags/**"
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    commands:
+      - git fetch --tags
+  - name: docker
+    image: plugins/docker:linux-amd64
+    pull: true
+    settings:
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+      repo: vikunja/api
+      auto_tag: true
+      auto_tag_suffix: linux-amd64
+    depends_on: [ fetch-tags ]
+
+---
+kind: pipeline
+type: docker
+name: docker-manifest
+
+trigger:
+  ref:
+    - refs/heads/master
+    - "refs/tags/**"
+
+depends_on:
+  - docker-amd64-release
+  - docker-arm-release
+
+steps:
+  - name: manifest
+    pull: always
+    image: plugins/manifest
+    settings:
+      auto_tag: true
+      ignore_missing: true
+      spec: docker-manifest.tmpl
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+
+---
+kind: pipeline
+type: docker
+name: notify
+
+trigger:
+  ref:
+    - refs/heads/master
+    - "refs/tags/**"
+
+depends_on:
+  - release
+  - docker-manifest
+
+steps:
+  - name: telegram
+    image: appleboy/drone-telegram
+    settings:
+      token:
+        from_secret: TELEGRAM_TOKEN
+      to:
+        from_secret: TELEGRAM_TO
+      message: >
+        {{repo.owner}}/{{repo.name}}: \[{{build.status}}] Build {{build.number}}
+        {{commit.author}} pushed to {{commit.branch}} {{commit.sha}}: `{{commit.message}}`
+        Build started at {{datetime build.started "2006-Jan-02T15:04:05Z" "GMT+2"}} finished at {{datetime build.finished "2006-Jan-02T15:04:05Z" "GMT+2"}}.
+    when:
+      status:
+        - success
+        - failure
--- a/.gitea/pull_request_template.md
+++ b/.gitea/pull_request_template.md
@@ -5,7 +5,6 @@
 # Checklist

 * [ ] I added or improved tests
-* [ ] I pushed new or updated dependencies to the repo using `go mod vendor`
 * [ ] I added or improved docs for my feature
  * [ ] Swagger (including `make do-the-swag`)
  * [ ] Error codes
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,8 @@ debian/
 logs/
 docs/public/
 docs/resources/
+pkg/static/templates_vfsdata.go
+files/
+!pkg/files/
+vikunja-dump*
+vendor/
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "docs/themes/vikunja"]
 	path = docs/themes/vikunja
-    url = https://git.kolaente.de/vikunja/theme.git
+	url = ../theme.git
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,505 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+All releases can be found on https://code.vikunja.io/api/releases.
+
+## [0.14.0] - 2020-07-01
+
+### Added 
+
+* Add ability to run the docker container with configurable user and group ids
+* Add better errors if the sqlite db file is not writable
+* Add cache for initial unsplash collection
+* Add docker setup guide from start to finish
+* Add docs for restore
+* Add dump command (#592)
+* Add section to full-docker-example.md for Caddy v2 (#595)
+* Add go version to version command
+* Add list background information when getting all lists
+* Add logging if downloading an image from unsplash fails
+* Add migration test in drone (#585)
+* Add option to disable totp for everyone
+* Add plausible to docs
+* Add restarting commands to all example docker compose files
+* Add seperate docker pipeline for amd64 and arm
+* Add test mail command (#571)
+* Add todoist migrator to available migrators in info endpoint if it is enabled
+* Add unsplash image proxy for images and thumbnails
+* Add returning unsplash info when searching
+* Don't return all tasks when a user has no lists
+* Duplicate Lists (#603)
+* Enable upload backgrounds by default
+* Generate a random list identifier based on the list title
+* List Backgrounds (#568)
+* List Background upload (#582)
+* Repeat tasks after completion (#587)
+* Restore command (#593)
+* Sentry integration (#591)
+* Todoist Migration (#566)
+
+### Fixed
+
+* Ensure consistent naming of title fields (#528)
+* Ensure task dates are in the future if a task has a repeating interval (#586)
+* Fix caching of initial unsplash results per page
+* Fix case-insensitive task search for postgresql (#524)
+* Fix docker manifest build
+* Fix docker multiarch build
+* Fix docs theme build
+* Fix getting unsplash thumbnails for non "photo-*" urls
+* Fix migration 20200425182634
+* Fix migration 20200516123847
+* Fix migration to add position to task
+* Fix misspell
+* Fix namespace title not being updated
+* Fix not loading timezones on all operating systems
+* Fix proxying unsplash images (security)
+* Fix removing existing sqlite files
+* Fix resetting list, label & namespace colors
+* Fix searching for unsplash pictures with words that contain a space
+* Fix setting a list identifier to empty
+* Fix sqlite db not working when creating a new one
+* Fix sqlite path in default config
+* Fix swagger docs
+* Fix updating the index when moving a task
+* Prevent crashing when trying to register with an empty payload
+* Properly ping unsplash when using unsplash images
+* Return errors when dumping
+* Set the list identifier when creating a new task
+
+### Changed
+
+* Expose namespace id when querying lists
+* Improve getting all namespaces performance (#526)
+* Improve memory usage of dump by not loading all files in memory prior to adding them to the zip
+* Improve metrics performance
+* Load the list when setting a background
+* Make the db timezone migration mysql compatible
+* Make the `_unix` suffix optional when sorting tasks
+* Migrate all timestamps to real iso dates (#594)
+* Make sure docker images are only built when tests pass
+* Remove build date from binary
+* Remove dependencies on build step to speed up test pipeline (#521)
+* Remove go mod vendor todo from pr template now that we don't keep dependencies in the repo anymore
+* Remove migration dependency to models
+* Remove min length for labels, lists, namespaces, tasks and teams
+* Remove vendored dependencies
+* Reorganize cmd init functions
+* Set unsplash empty collection caching to one hour
+* Simplify pipeline & add docker manifest step
+* Update alpine Docker tag to v3.12 (#573)
+* Update and fix staticcheck
+* Update dependency github.com/mattn/go-sqlite3 to v1.14.0
+* Update github.com/shurcooL/vfsgen commit hash to 92b8a71 (#599)
+* Update golang.org/x/crypto commit hash to 279210d (#577)
+* Update golang.org/x/crypto commit hash to 70a84ac (#578)
+* Update golang.org/x/crypto commit hash to 75b2880 (#596)
+* Update module go-redis/redis/v7 to v7.3.0 (#565)
+* Update module go-redis/redis/v7 to v7.4.0 (#579)
+* Update module go-testfixtures/testfixtures/v3 to v3.3.0 (#600)
+* Update module lib/pq to v1.6.0 (#572)
+* Update module lib/pq to v1.7.0 (#581)
+* Update module prometheus/client_golang to v1.7.0 (#589)
+* Update module prometheus/client_golang to v1.7.1 (#597)
+* Update module spf13/afero to v1.3.0 (#588)
+* Update module spf13/afero to v1.3.1 (#602)
+* Update module spf13/cobra to v1 (#511)
+* Update module src.techknowlogick.com/xormigrate to v1.2.1 (#574)
+* Update module src.techknowlogick.com/xormigrate to v1.3.0 (#590)
+* Update module stretchr/testify to v1.6.0 (#570)
+* Update module stretchr/testify to v1.6.1 (#580)
+* Update module swaggo/swag to v1.6.7 (#601)
+* Update src.techknowlogick.com/xgo commit hash to 209a5cf (#523)
+* Update src.techknowlogick.com/xgo commit hash to a09175e (#576)
+* Update src.techknowlogick.com/xgo commit hash to eeb7c0a (#575)
+* update theme
+* Update theme
+* Update web handler
+* Update xorm.io/xorm 1.0.1 -> 1.0.2
+* Use the db logger instance for logging migration related stuff
+
+## [0.13.1] - 2020-05-19
+
+### Fixed
+
+* Don't get all tasks if a user has no lists
+
+## [0.13] - 2020-05-12
+
+#### Added
+
+* Add 2fa for authentification (#383)
+* Add categories to error docs
+* Add changing email for users
+* Add community link
+* Add configuration options for log level
+* Add creating a new first bucket when creating a new list
+* Add docs for changing frontend url
+* Add endpoint to disable totp auth
+* Add endpoint to get the current users totp status
+* Add explanation to docs about cors
+* Add github token for renovate (#164)
+* Add gosec static analysis
+* Add moving tasks between lists (#389)
+* Add real buckets for tasks which don't have one (#446)
+* Add traefik 2 example configuration
+* Configure Renovate (#159)
+* Kanban (#393)
+* Task filters (#243)
+* Task Position (#412)
+
+#### Fixed
+
+* Add checking and logging when trying to put a task into a nonexisting bucket
+* Fix bucket ID being reset with no need to do so
+* Fix creating new things with a link share auth
+* Fix dependencies
+* Fix gosec in drone
+* Fix link share creation & creating admin link shares without admin rights
+* Fix moving tasks back into the empty (ID: 0) bucket
+* Fix moving tasks in buckets
+* Fix not moving its bucket when moving a task between lists
+* Fix pagination count for task collection
+* Fix parsing array style comparators by query param
+* Fix reference to reverse proxies in docs
+* Fix removing the last bucket
+* Fix replace statements for tail
+* Fix team rights not updating for namespace rights
+* Fix tests after renaming json fields to snake_case
+* Fix total label count when getting all labels (#477)
+* Remove setting task bucket to 0
+* Task Filter Fixes (#495)
+
+#### Changed
+
+* Change all json fields to snake_case
+* Change totp secret datatype from varchar to text
+* Update alpine Docker tag to v3.11 (#160)
+* Update docs theme
+* Update github.com/c2h5oh/datasize commit hash to 28bbd47 (#212)
+* Update github.com/gordonklaus/ineffassign commit hash to 7953dde (#233)
+* Update github.com/jgautheron/goconst commit hash to cda7ea3 (#228)
+* Update github.com/shurcooL/httpfs commit hash to 8d4bc4b (#229)
+* Update golang.org/x/crypto commit hash to 056763e (#222)
+* Update golang.org/x/crypto commit hash to 06a226f (#504)
+* Update golang.org/x/crypto commit hash to 0848c95 (#371)
+* Update golang.org/x/crypto commit hash to 3c4aac8 (#419)
+* Update golang.org/x/crypto commit hash to 44a6062 (#429)
+* Update golang.org/x/crypto commit hash to 4b2356b (#475)
+* Update golang.org/x/crypto commit hash to 4bdfaf4 (#438)
+* Update golang.org/x/crypto commit hash to 729f1e8 (#458)
+* Update golang.org/x/crypto commit hash to a76a400 (#411)
+* Update golang.org/x/lint commit hash to 738671d (#223)
+* Update module go-redis/redis to v6.15.7 (#234)
+* Update module go-redis/redis to v6.15.7 (#290)
+* Update module go-redis/redis to v7 (#277)
+* Update module go-redis/redis to v7 (#309)
+* Update module go-testfixtures/testfixtures/v3 to v3.1.2 (#457)
+* Update module go-testfixtures/testfixtures/v3 to v3.2.0 (#505)
+* Update module imdario/mergo to v0.3.9 (#238)
+* Update module labstack/echo/v4 to v4.1.16 (#241)
+* Update module lib/pq to v1.4.0 (#428)
+* Update module lib/pq to v1.5.0 (#476)
+* Update module lib/pq to v1.5.1 (#485)
+* Update module lib/pq to v1.5.2 (#491)
+* Update module olekukonko/tablewriter to v0.0.4 (#240)
+* Update module prometheus/client_golang to v0.9.4 (#245)
+* Update module prometheus/client_golang to v1
+* Update module prometheus/client_golang to v1.6.0 (#463)
+* Update module spf13/cobra to v0.0.7 (#271)
+* Update module spf13/viper to v1.6.2 (#272)
+* Update module spf13/viper to v1.6.3 (#291)
+* Update module spf13/viper to v1.7.0 (#494)
+* Update module stretchr/testify to v1.5.1 (#274)
+* Update Renovate Configuration (#161)
+* Update src.techknowlogick.com/xgo commit hash to bb0faa3 (#279)
+* Update src.techknowlogick.com/xgo commit hash to c43d4c4 (#224)
+* Update xorm redis cacher to use the xorm logger instead of a special seperate one
+* Update xorm to v1 (#323)
+
+## [0.12] - 2020-04-04
+
+#### Added 
+
+* Add support for archiving lists and namespaces (#152)
+* Colors for lists and namespaces (#155)
+* Add build time to compile flags
+* Add proxying gravatar requests for user avatars (#148)
+* Add empty avatar provider (#149)
+* expand relative path ~/.config/vikunja to $HOME/.config/vikunja **WINDOWS** (#147)
+* Show lists as archived if their namespace is archived
+
+#### Fixed
+
+* Workaround for timezones on windows (#151)
+* Fix getting one namespace
+* Fix getting the authenticated user with caldav
+* Fix searching for config in home directories
+* Fix updating lists with an identifier
+
+#### Changed
+
+* Change release bucket
+
+## [0.11] - 2020-03-01
+
+### Added 
+
+* Add config options for cors handling (#124)
+* Add config options for task attachments (#125)
+* Add generate as a make dependency for make build
+* Add logging for invalid model errors (#126)
+* Add more logging to web handler methods
+* Add postgres support (#135)
+* Add rate limit by ip for non-authenticated routes (#127)
+* Better efficency for loading teams (#128)
+* Expand relative path ~/.config/vikunja to $HOME/.config/vikunja (#146)
+* Task Comments (#138)
+
+### Fixed
+
+* Fix typo in docker-compose example (#140)
+* Fix frontend url for wunderlist migration in docs
+* Fix inserting task structure with related tasks (#142)
+* Fix time zone settings not working in Docker
+* Fix updating dates when marking a task as done (#145)
+* Make sure the author is returned when creating a new comment
+* Remove double user field
+
+### Changed
+
+* Explicitly disable wunderlist migration by default (#141)
+* Migration Improvements (#122)
+* Refactor User and DB handling (#123)
+* Return iso dates for everything date related from the api (#130)
+* Update copyright header
+* Update theme
+* Update xorm to use the new import path (#133)
+* Use relative url in .gitmodules (#132)
+
+## [0.10] - 2020-01-19
+
+### Added
+
+* Migration (#120)
+* Endpoint to get tasks on a list (#108)
+* Sort Order for tasks (#110)
+* Add files volume to docker compose docs
+* Add motd config option to docs
+* Add option to disable registration (#117)
+* Add task identifier (#115)
+* Add tests for md5 generation (#111)
+* Add user token renew (#113)
+
+### Fixed
+
+* Fix new tasks not getting a new task index (#116)
+* Fix owner field being null for user shared namespaces (#119)
+* Fix passing sort_by and order_by as query path arrays
+* Fix sorting tasks by bool values
+* Fix task collection tests
+* Consistent copyright text in file headers (#112)
+
+### Changed
+
+* Task collection improvements (#109)
+* Update copyright year (#118)
+* Update docs with a traefik configuration
+* Use redis INCRBY and DECRBY when updating metrics values (#121)
+* Use utf8mb4 instead of plain utf8 (#114)
+* Update docs theme
+
+## [0.9] - 2019-11-24
+
+### Added 
+
+* Task Attachments (#104)
+* Task Relations (#103)
+* Add endpoint to get a single task (#106)
+* Add file volume to the docker image
+* Added extra depth to logging to correctly show the functions calling the logger in logs
+* Added more infos to a link share auth (#98)
+* Added percent done to tasks (#102)
+
+### Fixed
+
+* Fix default logging settings (#107)
+* Fixed a bug where adding assignees or reminders via an update would re-create them and not respect already inserted ones, leaving a lot of garbage
+* Fixed a bug where deleting an attachment would cause a nil panic
+* Fixed building docs theme
+* Fixed error when setting max file size on 32-Bit systems
+* Fixed labels being displayed multiple times if they were associated with more than one task (#99)
+* Fixed metrics on/off setting
+* Fixed migration for task relations
+* Fixed not getting all labels when retrieving a list with all tasks
+* Fixed panic when using link share and metrics
+* Fixed rate limit panic when authenticating with a link share auth token (#97)
+* Fixed removing reminders
+* Small link share fixes (#96)
+
+### Changed 
+
+* Improve pagination (#105)
+* Moved `teams_{namespace|list}_*` to `{namespace|list}_teams_*` for better consistency (#101)
+* Refactored getting all lists for a namespace (#100)
+* Refactored getting task IDs for labels
+* Switched default logger to stdout instead of stderr
+* update docs theme
+
+### Misc
+
+* Move from markdown lists to Vikunja for roadmap
+
+## [0.8] - 2019-09-01
+
+### Added
+
+* Better Caldav support (#73)
+* Added settings for max open/idle connections and max connection lifetime (#74)
+* /info endpoint (#85)
+* Added http endpoint to list all users on a list (#87)
+* Rate limits (#91)
+* Sharing of lists via public links (#94)
+
+### Changed
+
+* Reminders now use an extra table (#75)
+* Use the username instead of a full user object when adding a user to a team or giving it rights (#76)
+* Add the md5-hashed user email to user objects for use with gravatar (#78)
+* Use the auth methods to get IDs to avoid unneeded casts
+* Better config handling with constants (#83)
+* Statically compile templates in the final binary (#84)
+* Use longtext instead of varchar(1000) on description fields (#88)
+* Logger refactoring (#90)
+
+### Fixed
+
+* Fixed `listID` not being returned in tasks
+* Fixed tests (#72)
+* Fixed metrics endpoint not working
+* Fixed check if the user really exists before updating/deleting its rights (#77)
+* Fixed duedate spelling issue (#79)
+
+### Misc
+
+* Integration tests (#71)
+* Make sure the version works when building in drone
+* Switched to another version of xgo
+* Simplified the docker image (#80)
+* Update echo (#82)
+* Compress binaries after building them (#81)
+* Simplify structure by having less files (#86)
+* Limit the test pipeline to run only on pull requests (#89)
+* GetUser now returns a pointer (#93)
+* Refactor ListTask to Task (#92)
+
+## [0.7] - 2019-04-05
+
+### Added
+
+* DB migrations (#67)
+* More cli options for Vikunja (#66 #68)
+* Use query params to sort tasks instead of url params (#61)
+* More config paths (#55)
+
+### Fixed
+
+* Fixed Priority not updating when setting it to 0
+* Fixed getting lists by namespace
+* Fixed rights check (#70 #62)
+* Fixed labels not being queried correctly on tasks
+* Fixed bulk update label tasks
+
+### Changed
+
+* Hide a user's email address everywhere (#69)
+* Refactored `canRead()` to get the list before checking rights #65
+* Let rights methods return errors (#64 #63)
+* Improved Swagger docs for label tasks
+* Docs improvements (#58)
+* Logging Handling (#57)
+* Rights performance improvements (#54)
+
+### Misc
+
+* Releases also as Debian packages (#56)
+
+## [0.6] - 2019-01-16
+
+### Added
+
+* Added prometheus endpoint to get metrics (#33)
+* More unit tests (#34)
+* Tests can now use config files (#36)
+* Redoc for swagger ui (#39, #46)
+* Start and end dates for tasks (#40)
+* Get tasks between a date range (#41)
+* Bulk edit for tasks (#42)
+* More ci checks (#43)
+* Task assignees (#44, #47)
+* Task labels (#45, #48)
+
+### Fixed
+
+* Fixed path to get all tasks (echo bug)
+* Explicitly get the peudonamespace with all shared lists (#32)
+* Properly init tabels Redis
+* unexpected EOF when using metrics (#35)
+* Task sorting in lists (#36)
+* Various user fixes (#38)
+* Fixed a bug where updating a list would update it with the same values it had
+
+### Changed
+
+* Simplified list rights check (#50)
+* Refactored some structs to not expose unneded values via json (#52)
+
+### Misc
+
+* Updated libraries
+* Updated drone to version 1
+* Releases are now signed with our pgp key (more info about this on [the download page](https://vikunja.io/en/download/)).
+
+## [0.5] - 2018-12-02
+
+### Added
+
+* Shared lists are now shown in a pseudonamespace with all other namespaces, has the ID -1
+* Tasks can have multiple reminders
+* Tasks can have subtasks. Subtasks are fully-fleged tasks, but not shown in the task list of a list.
+* Tasks can have priorities
+
+### Changed
+
+* Validation not so verbose anymore
+* [License](https://git.kolaente.de/vikunja/api/src/branch/master/LICENSE) is now GPLv3
+* The crudhandler now has its [own repo](https://git.kolaente.de/vikunja/web) - you can use it in your own projects!
+
+## [0.4] - 2018-11-16
+
+#### Added
+
+* Get all tasks for the authenticated user sorted by their due date
+* CalDAV support
+* Pagination for everything which returns an array
+* Search all the things
+* More validation for most of the structs
+* Improved Swagger docs (available on `/api/v1/swagger`)
+
+## [0.3] - 2018-11-02
+
+### Added 
+
+* Password reset
+* Email verification when registering
+
+Misc bugfixes and improvements to the build process
+
+## [0.2] - 2018-10-17
+
+## [0.1] - 2018-09-20
+
--- a/61
+++ b/61
@@ -1,45 +1,50 @@

-###################################
-#Build stage
-FROM golang:1.11-alpine AS build-env
+##############
+# Build stage
+FROM golang:1-alpine AS build-env

 ARG VIKUNJA_VERSION
 ENV TAGS "sqlite"
 ENV GO111MODULE=on
-ENV GOFLAGS=-mod=vendor

-#Build deps
+# Build deps
 RUN apk --no-cache add build-base git

-#Setup repo
+# Setup repo
 COPY . ${GOPATH}/src/code.vikunja.io/api
 WORKDIR ${GOPATH}/src/code.vikunja.io/api

-#Checkout version if set
+# Checkout version if set
 RUN if [ -n "${VIKUNJA_VERSION}" ]; then git checkout "${VIKUNJA_VERSION}"; fi \
- && make clean build
+ && make clean generate build

-FROM alpine:3.7
+###################
+# The actual image
+# Note: I wanted to use the scratch image here, but unfortunatly the go-sqlite bindings require cgo and
+# because of this, the container would not start when I compiled the image without cgo.
+FROM alpine:3.12
 LABEL maintainer="maintainers@vikunja.io"

-EXPOSE 3456
-
-RUN apk --no-cache add \
-    bash \
-    ca-certificates \
-    curl \
-    gettext \
-    linux-pam \
-    s6 \
-    sqlite \
-    su-exec \
-    tzdata
-
-COPY docker /
-COPY --from=build-env /go/src/code.vikunja.io/api/templates /app/vikunja/templates
-COPY --from=build-env /go/src/code.vikunja.io/api/vikunja /app/vikunja/vikunja
-
+WORKDIR /app/vikunja/
+COPY --from=build-env /go/src/code.vikunja.io/api/vikunja .
 ENV VIKUNJA_SERVICE_ROOTPATH=/app/vikunja/

-ENTRYPOINT ["/bin/s6-svscan", "/etc/services.d"]
-CMD []
+# Dynamic permission changing stuff
+ENV PUID 1000
+ENV PGID 1000
+RUN apk --no-cache add shadow && \
+  addgroup -g ${PGID} vikunja && \
+  adduser -s /bin/sh -D -G vikunja -u ${PUID} vikunja -h /app/vikunja -H && \
+  chown vikunja -R /app/vikunja
+COPY run.sh /run.sh
+
+# Fix time zone settings not working
+RUN apk --no-cache add tzdata
+
+# Files permissions
+RUN mkdir /app/vikunja/files && \
+  chown -R vikunja /app/vikunja/files
+VOLUME /app/vikunja/files
+
+CMD ["/run.sh"]
+EXPOSE 3456
--- a/Featurecreep.md
+++ b/Featurecreep.md
@@ -1,263 +0,0 @@
-# Featurecreep
-
-This is the place where I write down ideas to work on at some point. 
-Sorry for some of them being in German, I'll tranlate them at some point.
-
-## Feature Ideas
-
-* [x] Priorities
-* [x] Repeating tasks
-* [x] Get all tasks which are due between two given dates
-* [x] Subtasks
-
-## Anderes
-
-* [x] Refactor!!!! Delete everything not being used anymore, simplify. 
-* [x] Drone
-* [x] Tests
-* [x] Find a nme
-* [x] Move packages to a better structure
-* [x] Swagger UI
-+ [x] Fix CORS
-* [x] Use echo.NewHTTPError instead of c.JSON(Message{})
-* [x] Better error messages when the model which is sent to the server is wrong
-* [x] Better error handling to show useful error messages and status codes
-* [x] Viper for config instead of ini
-* [x] Docs for installing
-* [x] Tests for rights managemnt
-* [x] Rights checks:
-      * [x] Create lists
-      * [x] Edit lists
-      * [x] Add tasks
-      * [x] Edit tasks
-* [x] The -1 namespace should also be accessible seperately
-
-### Short Term
-
-* [x] Cacher configurable
-* [x] Should throw an error when an id < 1
-* [x] /users should also return the rights
-* [x] Extra endpoint /teams/members /list/users to update rights without needing to remove and re-add them
-* [x] namespaces & listen update does not work, returns 500
-* [x] Logging for all errors somewhere
-* [x] Ne extra funktion für list exists machen, damit die nicht immer über GetListByID gehen, um sql-abfragen zu sparen
-* [x] Rausfinden warum xorm teilweise beim einfügen IDs mit einfügen will -> Das schlägt dann wegen duplicate fehl
-* [x] Bei den Structs "AfterLoad" raus, das verbraucht bei Gruppenabfragen zu viele SQL-Abfragen -> Die sollen einfach die entsprechenden Read()-Methoden verwenden (Krassestes bsp. ist GET /namespaces mit so ca 50 Abfragen)
-* [x] General search endpoints
-* [x] Validation der ankommenden structs, am besten mit https://github.com/go-validator/validator oder mit dem Ding von echo
-* [x] Pagination
-	* Sollte in der Config definierbar sein, wie viel pro Seite angezeigt werden soll, die CRUD-Methoden übergeben dann ein "gibt mir die Seite sowieso" an die CRUDable-Funktionenen, die müssen das dann Auswerten. Geht leider nicht anders, wenn man erst 2342352 Einträge hohlt und die dann nachträglich auf 200 begrenzt ist das ne massive Ressourcenverschwendung.
-* [x] Testen, ob man über die Routen methode von echo irgendwie ein swagger spec generieren könnte -> Andere Swagger library
-* [ ] CalDAV
-  * [x] Basics
-  * [x] Reminders
-  * [ ] Discovery, stichwort PROPFIND 
-* [x] Wir brauchen noch ne gute idee, wie man die listen kriegt, auf die man nur so Zugriff hat (ohne namespace)
-    * Dazu am Besten nen pseudonamespace anlegen (id -1 oder so), der hat das dann alles
-* [x] Testing mit locust: https://locust.io/
-* [ ] Endpoint to get all users who have access to a list - regardless of via team, user share or via namespace
-
-#### Userstuff
-
-* [x] Userstuff aufräumen
-	-> Soweit es geht und Sinnvoll ist auf den neuen Handler umziehen
-		-> Login/Register/Password-reset geht natürlich nicht
-		-> Bleibt noch Profile abrufen und Einstellungen -> Macht also keinen Sinn das auf den neuen Handler umzuziehen
-* [x] Email-Verifizierung beim Registrieren
-* [x] Password Reset -> Link via email oder so
-* [ ] Settings
-  * [ ] Password update
-  * [ ] Email update
-  * [ ] Ob man über email oder Benutzernamen gefunden werden darf
-
-### Bugfixes
-
-* [x] Panic wenn mailer nicht erreichbar -> Als workaround mailer deaktivierbar machen, bzw keine mails verschicken
-* [x] "unexpected EOF"
-* [x] Beim Login & Password reset gibt die API zurück dass der Nutzer nicht existiert
-* [x] Re-check rights checks to see if all information which is compared against is properly read from the db and not only based on user input
-  * [x] Lists
-  * [x] List users
-  * [x] List Teams
-  * [x] Labels
-  * [x] Tasks
-  * [x] Namespaces
-  * [x] Namespace users
-  * [x] Namespace teams
-  * [x] Teams
-  * [x] Team member handling
-  * [x] Also check `ReadOne()` for unnessecary database operations since the inital query is already done in `CanRead()`
-* [x] Add a `User.AfterLoad()` which obfuscates the email address
-* [x] Fix priority not updating to 0
-
-### Docs
-
-* [x] Readme
-  * [x] Auch noch nen "link" zum Featurecreep
-  * [x] ToC
-  * [x] Logo
-  * [x] How to build -> Docs
-  * [x] How to dev -> Docs
-  * [x] License
-  * [x] Contributing
-* [x] Redocs
-* [x] Swaggerdocs verbessern
-  * [x] Descriptions in structs
-  * [x] Maxlength specify etc. (see swaggo docs)
-* [x] Rights
-* [x] API
-* [x] Anleitung zum Makefile
-* [x] How to build from source
-* [x] Struktur erklären
-* [x] Deploy in die docs
-  * [x] Docker
-  * [x] Native (systemd + nginx/apache)
-* [x] Backups
-* [x] Docs aufsetzen
-
-### Tasks
-
-* [x] Start/Enddatum für Tasks
-* [x] Timeline/Calendar view -> Dazu tasks die in einem Bestimmten Bereich due sind, macht dann das Frontend
-* [x] Tasks innerhalb eines definierbarem Bereich, sollte aber trotzdem der server machen, so à la "Gib mir alles für diesen Monat"
-* [x] Bulk-edit -> Transactions
-* [x] Assignees
-  * [x] Check if something changed at all before running everything
-  * [x] Don't use `list.ReadOne()`, gets too much unnessecary shit
-  * [x] Wegen Performance auf eigene endpoints umziehen, wie labels
-  * [x] "One endpoint to rule them all" -> Array-addable
-* [x] Labels
-  * [x] Check if something changed at all before running everything
-  * [x] Editable via task edit, like assignees
-  * [x] "One endpoint to rule them all" -> Array-addable
-* [ ] Attachments
-* [ ] Task-Templates innerhalb namespaces und Listen (-> Mehrere, die auswählbar sind)
-* [ ] Ein Task muss von mehreren Assignees abgehakt werden bis er als done markiert wird
-* [ ] Besseres Rechtesystem, damit man so fine-graded sachen machen kann wie "Der da darf aber nur Tasks hinzufügen, aber keine abhaken"
-  * [ ] Roles which enable or disable chaning certain fields of a task -> includes custm fields
-* [ ] Custom fields: Templates at List > Namespace > Global level, overwriting each other
-* [ ] Related tasks -> settable with a "kind" of relation like blocked, or just related or so
-* [ ] Description should be longtext
-
-### General features
-
-* [x] Deps nach mod umziehen
-* [x] Performance bei rechtchecks verbessern
-  * User & Teamright sollte sich für n rechte in einer Funktion testen lassen
-* [ ] Endpoint um die Rechte mit Beschreibung und code zu kriegen
-* [ ] "Smart Lists", Listen nach bestimmten Kriterien gefiltert -> speichern und im pseudonamespace
-* [ ] "Performance-Statistik" -> Wie viele Tasks man in bestimmten Zeiträumen so geschafft hat etc
-* [ ] IMAP-Integration -> Man schickt eine email an Vikunja und es macht daraus dann nen task -> Achtung missbrauchsmöglichkeiten
-* [ ] In und Out webhooks, mit Templates vom Payload
-* [ ] Reminders via mail
-* [ ] Activity Feed, so à la "der und der hat das und das gemacht etc"
-  * [ ] Per list
-  * [ ] For the current user
-* [ ] ~~Websockets~~ SSE https://github.com/kljensen/golang-html5-sse-example
-  * User authenticates (with jwt)
-  * When updating/creating/etc an event struct is sent to the broker
-  * The broker has a list of subscribed users
-  * It then checks who is allowed to the see the event it recieved and sends it
-  * [ ] Being able to define filters for notifications or turn them silent completely -> Probably frontend only
-* [ ] mgl. zum Emailmaskieren haben (in den Nutzereinstellungen, wenn man seine Email nicht an alle Welt rausposaunen will)
-* [ ] Mgl. zum Accountlöschen haben (so richtig krass mit emailverifiezierung und dass alle Privaten Listen gelöscht werden und man alle geteilten entweder wem übertragen muss oder  auf privat stellen)
-* [ ] /info endpoint, in dem dann zb die limits und version etc steht
-* [ ] Deprecate /namespaces/{id}/lists in favour of namespace.ReadOne() <-- should also return the lists
-* [ ] Bindata for templates
-* [ ] `GetUserByID` and the likes should return pointers
-* [ ] Colors for lists and namespaces -> Up to the frontend to implement these
-* [ ] Some kind of milestones for tasks
-* [ ] Create tasks from a text/markdown file (probably frontend only)
-* [ ] Label-view: Get a bunch of tasks by label
-* [ ] Better caldav support (VTODO)
-* [ ] Debian package should have a service file
-* [ ] Downloads should be served via nginx (with theme?), minio should only be used for pushing artifacts.
-* [ ] User struct should have a field for the avatar url (-> gravatar md5 calculated by the backend)
-* [ ] All `ReadAll` methods should return the number of items per page, the number of items on this page, the total pages and the items
-      -> Check if there's a way to do that efficently. Maybe only implementing it in the web handler.
-
-### Refactor 
-
-* [x] ListTaskRights, sollte überall gleich funktionieren, gibt ja mittlerweile auch eine Methode um liste von nem Task aus zu kriegen oder so
-* [x] Re-check all `{List|Namespace}{User|Team}` if really all parameters need to be exposed via json or are overwritten via param anyway.
-* [x] Things like list/task order should use queries and not url params
-* [x] Fix lint errors
-* [ ] Reminders should use an extra table so we can make reverse lookups aka "give me all tasks with reminders in this period" which we'll need for things like email reminders notifications
-* [ ] Teams and users should also have uuids (for users these can be the username)
-* [ ] When giving a team or user access to a list/namespace, they should be reffered to by uuid, not numeric id
-* [ ] Adding users to a team should also use uuid
-* [ ] Check if the team/user really exist before updating them on lists/namespaces
-* [ ] Check if the email is properly obfuscated everywhere -> alter GetUser() and add a new method GetUserWithEmail
-
-### Linters
-
-* [x] goconst
-* [x] Staticcheck
-* [x] gocyclo-check
-* [ ] gosec-check -> waiting for mod
-* [x] goconst-check
-* [ ] golangci -> docker in drone, will probably make all other linters obsolete
-
-### More server settings
-
-* [ ] Caldav disable/enable
-* [ ] Assignees disable/enable
-* [ ] List/Namespace limits
-* [ ] Attachements disable/enable
-* [ ] Attachements size
-* [ ] Templates disable/enable
-* [ ] Stats disable/enable
-* [ ] Activity notifications disable/enable
-* [ ] IMAP integration disable/enable
-* [ ] Reminders via mail disable/enable
-
-### Later
-
-* [ ] Plugins
-* [ ] Rename Namespaces?
-* [ ] Namespaces to collections and n-n (one list can be in multiple collections)?
-* [ ] Per-User limits of lists/namespaces
-* [ ] Admin-Interface to do stuff like settings and user management
-  * [ ] Enable/Disable users
-  * [ ] Better rights, fine-graded
-  * [ ] Enable/disable allowing user adding to lists/namespaces for specific lists or namespaces
-  * [ ] Admins should be able to see and mange all the boards
-* [ ] Limit registration to users with a defined email domain
-* [ ] Close the instance, either no registration or only one with defined email
-* [ ] 2fa
-* [ ] Custom fields for tasks
-* [ ] Sorting lists by members, tasks, teams, last modified, etc
-* [ ] "Favourite lists" -> A user can favourize boards which will then show up in a pseudonamespace
-* [ ] Public lists
-* [ ] Internal lists -> Only registered users can see the list
-* [ ] Rights management for both public and internal lists
-* [ ] Add new users via to a list which don't have an account yet, they'd get a link to sign up for vikunja.
-  * [ ]  Respect registration email domain limits
-* [ ] Export all data from Vikunja to json
-* [ ] Watch a (n internal) list -> Will get notification for everything
-* [ ] Archive a task instead of deleting
-* [ ] Task dependencies
-* [ ] Time tracking (possible plugin)
-* [ ] IFTTT
-* [ ] More sharing features (all of these with the already existing permissions)
-  * [ ] Invite users per mail
-  * [ ] Share a link with/without password
-* [ ] Comments on tasks
-* [ ] @mention users in tasks or comments to get them notified
-* [ ] Summary of tasks to do in a configurable interval (every day/week or so)
-* [ ] Importer (maybe frontend only)
-  * [ ] Trello
-  * [ ] Wunderlist
-  * [ ] Zenkit
-  * [ ] Asana
-  * [ ] Microsoft Todo
-  * [ ] Nozbe
-  * [ ] Lanes
-  * [ ] Nirvana
-  * [ ] Good ol' Caldav (Tasks)
-* [ ] More auth providers
-  * [ ] LDAP/AD
-  * [ ] Kerberos
-  * [ ] SAML (what?)
-  * [ ] smtp
-  * [ ] OpenID
--- a/71
+++ b/71
@@ -13,15 +13,15 @@ else
 	endif
 endif

-GOFILES := $(shell find . -name "*.go" -type f ! -path "./vendor/*" ! -path "*/bindata.go")
+GOFILES := $(shell find . -name "*.go" -type f ! -path "*/bindata.go")
 GOFMT ?= gofmt -s

-GOFLAGS := -v -mod=vendor
+GOFLAGS := -v
 EXTRA_GOFLAGS ?=

-LDFLAGS := -X "code.vikunja.io/api/pkg/cmd.Version=$(shell git describe --tags --always --abbrev=10 | sed 's/-/+/' | sed 's/^v//' | sed 's/-g/-/')" -X "main.Tags=$(TAGS)"
+LDFLAGS := -X "code.vikunja.io/api/pkg/version.Version=$(shell git describe --tags --always --abbrev=10 | sed 's/-/+/' | sed 's/^v//' | sed 's/-g/-/')" -X "main.Tags=$(TAGS)"

-PACKAGES ?= $(filter-out code.vikunja.io/api/integrations,$(shell go list -mod=vendor ./... | grep -v /vendor/))
+PACKAGES ?= $(filter-out code.vikunja.io/api/pkg/integrations,$(shell go list))
 SOURCES ?= $(shell find . -name "*.go" -type f)

 TAGS ?=
@@ -54,8 +54,6 @@ else
    PKGVERSION := $(VERSION)
 endif

-VERSION := $(shell echo $(VERSION) | sed 's/\//\-/g')
-
 .PHONY: all
 all: build

@@ -66,9 +64,18 @@ clean:

 .PHONY: test
 test:
-	VIKUNJA_SERVICE_ROOTPATH=$(shell pwd) go test $(GOFLAGS) -cover -coverprofile cover.out $(PACKAGES)
+    # We run everything sequentially and not in parallel to prevent issues with real test databases
+	VIKUNJA_SERVICE_ROOTPATH=$(shell pwd) go test $(GOFLAGS) -p 1 -cover -coverprofile cover.out $(PACKAGES)
+
+.PHONY: test-coverage
+test-coverage: test
 	go tool cover -html=cover.out -o cover.html

+.PHONY: integration-test
+integration-test:
+    # We run everything sequentially and not in parallel to prevent issues with real test databases
+	VIKUNJA_SERVICE_ROOTPATH=$(shell pwd) go test $(GOFLAGS) -p 1 code.vikunja.io/api/pkg/integrations
+
 .PHONY: lint
 lint:
 	@hash golint > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
@@ -91,11 +98,19 @@ fmt-check:
 	fi;

 .PHONY: build
-build: $(EXECUTABLE)
+build: generate $(EXECUTABLE)
+
+.PHONY: generate
+generate:
+	go generate code.vikunja.io/api/pkg/static

 $(EXECUTABLE): $(SOURCES)
 	go build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@

+.PHONY: compress-build
+compress-build:
+	upx -9 $(EXECUTABLE)
+
 .PHONY: release
 release: release-dirs release-windows release-linux release-darwin release-copy release-check release-os-package release-zip

@@ -106,7 +121,7 @@ release-dirs:
 .PHONY: release-windows
 release-windows:
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		go install $(GOFLAGS) github.com/karalabe/xgo; \
+		go install $(GOFLAGS) src.techknowlogick.com/xgo; \
 	fi
 	xgo -dest $(DIST)/binaries -tags 'netgo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out vikunja-$(VERSION) .
 ifneq ($(DRONE_WORKSPACE),'')
@@ -116,7 +131,7 @@ endif
 .PHONY: release-linux
 release-linux:
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		go install $(GOFLAGS) github.com/karalabe/xgo; \
+		go install $(GOFLAGS) src.techknowlogick.com/xgo; \
 	fi
 	xgo -dest $(DIST)/binaries -tags 'netgo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'linux/*' -out vikunja-$(VERSION) .
 ifneq ($(DRONE_WORKSPACE),'')
@@ -126,18 +141,21 @@ endif
 .PHONY: release-darwin
 release-darwin:
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		go install $(GOFLAGS) github.com/karalabe/xgo; \
+		go install $(GOFLAGS) src.techknowlogick.com/xgo; \
 	fi
 	xgo -dest $(DIST)/binaries -tags 'netgo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'darwin/*' -out vikunja-$(VERSION) .
 ifneq ($(DRONE_WORKSPACE),'')
 	mv /build/* $(DIST)/binaries
 endif

+# Compresses all releases made by make release-* but not mips* releases since upx can't handle these.
+.PHONY: release-compress
+release-compress:
+	$(foreach file,$(filter-out $(wildcard $(wildcard $(DIST)/binaries/$(EXECUTABLE)-*mips*)),$(wildcard $(DIST)/binaries/$(EXECUTABLE)-*)), upx -9 $(file);)
+
 .PHONY: release-copy
 release-copy:
 	$(foreach file,$(wildcard $(DIST)/binaries/$(EXECUTABLE)-*),cp $(file) $(DIST)/release/$(notdir $(file));)
-	mkdir $(DIST)/release/templates -p
-	cp templates/ $(DIST)/templates/ -R

 .PHONY: release-check
 release-check:
@@ -145,7 +163,7 @@ release-check:

 .PHONY: release-os-package
 release-os-package:
-	$(foreach file,$(filter-out %.sha256,$(wildcard $(DIST)/release/$(EXECUTABLE)-*)),mkdir $(file)-full;mv $(file) $(file)-full/;	mv $(file).sha256 $(file)-full/; cp config.yml.sample $(file)-full/config.yml; cp $(DIST)/release/templates $(file)-full/ -R; cp LICENSE $(file)-full/; )
+	$(foreach file,$(filter-out %.sha256,$(wildcard $(DIST)/release/$(EXECUTABLE)-*)),mkdir $(file)-full;mv $(file) $(file)-full/;	mv $(file).sha256 $(file)-full/; cp config.yml.sample $(file)-full/config.yml; cp LICENSE $(file)-full/; )

 .PHONY: release-zip
 release-zip:
@@ -154,7 +172,7 @@ release-zip:
 # Builds a deb package using fpm from a previously created binary (using make build)
 .PHONY: build-deb
 build-deb:
-	fpm -s dir -t deb --url https://vikunja.io -n vikunja -v $(PKGVERSION) --license GPLv3 --directories /opt/vikunja --after-install ./build/after-install.sh --description 'Vikunja is an open-source todo application, written in Go. It lets you create lists,tasks and share them via teams or directly between users.' -m maintainers@vikunja.io ./$(BINLOCATION)=/opt/vikunja/vikunja ./templates=/opt/vikunja ./config.yml.sample=/etc/vikunja/config.yml;
+	fpm -s dir -t deb --url https://vikunja.io -n vikunja -v $(PKGVERSION) --license GPLv3 --directories /opt/vikunja --after-install ./build/after-install.sh --description 'Vikunja is an open-source todo application, written in Go. It lets you create lists,tasks and share them via teams or directly between users.' -m maintainers@vikunja.io ./$(BINLOCATION)=/opt/vikunja/vikunja ./config.yml.sample=/etc/vikunja/config.yml;

 .PHONY: reprepro
 reprepro:
@@ -174,13 +192,12 @@ do-the-swag:
 	@hash swag > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		go install $(GOFLAGS) github.com/swaggo/swag/cmd/swag; \
 	fi
-	swag init -g pkg/routes/routes.go -s ./pkg/swagger;
+	swag init -g pkg/routes/routes.go --parseDependency -o ./pkg/swagger;
 	# Fix the generated swagger file, currently a workaround until swaggo can properly use go mod
-	sed -i '/"definitions": {/a "code.vikunja.io.web.HTTPError": {"type": "object","properties": {"code": {"type": "integer"},"message": {"type": "string"}}},' docs/docs.go;
-	sed -i 's/code.vikunja.io\/web.HTTPError/code.vikunja.io.web.HTTPError/g' docs/docs.go;
-	sed -i 's/package\ docs/package\ swagger/g' docs/docs.go;
-	sed -i 's/` + \\"`\\" + `/` + "`" + `/g' docs/docs.go;
-	mv ./docs/docs.go ./pkg/swagger/docs.go;
+	sed -i '/"definitions": {/a "code.vikunja.io.web.HTTPError": {"type": "object","properties": {"code": {"type": "integer"},"message": {"type": "string"}}},' pkg/swagger/docs.go;
+	sed -i 's/code.vikunja.io\/web.HTTPError/code.vikunja.io.web.HTTPError/g' pkg/swagger/docs.go;
+	sed -i 's/package\ docs/package\ swagger/g' pkg/swagger/docs.go;
+	sed -i 's/` + \\"`\\" + `/` + "`" + `/g' pkg/swagger/docs.go;

 .PHONY: misspell-check
 misspell-check:
@@ -202,7 +219,7 @@ gocyclo-check:
 	    go get -u github.com/fzipp/gocyclo; \
 		go install $(GOFLAGS) github.com/fzipp/gocyclo; \
 	fi
-	for S in $(GOFILES); do gocyclo -over 17 $$S || exit 1; done;
+	for S in $(GOFILES); do gocyclo -over 47 $$S || exit 1; done;

 .PHONY: static-check
 static-check:
@@ -214,15 +231,17 @@ static-check:

 .PHONY: gosec-check
 gosec-check:
-	@hash ./bin/gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 1.2.0; \
+	@hash gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		echo "Please manually install gosec by running"; \
+		echo "curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0"; \
+		exit 1; \
 	fi
-	for S in $(PACKAGES); do ./bin/gosec $$S || exit 1; done;
+	gosec ./...

 .PHONY: goconst-check
 goconst-check:
 	@hash goconst > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		go get -u github.com/jgautheron/goconst/cmd/goconst; \
 		go install $(GOFLAGS) github.com/jgautheron/goconst/cmd/goconst; \
-	fi
+	fi;
 	for S in $(PACKAGES); do goconst $$S || exit 1; done;
--- a/README.md
+++ b/README.md
@@ -2,11 +2,10 @@

 [![Build Status](https://drone1.kolaente.de/api/badges/vikunja/api/status.svg)](https://drone1.kolaente.de/vikunja/api)
 [![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](LICENSE)
-[![Download](https://img.shields.io/badge/download-v0.7-brightgreen.svg)](https://storage.kolaente.de/minio/vikunja/)
+[![Download](https://img.shields.io/badge/download-v0.14.0-brightgreen.svg)](https://dl.vikunja.io)
 [![Docker Pulls](https://img.shields.io/docker/pulls/vikunja/api.svg)](https://hub.docker.com/r/vikunja/api/)
 [![Swagger Docs](https://img.shields.io/badge/swagger-docs-brightgreen.svg)](https://try.vikunja.io/api/v1/docs)
 [![Go Report Card](https://goreportcard.com/badge/git.kolaente.de/vikunja/api)](https://goreportcard.com/report/git.kolaente.de/vikunja/api)
-[![cover.run](https://cover.run/go/code.vikunja.io/api.svg?style=flat&tag=golang-1.10)](https://cover.run/go?tag=golang-1.10&repo=code.vikunja.io%2Fapi) 

 # Vikunja API

@@ -26,8 +25,10 @@
  * Reminder for tasks
 * Namespaces: A "group" which bundels multiple lists
 * Share lists and namespaces with teams and users with granular permissions
+* Plenty of details for tasks

-Try it on [try.vikunja.io](https://try.vikunja.io)!
+See [the features page](https://vikunja.io/en/features/) on our website for a more exaustive list or 
+try it on [try.vikunja.io](https://try.vikunja.io)!

 ## Docs

@@ -50,11 +51,12 @@ All docs can be found on [the vikunja home page](https://vikunja.io/docs/).
 * [x] Get all your tasks for an interval (day/month/period)
 * [x] Labels for tasks
 * [x] Assign users to tasks
-* [ ] Attachments on tasks
-* [ ] More sharing features
+* [x] Attachments on tasks
+* [x] More sharing features
  * [x] Share with individual users
-  * [ ] Share via a world-readable link with or without password, like Nextcloud
-* [ ] Read-only websocket to notify multiple clients of updates when something was changed
+  * [x] Share via a world-readable link with or without password, like Nextcloud
+* [x] Disable registration, making an instance "invite-only" 
+* [ ] SSE to notify multiple clients of updates when something was changed
 * [ ] "Smart Lists" - Create lists based on filters
 * [ ] IMAP-Integration - Send an email to Vikunja to create a new task
 * [ ] Webhooks - Trigger other events when an action is done (like completing a task)
@@ -63,9 +65,8 @@ All docs can be found on [the vikunja home page](https://vikunja.io/docs/).
 * [ ] Bulk-edit multiple tasks at once
 * [ ] Team-efforts - Requiring a task to be marked as done by multiple members until it's done
 * [ ] Global limits for namespaces/lists/tasks
-* [ ] Disable registration, making an instance "invite-only" 

-See [Featurecreep.md](Featurecreep.md) for even more! (mostly ideas, for now)
+See [our roadmap](https://my.vikunja.cloud/share/QFyzYEmEYfSyQfTOmIRSwLUpkFjboaBqQCnaPmWd/auth) (hosted on Vikunja!) for even more!

 * [ ] [Mobile apps](https://code.vikunja.io/app) (seperate repo) *In Progress*
 * [ ] [Webapp](https://code.vikunja.io/frontend) (seperate repo) *In Progress*
--- a/REST-Tests/attachment_from_scratch.sh
+++ b/REST-Tests/attachment_from_scratch.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+curl -X POST http://localhost:3456/api/v1/register -H 'Content-Type: application/json' -d '{"username":"demo","password":"demo","email":"demo@vikunja.io"}'
+BEARER=`curl -X POST -H 'Content-Type: application/json' -d '{"username": "demo", "password":"demo"}' localhost:3456/api/v1/login | jq -r '.token'`
+
+echo "Bearer: $BEARER"
+
+curl -X POST localhost:3456/api/v1/tokenTest -H "Authorization: Bearer $BEARER"
+
+curl -X PUT localhost:3456/api/v1/namespaces/1/lists  -H 'Content-Type: application/json' -H "Authorization: Bearer $BEARER" -d '{"title":"lorem"}'
+curl -X PUT localhost:3456/api/v1/lists/1  -H 'Content-Type: application/json' -H "Authorization: Bearer $BEARER" -d '{"text":"lorem"}'
+curl -X PUT -H "Authorization: Bearer $BEARER" localhost:3456/api/v1/tasks/1/attachments -F 'files=@/home/konrad/Pictures/Wallpaper/greg-rakozy-_Q4mepyyjMw-unsplash.jpg'
--- a/REST-Tests/auth.http
+++ b/REST-Tests/auth.http
@@ -3,7 +3,7 @@ POST http://localhost:8080/api/v1/login
 Content-Type: application/json

 {
-  "username": "user",
+  "username": "user3",
  "password": "1234"
 }

@@ -21,3 +21,9 @@ Content-Type: application/json
 }

 ###
+# Token test
+POST http://localhost:8080/api/v1/tokenTest
+Authorization: Bearer {{auth_token}}
+Content-Type: application/json
+
+###
--- a/REST-Tests/lists.http
+++ b/REST-Tests/lists.http
@@ -5,7 +5,7 @@ Authorization: Bearer {{auth_token}}
 ###

 # Get one list
-GET http://localhost:8080/api/v1/lists/1172
+GET http://localhost:8080/api/v1/lists/3
 Authorization: Bearer {{auth_token}}

 ###
@@ -82,11 +82,11 @@ Authorization: Bearer {{auth_token}}
 ###

 # Give a user access to that list
-PUT http://localhost:8080/api/v1/lists/1172/users
+PUT http://localhost:8080/api/v1/lists/3/users
 Authorization: Bearer {{auth_token}}
 Content-Type: application/json

-{"user_id":1, "right":1}
+{"userID":"user4", "right":1}

 ###

@@ -169,3 +169,9 @@ Content-Type: application/json
 }

 ###
+
+# Get all users who have access to a list
+GET http://localhost:8080/api/v1/lists/3/users
+Authorization: Bearer {{auth_token}}
+
+###
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -11,14 +11,32 @@ service:
  # Vikunja will also look in this path for a config file, so you could provide only this variable to point to a folder
  # with a config file which will then be used.
  rootpath: <rootpath>
-  # The number of items which gets returned per page
-  pagecount: 50
+  # The max number of items which can be returned per page
+  maxitemsperpage: 50
  # If set to true, enables a /metrics endpoint for prometheus to collect metrics about the system
  # You'll need to use redis for this in order to enable common metrics over multiple nodes
  enablemetrics: false
+  # Enable the caldav endpoint, see the docs for more details
+  enablecaldav: true
+  # Set the motd message, available from the /info endpoint
+  motd: ""
+  # Enable sharing of lists via a link
+  enablelinksharing: true
+  # Whether to let new users registering themselves or not
+  enableregistration: true
+  # Whether to enable task attachments or not
+  enabletaskattachments: true
+  # The time zone all timestamps are in
+  timezone: GMT
+  # Whether task comments should be enabled or not
+  enabletaskcomments: true
+  # Whether totp is enabled. In most cases you want to leave that enabled.
+  enabletotp: true
+  # If not empty, enables logging of crashes and unhandled errors in sentry.
+  sentrydsn: ''

 database:
-  # Database type to use. Supported types are mysql and sqlite.
+  # Database type to use. Supported types are mysql, postgres and sqlite.
  type: "sqlite"
  # Database user which is used to connect to the database.
  user: "vikunja"
@@ -29,9 +47,16 @@ database:
  # Databse to use
  database: "vikunja"
  # When using sqlite, this is the path where to store the data
-  Path: "./vikunja.db"
-  # Sets the max open connections to the database. Only used when using mysql.
-  openconnections: 100
+  path: "./vikunja.db"
+  # Sets the max open connections to the database. Only used when using mysql and postgres.
+  maxopenconnections: 100
+  # Sets the maximum number of idle connections to the db.
+  maxidleconnections: 50
+  # The maximum lifetime of a single db connection in miliseconds.
+  maxconnectionlifetime: 10000
+  # Secure connection mode. Only used with postgres.
+  # (see https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection_String_Parameters)
+  sslmode: disable

 cache:
  # If cache is enabled or not
@@ -51,6 +76,17 @@ redis:
  # 0 means default database
  db: 0

+cors:
+  # Whether to enable or disable cors headers.
+  # Note: If you want to put the frontend and the api on seperate domains or ports, you will need to enable this.
+  #       Otherwise the frontend won't be able to make requests to the api through the browser.
+  enable: true
+  # A list of origins which may access the api.
+  origins:
+    - "*"
+  # How long (in seconds) the results of a preflight request can be cached.
+  maxage: 0
+
 mailer:
  # Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
  enabled: false
@@ -76,13 +112,92 @@ log:
  path: <rootpath>logs
  # Whether to show any logging at all or none
  enabled: true
-  # Where the error log should go. Possible values are stdout, stderr, file or off to disable error logging.
-  errors: "stdout"
  # Where the normal log should go. Possible values are stdout, stderr, file or off to disable standard logging.
  standard: "stdout"
+  # Change the log level. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
+  level: "INFO"
  # Whether or not to log database queries. Useful for debugging. Possible values are stdout, stderr, file or off to disable database logging.
  database: "off"
+  # The log level for database log messages. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
+  databaselevel: "WARNING"
  # Whether to log http requests or not. Possible values are stdout, stderr, file or off to disable http logging.
  http: "stdout"
  # Echo has its own logging which usually is unnessecary, which is why it is disabled by default. Possible values are stdout, stderr, file or off to disable standard logging.
-  echo: "off"
+  echo: "off"
+
+ratelimit:
+  # whether or not to enable the rate limit
+  enabled: false
+  # The kind on which rates are based. Can be either "user" for a rate limit per user or "ip" for an ip-based rate limit.
+  kind: user
+  # The time period in seconds for the limit
+  period: 60
+  # The max number of requests a user is allowed to do in the configured time period
+  limit: 100
+  # The store where the limit counter for each user is stored. Possible values are "memory" or "redis"
+  store: memory
+
+files:
+  # The path where files are stored
+  basepath: ./files # relative to the binary
+  # The maximum size of a file, as a human-readable string.
+  # Warning: The max size is limited 2^64-1 bytes due to the underlying datatype
+  maxsize: 20MB
+
+migration:
+  # These are the settings for the wunderlist migrator
+  wunderlist:
+    # Wheter to enable the wunderlist migrator or not
+    enable: false
+    # The client id, required for making requests to the wunderlist api
+    # You need to register your vikunja instance at https://developer.wunderlist.com/apps/new to get this
+    clientid:
+    # The client secret, also required for making requests to the wunderlist api
+    clientsecret:
+    # The url where clients are redirected after they authorized Vikunja to access their wunderlist stuff.
+    # This needs to match the url you entered when registering your Vikunja instance at wunderlist.
+    # This is usually the frontend url where the frontend then makes a request to /migration/wunderlist/migrate
+    # with the code obtained from the wunderlist api.
+    # Note that the vikunja frontend expects this to be /migrate/wunderlist
+    redirecturl:
+  todoist:
+    # Wheter to enable the todoist migrator or not
+    enable: false
+    # The client id, required for making requests to the wunderlist api
+    # You need to register your vikunja instance at https://developer.todoist.com/appconsole.html to get this
+    clientid:
+    # The client secret, also required for making requests to the todoist api
+    clientsecret:
+    # The url where clients are redirected after they authorized Vikunja to access their todoist items.
+    # This needs to match the url you entered when registering your Vikunja instance at todoist.
+    # This is usually the frontend url where the frontend then makes a request to /migration/todoist/migrate
+    # with the code obtained from the todoist api.
+    # Note that the vikunja frontend expects this to be /migrate/todoist
+    redirecturl:
+
+avatar:
+  # Switch between avatar providers. Possible values are gravatar and default.
+  #   gravatar will fetch the avatar based on the user email.
+  #   default will return a default avatar for every request.
+  provider: gravatar
+  # When using gravatar, this is the duration in seconds until a cached gravatar user avatar expires
+  gravatarexpiration: 3600
+
+backgrounds:
+  # Whether to enable backgrounds for lists at all.
+  enabled: true
+  providers:
+    upload:
+      # Whethere to enable uploaded list backgrounds
+      enabled: true
+    unsplash:
+      # Whether to enable setting backgrounds from unsplash as list backgrounds
+      enabled: false
+      # You need to create an application for your installation at https://unsplash.com/oauth/applications/new
+      # and set the access token below.
+      accesstoken:
+      # The unsplash application id is only used for pingback and required as per their api guidelines.
+      # You can find the Application ID in the dashboard for your API application. It should be a numeric ID.
+      # It will only show in the UI if your application has been approved for Enterprise usage, therefore if
+      # you’re in Demo mode, you can also find the ID in the URL at the end: https://unsplash.com/oauth/applications/:application_id
+      applicationid:
--- a/docker-manifest.tmpl
+++ b/docker-manifest.tmpl
@@ -0,0 +1,18 @@
+image: vikunja/api:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: vikunja/api:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: vikunja/api:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
+    platform:
+      architecture: arm
+      os: linux
--- a/docker/etc/services.d/.s6-svscan/crash
+++ b/docker/etc/services.d/.s6-svscan/crash
@@ -1,2 +0,0 @@
-#!/bin/sh
-/bin/true
--- a/docker/etc/services.d/.s6-svscan/finish
+++ b/docker/etc/services.d/.s6-svscan/finish
@@ -1,2 +0,0 @@
-#!/bin/sh
-/bin/true
--- a/docker/etc/services.d/vikunja/run
+++ b/docker/etc/services.d/vikunja/run
@@ -1,2 +0,0 @@
-#!/bin/execlineb -P
-/app/vikunja/vikunja
--- a/docs/config.yml
+++ b/docs/config.yml
@@ -16,9 +16,9 @@ params:
  description: The to-do app to organize your life
  author: The Vikunja Authors
  website: https://vikunja.io
-  fanthomEnabled: false
-  fathomUrl: fathom.kolaente.de
-  fathomSiteID: RYKSD
+  plausibleEnabled: true
+  plausibleDomain: vikunja.io
+  plausibleURL: https://analytics.kolaente.de

 menu:
  page:
@@ -37,3 +37,6 @@ menu:
    - name: Code
      url: https://code.vikunja.io/
      weight: 50
+    - name: Community
+      url: https://community.vikunja.io/
+      weight: 60
--- a/docs/content/doc/development/db-migrations.md
+++ b/docs/content/doc/development/db-migrations.md
--- a/docs/content/doc/development/development.md
+++ b/docs/content/doc/development/development.md
@@ -32,9 +32,6 @@ See [testing]({{< ref "test.md">}}).

 If you're able to use go modules, you can clone the project wherever you want to and work from there.

-However, when building or running tests, please supply the `-mod=vendor` flag to go so it builds using the 
-dependencies from the `vendor/` folder.
-
 #### Development-setup without go modules

 Some internal packages are referenced using their respective package URL. This can become problematic. 
@@ -59,3 +56,10 @@ which will build a vikunja binary into the working directory. Writing test cases
 is highly encouraged and helps developers sleep at night.

 That’s it! You are ready to hack on Vikunja. Test changes, push them to the repository, and open a pull request.
+
+## Static assets
+
+Each Vikunja release contains all static assets directly compiled into the binary.
+To prevent this during development, use the `dev` tag when developing.
+
+See the [make docs](make.md#statically-compile-all-templates-into-the-binary) about how to compile with static assets for a release.
--- a/docs/content/doc/development/make.md
+++ b/docs/content/doc/development/make.md
@@ -22,6 +22,7 @@ These tasks are automatically run in our CI every time someone pushes to master
 * `make ineffassign-check`
 * `make misspell-check`
 * `make goconst-check`
+* `make generate`
 * `make build`

 ### clean
@@ -64,10 +65,27 @@ make build

 Builds a `vikunja`-binary in the root directory of the repo for the platform it is run on.

+### Statically compile all templates into the binary
+
+{{< highlight bash >}}
+make generate
+{{< /highlight >}}
+
+This generates static code with all templates, meaning no template need to be referenced at runtime.
+
+### Compress the built binary
+
+{{< highlight bash >}}
+make compress-build
+{{< /highlight >}}
+
+Go binaries are very big.
+To make the vikunja binary smaller, we can compress it using [upx](https://upx.github.io/).
+
 ### Build Releases

 {{< highlight bash >}}
-make build
+make release
 {{< /highlight >}}

 Builds binaries for all platforms and zips them with a copy of the `templates/` folder.
@@ -75,7 +93,7 @@ All built zip files are stored into `dist/zips/`. Binaries are stored in `dist/b
 binaries bundled with `templates` are stored in `dist/releases/`.

 All cross-platform binaries built using this series of commands are built with the help of 
-[xgo](https://github.com/karalabe/xgo). The make command will automatically install the
+[xgo](https://github.com/techknowlogick/xgo). The make command will automatically install the
 binary to be able to use it.

 `make release` is actually just a shortcut to execute `make release-dirs release-windows release-linux release-darwin release-copy release-check release-os-package release-zip`.
@@ -85,6 +103,7 @@ binary to be able to use it.
 * `release-copy` bundles binaries with a copy of `templates/` to then be zipped
 * `release-check` creates sha256 checksums for each binary which will be included in the zip file
 * `release-os-package` bundles a binary with a copy of the `templates/` folder, the `sha256` checksum file, a sample `config.yml` and a copy of the license in a folder for each architecture
+* `release-compress` compresses all build binaries, see `compress-build`
 * `release-zip` makes a zip file for the files created by `release-os-package`

 ### Build debian packages
--- a/docs/content/doc/development/migration.md
+++ b/docs/content/doc/development/migration.md
@@ -0,0 +1,96 @@
+---
+date: "2020-01-19:16:00+02:00"
+title: "Migrations"
+draft: false
+type: "doc"
+menu:
+  sidebar:
+    parent: "development"
+---
+
+# Writing a migrator for Vikunja
+
+It is possible to migrate data from other to-do services to Vikunja.
+To make this easier, we have put together a few helpers which are documented on this page.
+
+In general, each migrator implements a migrator interface which is then called from a client.
+The interface makes it possible to use helper methods which handle http an focus only on the implementation of the migrator itself.
+
+### Structure
+
+All migrator implementations live in their own package in `pkg/modules/migration/<name-of-the-service>`.
+When creating a new migrator, you should place all related code inside that module.
+
+### Migrator interface
+
+The migrator interface is defined as follows:
+
+```go
+// Migrator is the basic migrator interface which is shared among all migrators
+type Migrator interface {
+	// Migrate is the interface used to migrate a user's tasks from another platform to vikunja.
+	// The user object is the user who's tasks will be migrated.
+	Migrate(user *models.User) error
+	// AuthURL returns a url for clients to authenticate against.
+	// The use case for this are Oauth flows, where the server token should remain hidden and not
+	// known to the frontend.
+	AuthURL() string
+	// Name holds the name of the migration.
+	// This is used to show the name to users and to keep track of users who already migrated.
+	Name() string
+}
+```
+
+### Defining http routes
+
+Once your migrator implements the migration interface, it becomes possible to use the helper http handlers.
+Their usage is very similar to the [general web handler](https://kolaente.dev/vikunja/web#user-content-defining-routes-using-the-standard-web-handler):
+
+The `RegisterRoutes(m)` method registers all routes with the scheme `/[MigratorName]/(auth|migrate|status)` for the 
+authUrl, Status and Migrate methods.
+
+```go
+// This is an example for the Wunderlist migrator
+if config.MigrationWunderlistEnable.GetBool() {
+    wunderlistMigrationHandler := &migrationHandler.MigrationWeb{
+		MigrationStruct: func() migration.Migrator {
+			return &wunderlist.Migration{}
+		},
+	}
+    wunderlistMigrationHandler.RegisterRoutes(m)
+}
+```
+
+You should also document the routes with [swagger annotations]({{< ref "../practical-instructions/swagger-docs.md" >}}).
+
+### Insertion helper method
+
+There is a method available in the `migration` package which takes a fully nested Vikunja structure and creates it with all relations. 
+This means you start by adding a namespace, then add lists inside of that namespace, then tasks in the lists and so on.
+
+The root structure must be present as `[]*models.NamespaceWithLists`.
+
+Then call the method like so:
+
+```go
+fullVikunjaHierachie, err := convertWunderlistToVikunja(wContent)
+if err != nil {
+    return
+}
+
+err = migration.InsertFromStructure(fullVikunjaHierachie, user)
+```
+
+### Configuration
+
+You should add at least an option to enable or disable the migration.
+Chances are, you'll need some more options for things like client ID and secret 
+(if the other service uses oAuth as an authentication flow).
+
+The easiest way to implement an on/off switch is to check whether your migration service is enabled or not when 
+registering the routes, and then simply don't registering the routes in the case it is disabled.
+
+#### Making the migrator public in `/info` 
+
+You should make your migrator available in the `/info` endpoint so that frontends can display options to enable them or not.
+To do this, add an entry to `pkg/routes/api/v1/info.go`.
--- a/docs/content/doc/development/structure.md
+++ b/docs/content/doc/development/structure.md
@@ -16,17 +16,29 @@ In general, this api repo has the following structure:
 * `docs`
 * `pkg`
  * `caldav`
+  * `cmd`
  * `config`
+  * `db`
+    * `fixtures`
+  * `files`
+  * `integration`
  * `log`
  * `mail`
  * `metrics`
  * `migration`
  * `models`
+  * `modules`
+    * `migration`
+      * `handler`
+      * `wunderlist`
  * `red`
  * `routes`
    * `api/v1`
+  * `static`
  * `swagger`
+  * `user`
  * `utils`
+  * `version`
 * `REST-Tests`
 * `templates`
 * `vendor`
@@ -66,6 +78,21 @@ how to interpret which env variables for config etc.

 If you want to add a new config parameter, you should add default value in this package.

+### db
+
+This package contains the db connection handling and db fixtures for testing.
+Each other package gets its db connection object from this package.
+
+### files
+
+This package is responsible for all file-related things.
+This means it handles saving and retrieving files from the db and the underlying file system.
+
+### integration
+
+All integration tests live here.
+See [integration tests]({{< ref "test.md" >}}#integration-tests) for more details.
+
 ### log

 Similar to `config`, this will set up the logging, based on differen logging backends.
@@ -85,7 +112,7 @@ To learn how it works and how to add new metrics, take a look at [how metrics wo
 This package handles all migrations.
 All migrations are stored and executed here.

-To learn more, take a look at the [migrations docs]({{< ref "../development/migrations.md">}}).
+To learn more, take a look at the [migrations docs]({{< ref "../development/db-migrations.md">}}).

 ### models

@@ -97,6 +124,12 @@ Because this package is pretty huge, there are several documents and how-to's ab
 * [Adding a feature]({{< ref "../practical-instructions/feature.md">}})
 * [Making calls to the database]({{< ref "../practical-instructions/database.md">}})

+### modules
+
+#### migration
+
+See [writing a migrator]({{< ref "migration.md" >}}).
+
 ### red (redis)

 This package initializes a connection to a redis server.
@@ -117,11 +150,19 @@ To add a new route, see [adding a new route]({{< ref "../practical-instructions/
 This is where all http-handler functions for the api are stored. 
 Every handler function which does not use the standard web handler should live here.

+### static
+
+All static files generated by `make generate` live here.
+
 ### swagger

 This is where the [generated]({{< ref "make.md#generate-swagger-definitions-from-code-comments">}} [api docs]({{< ref "../usage/api.md">}}) live. 
 You usually don't need to touch this package.

+### user
+
+All user-related things like registration etc. live in this package.
+
 ### utils

 A small package, containing some helper functions:
@@ -131,6 +172,12 @@ A small package, containing some helper functions:

 See their function definitions for instructions on how to use them. 

+### version
+
+The single purpouse of this package is to hold the current vikunja version which gets overridden through build flags 
+each time `make release` or `make build` is run.
+It is a seperate package to avoid import cycles with other packages.
+
 ## REST-Tests

 Holds all kinds of test files to directly test the api from inside of [jetbrains ide's](https://www.jetbrains.com/help/idea/http-client-in-product-code-editor.html).
--- a/docs/content/doc/development/test.md
+++ b/docs/content/doc/development/test.md
@@ -24,4 +24,47 @@ To use the normal config set the enviroment variable `VIKUNJA_TESTS_USE_CONFIG=1

 ### Show sql queries

-When `UNIT_TESTS_VERBOSE=1` is set, all sql queries will be shown when tests are run.
+When `UNIT_TESTS_VERBOSE=1` is set, all sql queries will be shown when tests are run.
+
+### Fixtures
+
+All tests are run against a set of db fixtures.
+These fixtures are defined in `pkg/models/fixtures` in YAML-Files which represent the database structure.
+
+When you add a new test case which requires new database entries to test against, update these files.
+
+# Integration tests
+
+All integration tests live in `pkg/integrations`.
+You can run them by executing `make integration-test`.
+
+The integration tests use the same config and fixtures as the unit tests and therefor have the same options available,
+see at the beginning of this document.
+
+To run integration tests, use `make integration-test`.
+
+# Initializing db fixtures when writing tests
+
+All db fixtures for all tests live in the `pkg/db/fixtures/` folder as yaml files.
+Each file has the same name as the table the fixtures are for.
+You should put new fixtures in this folder.
+
+When initializing db fixtures, you are responsible for defining which tables your package needs in your test init function.
+Usually, this is done as follows (this code snippet is taken from the `user` package):
+
+```go
+err = db.InitTestFixtures("users")
+if err != nil {
+	log.Fatal(err)
+}
+```
+
+In your actual tests, you then load the fixtures into the in-memory db like so:
+
+```go
+db.LoadAndAssertFixtures(t)
+```
+
+This will load all fixtures you defined in your test init method.
+You should always use this method to load fixtures, the only exception is when your package tests require extra test 
+fixtures other than db fixtures (like files).
--- a/docs/content/doc/practical-instructions/feature.md
+++ b/docs/content/doc/practical-instructions/feature.md
@@ -27,7 +27,7 @@ You can feed this function directly into xorm's `Limit`-Function like so:

 {{< highlight golang >}}
 lists := []List{}
-err := x.Limit(getLimitFromPageIndex(pageIndex)).Find(&lists)
+err := x.Limit(getLimitFromPageIndex(pageIndex, itemsPerPage)).Find(&lists)
 {{< /highlight >}}

 // TODO: Add a full example from start to finish, like a tutorial on how to create a new endpoint?
--- a/docs/content/doc/setup/backups.md
+++ b/docs/content/doc/setup/backups.md
@@ -29,6 +29,24 @@ To restore it, simply pipe it back into the `mysql` command:
 mysql -u <user> -p -h <db-host> <database> < vkunja-backup.sql
 {{< /highlight >}}

+## PostgreSQL
+
+To create a backup from PostgreSQL use the `pg_dump` command:
+
+{{< highlight bash >}}
+pg_dump -U <user> -h <db-host> <database> > vikunja-backup.sql
+{{< /highlight >}}
+
+You might be prompted for the password of the database user.
+
+To restore it, simply pipe it back into the `psql` command:
+
+{{< highlight bash >}}
+psql -U <user> -h <db-host> <database> < vikunja-backup.sql
+{{< /highlight >}}
+
+For more information, please visit the [relevant PostgreSQL documentation](https://www.postgresql.org/docs/12/backup-dump.html).
+
 ## SQLite

 To backup sqllite databases, it is enough to copy the database elsewhere.
--- a/docs/content/doc/setup/build-from-source.md
+++ b/docs/content/doc/setup/build-from-source.md
@@ -18,6 +18,10 @@ All libraries are bundeled inside the repo in the `vendor/` folder, so all it bo
 3. Clone the repo with `git clone https://code.vikunja.io/api`
 3. Run `make build` in the source of this repo. This will build a binary in the root of the repo which will be able to run on your system.

+*Note:* Static ressources such as email templates are built into the binary.
+For these to work, you may need to run `make generate` before building the vikunja binary.
+When builing entirely with `make`, you dont need to do this, `make generate` will be run automatically when running `make build`.
+
 # Build for different architectures

 To build for other platforms and architectures than the one you're currently on, simply run `make release` or `make release-{linux|windows|darwin}`.
--- a/docs/content/doc/setup/config.md
+++ b/docs/content/doc/setup/config.md
@@ -54,14 +54,32 @@ service:
  # Vikunja will also look in this path for a config file, so you could provide only this variable to point to a folder
  # with a config file which will then be used.
  rootpath: <the path of the executable>
-  # The number of items which gets returned per page
-  pagecount: 50
+  # The max number of items which can be returned per page
+  maxitemsperpage: 50
  # If set to true, enables a /metrics endpoint for prometheus to collect metrics about the system
  # You'll need to use redis for this in order to enable common metrics over multiple nodes
  enablemetrics: false
+  # Enable the caldav endpoint, see the docs for more details
+  enablecaldav: true
+  # Set the motd message, available from the /info endpoint
+  motd: ""
+  # Enable sharing of lists via a link
+  enablelinksharing: true
+  # Whether to let new users registering themselves or not
+  enableregistration: true
+  # Whether to enable task attachments or not
+  enabletaskattachments: true
+  # The time zone all timestamps are in
+  timezone: GMT
+  # Whether task comments should be enabled or not
+  enabletaskcomments: true
+  # Whether totp is enabled. In most cases you want to leave that enabled.
+  enabletotp: true
+  # If not empty, enables logging of crashes and unhandled errors in sentry.
+  sentrydsn: ''

 database:
-  # Database type to use. Supported types are mysql and sqlite.
+  # Database type to use. Supported types are mysql, postgres and sqlite.
  type: "sqlite"
  # Database user which is used to connect to the database.
  user: "vikunja"
@@ -72,9 +90,16 @@ database:
  # Databse to use
  database: "vikunja"
  # When using sqlite, this is the path where to store the data
-  Path: "./vikunja.db"
-  # Sets the max open connections to the database. Only used when using mysql.
-  openconnections: 100
+  path: "./vikunja.db"
+  # Sets the max open connections to the database. Only used when using mysql and postgres.
+  maxopenconnections: 100
+  # Sets the maximum number of idle connections to the db.
+  maxidleconnections: 50
+  # The maximum lifetime of a single db connection in miliseconds.
+  maxconnectionlifetime: 10000
+  # Secure connection mode. Only used with postgres.
+  # (see https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection_String_Parameters)
+  sslmode: disable

 cache:
  # If cache is enabled or not
@@ -94,6 +119,17 @@ redis:
  # 0 means default database
  db: 0

+cors:
+  # Whether to enable or disable cors headers.
+  # Note: If you want to put the frontend and the api on seperate domains or ports, you will need to enable this.
+  #       Otherwise the frontend won't be able to make requests to the api through the browser.
+  enable: true
+  # A list of origins which may access the api.
+  origins:
+    - *
+  # How long (in seconds) the results of a preflight request can be cached.
+  maxage: 0
+
 mailer:
  # Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
  enabled: false
@@ -119,14 +155,93 @@ log:
  path: <rootpath>logs
  # Whether to show any logging at all or none
  enabled: true
-  # Where the error log should go. Possible values are stdout, stderr, file or off to disable error logging.
-  errors: "stdout"
  # Where the normal log should go. Possible values are stdout, stderr, file or off to disable standard logging.
  standard: "stdout"
+  # Change the log level. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
+  level: "INFO"
  # Whether or not to log database queries. Useful for debugging. Possible values are stdout, stderr, file or off to disable database logging.
  database: "off"
+  # The log level for database log messages. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
+  databaselevel: "WARNING"
  # Whether to log http requests or not. Possible values are stdout, stderr, file or off to disable http logging.
  http: "stdout"
  # Echo has its own logging which usually is unnessecary, which is why it is disabled by default. Possible values are stdout, stderr, file or off to disable standard logging.
  echo: "off"
+  
+ratelimit:
+  # whether or not to enable the rate limit
+  enabled: false
+  # The kind on which rates are based. Can be either "user" for a rate limit per user or "ip" for an ip-based rate limit.
+  kind: user
+  # The time period in seconds for the limit
+  period: 60
+  # The max number of requests a user is allowed to do in the configured time period
+  limit: 100
+  # The store where the limit counter for each user is stored. Possible values are "memory" or "redis"
+  store: memory
+
+files:
+  # The path where files are stored
+  basepath: ./files # relative to the binary
+  # The maximum size of a file, as a human-readable string.
+  # Warning: The max size is limited 2^64-1 bytes due to the underlying datatype
+  maxsize: 20MB
+
+migration:
+  # These are the settings for the wunderlist migrator
+  wunderlist:
+    # Wheter to enable the wunderlist migrator or not
+    enable: false
+    # The client id, required for making requests to the wunderlist api
+    # You need to register your vikunja instance at https://developer.wunderlist.com/apps/new to get this
+    clientid:
+    # The client secret, also required for making requests to the wunderlist api
+    clientsecret:
+    # The url where clients are redirected after they authorized Vikunja to access their wunderlist stuff.
+    # This needs to match the url you entered when registering your Vikunja instance at wunderlist.
+    # This is usually the frontend url where the frontend then makes a request to /migration/wunderlist/migrate
+    # with the code obtained from the wunderlist api.
+    # Note that the vikunja frontend expects this to be /migrate/wunderlist
+    redirecturl:
+  todoist:
+    # Wheter to enable the todoist migrator or not
+    enable: false
+    # The client id, required for making requests to the wunderlist api
+    # You need to register your vikunja instance at https://developer.todoist.com/appconsole.html to get this
+    clientid:
+    # The client secret, also required for making requests to the todoist api
+    clientsecret:
+    # The url where clients are redirected after they authorized Vikunja to access their todoist items.
+    # This needs to match the url you entered when registering your Vikunja instance at todoist.
+    # This is usually the frontend url where the frontend then makes a request to /migration/todoist/migrate
+    # with the code obtained from the todoist api.
+    # Note that the vikunja frontend expects this to be /migrate/todoist
+    redirecturl:
+
+avatar:
+  # Switch between avatar providers. Possible values are gravatar and default.
+  #   gravatar will fetch the avatar based on the user email.
+  #   default will return a default avatar for every request.
+  provider: gravatar
+  # When using gravatar, this is the duration in seconds until a cached gravatar user avatar expires
+  gravatarexpiration: 3600
+
+backgrounds:
+  # Whether to enable backgrounds for lists at all.
+  enabled: true
+  providers:
+    upload:
+      # Whethere to enable uploaded list backgrounds
+      enabled: true
+    unsplash:
+      # Whether to enable setting backgrounds from unsplash as list backgrounds
+      enabled: false
+      # You need to create an application for your installation at https://unsplash.com/oauth/applications/new 
+      # and set the access token below.
+      accesstoken:
+      # The unsplash application id is only used for pingback and required as per their api guidelines.
+      # You can find the Application ID in the dashboard for your API application. It should be a numeric ID.
+      # It will only show in the UI if your application has been approved for Enterprise usage, therefore if
+      # you’re in Demo mode, you can also find the ID in the URL at the end: https://unsplash.com/oauth/applications/:application_id
+      applicationid:
 {{< /highlight >}}
--- a/docs/content/doc/setup/docker-start-to-finish.md
+++ b/docs/content/doc/setup/docker-start-to-finish.md
@@ -0,0 +1,221 @@
+---
+date: "2020-05-24:00:00+02:00"
+title: "Docker Walkthrough"
+draft: false
+type: "doc"
+menu:
+  sidebar:
+    parent: "setup"
+---
+
+# Setup with docker from start to finish
+
+This tutorial assumes basic knowledge of docker.
+It is aimed at beginners and should get you up and running quickly.
+
+We'll use [docker compose](https://docs.docker.com/compose/) to make handling the bunch of containers easier.
+
+> If you have any issues setting up vikunja, please don't hesitate to reach out to us via [matrix](https://riot.im/app/#/room/!dCRiCiLaCCFVNlDnYs:matrix.org?via=matrix.org), the [community forum](https://community.vikunja.io/) or even [email](mailto:hello@vikunja.io).
+
+## Preparations (optional)
+
+Create a directory for the project where all data and the compose file will live in.
+
+## Create all necessary files
+
+Create a `docker-compose.yml` file with the following contents in your directory:
+
+{{< highlight yaml >}}
+version: '3'
+
+services:
+  db:
+    image: mariadb:10
+    environment:
+      MYSQL_ROOT_PASSWORD: supersecret
+      MYSQL_DATABASE: vikunja
+    volumes:
+      - ./db:/var/lib/mysql
+    restart: unless-stopped
+  api:
+    image: vikunja/api
+    environment:
+      VIKUNJA_DATABASE_HOST: db
+      VIKUNJA_DATABASE_PASSWORD: supersecret
+      VIKUNJA_DATABASE_TYPE: mysql
+      VIKUNJA_DATABASE_USER: root
+      VIKUNJA_DATABASE_DATABASE: vikunja
+    volumes: 
+      - ./files:/app/vikunja/files
+    depends_on:
+      - db
+    restart: unless-stopped
+  frontend:
+    image: vikunja/frontend
+    restart: unless-stopped
+  proxy:
+    image: nginx
+    ports:
+      - 80:80
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+    depends_on:
+      - api
+      - frontend
+    restart: unless-stopped
+{{< /highlight >}}
+
+This defines four services, each with their own container:
+
+* An api service which runs the vikunja api. Most of the core logic lives here.
+* The frontend which will make vikunja actually usable for most people.
+* A database container which will store all lists, tasks, etc. We're using mariadb here, but you're free to use mysql or postgres if you want.
+* A proxy service which makes the frontend and api available on the same port, redirecting all requests to `/api` to the api container. 
+If you already have a proxy on your host, you may want to check out the [reverse proxy examples]() to use that.
+By default, it uses port 80 on the host.
+To change to something different, you'll need to change the `ports` section in the service definition.
+The number before the colon is the host port - This is where you can reach vikunja from the outside once all is up and running.
+
+For the proxy service we'll need another bit of configuration.
+Create an `nginx.conf` in your directory (next to the `docker-compose.yml` file) and add the following contents to it:
+
+{{< highlight conf >}}
+server {
+    listen 80;
+
+    location / {
+        proxy_pass http://frontend:80;
+    }
+
+    location /api/ {
+        proxy_pass http://api:3456;
+    }
+}
+{{< /highlight >}}
+
+This is a simple proxy configuration which will forward all requests to `/api/` to the api container and everything else to the frontend.
+
+**Note:** Even if you want to make your installation available under a different port, you don't need to change anything in this configuration.
+
+## Run it
+
+Run `sudo docker-compose up` in your directory and take a look at the output you get.
+When first started, Vikunja will set up the database and run all migrations etc.
+Once it is ready, you should see a message like this one in your console:
+
+```
+api_1       | 2020-05-24T11:15:37.560386009Z: INFO	▶ cmd/func1 025 Vikunja version 0.13.1+19-e9bc3246ce, built at Sun, 24 May 2020 11:10:36 +0000
+api_1       | ⇨ http server started on [::]:3456
+```
+
+This indicates all setup has been successful.
+If you get any errors, see below:
+
+### Troubleshooting
+
+Vikunja might not run on the first try.
+There are a few potential issues that could be causing this.
+
+#### No connection to the database
+
+Indicated by an error message like this one from the api container:
+
+```
+2020/05/23 15:37:59 Config File "config" Not Found in "[/app/vikunja /etc/vikunja /app/vikunja/.config/vikunja]"
+2020/05/23 15:37:59 Using default config.
+2020-05-23T15:37:59.974435725Z: CRITICAL	▶ migration/Migrate 002 Migration failed: dial tcp 172.19.0.2:3306: connect: connection refused
+```
+
+Especially when using mysql, this can happen on first start, because the mysql database container will take a few seconds to start.
+Vikunja does not know the container is not ready, therefore it will just try to connect to the db, fail since it is not ready and exit.
+
+If you're using the docker compose example from above, you may notice the `restart: unless-stopped` option at the api service.
+This tells docker to restart the api container if it exits, unless you explicitly stop it.
+Therefore, it should "magically fix itself" by automatically restarting the container.
+
+After a few seconds (or minutes) you should see a log message like this one from the mariadb container:
+
+```
+2020-05-24 11:42:15 0 [Note] mysqld: ready for connections.
+Version: '10.4.12-MariaDB-1:10.4.12+maria~bionic'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  mariadb.org binary distribution
+```
+
+The next restart of Vikunja should be successful.
+If not, there might be a different error or a bug with Vikunja, please reach out to us in that case.
+
+(If you have an idea about how we could improve this, we'd like to hear it!)
+
+#### "Not a directory"
+
+If you get an error like this one:
+
+```
+ERROR: for vikunja_proxy_1 Cannot start service proxy: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"vikunja/nginx.conf\\\" to rootfs \\\"/var/lib/docker/overlay2/9c8b8f9419c29dad0d1233fbb0a3c36cf403dabd7a55d6f0a47b0c1dd6029994/merged\\\" at \\\"/var/lib/docker/overlay2/9c8b8f9419c29dad0d1233fbb0a3c36cf403dabd7a55d6f0a47b0c1dd6029994/merged/etc/nginx/conf.d/default.conf\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
+```
+
+this means docker tried to mount a directory from the host to a file in the container.
+This can happen if you did not create the `nginx.conf` file.
+Because there is a volume mount for it in the `docker-compose.yml`, Docker will create a folder because non exists, assuming you want to mount a folder into the container.
+
+To fix this, create the file and restart the containers again.
+
+#### Migration failed: commands out of sync
+
+If you get an error like this one:
+
+```
+2020/05/23 15:53:38 Config File "config" Not Found in "[/app/vikunja /etc/vikunja /app/vikunja/.config/vikunja]"
+2020/05/23 15:53:38 Using default config.
+2020-05-23T15:53:38.762747276Z: CRITICAL	▶ migration/Migrate 002 Migration failed: commands out of sync. Did you run multiple statements at once?
+```
+
+This is a mysql issue.
+Currently, we don't have a better solution than to completely wipe the database files and start over.
+To do this, first stop everything by running `sudo docker-compose down`, then remove the `db/` folder in your current folder with `sudo rm -rf db` and start the whole stack again with `sudo docker-compose up -d`.
+
+## Try it
+
+Head over to `http://<host-ip or url>/api/v1/info` in a browser.
+You should see something like this:
+
+{{< highlight json >}}
+{
+  "version": "0.13.1+19-e9bc3246ce",
+  "frontend_url": "http://localhost:8080/",
+  "motd": "test",
+  "link_sharing_enabled": true,
+  "max_file_size": "20MB",
+  "registration_enabled": true,
+  "available_migrators": [
+    "wunderlist",
+    "todoist"
+  ],
+  "task_attachments_enabled": true
+}
+{{< /highlight >}}
+
+This shows you can reach the api through the api proxy.
+
+Now head over to `http://<host-ip or url>/` which should show the login mask.
+
+## Make it persistent
+
+Currently, Vikunja runs in foreground in your terminal.
+For a real-world scenario this is not the best way.
+
+Back in your terminal, stop the stack by pressing `CTRL-C` on your keyboard.
+Then run `sudo docker-compose up -d` in your again.
+The `-d` flag at the end of the command will tell docker to run the containers in the background.
+If you need to check the logs after that, you can run `sudo docker-compose logs`.
+
+Vikunja does not have any default users, you'll need to register and account.
+After that, you can use it.
+
+## Tear it all down
+
+If you want to completely stop all containers run `sudo docker-compose down` in your terminal.
+
+## Improve this guide
+
+We'll happily accept suggestions and improvements for this guide.
+Please [reach out to us](https://vikunja.io/contact/) if you have any.
--- a/docs/content/doc/setup/full-docker-example.md
+++ b/docs/content/doc/setup/full-docker-example.md
@@ -11,7 +11,154 @@ menu:
 # Full docker example

 This docker compose configuration will run Vikunja with backend and frontend with a mariadb as database.
-It uses an nginx container to proxy backend and frontend into a single port.
+It uses an nginx container or traefik on the host to proxy backend and frontend into a single port.
+
+For all available configuration options, see [configuration]({{< ref "config.md">}}).
+
+### Redis
+
+To use redis, you'll need to add this to the config examples below:
+
+{{< highlight yaml >}}
+version: '3'
+
+services:
+  api:
+    image: vikunja/api
+    environment:
+      VIKUNJA_REDIS_ENABLED: 1
+      VIKUNJA_REDIS_HOST: 'redis:6379'
+      VIKUNJA_CACHE_ENABLED: 1
+      VIKUNJA_CACHE_TYPE: redis
+    volumes:
+      - ./files:/app/vikunja/files
+  redis:
+    image: redis
+{{< /highlight >}}
+
+## Example with traefik 2
+
+This example assumes [traefik](https://traefik.io) version 2 installed and configured to [use docker as a configuration provider](https://docs.traefik.io/providers/docker/).
+
+We also make a few assumtions here which you'll most likely need to adjust for your traefik setup:
+
+* Your domain is `vikunja.example.com`
+* The entrypoint you want to make vikunja available from is called `https`
+* The tls cert resolver is called `acme`
+
+{{< highlight yaml >}}
+version: '3'
+
+services:
+  api:
+    image: vikunja/api
+    environment:
+      VIKUNJA_DATABASE_HOST: db
+      VIKUNJA_DATABASE_PASSWORD: supersecret
+      VIKUNJA_DATABASE_TYPE: mysql
+      VIKUNJA_DATABASE_USER: vikunja
+      VIKUNJA_DATABASE_DATABASE: vikunja
+    volumes: 
+      - ./files:/app/vikunja/files
+    networks:
+      - web
+      - default
+    depends_on:
+      - db
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vikunja-api.rule=Host(`vikunja.example.com`) && PathPrefix(`/api/v1`)"
+      - "traefik.http.routers.vikunja-api.entrypoints=https"
+      - "traefik.http.routers.vikunja-api.tls.certResolver=acme"
+  frontend:
+    image: vikunja/frontend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vikunja-frontend.rule=Host(`vikunja.example.com`)"
+      - "traefik.http.routers.vikunja-frontend.entrypoints=https"
+      - "traefik.http.routers.vikunja-frontend.tls.certResolver=acme"
+    networks:
+      - web
+      - default
+    restart: unless-stopped
+  db:
+    image: mariadb:10
+    environment:
+      MYSQL_ROOT_PASSWORD: supersupersecret 
+      MYSQL_USER: vikunja
+      MYSQL_PASSWORD: supersecret
+      MYSQL_DATABASE: vikunja
+    volumes:
+      - ./db:/var/lib/mysql
+    restart: unless-stopped
+    command: --max-connections=1000
+
+networks:
+  web:
+    external: true
+{{< /highlight >}}
+
+## Example with traefik 1
+
+This example assumes [traefik](https://traefik.io) in version 1 installed and configured to [use docker as a configuration provider](https://docs.traefik.io/v1.7/configuration/backends/docker/).
+
+{{< highlight yaml >}}
+version: '3'
+
+services:
+  api:
+    image: vikunja/api
+    environment:
+      VIKUNJA_DATABASE_HOST: db
+      VIKUNJA_DATABASE_PASSWORD: supersecret
+      VIKUNJA_DATABASE_TYPE: mysql
+      VIKUNJA_DATABASE_USER: vikunja
+      VIKUNJA_DATABASE_DATABASE: vikunja
+    volumes: 
+      - ./files:/app/vikunja/files
+    networks:
+      - web
+      - default
+    depends_on:
+      - db
+    restart: unless-stopped
+    labels:
+      - "traefik.docker.network=web"
+      - "traefik.enable=true"
+      - "traefik.frontend.rule=Host:vikunja.example.com;PathPrefix:/api/v1"
+      - "traefik.port=3456"
+      - "traefik.protocol=http"
+  frontend:
+    image: vikunja/frontend
+    labels:
+      - "traefik.docker.network=web"
+      - "traefik.enable=true"
+      - "traefik.frontend.rule=Host:vikunja.example.com;PathPrefix:/"
+      - "traefik.port=80"
+      - "traefik.protocol=http"
+    networks:
+      - web
+      - default
+    restart: unless-stopped
+  db:
+    image: mariadb:10
+    environment:
+      MYSQL_ROOT_PASSWORD: supersupersecret 
+      MYSQL_USER: vikunja
+      MYSQL_PASSWORD: supersecret
+      MYSQL_DATABASE: vikunja
+    volumes:
+      - ./db:/var/lib/mysql
+    restart: unless-stopped
+    command: --max-connections=1000
+
+networks:
+  web:
+    external: true
+{{< /highlight >}}
+
+## Example with nginx as proxy

 You'll need to save this nginx configuration on your host under `nginx.conf` 
 (or elsewhere, but then you'd need to adjust the proxy mount at the bottom of the compose file):
@@ -30,7 +177,7 @@ server {
 }
 {{< /highlight >}}

-### Without redis
+`docker-compose.yml` config:

 {{< highlight yaml >}}
 version: '3'
@@ -43,6 +190,7 @@ services:
      MYSQL_DATABASE: vikunja
    volumes:
      - ./db:/var/lib/mysql
+    restart: unless-stopped
  api:
    image: vikunja/api
    environment:
@@ -51,10 +199,14 @@ services:
      VIKUNJA_DATABASE_TYPE: mysql
      VIKUNJA_DATABASE_USER: root
      VIKUNJA_DATABASE_DATABASE: vikunja
+    volumes: 
+      - ./files:/app/vikunja/files
    depends_on:
      - db
+    restart: unless-stopped
  frontend:
    image: vikunja/frontend
+    restart: unless-stopped
  proxy:
    image: nginx
    ports:
@@ -64,9 +216,21 @@ services:
    depends_on:
      - api
      - frontend
+    restart: unless-stopped
 {{< /highlight >}}

-### With redis
+## Example with Caddy v2 as proxy
+
+You will need the following `Caddyfile` on your host (or elsewhere, but then you'd need to adjust the proxy mount at the bottom of the compose file):
+
+{{< highlight conf >}}
+vikunja.example.com {
+    reverse_proxy /api/* api:3456
+    reverse_proxy frontend:80
+}
+{{< /highlight >}}
+
+`docker-compose.yml` config:

 {{< highlight yaml >}}
 version: '3'
@@ -79,8 +243,7 @@ services:
      MYSQL_DATABASE: vikunja
    volumes:
      - ./db:/var/lib/mysql
-  redis:
-    image: redis
+    restart: unless-stopped
  api:
    image: vikunja/api
    environment:
@@ -89,22 +252,23 @@ services:
      VIKUNJA_DATABASE_TYPE: mysql
      VIKUNJA_DATABASE_USER: root
      VIKUNJA_DATABASE_DATABASE: vikunja
-      VIKUNJA_REDIS_ENABLED: 1
-      VIKUNJA_REDIS_HOST: 'redis:6379'
-      VIKUNJA_CACHE_ENABLED: 1
-      VIKUNJA_CACHE_TYPE: redis
+    volumes: 
+      - ./files:/app/vikunja/files
    depends_on:
      - db
-      - redis
+    restart: unless-stopped
  frontend:
    image: vikunja/frontend
-  proxy:
-    image: nginx
+    restart: unless-stopped
+  caddy:
+    image: caddy
+    restart: unless-stopped
    ports:
-      - 80:80
-    volumes:
-      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+        - "80:80"
+        - "443:443"
    depends_on:
      - api
      - frontend
-{{< /highlight >}}
+    volumes:
+        - ./Caddyfile:/etc/caddy/Caddyfile:ro
+{{< /highlight >}}
--- a/docs/content/doc/setup/install-backend.md
+++ b/docs/content/doc/setup/install-backend.md
@@ -55,6 +55,7 @@ After=network.target
 # Depending on how you configured Vikunja, you may want to uncomment these:
 #Requires=mysql.service
 #Requires=mariadb.service
+#Requires=postgresql.service
 #Requires=redis.service

 [Service]
@@ -105,7 +106,7 @@ docker run -p 3456:3456 vikunja/api
 {{< /highlight >}}

 to run with a standard configuration.
-This will expose 
+This will expose vikunja on port `3456` on the host running the container.

 You can mount a local configuration like so:

@@ -116,6 +117,18 @@ docker run -p 3456:3456 -v /path/to/config/on/host.yml:/app/vikunja/config.yml:r
 Though it is recommended to use eviroment variables or `.env` files to configure Vikunja in docker.
 See [config]({{< ref "config.md">}}) for a list of available configuration options.

+### Files volume
+
+By default the container stores all files uploaded and used through vikunja inside of `/app/vikunja/files` which is created as a docker volume.
+You should mount the volume somewhere to the host to permanently store the files and don't loose them if the container restarts.
+
+### Setting user and group id of the user running vikunja
+
+You can set the user and group id of the user running vikunja with the `PUID` and `PGID` evironment variables.
+This follows the pattern used by [the linuxserver.io](https://docs.linuxserver.io/general/understanding-puid-and-pgid) docker images.
+
+This is useful to solve general permission problems when host-mounting volumes such as the volume used for task attachments.
+
 ### Docker compose

 To run the backend with a mariadb database you can use this example [docker-compose](https://docs.docker.com/compose/) file:
@@ -131,13 +144,15 @@ services:
      VIKUNJA_DATABASE_TYPE: mysql
      VIKUNJA_DATABASE_USER: root
      VIKUNJA_SERVICE_JWTSECRET: <generated secret>
+    volumes:
+      - ./files:/app/vikunja/files
  db:
    image: mariadb:10
    environment:
      MYSQL_ROOT_PASSWORD: supersecret
      MYSQL_DATABASE: vikunja
    volumes:
-    - ./db:/var/lib/mysql
+      - ./db:/var/lib/mysql
 {{< /highlight >}}

 See [full docker example]({{< ref "full-docker-example.md">}}) for more varations of this config.
--- a/docs/content/doc/setup/install-frontend.md
+++ b/docs/content/doc/setup/install-frontend.md
@@ -17,6 +17,20 @@ Unzip them and store them somewhere your server can access them.

 You also need to configure a rewrite condition to internally redirect all requests to `index.html` which handles all urls. 

+## API URL configuration
+
+By default, the frontend assumes it can reach the api at `/api/v1` relative to the frontend url.
+This means that if you make the frontend available at, say `https://vikunja.example.com`, it tries to reach the api
+at `https://vikunja.example.com/api/v1`.
+In this scenario it is not possible for the frontend and the api to live on seperate servers or even just seperate 
+ports on the same server with [the use of a reverse proxy]({{< ref "reverse-proxies.md">}}).
+
+To make configurations like this possible, the api url can be set in the `index.html` file of the frontend releases.
+Just open the file with a text editor - there are comments which will explain how to set the url.
+
+**Note:** This needs to be done again after every update. 
+(If you have a good idea for a better solution than this, we'd love to [hear it](https://vikunja.io/contact/))
+
 ## Docker

 The docker image is based on nginx and just contains all nessecary files for the frontend.
@@ -31,6 +45,16 @@ which will run the docker image and expose port 80 on the host.

 See [full docker example]({{< ref "full-docker-example.md">}}) for more varations of this config.

+### Setting user and group id of the user running vikunja
+
+You can set the user and group id of the user running vikunja with the `PUID` and `PGID` evironment variables.
+This follows the pattern used by [the linuxserver.io](https://docs.linuxserver.io/general/understanding-puid-and-pgid) docker images.
+
+### API URL configuration in docker
+
+When running the frontend with docker, it is possible to set the environment variable `$VIKUNJA_API_URL` to the api url.
+It is therefore not needed to change the url manually inside the docker container.
+
 ## NGINX

 Below are two example configurations which you can put in your `nginx.conf`:
--- a/docs/content/doc/usage/caldav.md
+++ b/docs/content/doc/usage/caldav.md
@@ -0,0 +1,140 @@
+---
+date: "2019-05-12:00:00+01:00"
+title: "Caldav"
+draft: false
+type: "doc"
+menu:
+  sidebar:
+    parent: "usage"
+---
+
+# Caldav
+
+> **Warning:** The caldav integration is in an early alpha stage and has bugs. 
+> It works well with some clients while having issues with others.
+> If you encounter issues, please [report them](https://code.vikunja.io/api/issues/new?body=[caldav]) 
+
+Vikunja supports managing tasks via the [caldav VTODO](https://tools.ietf.org/html/rfc5545#section-3.6.2) extension.
+
+## URLs
+
+All urls are located under the `/dav` subspace.
+
+Urls are:
+
+* `/principals/<username>/`: Returns urls for list discovery. *Use this url to initially make connections to new clients.*
+* `/lists/`: Used to manage lists
+* `/lists/<List ID>/`: Used to manage a single list
+* `/lists/<List ID>/<Task UID>`: Used to manage a task on a list
+
+## Supported properties
+
+Vikunja currently supports the following properties:
+
+* `UID`
+* `SUMMARY`
+* `DESCRIPTION`
+* `PRIORITY`
+* `COMPLETED`
+* `DUE`
+* `DTSTART`
+* `DURATION`
+* `ORGANIZER`
+* `RELATED-TO`
+* `CREATED`
+* `DTSTAMP`
+* `LAST-MODIFIED`
+
+Vikunja **currently does not** support these properties:
+
+* `ATTACH`
+* `CATEGORIES`
+* `CLASS`
+* `COMMENT`
+* `GEO`
+* `LOCATION`
+* `PERCENT-COMPLETE`
+* `RESOURCES`
+* `STATUS`
+* `CONTACT`
+* `RECURRENCE-ID`
+* `URL`
+* Recurrence
+* `SEQUENCE`
+
+## Tested Clients
+
+#### Working
+
+* [Evolution](https://wiki.gnome.org/Apps/Evolution/)
+
+#### Not working
+
+* [Tasks (Android)](https://tasks.org/)
+
+## Dev logs
+
+The whole thing is not optimized at all and probably pretty inefficent.
+
+Request body and headers are logged if the debug output is enabled.
+
+```
+Creating a new task:
+PUT /dav/lists/1/cd4dd0e1b3c19cc9d787829b6e08be536e3df3a4.ics
+
+Body:
+
+BEGIN:VCALENDAR
+CALSCALE:GREGORIAN
+PRODID:-//Ximian//NONSGML Evolution Calendar//EN
+VERSION:2.0
+BEGIN:VTODO
+UID:cd4dd0e1b3c19cc9d787829b6e08be536e3df3a4
+DTSTAMP:20190508T134538Z
+SUMMARY:test2000
+PRIORITY:0
+CLASS:PUBLIC
+CREATED:20190508T134710Z
+LAST-MODIFIED:20190508T134710Z
+END:VTODO
+END:VCALENDAR
+
+
+Marking a task as done:
+
+BEGIN:VCALENDAR
+CALSCALE:GREGORIAN
+PRODID:-//Ximian//NONSGML Evolution Calendar//EN
+VERSION:2.0
+BEGIN:VTODO
+UID:3ada92f28b4ceda38562ebf047c6ff05400d4c572352a
+DTSTAMP:20190511T183631
+DTSTART:19700101T000000
+DTEND:19700101T000000
+SUMMARY:sdgs
+ORGANIZER;CN=:user
+CREATED:20190511T183631
+PRIORITY:0
+LAST-MODIFIED:20190512T193428Z
+COMPLETED:20190512T193428Z
+PERCENT-COMPLETE:100
+STATUS:COMPLETED
+END:VTODO
+END:VCALENDAR
+
+Requests from the app:::
+
+[CALDAV] Request Body: <?xml version="1.0" encoding="UTF-8" ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
+[CALDAV] GetResources: rpath: /dav/
+2019-05-18T23:25:49.971140654+02:00: WEB 	▶ 192.168.1.134  PROPFIND 207 /dav/ 1.021705664s - okhttp/3.12.2
+
+[CALDAV] Request Body: <?xml version="1.0" encoding="UTF-8" ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><CAL:calendar-home-set /></prop></propfind>
+[CALDAV] GetResources: rpath: /dav/
+2019-05-18T23:25:52.166996113+02:00: WEB 	▶ 192.168.1.134  PROPFIND 207 /dav/ 1.042834467s - okhttp/3.12.2
+
+And then it just stops.
+... and complains about not being able to find the home set
+... without even requesting it...
+
+
+```
--- a/docs/content/doc/usage/cli.md
+++ b/docs/content/doc/usage/cli.md
@@ -81,4 +81,23 @@ Starts Vikunja's REST api server.
 Usage:
 {{< highlight bash >}}
 $ vikunja web    
-{{< /highlight >}}
+{{< /highlight >}}
+
+### `dump`
+
+Creates a zip file with all vikunja-related files.
+This includes config, version, all files and the full database.
+
+Usage:
+{{< highlight bash >}}
+$ vikunja dump
+{{< /highlight >}}
+
+### `restore`
+
+Restores a previously created dump from a zip file, see `dump`.
+
+Usage:
+{{< highlight bash >}}
+$ vikunja restore <path to dump zip file>
+{{< /highlight >}}
--- a/docs/content/doc/usage/errors.md
+++ b/docs/content/doc/usage/errors.md
@@ -12,6 +12,14 @@ menu:

 This document describes the different errors Vikunja can return.

+### Generic
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
+| 0001 | 403 | Generic forbidden error. |
+
+### User
+
 | ErrorCode | HTTP Status Code | Description |
 |-----------|------------------|-------------|
 | 1001 | 400 | A user with this username already exists. |
@@ -24,31 +32,102 @@ This document describes the different errors Vikunja can return.
 | 1010 | 412 | Invalid email confirm token. |
 | 1011 | 412 | Wrong username or password. |
 | 1012 | 412 | Email address of the user not confirmed. |
+| 1013 | 412 | New password is empty. |
+| 1014 | 412 | Old password is empty. |
+| 1015 | 412 | Totp is already enabled for this user. |
+| 1016 | 412 | Totp is not enabled for this user. |
+| 1017 | 412 | The provided Totp passcode is invalid. |
+
+### Validation
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
 | 2001 | 400 | ID cannot be empty or 0. |
 | 2002 | 400 | Some of the request data was invalid. The response contains an aditional array with all invalid fields. |
+
+### List
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
 | 3001 | 404 | The list does not exist. |
 | 3004 | 403 | The user needs to have read permissions on that list to perform that action. |
 | 3005 | 400 | The list title cannot be empty. |
+| 3006 | 404 | The list share does not exist. |
+| 3007 | 400 | A list with this identifier already exists. |
+| 3008 | 412 | The list is archived and can therefore only be accessed read only. This is also true for all tasks associated with this list. |
+
+### Task
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
 | 4001 | 400 | The list task text cannot be empty. |
 | 4002 | 404 | The list task does not exist. |
 | 4003 | 403 | All bulk editing tasks must belong to the same list. |
 | 4004 | 403 | Need at least one task when bulk editing tasks. |
 | 4005 | 403 | The user does not have the right to see the task. |
+| 4006 | 403 | The user tried to set a parent task as the task itself. |
+| 4007 | 400 | The user tried to create a task relation with an invalid kind of relation. |
+| 4008 | 409 | The user tried to create a task relation which already exists. |
+| 4009 | 404 | The task relation does not exist. | 
+| 4010 | 400 | Cannot relate a task with itself. |
+| 4011 | 404 | The task attachment does not exist. |
+| 4012 | 400 | The task attachment is too large. |
+| 4013 | 400 | The task sort param is invalid. |
+| 4014 | 400 | The task sort order is invalid. |
+| 4015 | 404 | The task comment does not exist. |
+| 4016 | 403 | Invalid task field. |
+| 4017 | 403 | Invalid task filter comparator. |
+| 4018 | 403 | Invalid task filter concatinator. |
+| 4019 | 403 | Invalid task filter value. |
+
+### Namespace
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
 | 5001 | 404 | The namspace does not exist. | 
 | 5003 | 403 | The user does not have access to the specified namespace. |
 | 5006 | 400 | The namespace name cannot be empty. |
 | 5009 | 403 | The user needs to have namespace read access to perform that action. |
 | 5010 | 403 | This team does not have access to that namespace. |
 | 5011 | 409 | This user has already access to that namespace. |
+| 5012 | 412 | The namespace is archived and can therefore only be accessed read only. |
+
+### Team
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
 | 6001 | 400 | The team name cannot be emtpy. |
 | 6002 | 404 | The team does not exist. |
 | 6004 | 409 | The team already has access to that namespace or list. |
 | 6005 | 409 | The user is already a member of that team. |
 | 6006 | 400 | Cannot delete the last team member. |
 | 6007 | 403 | The team does not have access to the list to perform that action. |
+
+### User List Access
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
 | 7002 | 409 | The user already has access to that list. |
 | 7003 | 403 | The user does not have access to that list. |
+
+### Label
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
 | 8001 | 403 | This label already exists on that task. |
 | 8002 | 404 | The label does not exist. |
 | 8003 | 403 | The user does not have access to this label. |
-| 9001 | 403 | The right is invalid. | 
+
+### Right
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
+| 9001 | 403 | The right is invalid. | 
+
+### Kanban
+
+| ErrorCode | HTTP Status Code | Description |
+|-----------|------------------|-------------|
+| 10001 | 404 | The bucket does not exist. | 
+| 10002 | 400 | The bucket does not belong to that list. | 
+| 10003 | 412 | You cannot remove the last bucket on a list. | 
--- a/docs/content/doc/usage/relation_kinds.md
+++ b/docs/content/doc/usage/relation_kinds.md
@@ -0,0 +1,25 @@
+---
+date: "2019-09-25:00:00+02:00"
+title: "Task Relation kinds"
+draft: false
+type: "doc"
+menu:
+  sidebar:
+    parent: "usage"
+---
+
+# Available task relation kinds
+
+| Code | Description |
+|------|-------------|
+| subtask | Task is a subtask of the other task. This is the opposite of `parenttask`. |
+| parenttask | Task is a parent task of the other task. This is the opposite of `subtask`. |
+| related | Both tasks are related to each other. How is not more specified. |
+| duplicateof | Task is a duplicate of the other task. This is the opposite of `duplicates`. |
+| duplicates | Task duplicates the other task. This is the opposite of `duplicateof`. |
+| blocking | Task is blocking the other task. This is the opposite of `blocked`. |
+| blocked | Task is blocked by the other task. This is the opposite of `blocking`. |
+| precedes | Task precedes the other task. This is the opposite of `follows`. |
+| follows | Task follows the other task. This is the opposite of `precedes`. |
+| copiedfrom | Task is copied from the other task. This is the opposite of `copiedto`. |
+| copiedto | Task is copied to the other task. This is the opposite of `copiedfrom`. |
--- a/docs/themes/vikunja
+++ b/docs/themes/vikunja
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-// Vikunja is a todo-list application to facilitate your life.
+// Vikunja is a to-do list application to facilitate your life.
 // Copyright 2018 Vikunja and contributors. All rights reserved.
 //
 // This program is free software: you can redistribute it and/or modify
@@ -17,61 +17,78 @@
 module code.vikunja.io/api

 require (
-	cloud.google.com/go v0.34.0 // indirect
-	code.vikunja.io/web v0.0.0-20190329170935-7dc1f4191c49
-	github.com/BurntSushi/toml v0.3.1 // indirect
-	github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc
-	github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
+	4d63.com/tz v1.1.0
+	code.vikunja.io/web v0.0.0-20200618164749-a5f3d450d39a
+	gitea.com/xorm/xorm-redis-cache v0.2.0
+	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
+	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
+	github.com/beevik/etree v1.1.0 // indirect
+	github.com/c2h5oh/datasize v0.0.0-20200112174442-28bbd4740fee
 	github.com/client9/misspell v0.3.4
+	github.com/cweill/gotests v1.5.3
+	github.com/d4l3k/messagediff v1.2.1 // indirect
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/fzipp/gocyclo v0.0.0-20150627053110-6acd4345c835
-	github.com/garyburd/redigo v1.6.0 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-openapi/spec v0.17.2 // indirect
-	github.com/go-openapi/swag v0.17.2 // indirect
-	github.com/go-redis/redis v6.14.2+incompatible
-	github.com/go-sql-driver/mysql v1.4.1
-	github.com/go-xorm/builder v0.3.2
-	github.com/go-xorm/core v0.6.0
-	github.com/go-xorm/tests v0.5.6 // indirect
-	github.com/go-xorm/xorm v0.7.1
-	github.com/go-xorm/xorm-redis-cache v0.0.0-20180727005610-859b313566b2
-	github.com/gordonklaus/ineffassign v0.0.0-20180909121442-1003c8bd00dc
-	github.com/imdario/mergo v0.3.6
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/jgautheron/goconst v0.0.0-20170703170152-9740945f5dcb
-	github.com/karalabe/xgo v0.0.0-20181007145344-72da7d1d3970
-	github.com/kisielk/gotool v1.0.0 // indirect
-	github.com/labstack/echo v3.3.10+incompatible
-	github.com/labstack/gommon v0.2.8
-	github.com/mattn/go-colorable v0.1.1 // indirect
-	github.com/mattn/go-isatty v0.0.7 // indirect
-	github.com/mattn/go-oci8 v0.0.0-20181130072307-052f5d97b9b6 // indirect
-	github.com/mattn/go-runewidth v0.0.4 // indirect
-	github.com/mattn/go-sqlite3 v1.10.0
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.1.2 // indirect
-	github.com/olekukonko/tablewriter v0.0.1
-	github.com/onsi/ginkgo v1.7.0 // indirect
-	github.com/onsi/gomega v1.4.3 // indirect
+	github.com/getsentry/sentry-go v0.6.1
+	github.com/go-openapi/jsonreference v0.19.3 // indirect
+	github.com/go-openapi/spec v0.19.4 // indirect
+	github.com/go-redis/redis/v7 v7.4.0
+	github.com/go-sql-driver/mysql v1.5.0
+	github.com/go-testfixtures/testfixtures/v3 v3.3.0
+	github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf
+	github.com/iancoleman/strcase v0.0.0-20191112232945-16388991a334
+	github.com/imdario/mergo v0.3.9
+	github.com/jgautheron/goconst v0.0.0-20200227150835-cda7ea3bf591
+	github.com/kr/text v0.2.0 // indirect
+	github.com/labstack/echo/v4 v4.1.16
+	github.com/labstack/gommon v0.3.0
+	github.com/laurent22/ical-go v0.1.1-0.20181107184520-7e5d6ade8eef
+	github.com/lib/pq v1.7.0
+	github.com/mailru/easyjson v0.7.0 // indirect
+	github.com/mattn/go-sqlite3 v1.14.0
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/olekukonko/tablewriter v0.0.4
+	github.com/onsi/ginkgo v1.12.0 // indirect
+	github.com/onsi/gomega v1.9.0 // indirect
 	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
-	github.com/prometheus/client_golang v0.9.2
-	github.com/spf13/cobra v0.0.3
-	github.com/spf13/viper v1.2.0
-	github.com/stretchr/objx v0.1.1 // indirect
-	github.com/stretchr/testify v1.3.0
-	github.com/swaggo/swag v1.4.1-0.20181210033626-0e12fd5eb026
-	github.com/urfave/cli v1.20.0 // indirect
-	github.com/valyala/fasttemplate v1.0.1 // indirect
-	golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c
-	golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3
-	golang.org/x/net v0.0.0-20181217023233-e147a9138326 // indirect
-	golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65 // indirect
-	golang.org/x/tools v0.0.0-20181026183834-f60e5f99f081 // indirect
+	github.com/pelletier/go-toml v1.4.0 // indirect
+	github.com/pquerna/otp v1.2.0
+	github.com/prometheus/client_golang v1.7.1
+	github.com/samedi/caldav-go v3.0.0+incompatible
+	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749
+	github.com/shurcooL/vfsgen v0.0.0-20200627165143-92b8a710ab6c
+	github.com/spf13/afero v1.3.1
+	github.com/spf13/cobra v1.0.0
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/viper v1.7.0
+	github.com/stretchr/testify v1.6.1
+	github.com/swaggo/swag v1.6.7
+	github.com/ulule/limiter/v3 v3.5.0
+	github.com/urfave/cli v1.22.2 // indirect
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	golang.org/x/lint v0.0.0-20200302205851-738671d3881b
+	golang.org/x/net v0.0.0-20200602114024-627f9648deb9 // indirect
+	golang.org/x/text v0.3.3 // indirect
+	golang.org/x/tools v0.0.0-20200410194907-79a7a3126eef // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
+	gopkg.in/d4l3k/messagediff.v1 v1.2.1
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
-	gopkg.in/testfixtures.v2 v2.5.3
-	gopkg.in/yaml.v2 v2.2.2 // indirect
-	honnef.co/go/tools v0.0.0-20190215041234-466a0476246c
-	src.techknowlogick.com/xormigrate v0.0.0-20190321151057-24497c23c09c
+	honnef.co/go/tools v0.0.1-2020.1.4
+	src.techknowlogick.com/xgo v0.0.0-20200602060627-a09175ea9056
+	src.techknowlogick.com/xormigrate v1.3.0
+	xorm.io/builder v0.3.7
+	xorm.io/core v0.7.3
+	xorm.io/xorm v1.0.2
 )
+
+replace (
+	github.com/coreos/bbolt => go.etcd.io/bbolt v1.3.4
+	github.com/coreos/go-systemd => github.com/coreos/go-systemd/v22 v22.0.0
+	github.com/hpcloud/tail => github.com/jeffbean/tail v1.0.1 // See https://github.com/hpcloud/tail/pull/159
+	github.com/samedi/caldav-go => github.com/kolaente/caldav-go v3.0.1-0.20190524174923-9e5cd1688227+incompatible // Branch: feature/dynamic-supported-components, PR: https://github.com/samedi/caldav-go/pull/6 and https://github.com/samedi/caldav-go/pull/7
+	gopkg.in/fsnotify.v1 => github.com/kolaente/fsnotify v1.4.10-0.20200411160148-1bc3c8ff4048 // See https://github.com/fsnotify/fsnotify/issues/328 and https://github.com/golang/go/issues/26904
+)
+
+go 1.13
--- a/go.sum
+++ b/go.sum
--- a/main.go
+++ b/main.go
@@ -1,18 +1,18 @@
-//  Vikunja is a todo-list application to facilitate your life.
-//  Copyright 2018 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//  This program is free software: you can redistribute it and/or modify
-//  it under the terms of the GNU General Public License as published by
-//  the Free Software Foundation, either version 3 of the License, or
-//  (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//  This program is distributed in the hope that it will be useful,
-//  but WITHOUT ANY WARRANTY; without even the implied warranty of
-//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//  GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//  You should have received a copy of the GNU General Public License
-//  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package main

--- a/pkg/caldav/caldav.go
+++ b/pkg/caldav/caldav.go
@@ -1,27 +1,34 @@
-//  Vikunja is a todo-list application to facilitate your life.
-//  Copyright 2018 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//  This program is free software: you can redistribute it and/or modify
-//  it under the terms of the GNU General Public License as published by
-//  the Free Software Foundation, either version 3 of the License, or
-//  (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//  This program is distributed in the hope that it will be useful,
-//  but WITHOUT ANY WARRANTY; without even the implied warranty of
-//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//  GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//  You should have received a copy of the GNU General Public License
-//  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package caldav

 import (
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/api/pkg/utils"
+	"fmt"
 	"strconv"
+	"strings"
 	"time"
 )

+// DateFormat ist the caldav date format
+const DateFormat = `20060102T150405`
+
 // Event holds a single caldav event
 type Event struct {
 	Summary     string
@@ -29,14 +36,37 @@ type Event struct {
 	UID         string
 	Alarms      []Alarm

-	TimestampUnix int64
-	StartUnix     int64
-	EndUnix       int64
+	Timestamp time.Time
+	Start     time.Time
+	End       time.Time
+}
+
+// Todo holds a single VTODO
+type Todo struct {
+	// Required
+	Timestamp time.Time
+	UID       string
+
+	// Optional
+	Summary      string
+	Description  string
+	Completed    time.Time
+	Organizer    *user.User
+	Priority     int64 // 0-9, 1 is highest
+	RelatedToUID string
+
+	Start    time.Time
+	End      time.Time
+	DueDate  time.Time
+	Duration time.Duration
+
+	Created time.Time
+	Updated time.Time // last-mod
 }

 // Alarm holds infos about an alarm from a caldav event
 type Alarm struct {
-	TimeUnix    int64
+	Time        time.Time
 	Description string
 }

@@ -58,7 +88,7 @@ PRODID:-//` + config.ProdID + `//EN`
 	for _, e := range events {

 		if e.UID == "" {
-			e.UID = makeCalDavTimeFromUnixTime(e.TimestampUnix) + utils.Sha256(e.Summary)
+			e.UID = makeCalDavTimeFromTimeStamp(e.Timestamp) + utils.Sha256(e.Summary)
 		}

 		caldavevents += `
@@ -66,9 +96,9 @@ BEGIN:VEVENT
 UID:` + e.UID + `
 SUMMARY:` + e.Summary + `
 DESCRIPTION:` + e.Description + `
-DTSTAMP:` + makeCalDavTimeFromUnixTime(e.TimestampUnix) + `
-DTSTART:` + makeCalDavTimeFromUnixTime(e.StartUnix) + `
-DTEND:` + makeCalDavTimeFromUnixTime(e.EndUnix)
+DTSTAMP:` + makeCalDavTimeFromTimeStamp(e.Timestamp) + `
+DTSTART:` + makeCalDavTimeFromTimeStamp(e.Start) + `
+DTEND:` + makeCalDavTimeFromTimeStamp(e.End)

 		for _, a := range e.Alarms {
 			if a.Description == "" {
@@ -77,7 +107,7 @@ DTEND:` + makeCalDavTimeFromUnixTime(e.EndUnix)

 			caldavevents += `
 BEGIN:VALARM
-TRIGGER:` + calcAlarmDateFromReminder(e.StartUnix, a.TimeUnix) + `
+TRIGGER:` + calcAlarmDateFromReminder(e.Start, a.Time) + `
 ACTION:DISPLAY
 DESCRIPTION:` + a.Description + `
 END:VALARM`
@@ -92,21 +122,98 @@ END:VCALENDAR` // Need a line break
 	return
 }

-func makeCalDavTimeFromUnixTime(unixtime int64) (caldavtime string) {
-	tz, _ := time.LoadLocation("UTC")
-	tm := time.Unix(unixtime, 0).In(tz)
-	return tm.Format("20060102T150405")
-}
+// ParseTodos returns a caldav vcalendar string with todos
+func ParseTodos(config *Config, todos []*Todo) (caldavtodos string) {
+	caldavtodos = `BEGIN:VCALENDAR
+VERSION:2.0
+METHOD:PUBLISH
+X-PUBLISHED-TTL:PT4H
+X-WR-CALNAME:` + config.Name + `
+PRODID:-//` + config.ProdID + `//EN`

-func calcAlarmDateFromReminder(eventStartUnix, reminderUnix int64) (alarmTime string) {
-	if eventStartUnix > reminderUnix {
-		alarmTime += `-`
+	for _, t := range todos {
+		if t.UID == "" {
+			t.UID = makeCalDavTimeFromTimeStamp(t.Timestamp) + utils.Sha256(t.Summary)
+		}
+
+		caldavtodos += `
+BEGIN:VTODO
+UID:` + t.UID + `
+DTSTAMP:` + makeCalDavTimeFromTimeStamp(t.Timestamp) + `
+SUMMARY:` + t.Summary
+
+		if t.Start.Unix() > 0 {
+			caldavtodos += `
+DTSTART: ` + makeCalDavTimeFromTimeStamp(t.Start)
+		}
+		if t.End.Unix() > 0 {
+			caldavtodos += `
+DTEND: ` + makeCalDavTimeFromTimeStamp(t.End)
+		}
+		if t.Description != "" {
+			caldavtodos += `
+DESCRIPTION:` + t.Description
+		}
+		if t.Completed.Unix() > 0 {
+			caldavtodos += `
+COMPLETED: ` + makeCalDavTimeFromTimeStamp(t.Completed)
+		}
+		if t.Organizer != nil {
+			caldavtodos += `
+ORGANIZER;CN=:` + t.Organizer.Username
+		}
+
+		if t.RelatedToUID != "" {
+			caldavtodos += `
+RELATED-TO:` + t.RelatedToUID
+		}
+
+		if t.DueDate.Unix() > 0 {
+			caldavtodos += `
+DUE:` + makeCalDavTimeFromTimeStamp(t.DueDate)
+		}
+
+		if t.Created.Unix() > 0 {
+			caldavtodos += `
+CREATED:` + makeCalDavTimeFromTimeStamp(t.Created)
+		}
+
+		if t.Duration != 0 {
+			caldavtodos += `
+DURATION:PT` + fmt.Sprintf("%.6f", t.Duration.Hours()) + `H` + fmt.Sprintf("%.6f", t.Duration.Minutes()) + `M` + fmt.Sprintf("%.6f", t.Duration.Seconds()) + `S`
+		}
+
+		if t.Priority != 0 {
+			caldavtodos += `
+PRIORITY:` + strconv.Itoa(int(t.Priority))
+		}
+
+		caldavtodos += `
+LAST-MODIFIED:` + makeCalDavTimeFromTimeStamp(t.Updated)
+
+		caldavtodos += `
+END:VTODO`
 	}
-	alarmTime += `PT`
-	diff := eventStartUnix - reminderUnix
-	if diff < 0 { // Make it positive
-		diff = diff * -1
-	}
-	alarmTime += strconv.Itoa(int(diff/60)) + "M"
+
+	caldavtodos += `
+END:VCALENDAR` // Need a line break
+
+	return
+}
+
+func makeCalDavTimeFromTimeStamp(ts time.Time) (caldavtime string) {
+	return ts.In(config.GetTimeZone()).Format(DateFormat)
+}
+
+func calcAlarmDateFromReminder(eventStart, reminder time.Time) (alarmTime string) {
+	diff := reminder.Sub(eventStart)
+	diffStr := strings.ToUpper(diff.String())
+	if diff < 0 {
+		alarmTime += `-`
+		// We append the - at the beginning of the caldav flag, that would get in the way if the minutes
+		// themselves are also containing it
+		diffStr = diffStr[1:]
+	}
+	alarmTime += `PT` + diffStr
 	return
 }
--- a/pkg/caldav/caldav_test.go
+++ b/pkg/caldav/caldav_test.go
@@ -1,22 +1,27 @@
-//  Vikunja is a todo-list application to facilitate your life.
-//  Copyright 2018 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//  This program is free software: you can redistribute it and/or modify
-//  it under the terms of the GNU General Public License as published by
-//  the Free Software Foundation, either version 3 of the License, or
-//  (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//  This program is distributed in the hope that it will be useful,
-//  but WITHOUT ANY WARRANTY; without even the implied warranty of
-//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//  GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//  You should have received a copy of the GNU General Public License
-//  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package caldav

-import "testing"
+import (
+	"code.vikunja.io/api/pkg/config"
+	"github.com/stretchr/testify/assert"
+	"testing"
+	"time"
+)

 func TestParseEvents(t *testing.T) {
 	type args struct {
@@ -37,26 +42,26 @@ func TestParseEvents(t *testing.T) {
 				},
 				events: []*Event{
 					{
-						Summary:       "Event #1",
-						Description:   "Lorem Ipsum",
-						UID:           "randommduid",
-						TimestampUnix: 1543626724,
-						StartUnix:     1543626724,
-						EndUnix:       1543627824,
+						Summary:     "Event #1",
+						Description: "Lorem Ipsum",
+						UID:         "randommduid",
+						Timestamp:   time.Unix(1543626724, 0).In(config.GetTimeZone()),
+						Start:       time.Unix(1543626724, 0).In(config.GetTimeZone()),
+						End:         time.Unix(1543627824, 0).In(config.GetTimeZone()),
 					},
 					{
-						Summary:       "Event #2",
-						UID:           "randommduidd",
-						TimestampUnix: 1543726724,
-						StartUnix:     1543726724,
-						EndUnix:       1543738724,
+						Summary:   "Event #2",
+						UID:       "randommduidd",
+						Timestamp: time.Unix(1543726724, 0).In(config.GetTimeZone()),
+						Start:     time.Unix(1543726724, 0).In(config.GetTimeZone()),
+						End:       time.Unix(1543738724, 0).In(config.GetTimeZone()),
 					},
 					{
-						Summary:       "Event #3 with empty uid",
-						UID:           "20181202T0600242aaef4a81d770c1e775e26bc5abebc87f1d3d7bffaa83",
-						TimestampUnix: 1543726824,
-						StartUnix:     1543726824,
-						EndUnix:       1543727000,
+						Summary:   "Event #3 with empty uid",
+						UID:       "20181202T0600242aaef4a81d770c1e775e26bc5abebc87f1d3d7bffaa83",
+						Timestamp: time.Unix(1543726824, 0).In(config.GetTimeZone()),
+						Start:     time.Unix(1543726824, 0).In(config.GetTimeZone()),
+						End:       time.Unix(1543727000, 0).In(config.GetTimeZone()),
 					},
 				},
 			},
@@ -101,47 +106,47 @@ END:VCALENDAR`,
 				},
 				events: []*Event{
 					{
-						Summary:       "Event #1",
-						Description:   "Lorem Ipsum",
-						UID:           "randommduid",
-						TimestampUnix: 1543626724,
-						StartUnix:     1543626724,
-						EndUnix:       1543627824,
+						Summary:     "Event #1",
+						Description: "Lorem Ipsum",
+						UID:         "randommduid",
+						Timestamp:   time.Unix(1543626724, 0).In(config.GetTimeZone()),
+						Start:       time.Unix(1543626724, 0).In(config.GetTimeZone()),
+						End:         time.Unix(1543627824, 0).In(config.GetTimeZone()),
 						Alarms: []Alarm{
-							{TimeUnix: 1543626524},
-							{TimeUnix: 1543626224},
-							{TimeUnix: 1543626024},
+							{Time: time.Unix(1543626524, 0).In(config.GetTimeZone())},
+							{Time: time.Unix(1543626224, 0).In(config.GetTimeZone())},
+							{Time: time.Unix(1543626024, 0)},
 						},
 					},
 					{
-						Summary:       "Event #2",
-						UID:           "randommduidd",
-						TimestampUnix: 1543726724,
-						StartUnix:     1543726724,
-						EndUnix:       1543738724,
+						Summary:   "Event #2",
+						UID:       "randommduidd",
+						Timestamp: time.Unix(1543726724, 0).In(config.GetTimeZone()),
+						Start:     time.Unix(1543726724, 0).In(config.GetTimeZone()),
+						End:       time.Unix(1543738724, 0).In(config.GetTimeZone()),
 						Alarms: []Alarm{
-							{TimeUnix: 1543626524},
-							{TimeUnix: 1543626224},
-							{TimeUnix: 1543626024},
+							{Time: time.Unix(1543626524, 0).In(config.GetTimeZone())},
+							{Time: time.Unix(1543626224, 0).In(config.GetTimeZone())},
+							{Time: time.Unix(1543626024, 0).In(config.GetTimeZone())},
 						},
 					},
 					{
-						Summary:       "Event #3 with empty uid",
-						TimestampUnix: 1543726824,
-						StartUnix:     1543726824,
-						EndUnix:       1543727000,
+						Summary:   "Event #3 with empty uid",
+						Timestamp: time.Unix(1543726824, 0).In(config.GetTimeZone()),
+						Start:     time.Unix(1543726824, 0).In(config.GetTimeZone()),
+						End:       time.Unix(1543727000, 0).In(config.GetTimeZone()),
 						Alarms: []Alarm{
-							{TimeUnix: 1543626524},
-							{TimeUnix: 1543626224},
-							{TimeUnix: 1543626024},
-							{TimeUnix: 1543826824},
+							{Time: time.Unix(1543626524, 0).In(config.GetTimeZone())},
+							{Time: time.Unix(1543626224, 0).In(config.GetTimeZone())},
+							{Time: time.Unix(1543626024, 0).In(config.GetTimeZone())},
+							{Time: time.Unix(1543826824, 0).In(config.GetTimeZone())},
 						},
 					},
 					{
-						Summary:       "Event #4 without any",
-						TimestampUnix: 1543726824,
-						StartUnix:     1543726824,
-						EndUnix:       1543727000,
+						Summary:   "Event #4 without any",
+						Timestamp: time.Unix(1543726824, 0),
+						Start:     time.Unix(1543726824, 0),
+						End:       time.Unix(1543727000, 0),
 					},
 				},
 			},
@@ -159,17 +164,17 @@ DTSTAMP:20181201T011204
 DTSTART:20181201T011204
 DTEND:20181201T013024
 BEGIN:VALARM
-TRIGGER:-PT3M
+TRIGGER:-PT3M20S
 ACTION:DISPLAY
 DESCRIPTION:Event #1
 END:VALARM
 BEGIN:VALARM
-TRIGGER:-PT8M
+TRIGGER:-PT8M20S
 ACTION:DISPLAY
 DESCRIPTION:Event #1
 END:VALARM
 BEGIN:VALARM
-TRIGGER:-PT11M
+TRIGGER:-PT11M40S
 ACTION:DISPLAY
 DESCRIPTION:Event #1
 END:VALARM
@@ -182,17 +187,17 @@ DTSTAMP:20181202T045844
 DTSTART:20181202T045844
 DTEND:20181202T081844
 BEGIN:VALARM
-TRIGGER:-PT1670M
+TRIGGER:-PT27H50M0S
 ACTION:DISPLAY
 DESCRIPTION:Event #2
 END:VALARM
 BEGIN:VALARM
-TRIGGER:-PT1675M
+TRIGGER:-PT27H55M0S
 ACTION:DISPLAY
 DESCRIPTION:Event #2
 END:VALARM
 BEGIN:VALARM
-TRIGGER:-PT1678M
+TRIGGER:-PT27H58M20S
 ACTION:DISPLAY
 DESCRIPTION:Event #2
 END:VALARM
@@ -205,22 +210,22 @@ DTSTAMP:20181202T050024
 DTSTART:20181202T050024
 DTEND:20181202T050320
 BEGIN:VALARM
-TRIGGER:-PT1671M
+TRIGGER:-PT27H51M40S
 ACTION:DISPLAY
 DESCRIPTION:Event #3 with empty uid
 END:VALARM
 BEGIN:VALARM
-TRIGGER:-PT1676M
+TRIGGER:-PT27H56M40S
 ACTION:DISPLAY
 DESCRIPTION:Event #3 with empty uid
 END:VALARM
 BEGIN:VALARM
-TRIGGER:-PT1680M
+TRIGGER:-PT28H0M0S
 ACTION:DISPLAY
 DESCRIPTION:Event #3 with empty uid
 END:VALARM
 BEGIN:VALARM
-TRIGGER:PT1666M
+TRIGGER:PT27H46M40S
 ACTION:DISPLAY
 DESCRIPTION:Event #3 with empty uid
 END:VALARM
@@ -238,9 +243,8 @@ END:VCALENDAR`,
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if gotCaldavevents := ParseEvents(tt.args.config, tt.args.events); gotCaldavevents != tt.wantCaldavevents {
-				t.Errorf("ParseEvents() = %v, want %v", gotCaldavevents, tt.wantCaldavevents)
-			}
+			gotCaldavevents := ParseEvents(tt.args.config, tt.args.events)
+			assert.Equal(t, gotCaldavevents, tt.wantCaldavevents)
 		})
 	}
 }
--- a/pkg/cmd/cmd.go
+++ b/pkg/cmd/cmd.go
@@ -1,35 +1,27 @@
-//  Vikunja is a todo-list application to facilitate your life.
-//  Copyright 2019 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//  This program is free software: you can redistribute it and/or modify
-//  it under the terms of the GNU General Public License as published by
-//  the Free Software Foundation, either version 3 of the License, or
-//  (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//  This program is distributed in the hope that it will be useful,
-//  but WITHOUT ANY WARRANTY; without even the implied warranty of
-//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//  GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//  You should have received a copy of the GNU General Public License
-//  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package cmd

 import (
-	"code.vikunja.io/api/pkg/config"
 	"fmt"
 	"github.com/spf13/cobra"
 	"os"
 )

-// Version sets the version to be printed to the user. Gets overwritten by "make release" or "make build" with last git commit or tag.
-var Version = "0.1"
-
-func init() {
-	cobra.OnInitialize(config.InitConfig)
-}
-
 var rootCmd = &cobra.Command{
 	Use:   "vikunja",
 	Short: "Vikunja is the to-do app to organize your life.",
@@ -42,7 +34,8 @@ alpine areas of the Andes and a relative of the llama.
 Vikunja is a self-hosted To-Do list application with a web app and mobile apps for all platforms. It is licensed under the GPLv3.

 Find more info at vikunja.io.`,
-	Run: webCmd.Run,
+	PreRun: webCmd.PreRun,
+	Run:    webCmd.Run,
 }

 // Execute starts the application
--- a/pkg/cmd/dump.go
+++ b/pkg/cmd/dump.go
@@ -0,0 +1,43 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"code.vikunja.io/api/pkg/initialize"
+	"code.vikunja.io/api/pkg/log"
+	"code.vikunja.io/api/pkg/modules/dump"
+	"github.com/spf13/cobra"
+	"time"
+)
+
+func init() {
+	rootCmd.AddCommand(dumpCmd)
+}
+
+var dumpCmd = &cobra.Command{
+	Use:   "dump",
+	Short: "Dump all vikunja data into a zip file. Includes config, files and db.",
+	PreRun: func(cmd *cobra.Command, args []string) {
+		initialize.FullInit()
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		filename := "vikunja-dump_" + time.Now().Format("2006-01-02_15-03-05") + ".zip"
+		if err := dump.Dump(filename); err != nil {
+			log.Critical(err.Error())
+		}
+	},
+}
--- a/pkg/cmd/migrate.go
+++ b/pkg/cmd/migrate.go
@@ -1,22 +1,23 @@
-//   Vikunja is a todo-list application to facilitate your life.
-//   Copyright 2019 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//   This program is free software: you can redistribute it and/or modify
-//   it under the terms of the GNU General Public License as published by
-//   the Free Software Foundation, either version 3 of the License, or
-//   (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//   This program is distributed in the hope that it will be useful,
-//   but WITHOUT ANY WARRANTY; without even the implied warranty of
-//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//   GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//   You should have received a copy of the GNU General Public License
-//   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package cmd

 import (
+	"code.vikunja.io/api/pkg/initialize"
 	"code.vikunja.io/api/pkg/migration"
 	"github.com/spf13/cobra"
 )
@@ -24,7 +25,7 @@ import (
 func init() {
 	migrateCmd.AddCommand(migrateListCmd)
 	migrationRollbackCmd.Flags().StringVarP(&rollbackUntilFlag, "name", "n", "", "The id of the migration you want to roll back until.")
-	migrationRollbackCmd.MarkFlagRequired("name")
+	_ = migrationRollbackCmd.MarkFlagRequired("name")
 	migrateCmd.AddCommand(migrationRollbackCmd)
 	rootCmd.AddCommand(migrateCmd)
 }
@@ -35,6 +36,9 @@ func init() {
 var migrateCmd = &cobra.Command{
 	Use:   "migrate",
 	Short: "Run all database migrations which didn't already run.",
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		initialize.LightInit()
+	},
 	Run: func(cmd *cobra.Command, args []string) {
 		migration.Migrate(nil)
 	},
--- a/pkg/cmd/restore.go
+++ b/pkg/cmd/restore.go
@@ -0,0 +1,42 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"code.vikunja.io/api/pkg/initialize"
+	"code.vikunja.io/api/pkg/log"
+	"code.vikunja.io/api/pkg/modules/dump"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(restoreCmd)
+}
+
+var restoreCmd = &cobra.Command{
+	Use:   "restore [filename]",
+	Short: "Restores all vikunja data from a vikunja dump.",
+	Args:  cobra.ExactArgs(1),
+	PreRun: func(cmd *cobra.Command, args []string) {
+		initialize.FullInit()
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		if err := dump.Restore(args[0]); err != nil {
+			log.Critical(err.Error())
+		}
+	},
+}
--- a/pkg/cmd/testmail.go
+++ b/pkg/cmd/testmail.go
@@ -0,0 +1,49 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"code.vikunja.io/api/pkg/initialize"
+	"code.vikunja.io/api/pkg/log"
+	"code.vikunja.io/api/pkg/mail"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(testmailCmd)
+}
+
+var testmailCmd = &cobra.Command{
+	Use:   "testmail [email]",
+	Short: "Send a test mail using the configured smtp connection",
+	Args:  cobra.ExactArgs(1),
+	PreRun: func(cmd *cobra.Command, args []string) {
+		initialize.LightInit()
+
+		// Start the mail daemon
+		mail.StartMailDaemon()
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		log.Info("Sending testmail...")
+		email := args[0]
+		if err := mail.SendTestMail(email); err != nil {
+			log.Errorf("Error sending test mail: %s", err.Error())
+			return
+		}
+		log.Info("Testmail successfully sent.")
+	},
+}
--- a/pkg/cmd/version.go
+++ b/pkg/cmd/version.go
@@ -1,24 +1,26 @@
-//   Vikunja is a todo-list application to facilitate your life.
-//   Copyright 2019 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//   This program is free software: you can redistribute it and/or modify
-//   it under the terms of the GNU General Public License as published by
-//   the Free Software Foundation, either version 3 of the License, or
-//   (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//   This program is distributed in the hope that it will be useful,
-//   but WITHOUT ANY WARRANTY; without even the implied warranty of
-//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//   GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//   You should have received a copy of the GNU General Public License
-//   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package cmd

 import (
+	"code.vikunja.io/api/pkg/version"
 	"fmt"
 	"github.com/spf13/cobra"
+	"runtime"
 )

 func init() {
@@ -29,6 +31,7 @@ var versionCmd = &cobra.Command{
 	Use:   "version",
 	Short: "Print the version number of Vikunja",
 	Run: func(cmd *cobra.Command, args []string) {
-		fmt.Println("Vikunja api version " + Version)
+		fmt.Printf("Vikunja api version %s\n", version.Version)
+		fmt.Printf("Built with %s\n", runtime.Version())
 	},
 }
--- a/pkg/cmd/web.go
+++ b/pkg/cmd/web.go
@@ -1,32 +1,30 @@
-//   Vikunja is a todo-list application to facilitate your life.
-//   Copyright 2019 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//   This program is free software: you can redistribute it and/or modify
-//   it under the terms of the GNU General Public License as published by
-//   the Free Software Foundation, either version 3 of the License, or
-//   (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//   This program is distributed in the hope that it will be useful,
-//   but WITHOUT ANY WARRANTY; without even the implied warranty of
-//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//   GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//   You should have received a copy of the GNU General Public License
-//   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package cmd

 import (
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/api/pkg/initialize"
 	"code.vikunja.io/api/pkg/log"
-	"code.vikunja.io/api/pkg/mail"
-	"code.vikunja.io/api/pkg/migration"
-	"code.vikunja.io/api/pkg/models"
 	"code.vikunja.io/api/pkg/routes"
 	"code.vikunja.io/api/pkg/swagger"
+	"code.vikunja.io/api/pkg/version"
 	"context"
-	"fmt"
 	"github.com/spf13/cobra"
-	"github.com/spf13/viper"
 	"os"
 	"os/signal"
 	"time"
@@ -39,35 +37,23 @@ func init() {
 var webCmd = &cobra.Command{
 	Use:   "web",
 	Short: "Starts the rest api web server",
+	PreRun: func(cmd *cobra.Command, args []string) {
+		initialize.FullInit()
+	},
 	Run: func(cmd *cobra.Command, args []string) {

-		// Set logger
-		log.InitLogger()
-
-		// Run the migrations
-		migration.Migrate(nil)
-
-		// Set Engine
-		err := models.SetEngine()
-		if err != nil {
-			log.Log.Fatal(err.Error())
-		}
-
-		// Start the mail daemon
-		mail.StartMailDaemon()
-
 		// Version notification
-		fmt.Printf("Vikunja version %s\n", Version)
+		log.Infof("Vikunja version %s", version.Version)

 		// Additional swagger information
-		swagger.SwaggerInfo.Version = Version
+		swagger.SwaggerInfo.Version = version.Version

 		// Start the webserver
 		e := routes.NewEcho()
 		routes.RegisterRoutes(e)
 		// Start server
 		go func() {
-			if err := e.Start(viper.GetString("service.interface")); err != nil {
+			if err := e.Start(config.ServiceInterface.GetString()); err != nil {
 				e.Logger.Info("shutting down...")
 			}
 		}()
@@ -79,7 +65,7 @@ var webCmd = &cobra.Command{
 		<-quit
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()
-		log.Log.Infof("Shutting down...")
+		log.Infof("Shutting down...")
 		if err := e.Shutdown(ctx); err != nil {
 			e.Logger.Fatal(err)
 		}
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -1,89 +1,286 @@
-//  Vikunja is a todo-list application to facilitate your life.
-//  Copyright 2018 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//  This program is free software: you can redistribute it and/or modify
-//  it under the terms of the GNU General Public License as published by
-//  the Free Software Foundation, either version 3 of the License, or
-//  (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//  This program is distributed in the hope that it will be useful,
-//  but WITHOUT ANY WARRANTY; without even the implied warranty of
-//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//  GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//  You should have received a copy of the GNU General Public License
-//  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package config

 import (
-	"code.vikunja.io/api/pkg/log"
 	"crypto/rand"
 	"fmt"
-	"github.com/spf13/viper"
+	"log"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
+	"time"
+
+	"4d63.com/tz"
+	"github.com/spf13/viper"
 )

-// InitConfig initializes the config, sets defaults etc.
-func InitConfig() {
+// Key is used as a config key
+type Key string

-	// Set defaults
+// These constants hold all config value keys
+const (
+	// #nosec
+	ServiceJWTSecret             Key = `service.JWTSecret`
+	ServiceInterface             Key = `service.interface`
+	ServiceFrontendurl           Key = `service.frontendurl`
+	ServiceEnableCaldav          Key = `service.enablecaldav`
+	ServiceRootpath              Key = `service.rootpath`
+	ServiceMaxItemsPerPage       Key = `service.maxitemsperpage`
+	ServiceEnableMetrics         Key = `service.enablemetrics`
+	ServiceMotd                  Key = `service.motd`
+	ServiceEnableLinkSharing     Key = `service.enablelinksharing`
+	ServiceEnableRegistration    Key = `service.enableregistration`
+	ServiceEnableTaskAttachments Key = `service.enabletaskattachments`
+	ServiceTimeZone              Key = `service.timezone`
+	ServiceEnableTaskComments    Key = `service.enabletaskcomments`
+	ServiceEnableTotp            Key = `service.enabletotp`
+	ServiceSentryDsn             Key = `service.sentrydsn`
+
+	DatabaseType                  Key = `database.type`
+	DatabaseHost                  Key = `database.host`
+	DatabaseUser                  Key = `database.user`
+	DatabasePassword              Key = `database.password`
+	DatabaseDatabase              Key = `database.database`
+	DatabasePath                  Key = `database.path`
+	DatabaseMaxOpenConnections    Key = `database.maxopenconnections`
+	DatabaseMaxIdleConnections    Key = `database.maxidleconnections`
+	DatabaseMaxConnectionLifetime Key = `database.maxconnectionlifetime`
+	DatabaseSslMode               Key = `database.sslmode`
+
+	CacheEnabled        Key = `cache.enabled`
+	CacheType           Key = `cache.type`
+	CacheMaxElementSize Key = `cache.maxelementsize`
+
+	MailerEnabled       Key = `mailer.enabled`
+	MailerHost          Key = `mailer.host`
+	MailerPort          Key = `mailer.port`
+	MailerUsername      Key = `mailer.username`
+	MailerPassword      Key = `mailer.password`
+	MailerSkipTLSVerify Key = `mailer.skiptlsverify`
+	MailerFromEmail     Key = `mailer.fromemail`
+	MailerQueuelength   Key = `mailer.queuelength`
+	MailerQueueTimeout  Key = `mailer.queuetimeout`
+
+	RedisEnabled  Key = `redis.enabled`
+	RedisHost     Key = `redis.host`
+	RedisPassword Key = `redis.password`
+	RedisDB       Key = `redis.db`
+
+	LogEnabled       Key = `log.enabled`
+	LogStandard      Key = `log.standard`
+	LogLevel         Key = `log.level`
+	LogDatabase      Key = `log.database`
+	LogDatabaseLevel Key = `log.databaselevel`
+	LogHTTP          Key = `log.http`
+	LogEcho          Key = `log.echo`
+	LogPath          Key = `log.path`
+
+	RateLimitEnabled Key = `ratelimit.enabled`
+	RateLimitKind    Key = `ratelimit.kind`
+	RateLimitPeriod  Key = `ratelimit.period`
+	RateLimitLimit   Key = `ratelimit.limit`
+	RateLimitStore   Key = `ratelimit.store`
+
+	FilesBasePath Key = `files.basepath`
+	FilesMaxSize  Key = `files.maxsize`
+
+	MigrationWunderlistEnable       Key = `migration.wunderlist.enable`
+	MigrationWunderlistClientID     Key = `migration.wunderlist.clientid`
+	MigrationWunderlistClientSecret Key = `migration.wunderlist.clientsecret`
+	MigrationWunderlistRedirectURL  Key = `migration.wunderlist.redirecturl`
+	MigrationTodoistEnable          Key = `migration.todoist.enable`
+	MigrationTodoistClientID        Key = `migration.todoist.clientid`
+	MigrationTodoistClientSecret    Key = `migration.todoist.clientsecret`
+	MigrationTodoistRedirectURL     Key = `migration.todoist.redirecturl`
+
+	CorsEnable  Key = `cors.enable`
+	CorsOrigins Key = `cors.origins`
+	CorsMaxAge  Key = `cors.maxage`
+
+	AvatarProvider           Key = `avatar.provider`
+	AvatarGravaterExpiration Key = `avatar.gravatarexpiration`
+
+	BackgroundsEnabled               Key = `backgrounds.enabled`
+	BackgroundsUploadEnabled         Key = `backgrounds.providers.upload.enabled`
+	BackgroundsUnsplashEnabled       Key = `backgrounds.providers.unsplash.enabled`
+	BackgroundsUnsplashAccessToken   Key = `backgrounds.providers.unsplash.accesstoken`
+	BackgroundsUnsplashApplicationID Key = `backgrounds.providers.unsplash.applicationid`
+)
+
+// GetString returns a string config value
+func (k Key) GetString() string {
+	return viper.GetString(string(k))
+}
+
+// GetBool returns a bool config value
+func (k Key) GetBool() bool {
+	return viper.GetBool(string(k))
+}
+
+// GetInt returns an int config value
+func (k Key) GetInt() int {
+	return viper.GetInt(string(k))
+}
+
+// GetInt64 returns an int64 config value
+func (k Key) GetInt64() int64 {
+	return viper.GetInt64(string(k))
+}
+
+// GetDuration returns a duration config value
+func (k Key) GetDuration() time.Duration {
+	return viper.GetDuration(string(k))
+}
+
+// GetStringSlice returns a string slice from a config option
+func (k Key) GetStringSlice() []string {
+	return viper.GetStringSlice(string(k))
+}
+
+var timezone *time.Location
+
+// GetTimeZone returns the time zone configured for vikunja
+// It is a separate function and not done through viper because that makes handling
+// it way easier, especially when testing.
+func GetTimeZone() *time.Location {
+	if timezone == nil {
+		loc, err := tz.LoadLocation(ServiceTimeZone.GetString())
+		if err != nil {
+			fmt.Printf("Error parsing time zone: %s", err)
+			os.Exit(1)
+		}
+		timezone = loc
+	}
+	return timezone
+}
+
+// Set sets a value
+func (k Key) Set(i interface{}) {
+	viper.Set(string(k), i)
+}
+
+// sets the default config value
+func (k Key) setDefault(i interface{}) {
+	viper.SetDefault(string(k), i)
+}
+
+// InitDefaultConfig sets default config values
+// This is an extra function so we can call it when initializing tests without initializing the full config
+func InitDefaultConfig() {
 	// Service config
 	random, err := random(32)
 	if err != nil {
-		log.Log.Fatal(err.Error())
+		log.Fatal(err.Error())
 	}

 	// Service
-	viper.SetDefault("service.JWTSecret", random)
-	viper.SetDefault("service.interface", ":3456")
-	viper.SetDefault("service.frontendurl", "")
+	ServiceJWTSecret.setDefault(random)
+	ServiceInterface.setDefault(":3456")
+	ServiceFrontendurl.setDefault("")
+	ServiceEnableCaldav.setDefault(true)

 	ex, err := os.Executable()
 	if err != nil {
 		panic(err)
 	}
 	exPath := filepath.Dir(ex)
-	viper.SetDefault("service.rootpath", exPath)
-	viper.SetDefault("service.pagecount", 50)
-	viper.SetDefault("service.enablemetrics", false)
+	ServiceRootpath.setDefault(exPath)
+	ServiceMaxItemsPerPage.setDefault(50)
+	ServiceEnableMetrics.setDefault(false)
+	ServiceMotd.setDefault("")
+	ServiceEnableLinkSharing.setDefault(true)
+	ServiceEnableRegistration.setDefault(true)
+	ServiceEnableTaskAttachments.setDefault(true)
+	ServiceTimeZone.setDefault("GMT")
+	ServiceEnableTaskComments.setDefault(true)
+	ServiceEnableTotp.setDefault(true)
+
 	// Database
-	viper.SetDefault("database.type", "sqlite")
-	viper.SetDefault("database.host", "localhost")
-	viper.SetDefault("database.user", "vikunja")
-	viper.SetDefault("database.password", "")
-	viper.SetDefault("database.database", "vikunja")
-	viper.SetDefault("database.path", "./vikunja.db")
-	viper.SetDefault("database.openconnections", 100)
+	DatabaseType.setDefault("sqlite")
+	DatabaseHost.setDefault("localhost")
+	DatabaseUser.setDefault("vikunja")
+	DatabasePassword.setDefault("")
+	DatabaseDatabase.setDefault("vikunja")
+	DatabasePath.setDefault("./vikunja.db")
+	DatabaseMaxOpenConnections.setDefault(100)
+	DatabaseMaxIdleConnections.setDefault(50)
+	DatabaseMaxConnectionLifetime.setDefault(10000)
+	DatabaseSslMode.setDefault("disable")
+
 	// Cacher
-	viper.SetDefault("cache.enabled", false)
-	viper.SetDefault("cache.type", "memory")
-	viper.SetDefault("cache.maxelementsize", 1000)
+	CacheEnabled.setDefault(false)
+	CacheType.setDefault("memory")
+	CacheMaxElementSize.setDefault(1000)
 	// Mailer
-	viper.SetDefault("mailer.enabled", false)
-	viper.SetDefault("mailer.host", "")
-	viper.SetDefault("mailer.port", "587")
-	viper.SetDefault("mailer.user", "user")
-	viper.SetDefault("mailer.password", "")
-	viper.SetDefault("mailer.skiptlsverify", false)
-	viper.SetDefault("mailer.fromemail", "mail@vikunja")
-	viper.SetDefault("mailer.queuelength", 100)
-	viper.SetDefault("mailer.queuetimeout", 30)
+	MailerEnabled.setDefault(false)
+	MailerHost.setDefault("")
+	MailerPort.setDefault("587")
+	MailerUsername.setDefault("user")
+	MailerPassword.setDefault("")
+	MailerSkipTLSVerify.setDefault(false)
+	MailerFromEmail.setDefault("mail@vikunja")
+	MailerQueuelength.setDefault(100)
+	MailerQueueTimeout.setDefault(30)
 	// Redis
-	viper.SetDefault("redis.enabled", false)
-	viper.SetDefault("redis.host", "localhost:6379")
-	viper.SetDefault("redis.password", "")
-	viper.SetDefault("redis.db", 0)
+	RedisEnabled.setDefault(false)
+	RedisHost.setDefault("localhost:6379")
+	RedisPassword.setDefault("")
+	RedisDB.setDefault(0)
 	// Logger
-	viper.SetDefault("log.enabled", true)
-	viper.SetDefault("log.errors", "stdout")
-	viper.SetDefault("log.standard", "stdout")
-	viper.SetDefault("log.database", "off")
-	viper.SetDefault("log.http", "stdout")
-	viper.SetDefault("log.echo", "off")
-	viper.SetDefault("log.path", viper.GetString("service.rootpath")+"/logs")
+	LogEnabled.setDefault(true)
+	LogStandard.setDefault("stdout")
+	LogLevel.setDefault("INFO")
+	LogDatabase.setDefault("off")
+	LogDatabaseLevel.setDefault("WARNING")
+	LogHTTP.setDefault("stdout")
+	LogEcho.setDefault("off")
+	LogPath.setDefault(ServiceRootpath.GetString() + "/logs")
+	// Rate Limit
+	RateLimitEnabled.setDefault(false)
+	RateLimitKind.setDefault("user")
+	RateLimitLimit.setDefault(100)
+	RateLimitPeriod.setDefault(60)
+	RateLimitStore.setDefault("memory")
+	// Files
+	FilesBasePath.setDefault("files")
+	FilesMaxSize.setDefault("20MB")
+	// Cors
+	CorsEnable.setDefault(true)
+	CorsOrigins.setDefault([]string{"*"})
+	CorsMaxAge.setDefault(0)
+	// Migration
+	MigrationWunderlistEnable.setDefault(false)
+	MigrationTodoistEnable.setDefault(false)
+	// Avatar
+	AvatarProvider.setDefault("gravatar")
+	AvatarGravaterExpiration.setDefault(3600)
+	// List Backgrounds
+	BackgroundsEnabled.setDefault(true)
+	BackgroundsUploadEnabled.setDefault(true)
+	BackgroundsUnsplashEnabled.setDefault(false)
+}
+
+// InitConfig initializes the config, sets defaults etc.
+func InitConfig() {
+
+	// Set defaults
+	InitDefaultConfig()

 	// Init checking for environment variables
 	viper.SetEnvPrefix("vikunja")
@@ -91,16 +288,26 @@ func InitConfig() {
 	viper.AutomaticEnv()

 	// Load the config file
-	viper.AddConfigPath(viper.GetString("service.rootpath"))
+	viper.AddConfigPath(ServiceRootpath.GetString())
 	viper.AddConfigPath("/etc/vikunja/")
-	viper.AddConfigPath("~/.config/vikunja")
+
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		log.Printf("No home directory found, not using config from ~/.config/vikunja/. Error was: %s\n", err.Error())
+	} else {
+		viper.AddConfigPath(path.Join(homeDir, ".config", "vikunja"))
+	}
+
 	viper.AddConfigPath(".")
 	viper.SetConfigName("config")
 	err = viper.ReadInConfig()
 	if err != nil {
-		log.Log.Info(err)
-		log.Log.Info("Using defaults.")
+		log.Println(err.Error())
+		log.Println("Using default config.")
+		return
 	}
+
+	log.Printf("Using config file: %s", viper.ConfigFileUsed())
 }

 func random(length int) (string, error) {
--- a/pkg/db/db.go
+++ b/pkg/db/db.go
@@ -1,78 +1,211 @@
-//  Vikunja is a todo-list application to facilitate your life.
-//  Copyright 2019 Vikunja and contributors. All rights reserved.
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
 //
-//  This program is free software: you can redistribute it and/or modify
-//  it under the terms of the GNU General Public License as published by
-//  the Free Software Foundation, either version 3 of the License, or
-//  (at your option) any later version.
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
 //
-//  This program is distributed in the hope that it will be useful,
-//  but WITHOUT ANY WARRANTY; without even the implied warranty of
-//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//  GNU General Public License for more details.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
 //
-//  You should have received a copy of the GNU General Public License
-//  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.

 package db

 import (
 	"code.vikunja.io/api/pkg/config"
 	"code.vikunja.io/api/pkg/log"
+	"encoding/gob"
 	"fmt"
-	"github.com/go-xorm/core"
-	"github.com/go-xorm/xorm"
-	"github.com/spf13/viper"
+	xrc "gitea.com/xorm/xorm-redis-cache"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+	"xorm.io/core"
+	"xorm.io/xorm"
+	"xorm.io/xorm/caches"

 	_ "github.com/go-sql-driver/mysql" // Because.
+	_ "github.com/lib/pq"              // Because.
 	_ "github.com/mattn/go-sqlite3"    // Because.
 )

+// We only want one instance of the engine, so we can reate it once and reuse it
+var x *xorm.Engine
+
 // CreateDBEngine initializes a db engine from the config
 func CreateDBEngine() (engine *xorm.Engine, err error) {
+
+	if x != nil {
+		return x, nil
+	}
+
 	// If the database type is not set, this likely means we need to initialize the config first
-	if viper.GetString("database.type") == "" {
+	if config.DatabaseType.GetString() == "" {
 		config.InitConfig()
 	}

 	// Use Mysql if set
-	if viper.GetString("database.type") == "mysql" {
+	if config.DatabaseType.GetString() == "mysql" {
 		engine, err = initMysqlEngine()
 		if err != nil {
 			return
 		}
-	} else {
+	} else if config.DatabaseType.GetString() == "postgres" {
+		engine, err = initPostgresEngine()
+		if err != nil {
+			return
+		}
+	} else if config.DatabaseType.GetString() == "sqlite" {
 		// Otherwise use sqlite
 		engine, err = initSqliteEngine()
 		if err != nil {
 			return
 		}
+	} else {
+		log.Fatalf("Unknown database type %s", config.DatabaseType.GetString())
 	}

+	engine.SetTZLocation(config.GetTimeZone()) // Vikunja's timezone
+	loc, err := time.LoadLocation("GMT")       // The db data timezone
+	if err != nil {
+		log.Fatalf("Error parsing time zone: %s", err)
+	}
+	engine.SetTZDatabase(loc)
 	engine.SetMapper(core.GonicMapper{})
-	engine.ShowSQL(viper.GetString("log.database") != "off")
-	engine.SetLogger(xorm.NewSimpleLogger(log.GetLogWriter("database")))
+	logger := log.NewXormLogger("")
+	engine.SetLogger(logger)

+	// Cache
+	// We have to initialize the cache here to avoid import cycles
+	if config.CacheEnabled.GetBool() {
+		switch config.CacheType.GetString() {
+		case "memory":
+			cacher := caches.NewLRUCacher(caches.NewMemoryStore(), config.CacheMaxElementSize.GetInt())
+			engine.SetDefaultCacher(cacher)
+		case "redis":
+			cacher := xrc.NewRedisCacher(config.RedisEnabled.GetString(), config.RedisPassword.GetString(), xrc.DEFAULT_EXPIRATION, engine.Logger())
+			engine.SetDefaultCacher(cacher)
+		default:
+			log.Info("Did not find a valid cache type. Caching disabled. Please refer to the docs for poosible cache types.")
+		}
+	}
+
+	x = engine
 	return
 }

+// RegisterTableStructsForCache registers tables in gob encoding for redis cache
+func RegisterTableStructsForCache(val interface{}) {
+	gob.Register(val)
+}
+
 func initMysqlEngine() (engine *xorm.Engine, err error) {
+	// We're using utf8mb here instead of just utf8 because we want to use non-BMP characters.
+	// See https://stackoverflow.com/a/30074553/10924593 for more info.
 	connStr := fmt.Sprintf(
-		"%s:%s@tcp(%s)/%s?charset=utf8&parseTime=true",
-		viper.GetString("database.user"),
-		viper.GetString("database.password"),
-		viper.GetString("database.host"),
-		viper.GetString("database.database"))
+		"%s:%s@tcp(%s)/%s?charset=utf8mb4&parseTime=true",
+		config.DatabaseUser.GetString(),
+		config.DatabasePassword.GetString(),
+		config.DatabaseHost.GetString(),
+		config.DatabaseDatabase.GetString())
 	engine, err = xorm.NewEngine("mysql", connStr)
-	engine.SetMaxOpenConns(viper.GetInt("database.openconnections"))
+	if err != nil {
+		return
+	}
+	engine.SetMaxOpenConns(config.DatabaseMaxOpenConnections.GetInt())
+	engine.SetMaxIdleConns(config.DatabaseMaxIdleConnections.GetInt())
+	max, err := time.ParseDuration(strconv.Itoa(config.DatabaseMaxConnectionLifetime.GetInt()) + `ms`)
+	if err != nil {
+		return
+	}
+	engine.SetConnMaxLifetime(max)
+	return
+}
+
+// parsePostgreSQLHostPort parses given input in various forms defined in
+// https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+// and returns proper host and port number.
+func parsePostgreSQLHostPort(info string) (string, string) {
+	host, port := "127.0.0.1", "5432"
+	if strings.Contains(info, ":") && !strings.HasSuffix(info, "]") {
+		idx := strings.LastIndex(info, ":")
+		host = info[:idx]
+		port = info[idx+1:]
+	} else if len(info) > 0 {
+		host = info
+	}
+	return host, port
+}
+
+func initPostgresEngine() (engine *xorm.Engine, err error) {
+	host, port := parsePostgreSQLHostPort(config.DatabaseHost.GetString())
+	connStr := fmt.Sprintf("host=%s port=%s user=%s password=%s dbname=%s sslmode=%s",
+		host,
+		port,
+		url.PathEscape(config.DatabaseUser.GetString()),
+		url.PathEscape(config.DatabasePassword.GetString()),
+		config.DatabaseDatabase.GetString(),
+		config.DatabaseSslMode.GetString(),
+	)
+
+	engine, err = xorm.NewEngine("postgres", connStr)
+	if err != nil {
+		return
+	}
+	engine.SetMaxOpenConns(config.DatabaseMaxOpenConnections.GetInt())
+	engine.SetMaxIdleConns(config.DatabaseMaxIdleConnections.GetInt())
+	max, err := time.ParseDuration(strconv.Itoa(config.DatabaseMaxConnectionLifetime.GetInt()) + `ms`)
+	if err != nil {
+		return
+	}
+	engine.SetConnMaxLifetime(max)
 	return
 }

 func initSqliteEngine() (engine *xorm.Engine, err error) {
-	path := viper.GetString("database.path")
+	path := config.DatabasePath.GetString()
 	if path == "" {
 		path = "./db.db"
 	}

+	// Try opening the db file to return a better error message if that does not work
+	var exists = true
+	if _, err := os.Stat(path); err != nil {
+		exists = !os.IsNotExist(err)
+	}
+	file, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE, 0)
+	if err != nil {
+		return nil, fmt.Errorf("could not open database file [uid=%d, gid=%d]: %s", os.Getuid(), os.Getgid(), err)
+	}
+	_ = file.Close() // We directly close the file because we only want to check if it is writable. It will be reopened lazily later by xorm.
+
+	if !exists {
+		_ = os.Remove(path) // Remove the file to not prevent the db from creating another one
+	}
+
 	return xorm.NewEngine("sqlite3", path)
 }
+
+// WipeEverything wipes all tables and their data. Use with caution...
+func WipeEverything() error {
+
+	tables, err := x.DBMetas()
+	if err != nil {
+		return err
+	}
+
+	for _, t := range tables {
+		if err := x.DropTables(t.Name); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/pkg/db/dump.go
+++ b/pkg/db/dump.go
@@ -0,0 +1,54 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package db
+
+import "encoding/json"
+
+// Dump dumps all database tables
+func Dump() (data map[string][]byte, err error) {
+	tables, err := x.DBMetas()
+	if err != nil {
+		return
+	}
+
+	data = make(map[string][]byte, len(tables))
+	for _, table := range tables {
+		entries := []map[string]interface{}{}
+		err := x.Table(table.Name).Find(&entries)
+		if err != nil {
+			return nil, err
+		}
+		data[table.Name], err = json.Marshal(entries)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return
+}
+
+// Restore restores a table with all its entries
+func Restore(table string, contents []map[string]interface{}) (err error) {
+
+	for _, content := range contents {
+		if _, err := x.Table(table).Insert(content); err != nil {
+			return err
+		}
+	}
+
+	return
+}
--- a/pkg/db/fixtures/buckets.yml
+++ b/pkg/db/fixtures/buckets.yml
@@ -0,0 +1,207 @@
+- id: 1
+  title: testbucket1
+  list_id: 1
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 2
+  title: testbucket2
+  list_id: 1
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 3
+  title: testbucket3
+  list_id: 1
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 4
+  title: testbucket4 - other list
+  list_id: 2
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+# The following are not or only partly owned by user 1
+- id: 5
+  title: testbucket5
+  list_id: 20
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 6
+  title: testbucket6
+  list_id: 6
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 7
+  title: testbucket7
+  list_id: 7
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 8
+  title: testbucket8
+  list_id: 8
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 9
+  title: testbucket9
+  list_id: 9
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 10
+  title: testbucket10
+  list_id: 10
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 11
+  title: testbucket11
+  list_id: 11
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 12
+  title: testbucket13
+  list_id: 12
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 13
+  title: testbucket13
+  list_id: 13
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 14
+  title: testbucket14
+  list_id: 14
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 15
+  title: testbucket15
+  list_id: 15
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 16
+  title: testbucket16
+  list_id: 16
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 17
+  title: testbucket17
+  list_id: 17
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 18
+  title: testbucket18
+  list_id: 5
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 19
+  title: testbucket19
+  list_id: 21
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 20
+  title: testbucket20
+  list_id: 22
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 21
+  title: testbucket21
+  list_id: 3
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+# Duplicate buckets to make deletion of one of them possible
+- id: 22
+  title: testbucket22
+  list_id: 6
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 23
+  title: testbucket23
+  list_id: 7
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 24
+  title: testbucket24
+  list_id: 8
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 25
+  title: testbucket25
+  list_id: 9
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 26
+  title: testbucket26
+  list_id: 10
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 27
+  title: testbucket27
+  list_id: 11
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 28
+  title: testbucket28
+  list_id: 12
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 29
+  title: testbucket29
+  list_id: 13
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 30
+  title: testbucket30
+  list_id: 14
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 31
+  title: testbucket31
+  list_id: 15
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 32
+  title: testbucket32
+  list_id: 16
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+- id: 33
+  title: testbucket33
+  list_id: 17
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
+# This bucket is the last one in its list
+- id: 34
+  title: testbucket34
+  list_id: 18
+  created_by_id: 1
+  created: 2020-04-18 21:13:52
+  updated: 2020-04-18 21:13:52
--- a/pkg/db/fixtures/files.yml
+++ b/pkg/db/fixtures/files.yml
@@ -0,0 +1,5 @@
+- id: 1
+  name: test
+  size: 100
+  created: 2019-10-13 20:33:11
+  created_by_id: 1
--- a/pkg/db/fixtures/label_task.yml
+++ b/pkg/db/fixtures/label_task.yml
@@ -0,0 +1,16 @@
+- id: 1
+  task_id: 1
+  label_id: 4
+  created: 2018-12-01 15:13:12
+- id: 2
+  task_id: 2
+  label_id: 4
+  created: 2018-12-01 15:13:12
+- id: 3
+  task_id: 35
+  label_id: 4
+  created: 2018-12-01 15:13:12
+- id: 4
+  task_id: 36
+  label_id: 4
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/labels.yml
+++ b/pkg/db/fixtures/labels.yml
@@ -0,0 +1,20 @@
+- id: 1
+  title: 'Label #1'
+  created_by_id: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 2
+  title: 'Label #2'
+  created_by_id: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 3
+  title: 'Label #3 - other user'
+  created_by_id: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 4
+  title: 'Label #4 - visible via other task'
+  created_by_id: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/link_sharing.yml
+++ b/pkg/db/fixtures/link_sharing.yml
@@ -0,0 +1,24 @@
+- id: 1
+  hash: test
+  list_id: 1
+  right: 0
+  sharing_type: 1
+  shared_by_id: 1
+  created: 2018-12-01 15:13:12
+  updated: 2018-12-02 15:13:12
+- id: 2
+  hash: test2
+  list_id: 2
+  right: 1
+  sharing_type: 1
+  shared_by_id: 1
+  created: 2018-12-01 15:13:12
+  updated: 2018-12-02 15:13:12
+- id: 3
+  hash: test3
+  list_id: 3
+  right: 2
+  sharing_type: 1
+  shared_by_id: 1
+  created: 2018-12-01 15:13:12
+  updated: 2018-12-02 15:13:12
--- a/pkg/db/fixtures/list.yml
+++ b/pkg/db/fixtures/list.yml
@@ -0,0 +1,201 @@
+-
+  id: 1
+  title: Test1
+  description: Lorem Ipsum
+  identifier: test1
+  owner_id: 1
+  namespace_id: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 2
+  title: Test2
+  description: Lorem Ipsum
+  identifier: test2
+  owner_id: 3
+  namespace_id: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 3
+  title: Test3
+  description: Lorem Ipsum
+  identifier: test3
+  owner_id: 3
+  namespace_id: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 4
+  title: Test4
+  description: Lorem Ipsum
+  identifier: test4
+  owner_id: 3
+  namespace_id: 3
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 5
+  title: Test5
+  description: Lorem Ipsum
+  identifier: test5
+  owner_id: 5
+  namespace_id: 5
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 6
+  title: Test6
+  description: Lorem Ipsum
+  identifier: test6
+  owner_id: 6
+  namespace_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 7
+  title: Test7
+  description: Lorem Ipsum
+  identifier: test7
+  owner_id: 6
+  namespace_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 8
+  title: Test8
+  description: Lorem Ipsum
+  identifier: test8
+  owner_id: 6
+  namespace_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 9
+  title: Test9
+  description: Lorem Ipsum
+  identifier: test9
+  owner_id: 6
+  namespace_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 10
+  title: Test10
+  description: Lorem Ipsum
+  identifier: test10
+  owner_id: 6
+  namespace_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 11
+  title: Test11
+  description: Lorem Ipsum
+  identifier: test11
+  owner_id: 6
+  namespace_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 12
+  title: Test12
+  description: Lorem Ipsum
+  identifier: test12
+  owner_id: 6
+  namespace_id: 7
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 13
+  title: Test13
+  description: Lorem Ipsum
+  identifier: test13
+  owner_id: 6
+  namespace_id: 8
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 14
+  title: Test14
+  description: Lorem Ipsum
+  identifier: test14
+  owner_id: 6
+  namespace_id: 9
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 15
+  title: Test15
+  description: Lorem Ipsum
+  identifier: test15
+  owner_id: 6
+  namespace_id: 10
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 16
+  title: Test16
+  description: Lorem Ipsum
+  identifier: test16
+  owner_id: 6
+  namespace_id: 11
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 17
+  title: Test17
+  description: Lorem Ipsum
+  identifier: test17
+  owner_id: 6
+  namespace_id: 12
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+# This list is owned by user 7, and several other users have access to it via different methods.
+# It is used to test the listUsers method.
+-
+  id: 18
+  title: Test18
+  description: Lorem Ipsum
+  identifier: test18
+  owner_id: 7
+  namespace_id: 13
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 19
+  title: Test19
+  description: Lorem Ipsum
+  identifier: test19
+  owner_id: 7
+  namespace_id: 14
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 20
+  title: Test20
+  description: Lorem Ipsum
+  identifier: test20
+  owner_id: 13
+  namespace_id: 15
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 21
+  title: Test21 archived through namespace
+  description: Lorem Ipsum
+  identifier: test21
+  owner_id: 1
+  namespace_id: 16
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 22
+  title: Test22 archived individually
+  description: Lorem Ipsum
+  identifier: test22
+  owner_id: 1
+  namespace_id: 1
+  is_archived: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/namespaces.yml
+++ b/pkg/db/fixtures/namespaces.yml
@@ -0,0 +1,84 @@
+- id: 1
+  title: testnamespace
+  description: Lorem Ipsum
+  owner_id: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 2
+  title: testnamespace2
+  description: Lorem Ipsum
+  owner_id: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 3
+  title: testnamespace3
+  description: Lorem Ipsum
+  owner_id: 3
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 6
+  title: testnamespace6
+  description: Lorem Ipsum
+  owner_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 7
+  title: testnamespace7
+  description: Lorem Ipsum
+  owner_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 8
+  title: testnamespace8
+  description: Lorem Ipsum
+  owner_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 9
+  title: testnamespace9
+  description: Lorem Ipsum
+  owner_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 10
+  title: testnamespace10
+  description: Lorem Ipsum
+  owner_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 11
+  title: testnamespace11
+  description: Lorem Ipsum
+  owner_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 12
+  title: testnamespace12
+  description: Lorem Ipsum
+  owner_id: 6
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 13
+  title: testnamespace13
+  description: Lorem Ipsum
+  owner_id: 7
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 14
+  title: testnamespace14
+  description: Lorem Ipsum
+  owner_id: 7
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 15
+  title: testnamespace15
+  description: Lorem Ipsum
+  owner_id: 13
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 16
+  title: Archived testnamespace16
+  owner_id: 1
+  is_archived: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/task_assignees.yml
+++ b/pkg/db/fixtures/task_assignees.yml
@@ -0,0 +1,16 @@
+- id: 1
+  task_id: 30
+  user_id: 1
+  created: 2018-12-01 15:13:12
+- id: 2
+  task_id: 30
+  user_id: 2
+  created: 2018-12-01 15:13:12
+- id: 3
+  task_id: 35
+  user_id: 2
+  created: 2018-12-01 15:13:12
+- id: 4
+  task_id: 36
+  user_id: 2
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/task_attachments.yml
+++ b/pkg/db/fixtures/task_attachments.yml
@@ -0,0 +1,11 @@
+- id: 1
+  task_id: 1
+  file_id: 1
+  created_by_id: 1
+  created: 2018-12-01 15:13:12
+# The file for this attachment does not exist
+- id: 2
+  task_id: 1
+  file_id: 9999
+  created_by_id: 1
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/task_comments.yml
+++ b/pkg/db/fixtures/task_comments.yml
@@ -0,0 +1,96 @@
+- id: 1
+  comment: Lorem Ipsum Dolor Sit Amet
+  author_id: 1
+  task_id: 1
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 2
+  comment: comment 2
+  author_id: 5
+  task_id: 14
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 3
+  comment: comment 3
+  author_id: 5
+  task_id: 15
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 4
+  comment: comment 4
+  author_id: 6
+  task_id: 16
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 5
+  comment: comment 5
+  author_id: 6
+  task_id: 17
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 6
+  comment: comment 6
+  author_id: 6
+  task_id: 18
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 7
+  comment: comment 7
+  author_id: 6
+  task_id: 19
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 8
+  comment: comment 8
+  author_id: 6
+  task_id: 20
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 9
+  comment: comment 9
+  author_id: 6
+  task_id: 21
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 10
+  comment: comment 10
+  author_id: 6
+  task_id: 22
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 11
+  comment: comment 11
+  author_id: 6
+  task_id: 23
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 12
+  comment: comment 12
+  author_id: 6
+  task_id: 24
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 13
+  comment: comment 13
+  author_id: 6
+  task_id: 25
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 14
+  comment: comment 14
+  author_id: 6
+  task_id: 26
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 15
+  comment: comment 15
+  author_id: 1
+  task_id: 35
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
+- id: 16
+  comment: comment 16
+  author_id: 1
+  task_id: 36
+  created: 2020-02-19 18:07:06
+  updated: 2020-02-19 18:07:06
--- a/pkg/db/fixtures/task_relations.yml
+++ b/pkg/db/fixtures/task_relations.yml
@@ -0,0 +1,36 @@
+- id: 1
+  task_id: 1
+  other_task_id: 29
+  relation_kind: 'subtask'
+  created_by_id: 1
+  created: 2018-12-01 15:13:12
+- id: 2
+  task_id: 29
+  other_task_id: 1
+  relation_kind: 'parenttask'
+  created_by_id: 1
+  created: 2018-12-01 15:13:12
+- id: 3
+  task_id: 35
+  other_task_id: 1
+  relation_kind: 'related'
+  created_by_id: 1
+  created: 2018-12-01 15:13:12
+- id: 4
+  task_id: 35
+  other_task_id: 1
+  relation_kind: 'related'
+  created_by_id: 1
+  created: 2018-12-01 15:13:12
+- id: 5
+  task_id: 36
+  other_task_id: 1
+  relation_kind: 'related'
+  created_by_id: 1
+  created: 2018-12-01 15:13:12
+- id: 6
+  task_id: 36
+  other_task_id: 1
+  relation_kind: 'related'
+  created_by_id: 1
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/task_reminders.yml
+++ b/pkg/db/fixtures/task_reminders.yml
@@ -0,0 +1,8 @@
+- id: 1
+  task_id: 27
+  reminder: 2018-12-01 01:12:04
+  created: 2018-12-01 01:12:04
+- id: 2
+  task_id: 27
+  reminder: 2018-12-01 01:13:44
+  created: 2018-12-01 01:12:04
--- a/pkg/db/fixtures/tasks.yml
+++ b/pkg/db/fixtures/tasks.yml
@@ -0,0 +1,339 @@
+- id: 1
+  title: 'task #1'
+  description: 'Lorem Ipsum'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  bucket_id: 1
+- id: 2
+  title: 'task #2 done'
+  done: true
+  created_by_id: 1
+  list_id: 1
+  index: 2
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  bucket_id: 1
+- id: 3
+  title: 'task #3 high prio'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 3
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  priority: 100
+  bucket_id: 2
+- id: 4
+  title: 'task #4 low prio'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 4
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  priority: 1
+  bucket_id: 2
+- id: 5
+  title: 'task #5 higher due date'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 5
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  due_date: 2018-12-01 03:58:44
+  bucket_id: 2
+- id: 6
+  title: 'task #6 lower due date'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 6
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  due_date: 2018-11-30 22:25:24
+  bucket_id: 3
+- id: 7
+  title: 'task #7 with start date'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 7
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  start_date: 2018-12-12 07:33:20
+  bucket_id: 3
+- id: 8
+  title: 'task #8 with end date'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 8
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  end_date: 2018-12-13 11:20:00
+  bucket_id: 3
+- id: 9
+  title: 'task #9 with start and end date'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 9
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  start_date: 2018-12-12 07:33:20
+  end_date: 2018-12-13 11:20:00
+  bucket_id: 1
+- id: 10
+  title: 'task #10 basic'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 10
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 11
+  title: 'task #11 basic'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 11
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 12
+  title: 'task #12 basic'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 12
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 13
+  title: 'task #13 basic other list'
+  done: false
+  created_by_id: 1
+  list_id: 2
+  index: 1
+  bucket_id: 4
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 14
+  title: 'task #14 basic other list'
+  done: false
+  created_by_id: 5
+  list_id: 5
+  index: 1
+  bucket_id: 18
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 15
+  title: 'task #15'
+  done: false
+  created_by_id: 6
+  list_id: 6
+  index: 1
+  bucket_id: 6
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 16
+  title: 'task #16'
+  done: false
+  created_by_id: 6
+  list_id: 7
+  index: 1
+  bucket_id: 7
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 17
+  title: 'task #17'
+  done: false
+  created_by_id: 6
+  list_id: 8
+  index: 1
+  bucket_id: 8
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 18
+  title: 'task #18'
+  done: false
+  created_by_id: 6
+  list_id: 9
+  index: 1
+  bucket_id: 9
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 19
+  title: 'task #19'
+  done: false
+  created_by_id: 6
+  list_id: 10
+  index: 1
+  bucket_id: 10
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 20
+  title: 'task #20'
+  done: false
+  created_by_id: 6
+  list_id: 11
+  index: 1
+  bucket_id: 11
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 21
+  title: 'task #21'
+  done: false
+  created_by_id: 6
+  list_id: 12
+  index: 1
+  bucket_id: 12
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 22
+  title: 'task #22'
+  done: false
+  created_by_id: 6
+  list_id: 13
+  index: 1
+  bucket_id: 13
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 23
+  title: 'task #23'
+  done: false
+  created_by_id: 6
+  list_id: 14
+  index: 1
+  bucket_id: 14
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 24
+  title: 'task #24'
+  done: false
+  created_by_id: 6
+  list_id: 15
+  index: 1
+  bucket_id: 15
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 25
+  title: 'task #25'
+  done: false
+  created_by_id: 6
+  list_id: 16
+  index: 1
+  bucket_id: 16
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 26
+  title: 'task #26'
+  done: false
+  created_by_id: 6
+  list_id: 17
+  index: 1
+  bucket_id: 17
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 27
+  title: 'task #27 with reminders'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 12
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 28
+  title: 'task #28 with repeat after'
+  done: false
+  created_by_id: 1
+  repeat_after: 3600
+  list_id: 1
+  index: 13
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 29
+  title: 'task #29 with parent task (1)'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 14
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 30
+  title: 'task #30 with assignees'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 15
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 31
+  title: 'task #31 with color'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 16
+  hex_color: f0f0f0
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 32
+  title: 'task #32'
+  done: false
+  created_by_id: 1
+  list_id: 3
+  index: 1
+  bucket_id: 21
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 33
+  title: 'task #33 with percent done'
+  done: false
+  created_by_id: 1
+  list_id: 1
+  index: 17
+  percent_done: 0.5
+  bucket_id: 1
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+  # This task is forbidden for user1
+- id: 34
+  title: 'task #34'
+  done: false
+  created_by_id: 13
+  list_id: 20
+  index: 20
+  bucket_id: 5
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 35
+  title: 'task #35'
+  done: false
+  created_by_id: 1
+  list_id: 21
+  index: 1
+  bucket_id: 19
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+- id: 36
+  title: 'task #36'
+  done: false
+  created_by_id: 1
+  list_id: 22
+  index: 1
+  bucket_id: 20
+  created: 2018-12-01 01:12:04
+  updated: 2018-12-01 01:12:04
+
+
--- a/pkg/db/fixtures/team_list.yml
+++ b/pkg/db/fixtures/team_list.yml
@@ -0,0 +1,48 @@
+- id: 1
+  team_id: 1
+  list_id: 3
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+# This team has read only access on list 6
+- id: 2
+  team_id: 2
+  list_id: 6
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+# This team has write access on list 7
+- id: 3
+  team_id: 3
+  list_id: 7
+  right: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+# This team has admin access on list 8
+- id: 4
+  team_id: 4
+  list_id: 8
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+# Readonly acces on list 19
+- id: 5
+  team_id: 8
+  list_id: 19
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+# Write acces on list 19
+- id: 6
+  team_id: 9
+  list_id: 19
+  right: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+# Admin acces on list 19
+- id: 7
+  team_id: 10
+  list_id: 19
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/team_members.yml
+++ b/pkg/db/fixtures/team_members.yml
@@ -0,0 +1,57 @@
+-
+  team_id: 1
+  user_id: 1
+  admin: true
+  created: 2018-12-01 15:13:12
+-
+  team_id: 1
+  user_id: 2
+  created: 2018-12-01 15:13:12
+-
+  team_id: 2
+  user_id: 1
+  created: 2018-12-01 15:13:12
+-
+  team_id: 3
+  user_id: 1
+  created: 2018-12-01 15:13:12
+-
+  team_id: 4
+  user_id: 1
+  created: 2018-12-01 15:13:12
+-
+  team_id: 5
+  user_id: 1
+  created: 2018-12-01 15:13:12
+-
+  team_id: 6
+  user_id: 1
+  created: 2018-12-01 15:13:12
+-
+  team_id: 7
+  user_id: 1
+  created: 2018-12-01 15:13:12
+-
+  team_id: 8
+  user_id: 1
+  created: 2018-12-01 15:13:12
+-
+  team_id: 9
+  user_id: 2
+  created: 2018-12-01 15:13:12
+-
+  team_id: 10
+  user_id: 3
+  created: 2018-12-01 15:13:12
+-
+  team_id: 11
+  user_id: 8
+  created: 2018-12-01 15:13:12
+-
+  team_id: 12
+  user_id: 9
+  created: 2018-12-01 15:13:12
+-
+  team_id: 13
+  user_id: 10
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/team_namespaces.yml
+++ b/pkg/db/fixtures/team_namespaces.yml
@@ -0,0 +1,52 @@
+- id: 1
+  team_id: 1
+  namespace_id: 3
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+
+- id: 2
+  team_id: 2
+  namespace_id: 3
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+
+- id: 3
+  team_id: 5
+  namespace_id: 7
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+
+- id: 4
+  team_id: 6
+  namespace_id: 8
+  right: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+
+- id: 5
+  team_id: 7
+  namespace_id: 9
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 6
+  team_id: 11
+  namespace_id: 14
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 7
+  team_id: 12
+  namespace_id: 14
+  right: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 8
+  team_id: 13
+  namespace_id: 14
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/teams.yml
+++ b/pkg/db/fixtures/teams.yml
@@ -0,0 +1,40 @@
+- id: 1
+  name: testteam1
+  description: Lorem Ipsum
+  created_by_id: 1
+- id: 2
+  name: testteam2_read_only_on_list6
+  created_by_id: 1
+- id: 3
+  name: testteam3_write_on_list7
+  created_by_id: 1
+- id: 4
+  name: testteam4_admin_on_list8
+  created_by_id: 1
+- id: 5
+  name: testteam2_read_only_on_namespace7
+  created_by_id: 1
+- id: 6
+  name: testteam3_write_on_namespace8
+  created_by_id: 1
+- id: 7
+  name: testteam4_admin_on_namespace9
+  created_by_id: 1
+- id: 8
+  name: testteam8
+  created_by_id: 7
+- id: 9
+  name: testteam9
+  created_by_id: 7
+- id: 10
+  name: testteam10
+  created_by_id: 7
+- id: 11
+  name: testteam11
+  created_by_id: 7
+- id: 12
+  name: testteam12
+  created_by_id: 7
+- id: 13
+  name: testteam13
+  created_by_id: 7
--- a/pkg/db/fixtures/users.yml
+++ b/pkg/db/fixtures/users.yml
@@ -0,0 +1,97 @@
+-
+  id: 1
+  username: 'user1'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user1@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 2
+  username: 'user2'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user2@example.com'
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 3
+  username: 'user3'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user3@example.com'
+  password_reset_token: passwordresettesttoken
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 4
+  username: 'user4'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user4@example.com'
+  email_confirm_token: tiepiQueed8ahc7zeeFe1eveiy4Ein8osooxegiephauph2Ael
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+-
+  id: 5
+  username: 'user5'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user5@example.com'
+  email_confirm_token: tiepiQueed8ahc7zeeFe1eveiy4Ein8osooxegiephauph2Ael
+  is_active: false
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+# This use is used to create a whole bunch of lists which are then shared directly with a user
+- id: 6
+  username: 'user6'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user6@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 7
+  username: 'user7'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user7@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 8
+  username: 'user8'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user8@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 9
+  username: 'user9'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user9@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 10
+  username: 'user10'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user10@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 11
+  username: 'user11'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user11@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 12
+  username: 'user12'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user12@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 13
+  username: 'user13'
+  password: '$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.' # 1234
+  email: 'user14@example.com'
+  is_active: true
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/users_list.yml
+++ b/pkg/db/fixtures/users_list.yml
@@ -0,0 +1,48 @@
+- id: 1
+  user_id: 1
+  list_id: 3
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 2
+  user_id: 2
+  list_id: 3
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 3
+  user_id: 1
+  list_id: 9
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 4
+  user_id: 1
+  list_id: 10
+  right: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 5
+  user_id: 1
+  list_id: 11
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 6
+  user_id: 4
+  list_id: 19
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 7
+  user_id: 5
+  list_id: 19
+  right: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 8
+  user_id: 6
+  list_id: 19
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
--- a/pkg/db/fixtures/users_namespace.yml
+++ b/pkg/db/fixtures/users_namespace.yml
@@ -0,0 +1,52 @@
+- id: 1
+  user_id: 1
+  namespace_id: 3
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+
+- id: 2
+  user_id: 2
+  namespace_id: 3
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+
+- id: 3
+  user_id: 1
+  namespace_id: 10
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+
+- id: 4
+  user_id: 1
+  namespace_id: 11
+  right: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+
+- id: 5
+  user_id: 1
+  namespace_id: 12
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 6
+  user_id: 11
+  namespace_id: 14
+  right: 0
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 7
+  user_id: 12
+  namespace_id: 14
+  right: 1
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
+- id: 8
+  user_id: 13
+  namespace_id: 14
+  right: 2
+  updated: 2018-12-02 15:13:12
+  created: 2018-12-01 15:13:12
--- a/pkg/db/test.go
+++ b/pkg/db/test.go
@@ -0,0 +1,71 @@
+// Copyright2018-2020 Vikunja and contriubtors. All rights reserved.
+//
+// This file is part of Vikunja.
+//
+// Vikunja is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Vikunja is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Vikunja.  If not, see <https://www.gnu.org/licenses/>.
+
+package db
+
+import (
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/api/pkg/log"
+	"os"
+	"xorm.io/core"
+	"xorm.io/xorm"
+)
+
+// CreateTestEngine creates an instance of the db engine which lives in memory
+func CreateTestEngine() (engine *xorm.Engine, err error) {
+
+	if x != nil {
+		return x, nil
+	}
+
+	if os.Getenv("VIKUNJA_TESTS_USE_CONFIG") == "1" {
+		config.InitConfig()
+		engine, err = CreateDBEngine()
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		engine, err = xorm.NewEngine("sqlite3", "file::memory:?cache=shared")
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	engine.SetMapper(core.GonicMapper{})
+	logger := log.NewXormLogger("DEBUG")
+	logger.ShowSQL(os.Getenv("UNIT_TESTS_VERBOSE") == "1")
+	engine.SetLogger(logger)
+	engine.SetTZLocation(config.GetTimeZone())
+	x = engine
+	return
+}
+
+// InitTestFixtures populates the db with all fixtures from the fixtures folder
+func InitTestFixtures(tablenames ...string) (err error) {
+	// Create all fixtures
+	config.InitDefaultConfig()
+	// We need to set the root path even if we're not using the config, otherwise fixtures are not loaded correctly
+	config.ServiceRootpath.Set(os.Getenv("VIKUNJA_SERVICE_ROOTPATH"))
+
+	// Sync fixtures
+	err = InitFixtures(tablenames...)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	return nil
+}
--- a/pkg/db/test_fixtures.go
+++ b/pkg/db/test_fixtures.go
@@ -0,0 +1,116 @@
+// Copyright 2018-2020 Vikunja and contriubtors. All rights reserved.
+//
+// This file is part of Vikunja.
+//
+// Vikunja is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Vikunja is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Vikunja.  If not, see <https://www.gnu.org/licenses/>.
+
+package db
+
+import (
+	"code.vikunja.io/api/pkg/config"
+	"fmt"
+	"github.com/go-testfixtures/testfixtures/v3"
+	"github.com/stretchr/testify/assert"
+	"path/filepath"
+	"testing"
+	"xorm.io/xorm/schemas"
+)
+
+var fixtures *testfixtures.Loader
+
+// InitFixtures initialize test fixtures for a test database
+func InitFixtures(tablenames ...string) (err error) {
+
+	var testfiles func(loader *testfixtures.Loader) error
+	dir := filepath.Join(config.ServiceRootpath.GetString(), "pkg", "db", "fixtures")
+
+	// If fixture table names are specified, load them
+	// Otherwise, load all fixtures
+	if len(tablenames) > 0 {
+		for i, name := range tablenames {
+			tablenames[i] = filepath.Join(dir, name+".yml")
+		}
+		testfiles = testfixtures.Files(tablenames...)
+	} else {
+		testfiles = testfixtures.Directory(dir)
+	}
+
+	loaderOptions := []func(loader *testfixtures.Loader) error{
+		testfixtures.Database(x.DB().DB),
+		testfixtures.Dialect(config.DatabaseType.GetString()),
+		testfixtures.DangerousSkipTestDatabaseCheck(),
+		testfixtures.Location(config.GetTimeZone()),
+		testfiles,
+	}
+
+	if config.DatabaseType.GetString() == "postgres" {
+		loaderOptions = append(loaderOptions, testfixtures.SkipResetSequences())
+	}
+
+	fixtures, err = testfixtures.New(loaderOptions...)
+	if err != nil {
+		return err
+	}
+
+	return err
+}
+
+// LoadFixtures load fixtures for a test database
+func LoadFixtures() error {
+	err := fixtures.Load()
+	if err != nil {
+		return err
+	}
+
+	// Copied from https://github.com/go-gitea/gitea/blob/master/models/test_fixtures.go#L39
+	// Now if we're running postgres we need to tell it to update the sequences
+	if x.Dialect().URI().DBType == schemas.POSTGRES {
+		results, err := x.QueryString(`SELECT 'SELECT SETVAL(' ||
+		quote_literal(quote_ident(PGT.schemaname) || '.' || quote_ident(S.relname)) ||
+		', COALESCE(MAX(' ||quote_ident(C.attname)|| '), 1) ) FROM ' ||
+		quote_ident(PGT.schemaname)|| '.'||quote_ident(T.relname)|| ';'
+	 FROM pg_class AS S,
+	      pg_depend AS D,
+	      pg_class AS T,
+	      pg_attribute AS C,
+	      pg_tables AS PGT
+	 WHERE S.relkind = 'S'
+	     AND S.oid = D.objid
+	     AND D.refobjid = T.oid
+	     AND D.refobjid = C.attrelid
+	     AND D.refobjsubid = C.attnum
+	     AND T.relname = PGT.tablename
+	 ORDER BY S.relname;`)
+		if err != nil {
+			fmt.Printf("Failed to generate sequence update: %v\n", err)
+			return err
+		}
+		for _, r := range results {
+			for _, value := range r {
+				_, err = x.Exec(value)
+				if err != nil {
+					fmt.Printf("Failed to update sequence: %s Error: %v\n", value, err)
+					return err
+				}
+			}
+		}
+	}
+	return err
+}
+
+// LoadAndAssertFixtures loads all fixtures defined before and asserts they are correctly loaded
+func LoadAndAssertFixtures(t *testing.T) {
+	err := LoadFixtures()
+	assert.NoError(t, err)
+}
--- a/pkg/files/db.go
+++ b/pkg/files/db.go
@@ -0,0 +1,49 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package files
+
+import (
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/api/pkg/db"
+	"code.vikunja.io/api/pkg/log"
+	"xorm.io/xorm"
+)
+
+var x *xorm.Engine
+
+// SetEngine sets the xorm.Engine
+func SetEngine() (err error) {
+	x, err = db.CreateDBEngine()
+	if err != nil {
+		log.Criticalf("Could not connect to db: %v", err.Error())
+		return
+	}
+
+	// Cache
+	if config.CacheEnabled.GetBool() && config.CacheType.GetString() == "redis" {
+		db.RegisterTableStructsForCache(GetTables())
+	}
+
+	return nil
+}
+
+// GetTables returns all structs which are also a table.
+func GetTables() []interface{} {
+	return []interface{}{
+		&File{},
+	}
+}
--- a/pkg/files/dump.go
+++ b/pkg/files/dump.go
@@ -0,0 +1,41 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package files
+
+import (
+	"io"
+)
+
+// Dump dumps all saved files
+// This only includes the raw files, no db entries.
+func Dump() (allFiles map[int64]io.ReadCloser, err error) {
+	files := []*File{}
+	err = x.Find(&files)
+	if err != nil {
+		return
+	}
+
+	allFiles = make(map[int64]io.ReadCloser, len(files))
+	for _, file := range files {
+		if err := file.LoadFileByID(); err != nil {
+			return nil, err
+		}
+		allFiles[file.ID] = file.File
+	}
+
+	return
+}
--- a/pkg/files/error.go
+++ b/pkg/files/error.go
@@ -0,0 +1,69 @@
+// Copyright 2018-2020 Vikunja and contriubtors. All rights reserved.
+//
+// This file is part of Vikunja.
+//
+// Vikunja is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Vikunja is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Vikunja.  If not, see <https://www.gnu.org/licenses/>.
+
+package files
+
+import "fmt"
+
+// ErrFileDoesNotExist defines an error where a file does not exist in the db
+type ErrFileDoesNotExist struct {
+	FileID int64
+}
+
+// Error is the error implementation of ErrFileDoesNotExist
+func (err ErrFileDoesNotExist) Error() string {
+	return fmt.Sprintf("file %d does not exist", err.FileID)
+}
+
+//IsErrFileDoesNotExist checks if an error is ErrFileDoesNotExist
+func IsErrFileDoesNotExist(err error) bool {
+	_, ok := err.(ErrFileDoesNotExist)
+	return ok
+}
+
+// ErrFileIsTooLarge defines an error where a file is larger than the configured limit
+type ErrFileIsTooLarge struct {
+	Size uint64
+}
+
+// Error is the error implementation of ErrFileIsTooLarge
+func (err ErrFileIsTooLarge) Error() string {
+	return fmt.Sprintf("file is too large [Size: %d]", err.Size)
+}
+
+//IsErrFileIsTooLarge checks if an error is ErrFileIsTooLarge
+func IsErrFileIsTooLarge(err error) bool {
+	_, ok := err.(ErrFileIsTooLarge)
+	return ok
+}
+
+// ErrFileIsNotUnsplashFile defines an error where a file is not downloaded from unsplash.
+// Used in cases whenever unsplash information about a file is requested, but the file was not downloaded from unsplash.
+type ErrFileIsNotUnsplashFile struct {
+	FileID int64
+}
+
+// Error is the error implementation of ErrFileIsNotUnsplashFile
+func (err ErrFileIsNotUnsplashFile) Error() string {
+	return fmt.Sprintf("file was not downloaded from unsplash [FileID: %d]", err.FileID)
+}
+
+//IsErrFileIsNotUnsplashFile checks if an error is ErrFileIsNotUnsplashFile
+func IsErrFileIsNotUnsplashFile(err error) bool {
+	_, ok := err.(ErrFileIsNotUnsplashFile)
+	return ok
+}
--- a/pkg/files/filehandling.go
+++ b/pkg/files/filehandling.go
@@ -0,0 +1,84 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package files
+
+import (
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/api/pkg/db"
+	"code.vikunja.io/api/pkg/log"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"os"
+	"testing"
+)
+
+// This file handles storing and retrieving a file for different backends
+var fs afero.Fs
+var afs *afero.Afero
+
+// InitFileHandler creates a new file handler for the file backend we want to use
+func InitFileHandler() {
+	fs = afero.NewOsFs()
+	afs = &afero.Afero{Fs: fs}
+}
+
+// InitTestFileHandler initializes a new memory file system for testing
+func InitTestFileHandler() {
+	fs = afero.NewMemMapFs()
+	afs = &afero.Afero{Fs: fs}
+}
+
+func initFixtures(t *testing.T) {
+	// DB fixtures
+	db.LoadAndAssertFixtures(t)
+	// File fixtures
+	InitTestFileFixtures(t)
+}
+
+//InitTestFileFixtures initializes file fixtures
+func InitTestFileFixtures(t *testing.T) {
+	// Init fixture files
+	filename := config.FilesBasePath.GetString() + "/1"
+	err := afero.WriteFile(afs, filename, []byte("testfile1"), 0644)
+	assert.NoError(t, err)
+}
+
+// InitTests handles the actual bootstrapping of the test env
+func InitTests() {
+	var err error
+	x, err = db.CreateTestEngine()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = x.Sync2(GetTables()...)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = db.InitTestFixtures("files")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	InitTestFileHandler()
+}
+
+// FileStat stats a file. This is an exported function to be able to test this from outide of the package
+func FileStat(filename string) (os.FileInfo, error) {
+	return afs.Stat(filename)
+}
--- a/pkg/files/files.go
+++ b/pkg/files/files.go
@@ -0,0 +1,116 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package files
+
+import (
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/web"
+	"github.com/c2h5oh/datasize"
+	"github.com/spf13/afero"
+	"io"
+	"strconv"
+	"time"
+)
+
+// File holds all information about a file
+type File struct {
+	ID   int64  `xorm:"int(11) autoincr not null unique pk" json:"id"`
+	Name string `xorm:"text not null" json:"name"`
+	Mime string `xorm:"text null" json:"mime"`
+	Size uint64 `xorm:"int(11) not null" json:"size"`
+
+	Created     time.Time `xorm:"created" json:"created"`
+	CreatedByID int64     `xorm:"int(11) not null" json:"-"`
+
+	File afero.File `xorm:"-" json:"-"`
+	// This ReadCloser is only used for migration purposes. Use with care!
+	// There is currentlc no better way of doing this.
+	FileContent []byte `xorm:"-" json:"-"`
+}
+
+// TableName is the table name for the files table
+func (File) TableName() string {
+	return "files"
+}
+
+func (f *File) getFileName() string {
+	return config.FilesBasePath.GetString() + "/" + strconv.FormatInt(f.ID, 10)
+}
+
+// LoadFileByID returns a file by its ID
+func (f *File) LoadFileByID() (err error) {
+	f.File, err = afs.Open(f.getFileName())
+	return
+}
+
+// LoadFileMetaByID loads everything about a file without loading the actual file
+func (f *File) LoadFileMetaByID() (err error) {
+	exists, err := x.Where("id = ?", f.ID).Get(f)
+	if !exists {
+		return ErrFileDoesNotExist{FileID: f.ID}
+	}
+	return
+}
+
+// Create creates a new file from an FileHeader
+func Create(f io.ReadCloser, realname string, realsize uint64, a web.Auth) (file *File, err error) {
+
+	// Get and parse the configured file size
+	var maxSize datasize.ByteSize
+	err = maxSize.UnmarshalText([]byte(config.FilesMaxSize.GetString()))
+	if err != nil {
+		return nil, err
+	}
+	if realsize > maxSize.Bytes() {
+		return nil, ErrFileIsTooLarge{Size: realsize}
+	}
+
+	// We first insert the file into the db to get it's ID
+	file = &File{
+		Name:        realname,
+		Size:        realsize,
+		CreatedByID: a.GetID(),
+	}
+
+	_, err = x.Insert(file)
+	if err != nil {
+		return
+	}
+
+	// Save the file to storage with its new ID as path
+	err = file.Save(f)
+	return
+}
+
+// Delete removes a file from the DB and the file system
+func (f *File) Delete() (err error) {
+	deleted, err := x.Where("id = ?", f.ID).Delete(f)
+	if err != nil {
+		return err
+	}
+	if deleted == 0 {
+		return ErrFileDoesNotExist{FileID: f.ID}
+	}
+
+	err = afs.Remove(f.getFileName())
+	return
+}
+
+// Save saves a file to storage
+func (f *File) Save(fcontent io.ReadCloser) error {
+	return afs.WriteReader(f.getFileName(), fcontent)
+}
--- a/pkg/files/files_test.go
+++ b/pkg/files/files_test.go
@@ -0,0 +1,131 @@
+// Copyright 2018-2020 Vikunja and contriubtors. All rights reserved.
+//
+// This file is part of Vikunja.
+//
+// Vikunja is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Vikunja is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Vikunja.  If not, see <https://www.gnu.org/licenses/>.
+
+package files
+
+import (
+	"github.com/stretchr/testify/assert"
+	"io"
+	"os"
+	"testing"
+)
+
+type testfile struct {
+	content []byte
+	done    bool
+}
+
+func (t *testfile) Read(p []byte) (n int, err error) {
+	if t.done {
+		return 0, io.EOF
+	}
+	copy(p, t.content)
+	t.done = true
+	return len(p), nil
+}
+
+func (t *testfile) Close() error {
+	return nil
+}
+
+type testauth struct {
+	id int64
+}
+
+func (a *testauth) GetID() int64 {
+	return a.id
+}
+
+func TestCreate(t *testing.T) {
+	t.Run("Normal", func(t *testing.T) {
+		initFixtures(t)
+		tf := &testfile{
+			content: []byte("testfile"),
+		}
+		ta := &testauth{id: 1}
+		createdFile, err := Create(tf, "testfile", 100, ta)
+		assert.NoError(t, err)
+
+		// Check the file was created correctly
+		file := &File{ID: createdFile.ID}
+		err = file.LoadFileMetaByID()
+		assert.NoError(t, err)
+		assert.Equal(t, int64(1), file.CreatedByID)
+		assert.Equal(t, "testfile", file.Name)
+		assert.Equal(t, uint64(100), file.Size)
+
+	})
+	t.Run("Too Large", func(t *testing.T) {
+		initFixtures(t)
+		tf := &testfile{
+			content: []byte("testfile"),
+		}
+		ta := &testauth{id: 1}
+		_, err := Create(tf, "testfile", 99999999999, ta)
+		assert.Error(t, err)
+		assert.True(t, IsErrFileIsTooLarge(err))
+	})
+}
+
+func TestFile_Delete(t *testing.T) {
+	t.Run("Normal", func(t *testing.T) {
+		initFixtures(t)
+		f := &File{ID: 1}
+		err := f.Delete()
+		assert.NoError(t, err)
+	})
+	t.Run("Nonexisting", func(t *testing.T) {
+		initFixtures(t)
+		f := &File{ID: 9999}
+		err := f.Delete()
+		assert.Error(t, err)
+		assert.True(t, IsErrFileDoesNotExist(err))
+	})
+}
+
+func TestFile_LoadFileByID(t *testing.T) {
+	t.Run("Normal", func(t *testing.T) {
+		initFixtures(t)
+		f := &File{ID: 1}
+		err := f.LoadFileByID()
+		assert.NoError(t, err)
+	})
+	t.Run("Nonexisting", func(t *testing.T) {
+		initFixtures(t)
+		f := &File{ID: 9999}
+		err := f.LoadFileByID()
+		assert.Error(t, err)
+		assert.True(t, os.IsNotExist(err))
+	})
+}
+
+func TestFile_LoadFileMetaByID(t *testing.T) {
+	t.Run("Normal", func(t *testing.T) {
+		initFixtures(t)
+		f := &File{ID: 1}
+		err := f.LoadFileMetaByID()
+		assert.NoError(t, err)
+		assert.Equal(t, "test", f.Name)
+	})
+	t.Run("Nonexisting", func(t *testing.T) {
+		initFixtures(t)
+		f := &File{ID: 9999}
+		err := f.LoadFileMetaByID()
+		assert.Error(t, err)
+		assert.True(t, IsErrFileDoesNotExist(err))
+	})
+}
--- a/pkg/files/main_test.go
+++ b/pkg/files/main_test.go
@@ -0,0 +1,29 @@
+// Copyright 2018-2020 Vikunja and contriubtors. All rights reserved.
+//
+// This file is part of Vikunja.
+//
+// Vikunja is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Vikunja is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Vikunja.  If not, see <https://www.gnu.org/licenses/>.
+
+package files
+
+import (
+	"os"
+	"testing"
+)
+
+// TestMain is the main test function used to bootstrap the test env
+func TestMain(m *testing.M) {
+	InitTests()
+	os.Exit(m.Run())
+}
--- a/pkg/initialize/init.go
+++ b/pkg/initialize/init.go
@@ -0,0 +1,79 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package initialize
+
+import (
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/api/pkg/files"
+	"code.vikunja.io/api/pkg/log"
+	"code.vikunja.io/api/pkg/mail"
+	"code.vikunja.io/api/pkg/migration"
+	"code.vikunja.io/api/pkg/models"
+	migrator "code.vikunja.io/api/pkg/modules/migration"
+	"code.vikunja.io/api/pkg/red"
+	"code.vikunja.io/api/pkg/user"
+)
+
+// LightInit will only fullInit config, redis, logger but no db connection.
+func LightInit() {
+	// Init the config
+	config.InitConfig()
+
+	// Init redis
+	red.InitRedis()
+
+	// Set logger
+	log.InitLogger()
+}
+
+// InitEngines intializes all db connections
+func InitEngines() {
+	err := models.SetEngine()
+	if err != nil {
+		log.Fatal(err.Error())
+	}
+	err = user.InitDB()
+	if err != nil {
+		log.Fatal(err.Error())
+	}
+	err = files.SetEngine()
+	if err != nil {
+		log.Fatal(err.Error())
+	}
+	err = migrator.InitDB()
+	if err != nil {
+		log.Fatal(err.Error())
+	}
+}
+
+// FullInit initializes all kinds of things in the right order
+func FullInit() {
+
+	LightInit()
+
+	// Run the migrations
+	migration.Migrate(nil)
+
+	// Set Engine
+	InitEngines()
+
+	// Initialize the files handler
+	files.InitFileHandler()
+
+	// Start the mail daemon
+	mail.StartMailDaemon()
+}
--- a/pkg/integrations/_test.go.tpl
+++ b/pkg/integrations/_test.go.tpl
@@ -0,0 +1,350 @@
+//   Vikunja is a to-do list application to facilitate your life.
+//   Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+//   This program is free software: you can redistribute it and/or modify
+//   it under the terms of the GNU General Public License as published by
+//   the Free Software Foundation, either version 3 of the License, or
+//   (at your option) any later version.
+//
+//   This program is distributed in the hope that it will be useful,
+//   but WITHOUT ANY WARRANTY; without even the implied warranty of
+//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//   GNU General Public License for more details.
+//
+//   You should have received a copy of the GNU General Public License
+//   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/web/handler"
+	"github.com/labstack/echo"
+	"github.com/stretchr/testify/assert"
+	"net/url"
+	"testing"
+)
+
+func Test${MODEL}(t *testing.T) {
+	testHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.${MODEL}{}
+		},
+		t: t,
+	}
+	t.Run("ReadAll", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testReadAll(nil, nil)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), ``)
+			assert.NotContains(t, rec.Body.String(), ``)
+		})
+		t.Run("Search", func(t *testing.T) {
+			rec, err := testHandler.testReadAll(url.Values{"s": []string{""}}, nil)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), ``)
+			assert.NotContains(t, rec.Body.String(), ``)
+		})
+	})
+	t.Run("ReadOne", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), ``)
+			assert.NotContains(t, rec.Body.String(), ``)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCode)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user3
+				_, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `You don't have the right to see this`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testReadOne(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+		})
+	})
+	t.Run("Update", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), ``)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCode)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				_, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+		})
+	})
+	t.Run("Delete", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), ``)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCode)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				_, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testDelete(nil, map[string]string{"${URL_PLACEHOLDER}": ""})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+		})
+	})
+	t.Run("Create", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), ``)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCode)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+
+			t.Run("Forbidden", func(t *testing.T) {
+				_, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testCreate(nil, map[string]string{"${URL_PLACEHOLDER}": ""}, `{}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), ``)
+			})
+		})
+	})
+}
--- a/pkg/integrations/archived_test.go
+++ b/pkg/integrations/archived_test.go
@@ -0,0 +1,238 @@
+// Copyright 2020 Vikunja and contriubtors. All rights reserved.
+//
+// This file is part of Vikunja.
+//
+// Vikunja is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Vikunja is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Vikunja.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/web/handler"
+	"github.com/stretchr/testify/assert"
+	"net/url"
+	"testing"
+)
+
+// This tests the following behaviour:
+// 1. A namespace should not be editable if it is archived.
+//   1. With the exception being to un-archive it.
+// 2. A list which belongs to an archived namespace cannot be edited.
+// 3. An archived list should not be editable.
+//   1. Except for un-archiving it.
+// 4. It is not possible to un-archive a list individually if its namespace is archived.
+// 5. Creating new lists on an archived namespace should not work.
+// 6. Creating new tasks on an archived list should not work.
+// 7. Creating new tasks on a list who's namespace is archived should not work.
+// 8. Editing tasks on an archived list should not work.
+// 9. Editing tasks on a list who's namespace is archived should not work.
+// 10. Archived namespaces should not appear in the list with all namespaces.
+// 11. Archived lists should not appear in the list with all lists.
+// 12. Lists who's namespace is archived should not appear in the list with all lists.
+//
+// All of this is tested through integration tests because it's not yet clear if this will be implemented directly
+// or with some kind of middleware.
+//
+// Maybe the inheritance of lists from namespaces could be solved with some kind of is_archived_inherited flag -
+// that way I'd only need to implement the checking on a list level and update the flag for all lists once the
+// namespace is archived. The archived flag would then be used to not accedentially unarchive lists which were
+// already individually archived when the namespace was archived.
+// Should still test it all though.
+//
+// Namespace 16 is archived
+// List 21 belongs to namespace 16
+// List 22 is archived individually
+
+func TestArchived(t *testing.T) {
+	testListHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.List{}
+		},
+		t: t,
+	}
+	testNamespaceHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.Namespace{}
+		},
+		t: t,
+	}
+	testTaskHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.Task{}
+		},
+		t: t,
+	}
+	testLabelHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.LabelTask{}
+		},
+		t: t,
+	}
+	testAssigneeHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.TaskAssginee{}
+		},
+		t: t,
+	}
+	testRelationHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.TaskRelation{}
+		},
+		t: t,
+	}
+	testCommentHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.TaskComment{}
+		},
+		t: t,
+	}
+
+	t.Run("namespace", func(t *testing.T) {
+		t.Run("not editable", func(t *testing.T) {
+			_, err := testNamespaceHandler.testUpdateWithUser(nil, map[string]string{"namespace": "16"}, `{"title":"TestIpsum","is_archived":true}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeNamespaceIsArchived)
+		})
+		t.Run("unarchivable", func(t *testing.T) {
+			rec, err := testNamespaceHandler.testUpdateWithUser(nil, map[string]string{"namespace": "16"}, `{"title":"TestIpsum","is_archived":false}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"is_archived":false`)
+		})
+		t.Run("no new lists", func(t *testing.T) {
+			_, err := testListHandler.testCreateWithUser(nil, map[string]string{"namespace": "16"}, `{"title":"Lorem"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeNamespaceIsArchived)
+		})
+		t.Run("should not appear in the list", func(t *testing.T) {
+			rec, err := testNamespaceHandler.testReadAllWithUser(nil, nil)
+			assert.NoError(t, err)
+			assert.NotContains(t, rec.Body.String(), `"title":"Archived testnamespace16"`)
+		})
+		t.Run("should appear in the list if explicitly requested", func(t *testing.T) {
+			rec, err := testNamespaceHandler.testReadAllWithUser(url.Values{"is_archived": []string{"true"}}, nil)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"Archived testnamespace16"`)
+		})
+	})
+
+	t.Run("list", func(t *testing.T) {
+
+		taskTests := func(taskID string, errCode int, t *testing.T) {
+			t.Run("task", func(t *testing.T) {
+				t.Run("edit task", func(t *testing.T) {
+					_, err := testTaskHandler.testUpdateWithUser(nil, map[string]string{"listtask": taskID}, `{"title":"TestIpsum"}`)
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("delete", func(t *testing.T) {
+					_, err := testTaskHandler.testDeleteWithUser(nil, map[string]string{"listtask": taskID})
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("add new labels", func(t *testing.T) {
+					_, err := testLabelHandler.testCreateWithUser(nil, map[string]string{"listtask": taskID}, `{"label_id":1}`)
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("remove lables", func(t *testing.T) {
+					_, err := testLabelHandler.testDeleteWithUser(nil, map[string]string{"listtask": taskID, "label": "4"})
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("add assignees", func(t *testing.T) {
+					_, err := testAssigneeHandler.testCreateWithUser(nil, map[string]string{"listtask": taskID}, `{"user_id":3}`)
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("remove assignees", func(t *testing.T) {
+					_, err := testAssigneeHandler.testDeleteWithUser(nil, map[string]string{"listtask": taskID, "user": "2"})
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("add relation", func(t *testing.T) {
+					_, err := testRelationHandler.testCreateWithUser(nil, map[string]string{"task": taskID}, `{"other_task_id":1,"relation_kind":"related"}`)
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("remove relation", func(t *testing.T) {
+					_, err := testRelationHandler.testDeleteWithUser(nil, map[string]string{"task": taskID}, `{"other_task_id":2,"relation_kind":"related"}`)
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("add comment", func(t *testing.T) {
+					_, err := testCommentHandler.testCreateWithUser(nil, map[string]string{"task": taskID}, `{"comment":"Lorem"}`)
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+				t.Run("remove comment", func(t *testing.T) {
+					var commentID = "15"
+					if taskID == "36" {
+						commentID = "16"
+					}
+					_, err := testCommentHandler.testDeleteWithUser(nil, map[string]string{"task": taskID, "commentid": commentID})
+					assert.Error(t, err)
+					assertHandlerErrorCode(t, err, errCode)
+				})
+			})
+		}
+
+		// The list belongs to an archived namespace
+		t.Run("archived namespace", func(t *testing.T) {
+			t.Run("not editable", func(t *testing.T) {
+				_, err := testListHandler.testUpdateWithUser(nil, map[string]string{"list": "21"}, `{"title":"TestIpsum","is_archived":true}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeNamespaceIsArchived)
+			})
+			t.Run("no new tasks", func(t *testing.T) {
+				_, err := testTaskHandler.testCreateWithUser(nil, map[string]string{"list": "21"}, `{"title":"Lorem"}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeNamespaceIsArchived)
+			})
+			t.Run("not unarchivable", func(t *testing.T) {
+				_, err := testListHandler.testUpdateWithUser(nil, map[string]string{"list": "21"}, `{"title":"LoremIpsum","is_archived":false}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeNamespaceIsArchived)
+			})
+
+			taskTests("35", models.ErrCodeNamespaceIsArchived, t)
+		})
+		// The list itself is archived
+		t.Run("archived individually", func(t *testing.T) {
+			t.Run("not editable", func(t *testing.T) {
+				_, err := testListHandler.testUpdateWithUser(nil, map[string]string{"list": "22"}, `{"title":"TestIpsum","is_archived":true}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeListIsArchived)
+			})
+			t.Run("no new tasks", func(t *testing.T) {
+				_, err := testTaskHandler.testCreateWithUser(nil, map[string]string{"list": "22"}, `{"title":"Lorem"}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeListIsArchived)
+			})
+			t.Run("unarchivable", func(t *testing.T) {
+				rec, err := testListHandler.testUpdateWithUser(nil, map[string]string{"list": "22"}, `{"title":"LoremIpsum","is_archived":false}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"is_archived":false`)
+			})
+
+			taskTests("36", models.ErrCodeListIsArchived, t)
+		})
+	})
+}
--- a/pkg/integrations/integrations.go
+++ b/pkg/integrations/integrations.go
@@ -0,0 +1,256 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/api/pkg/db"
+	"code.vikunja.io/api/pkg/files"
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/api/pkg/routes"
+	v1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/web"
+	"code.vikunja.io/web/handler"
+	"github.com/dgrijalva/jwt-go"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"strings"
+	"testing"
+)
+
+// These are the test users, the same way they are in the test database
+var (
+	testuser1 = user.User{
+		ID:       1,
+		Username: "user1",
+		Password: "$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.",
+		Email:    "user1@example.com",
+		IsActive: true,
+	}
+	testuser2 = user.User{
+		ID:       2,
+		Username: "user2",
+		Password: "$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.",
+		Email:    "user2@example.com",
+	}
+	testuser3 = user.User{
+		ID:                 3,
+		Username:           "user3",
+		Password:           "$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.",
+		Email:              "user3@example.com",
+		PasswordResetToken: "passwordresettesttoken",
+	}
+	testuser4 = user.User{
+		ID:                4,
+		Username:          "user4",
+		Password:          "$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.",
+		Email:             "user4@example.com",
+		EmailConfirmToken: "tiepiQueed8ahc7zeeFe1eveiy4Ein8osooxegiephauph2Ael",
+	}
+	testuser5 = user.User{
+		ID:                4,
+		Username:          "user5",
+		Password:          "$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.",
+		Email:             "user5@example.com",
+		EmailConfirmToken: "tiepiQueed8ahc7zeeFe1eveiy4Ein8osooxegiephauph2Ael",
+		IsActive:          false,
+	}
+)
+
+func setupTestEnv() (e *echo.Echo, err error) {
+	config.InitDefaultConfig()
+	// We need to set the root path even if we're not using the config, otherwise fixtures are not loaded correctly
+	config.ServiceRootpath.Set(os.Getenv("VIKUNJA_SERVICE_ROOTPATH"))
+	// Some tests use the file engine, so we'll need to initialize that
+	files.InitTests()
+	user.InitTests()
+	models.SetupTests()
+
+	err = db.LoadFixtures()
+	if err != nil {
+		return
+	}
+
+	e = routes.NewEcho()
+	routes.RegisterRoutes(e)
+	return
+}
+
+func bootstrapTestRequest(t *testing.T, method string, payload string, queryParam url.Values) (c echo.Context, rec *httptest.ResponseRecorder) {
+	// Setup
+	e, err := setupTestEnv()
+	assert.NoError(t, err)
+
+	// Do the actual request
+	req := httptest.NewRequest(method, "/", strings.NewReader(payload))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	req.URL.RawQuery = queryParam.Encode()
+	rec = httptest.NewRecorder()
+
+	c = e.NewContext(req, rec)
+	return
+}
+
+func newTestRequest(t *testing.T, method string, handler func(ctx echo.Context) error, payload string) (rec *httptest.ResponseRecorder, err error) {
+	c, rec := bootstrapTestRequest(t, method, payload, nil)
+	err = handler(c)
+	return
+}
+
+func addUserTokenToContext(t *testing.T, user *user.User, c echo.Context) {
+	// Get the token as a string
+	token, err := v1.NewUserJWTAuthtoken(user)
+	assert.NoError(t, err)
+	// We send the string token through the parsing function to get a valid jwt.Token
+	tken, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
+		return []byte(config.ServiceJWTSecret.GetString()), nil
+	})
+	assert.NoError(t, err)
+	c.Set("user", tken)
+}
+
+func addLinkShareTokenToContext(t *testing.T, share *models.LinkSharing, c echo.Context) {
+	// Get the token as a string
+	token, err := v1.NewLinkShareJWTAuthtoken(share)
+	assert.NoError(t, err)
+	// We send the string token through the parsing function to get a valid jwt.Token
+	tken, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
+		return []byte(config.ServiceJWTSecret.GetString()), nil
+	})
+	assert.NoError(t, err)
+	c.Set("user", tken)
+}
+
+func testRequestSetup(t *testing.T, method string, payload string, queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, c echo.Context) {
+	c, rec = bootstrapTestRequest(t, method, payload, queryParams)
+
+	var paramNames []string
+	var paramValues []string
+	for name, value := range urlParams {
+		paramNames = append(paramNames, name)
+		paramValues = append(paramValues, value)
+	}
+	c.SetParamNames(paramNames...)
+	c.SetParamValues(paramValues...)
+	return
+}
+
+func newTestRequestWithUser(t *testing.T, method string, handler echo.HandlerFunc, user *user.User, payload string, queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, err error) {
+	rec, c := testRequestSetup(t, method, payload, queryParams, urlParams)
+	addUserTokenToContext(t, user, c)
+	err = handler(c)
+	return
+}
+
+func newTestRequestWithLinkShare(t *testing.T, method string, handler echo.HandlerFunc, share *models.LinkSharing, payload string, queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, err error) {
+	rec, c := testRequestSetup(t, method, payload, queryParams, urlParams)
+	addLinkShareTokenToContext(t, share, c)
+	err = handler(c)
+	return
+}
+
+func assertHandlerErrorCode(t *testing.T, err error, expectedErrorCode int) {
+	if err == nil {
+		t.Error("Error is nil")
+		t.FailNow()
+	}
+	httperr, ok := err.(*echo.HTTPError)
+	if !ok {
+		t.Error("Error is not *echo.HTTPError")
+		t.FailNow()
+	}
+	webhttperr, ok := httperr.Message.(web.HTTPError)
+	if !ok {
+		t.Error("Error is not *web.HTTPError")
+		t.FailNow()
+	}
+	assert.Equal(t, expectedErrorCode, webhttperr.Code)
+}
+
+type webHandlerTest struct {
+	user      *user.User
+	linkShare *models.LinkSharing
+	strFunc   func() handler.CObject
+	t         *testing.T
+}
+
+func (h *webHandlerTest) getHandler() handler.WebHandler {
+	return handler.WebHandler{
+		EmptyStruct: func() handler.CObject {
+			return h.strFunc()
+		},
+	}
+}
+
+func (h *webHandlerTest) testReadAllWithUser(queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithUser(h.t, http.MethodGet, hndl.ReadAllWeb, h.user, "", queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testReadOneWithUser(queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithUser(h.t, http.MethodGet, hndl.ReadOneWeb, h.user, "", queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testCreateWithUser(queryParams url.Values, urlParams map[string]string, payload string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithUser(h.t, http.MethodPut, hndl.CreateWeb, h.user, payload, queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testUpdateWithUser(queryParams url.Values, urlParams map[string]string, payload string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithUser(h.t, http.MethodPost, hndl.UpdateWeb, h.user, payload, queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testDeleteWithUser(queryParams url.Values, urlParams map[string]string, payload ...string) (rec *httptest.ResponseRecorder, err error) {
+	pl := ""
+	if len(payload) > 0 {
+		pl = payload[0]
+	}
+	hndl := h.getHandler()
+	return newTestRequestWithUser(h.t, http.MethodDelete, hndl.DeleteWeb, h.user, pl, queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testReadAllWithLinkShare(queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithLinkShare(h.t, http.MethodGet, hndl.ReadAllWeb, h.linkShare, "", queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testReadOneWithLinkShare(queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithLinkShare(h.t, http.MethodGet, hndl.ReadOneWeb, h.linkShare, "", queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testCreateWithLinkShare(queryParams url.Values, urlParams map[string]string, payload string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithLinkShare(h.t, http.MethodPut, hndl.CreateWeb, h.linkShare, payload, queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testUpdateWithLinkShare(queryParams url.Values, urlParams map[string]string, payload string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithLinkShare(h.t, http.MethodPost, hndl.UpdateWeb, h.linkShare, payload, queryParams, urlParams)
+}
+
+func (h *webHandlerTest) testDeleteWithLinkShare(queryParams url.Values, urlParams map[string]string) (rec *httptest.ResponseRecorder, err error) {
+	hndl := h.getHandler()
+	return newTestRequestWithLinkShare(h.t, http.MethodDelete, hndl.DeleteWeb, h.linkShare, "", queryParams, urlParams)
+}
--- a/pkg/integrations/kanban_test.go
+++ b/pkg/integrations/kanban_test.go
@@ -0,0 +1,300 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/web/handler"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestBucket(t *testing.T) {
+	testHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.Bucket{}
+		},
+		t: t,
+	}
+	t.Run("ReadAll", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(nil, map[string]string{"list": "1"})
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `testbucket1`)
+			assert.Contains(t, rec.Body.String(), `testbucket2`)
+			assert.Contains(t, rec.Body.String(), `testbucket3`)
+			assert.NotContains(t, rec.Body.String(), `testbucket4`) // Different List
+		})
+	})
+	t.Run("Update", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			// Check the list was loaded successfully afterwards, see testReadOneWithUser
+			rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "1"}, `{"title":"TestLoremIpsum"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+		})
+		t.Run("Nonexisting Bucket", func(t *testing.T) {
+			_, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "9999"}, `{"title":"TestLoremIpsum"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeBucketDoesNotExist)
+		})
+		t.Run("Empty title", func(t *testing.T) {
+			_, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "1"}, `{"title":""}`)
+			assert.Error(t, err)
+			assert.Contains(t, err.(*echo.HTTPError).Message.(models.ValidationHTTPError).InvalidFields, "title: non zero value required")
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "5"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "6"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "7"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "8"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "9"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "10"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "11"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "12"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "13"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "14"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "15"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "16"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"bucket": "17"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+		})
+	})
+	t.Run("Delete", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "1", "bucket": "1"})
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testDeleteWithUser(nil, map[string]string{"bucket": "999"})
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeBucketDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "20", "bucket": "5"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "6", "bucket": "6"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "7", "bucket": "7"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "8", "bucket": "8"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "9", "bucket": "9"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "10", "bucket": "10"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "11", "bucket": "11"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "12", "bucket": "12"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "13", "bucket": "13"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "14", "bucket": "14"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "15", "bucket": "15"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "16", "bucket": "16"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "17", "bucket": "17"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+		})
+	})
+	t.Run("Create", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "1"}, `{"title":"Lorem Ipsum"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9999"}, `{"title":"Lorem Ipsum"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeListDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "20"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "6"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "7"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "8"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "10"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "11"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "12"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "13"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "14"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "15"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "16"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "17"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+		})
+	})
+}
--- a/pkg/integrations/link_sharing_test.go
+++ b/pkg/integrations/link_sharing_test.go
--- a/pkg/integrations/list_test.go
+++ b/pkg/integrations/list_test.go
@@ -0,0 +1,428 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/web/handler"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"net/url"
+	"testing"
+)
+
+func TestList(t *testing.T) {
+	testHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.List{}
+		},
+		t: t,
+	}
+	t.Run("ReadAll", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(nil, nil)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `Test1`)
+			assert.NotContains(t, rec.Body.String(), `Test2"`)
+			assert.Contains(t, rec.Body.String(), `Test3`) // Shared directly via users_list
+			assert.Contains(t, rec.Body.String(), `Test4`) // Shared via namespace
+			assert.NotContains(t, rec.Body.String(), `Test5`)
+			assert.NotContains(t, rec.Body.String(), `Test21`) // Archived through namespace
+			assert.NotContains(t, rec.Body.String(), `Test22`) // Archived directly
+		})
+		t.Run("Search", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(url.Values{"s": []string{"Test1"}}, nil)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `Test1`)
+			assert.NotContains(t, rec.Body.String(), `Test2`)
+			assert.NotContains(t, rec.Body.String(), `Test3`)
+			assert.NotContains(t, rec.Body.String(), `Test4`)
+			assert.NotContains(t, rec.Body.String(), `Test5`)
+		})
+		t.Run("Normal with archived lists", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(url.Values{"is_archived": []string{"true"}}, nil)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `Test1`)
+			assert.NotContains(t, rec.Body.String(), `Test2"`)
+			assert.Contains(t, rec.Body.String(), `Test3`) // Shared directly via users_list
+			assert.Contains(t, rec.Body.String(), `Test4`) // Shared via namespace
+			assert.NotContains(t, rec.Body.String(), `Test5`)
+			assert.Contains(t, rec.Body.String(), `Test21`) // Archived through namespace
+			assert.Contains(t, rec.Body.String(), `Test22`) // Archived directly
+		})
+	})
+	t.Run("ReadOne", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "1"})
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"Test1"`)
+			assert.NotContains(t, rec.Body.String(), `"title":"Test2"`)
+			assert.Contains(t, rec.Body.String(), `"owner":{"id":1,"username":"user1",`)
+			assert.NotContains(t, rec.Body.String(), `"owner":{"id":2,"username":"user2",`)
+			assert.NotContains(t, rec.Body.String(), `"tasks":`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "9999"})
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeListDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "20"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `You don't have the right to see this`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "6"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test6"`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "7"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test7"`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "8"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test8"`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "9"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test9"`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "10"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test10"`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "11"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test11"`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "12"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test12"`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "13"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test13"`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "14"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test14"`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "15"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test15"`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "16"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test16"`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testReadOneWithUser(nil, map[string]string{"list": "17"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Test17"`)
+			})
+		})
+	})
+	t.Run("Update", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			// Check the list was loaded successfully afterwards, see testReadOneWithUser
+			rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "1"}, `{"title":"TestLoremIpsum"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			// The description should not be updated but returned correctly
+			assert.Contains(t, rec.Body.String(), `description":"Lorem Ipsum`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "9999"}, `{"title":"TestLoremIpsum"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeListDoesNotExist)
+		})
+		t.Run("Normal with updating the description", func(t *testing.T) {
+			rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "1"}, `{"title":"TestLoremIpsum","description":"Lorem Ipsum dolor sit amet"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			assert.Contains(t, rec.Body.String(), `"description":"Lorem Ipsum dolor sit amet`)
+		})
+		t.Run("Empty title", func(t *testing.T) {
+			_, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "1"}, `{"title":""}`)
+			assert.Error(t, err)
+			assert.Contains(t, err.(*echo.HTTPError).Message.(models.ValidationHTTPError).InvalidFields, "title: non zero value required")
+		})
+		t.Run("Title too long", func(t *testing.T) {
+			_, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "1"}, `{"title":"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea taki"}`)
+			assert.Error(t, err)
+			assert.Contains(t, err.(*echo.HTTPError).Message.(models.ValidationHTTPError).InvalidFields[0], "does not validate as runelength(1|250)")
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "20"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "6"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "7"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "8"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "9"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "10"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "11"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "12"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "13"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "14"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "15"}, `{"title":"TestLoremIpsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "16"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"list": "17"}, `{"title":"TestLoremIpsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"TestLoremIpsum"`)
+			})
+		})
+	})
+	t.Run("Delete", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "1"})
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "999"})
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeListDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "20"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "6"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "7"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "8"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "9"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "10"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "11"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "12"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "13"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "14"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "15"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "16"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"list": "17"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"message":"Successfully deleted."`)
+			})
+		})
+	})
+	t.Run("Create", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			// Check the list was loaded successfully after update, see testReadOneWithUser
+			rec, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "1"}, `{"title":"Lorem"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"Lorem"`)
+			assert.Contains(t, rec.Body.String(), `"description":""`)
+			assert.Contains(t, rec.Body.String(), `"owner":{"id":1`)
+			assert.NotContains(t, rec.Body.String(), `"tasks":`)
+		})
+		t.Run("Normal with description", func(t *testing.T) {
+			rec, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "1"}, `{"title":"Lorem","description":"Lorem Ipsum"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"Lorem"`)
+			assert.Contains(t, rec.Body.String(), `"description":"Lorem Ipsum"`)
+			assert.Contains(t, rec.Body.String(), `"owner":{"id":1`)
+			assert.NotContains(t, rec.Body.String(), `"tasks":`)
+		})
+		t.Run("Nonexisting Namespace", func(t *testing.T) {
+			_, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "999999"}, `{"title":"Lorem"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeNamespaceDoesNotExist)
+		})
+		t.Run("Empty title", func(t *testing.T) {
+			_, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "1"}, `{"title":""}`)
+			assert.Error(t, err)
+			assert.Contains(t, err.(*echo.HTTPError).Message.(models.ValidationHTTPError).InvalidFields, "title: non zero value required")
+		})
+		t.Run("Title too long", func(t *testing.T) {
+			_, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "1"}, `{"title":"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea taki"}`)
+			assert.Error(t, err)
+			assert.Contains(t, err.(*echo.HTTPError).Message.(models.ValidationHTTPError).InvalidFields[0], "does not validate as runelength(1|250)")
+		})
+		t.Run("Rights check", func(t *testing.T) {
+
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "15"}, `{"title":"Lorem"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "7"}, `{"title":"Lorem"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "8"}, `{"title":"Lorem"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem"`)
+				assert.Contains(t, rec.Body.String(), `"description":""`)
+				assert.Contains(t, rec.Body.String(), `"owner":{"id":1`)
+				assert.NotContains(t, rec.Body.String(), `"tasks":`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "9"}, `{"title":"Lorem"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem"`)
+				assert.Contains(t, rec.Body.String(), `"description":""`)
+				assert.Contains(t, rec.Body.String(), `"owner":{"id":1`)
+				assert.NotContains(t, rec.Body.String(), `"tasks":`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "10"}, `{"title":"Lorem"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "11"}, `{"title":"Lorem"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem"`)
+				assert.Contains(t, rec.Body.String(), `"description":""`)
+				assert.Contains(t, rec.Body.String(), `"owner":{"id":1`)
+				assert.NotContains(t, rec.Body.String(), `"tasks":`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"namespace": "12"}, `{"title":"Lorem"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem"`)
+				assert.Contains(t, rec.Body.String(), `"description":""`)
+				assert.Contains(t, rec.Body.String(), `"owner":{"id":1`)
+				assert.NotContains(t, rec.Body.String(), `"tasks":`)
+			})
+		})
+	})
+}
--- a/pkg/integrations/login_test.go
+++ b/pkg/integrations/login_test.go
@@ -0,0 +1,65 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"code.vikunja.io/api/pkg/user"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestLogin(t *testing.T) {
+	t.Run("Normal login", func(t *testing.T) {
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{
+  "username": "user1",
+  "password": "1234"
+}`)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), "token")
+	})
+	t.Run("Empty payload", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
+	})
+	t.Run("Not existing user", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{
+  "username": "userWichDoesNotExist",
+  "password": "1234"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeWrongUsernameOrPassword)
+	})
+	t.Run("Wrong password", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{
+  "username": "user1",
+  "password": "wrong"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeWrongUsernameOrPassword)
+	})
+	t.Run("user with unconfirmed email", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.Login, `{
+  "username": "user5",
+  "password": "1234"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeEmailNotConfirmed)
+	})
+}
--- a/pkg/integrations/register_test.go
+++ b/pkg/integrations/register_test.go
@@ -0,0 +1,87 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"code.vikunja.io/api/pkg/user"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestRegister(t *testing.T) {
+	t.Run("normal register", func(t *testing.T) {
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{
+  "username": "newUser",
+  "password": "1234",
+  "email": "email@example.com"
+}`)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `"username":"newUser"`)
+	})
+	t.Run("Empty payload", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
+	})
+	t.Run("Empty username", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{
+  "username": "",
+  "password": "1234",
+  "email": "email@example.com"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
+	})
+	t.Run("Empty password", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{
+  "username": "newUser",
+  "password": "",
+  "email": "email@example.com"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
+	})
+	t.Run("Empty email", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{
+  "username": "newUser",
+  "password": "1234",
+  "email": ""
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
+	})
+	t.Run("Already existing username", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{
+  "username": "user1",
+  "password": "1234",
+  "email": "email@example.com"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrorCodeUsernameExists)
+	})
+	t.Run("Already existing email", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.RegisterUser, `{
+  "username": "newUser",
+  "password": "1234",
+  "email": "user1@example.com"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrorCodeUserEmailExists)
+	})
+}
--- a/pkg/integrations/task_collection_test.go
+++ b/pkg/integrations/task_collection_test.go
@@ -0,0 +1,442 @@
+// Copyright 2018-2020 Vikunja and contriubtors. All rights reserved.
+//
+// This file is part of Vikunja.
+//
+// Vikunja is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Vikunja is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Vikunja.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/web/handler"
+	"github.com/stretchr/testify/assert"
+	"net/url"
+	"testing"
+)
+
+func TestTaskCollection(t *testing.T) {
+	testHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.TaskCollection{}
+		},
+		t: t,
+	}
+	t.Run("ReadAll on list", func(t *testing.T) {
+
+		urlParams := map[string]string{"list": "1"}
+
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(nil, urlParams)
+			assert.NoError(t, err)
+			// Not using assert.Equal to avoid having the tests break every time we add new fixtures
+			assert.Contains(t, rec.Body.String(), `task #1`)
+			assert.Contains(t, rec.Body.String(), `task #2`)
+			assert.Contains(t, rec.Body.String(), `task #3`)
+			assert.Contains(t, rec.Body.String(), `task #4`)
+			assert.Contains(t, rec.Body.String(), `task #5`)
+			assert.Contains(t, rec.Body.String(), `task #6`)
+			assert.Contains(t, rec.Body.String(), `task #7`)
+			assert.Contains(t, rec.Body.String(), `task #8`)
+			assert.Contains(t, rec.Body.String(), `task #9`)
+			assert.Contains(t, rec.Body.String(), `task #10`)
+			assert.Contains(t, rec.Body.String(), `task #11`)
+			assert.Contains(t, rec.Body.String(), `task #12`)
+			assert.NotContains(t, rec.Body.String(), `task #13`)
+			assert.NotContains(t, rec.Body.String(), `task #14`)
+			assert.NotContains(t, rec.Body.String(), `task #15`) // Shared via team readonly
+			assert.NotContains(t, rec.Body.String(), `task #16`) // Shared via team write
+			assert.NotContains(t, rec.Body.String(), `task #17`) // Shared via team admin
+			assert.NotContains(t, rec.Body.String(), `task #18`) // Shared via user readonly
+			assert.NotContains(t, rec.Body.String(), `task #19`) // Shared via user write
+			assert.NotContains(t, rec.Body.String(), `task #20`) // Shared via user admin
+			assert.NotContains(t, rec.Body.String(), `task #21`) // Shared via namespace team readonly
+			assert.NotContains(t, rec.Body.String(), `task #22`) // Shared via namespace team write
+			assert.NotContains(t, rec.Body.String(), `task #23`) // Shared via namespace team admin
+			assert.NotContains(t, rec.Body.String(), `task #24`) // Shared via namespace user readonly
+			assert.NotContains(t, rec.Body.String(), `task #25`) // Shared via namespace user write
+			assert.NotContains(t, rec.Body.String(), `task #26`) // Shared via namespace user admin
+			assert.Contains(t, rec.Body.String(), `task #27`)
+			assert.Contains(t, rec.Body.String(), `task #28`)
+			assert.NotContains(t, rec.Body.String(), `task #32`)
+		})
+		t.Run("Search", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(url.Values{"s": []string{"task #6"}}, urlParams)
+			assert.NoError(t, err)
+			assert.NotContains(t, rec.Body.String(), `task #1`)
+			assert.NotContains(t, rec.Body.String(), `task #2`)
+			assert.NotContains(t, rec.Body.String(), `task #3`)
+			assert.NotContains(t, rec.Body.String(), `task #4`)
+			assert.NotContains(t, rec.Body.String(), `task #5`)
+			assert.Contains(t, rec.Body.String(), `task #6`)
+			assert.NotContains(t, rec.Body.String(), `task #7`)
+			assert.NotContains(t, rec.Body.String(), `task #8`)
+			assert.NotContains(t, rec.Body.String(), `task #9`)
+			assert.NotContains(t, rec.Body.String(), `task #10`)
+			assert.NotContains(t, rec.Body.String(), `task #11`)
+			assert.NotContains(t, rec.Body.String(), `task #12`)
+			assert.NotContains(t, rec.Body.String(), `task #13`)
+			assert.NotContains(t, rec.Body.String(), `task #14`)
+		})
+		t.Run("Search case insensitive", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(url.Values{"s": []string{"tASk #6"}}, urlParams)
+			assert.NoError(t, err)
+			assert.NotContains(t, rec.Body.String(), `task #1`)
+			assert.NotContains(t, rec.Body.String(), `task #2`)
+			assert.NotContains(t, rec.Body.String(), `task #3`)
+			assert.NotContains(t, rec.Body.String(), `task #4`)
+			assert.NotContains(t, rec.Body.String(), `task #5`)
+			assert.Contains(t, rec.Body.String(), `task #6`)
+			assert.NotContains(t, rec.Body.String(), `task #7`)
+			assert.NotContains(t, rec.Body.String(), `task #8`)
+			assert.NotContains(t, rec.Body.String(), `task #9`)
+			assert.NotContains(t, rec.Body.String(), `task #10`)
+			assert.NotContains(t, rec.Body.String(), `task #11`)
+			assert.NotContains(t, rec.Body.String(), `task #12`)
+			assert.NotContains(t, rec.Body.String(), `task #13`)
+			assert.NotContains(t, rec.Body.String(), `task #14`)
+		})
+		t.Run("Sort Order", func(t *testing.T) {
+			// TODO: Add more cases
+			// should equal priority asc
+			t.Run("by priority", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"priority"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":33,"title":"task #33 with percent done","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0.5,"identifier":"test1-17","index":17,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":1,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":4,"title":"task #4 low prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":1,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-4","index":4,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":3,"title":"task #3 high prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-3","index":3,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			t.Run("by priority desc", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"priority"}, "order_by": []string{"desc"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `[{"id":3,"title":"task #3 high prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-3","index":3,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":4,"title":"task #4 low prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":1`)
+			})
+			t.Run("by priority asc", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"priority"}, "order_by": []string{"asc"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":33,"title":"task #33 with percent done","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0.5,"identifier":"test1-17","index":17,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":1,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":4,"title":"task #4 low prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":1,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-4","index":4,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":3,"title":"task #3 high prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-3","index":3,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			// should equal duedate asc
+			t.Run("by due_date", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":6,"title":"task #6 lower due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-11-30T22:25:24Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-6","index":6,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":3,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			t.Run("by duedate desc", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}, "order_by": []string{"desc"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `[{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":6,"title":"task #6 lower due date`)
+			})
+			// Due date without unix suffix
+			t.Run("by duedate asc without  suffix", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}, "order_by": []string{"asc"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":6,"title":"task #6 lower due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-11-30T22:25:24Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-6","index":6,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":3,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			t.Run("by due_date without  suffix", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":6,"title":"task #6 lower due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-11-30T22:25:24Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-6","index":6,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":3,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			t.Run("by duedate desc without  suffix", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}, "order_by": []string{"desc"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `[{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":6,"title":"task #6 lower due date`)
+			})
+			t.Run("by duedate asc", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}, "order_by": []string{"asc"}}, urlParams)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":6,"title":"task #6 lower due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-11-30T22:25:24Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-6","index":6,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":3,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			t.Run("invalid sort parameter", func(t *testing.T) {
+				_, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"loremipsum"}}, urlParams)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeInvalidTaskField)
+			})
+			t.Run("invalid sort order", func(t *testing.T) {
+				_, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"id"}, "order_by": []string{"loremipsum"}}, urlParams)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeInvalidSortOrder)
+			})
+			t.Run("invalid parameter", func(t *testing.T) {
+				// Invalid parameter should not sort at all
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort": []string{"loremipsum"}}, urlParams)
+				assert.NoError(t, err)
+				assert.NotContains(t, rec.Body.String(), `[{"id":3,"title":"task #3 high prio","description":"","done":false,"due_date":0,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":0,"end_date":0,"assignees":null,"labels":null,"hex_color":"","created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}},{"id":4,"title":"task #4 low prio","description":"","done":false,"due_date":0,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":1`)
+				assert.NotContains(t, rec.Body.String(), `{"id":4,"title":"task #4 low prio","description":"","done":false,"due_date":0,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":1,"start_date":0,"end_date":0,"assignees":null,"labels":null,"hex_color":"","created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}},{"id":3,"title":"task #3 high prio","description":"","done":false,"due_date":0,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":0,"end_date":0,"assignees":null,"labels":null,"created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}}]`)
+				assert.NotContains(t, rec.Body.String(), `[{"id":5,"title":"task #5 higher due date","description":"","done":false,"due_date":1543636724,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":0,"end_date":0,"assignees":null,"labels":null,"hex_color":"","created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}},{"id":6,"title":"task #6 lower due date"`)
+				assert.NotContains(t, rec.Body.String(), `{"id":6,"title":"task #6 lower due date","description":"","done":false,"due_date":1543616724,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":0,"end_date":0,"assignees":null,"labels":null,"hex_color":"","created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}},{"id":5,"title":"task #5 higher due date","description":"","done":false,"due_date":1543636724,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":0,"end_date":0,"assignees":null,"labels":null,"created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}}]`)
+			})
+		})
+		t.Run("Filter", func(t *testing.T) {
+			t.Run("Date range", func(t *testing.T) {
+				t.Run("start and end date", func(t *testing.T) {
+					rec, err := testHandler.testReadAllWithUser(
+						url.Values{
+							"filter_by":         []string{"start_date", "end_date", "due_date"},
+							"filter_value":      []string{"2018-12-11T03:46:40+00:00", "2018-12-13T11:20:01+00:00", "2018-11-29T14:00:00+00:00"},
+							"filter_comparator": []string{"greater", "less", "greater"},
+						},
+						urlParams,
+					)
+					assert.NoError(t, err)
+					assert.NotContains(t, rec.Body.String(), `task #1`)
+					assert.NotContains(t, rec.Body.String(), `task #2`)
+					assert.NotContains(t, rec.Body.String(), `task #3`)
+					assert.NotContains(t, rec.Body.String(), `task #4`)
+					assert.Contains(t, rec.Body.String(), `task #5`)
+					assert.Contains(t, rec.Body.String(), `task #6`)
+					assert.Contains(t, rec.Body.String(), `task #7`)
+					assert.Contains(t, rec.Body.String(), `task #8`)
+					assert.Contains(t, rec.Body.String(), `task #9`)
+					assert.NotContains(t, rec.Body.String(), `task #10`)
+					assert.NotContains(t, rec.Body.String(), `task #11`)
+					assert.NotContains(t, rec.Body.String(), `task #12`)
+					assert.NotContains(t, rec.Body.String(), `task #13`)
+					assert.NotContains(t, rec.Body.String(), `task #14`)
+				})
+				t.Run("start date only", func(t *testing.T) {
+					rec, err := testHandler.testReadAllWithUser(
+						url.Values{
+							"filter_by":         []string{"start_date"},
+							"filter_value":      []string{"2018-10-20T01:46:40+00:00"},
+							"filter_comparator": []string{"greater"},
+						},
+						urlParams,
+					)
+					assert.NoError(t, err)
+					assert.NotContains(t, rec.Body.String(), `task #1`)
+					assert.NotContains(t, rec.Body.String(), `task #2`)
+					assert.NotContains(t, rec.Body.String(), `task #3`)
+					assert.NotContains(t, rec.Body.String(), `task #4`)
+					assert.NotContains(t, rec.Body.String(), `task #5`)
+					assert.NotContains(t, rec.Body.String(), `task #6`)
+					assert.Contains(t, rec.Body.String(), `task #7`)
+					assert.NotContains(t, rec.Body.String(), `task #8`)
+					assert.Contains(t, rec.Body.String(), `task #9`)
+					assert.NotContains(t, rec.Body.String(), `task #10`)
+					assert.NotContains(t, rec.Body.String(), `task #11`)
+					assert.NotContains(t, rec.Body.String(), `task #12`)
+					assert.NotContains(t, rec.Body.String(), `task #13`)
+					assert.NotContains(t, rec.Body.String(), `task #14`)
+				})
+				t.Run("end date only", func(t *testing.T) {
+					rec, err := testHandler.testReadAllWithUser(
+						url.Values{
+							"filter_by":         []string{"end_date"},
+							"filter_value":      []string{"2018-12-13T11:20:01+00:00"},
+							"filter_comparator": []string{"greater"},
+						},
+						urlParams,
+					)
+					assert.NoError(t, err)
+					// If no start date but an end date is specified, this should be null
+					// since we don't have any tasks in the fixtures with an end date >
+					// the current date.
+					assert.Equal(t, "[]\n", rec.Body.String())
+				})
+			})
+			t.Run("invalid date", func(t *testing.T) {
+				_, err := testHandler.testReadAllWithUser(
+					url.Values{
+						"filter_by":         []string{"due_date"},
+						"filter_value":      []string{"1540000000"},
+						"filter_comparator": []string{"greater"},
+					},
+					nil,
+				)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeInvalidTaskFilterValue)
+			})
+		})
+	})
+
+	t.Run("ReadAll for all tasks", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(nil, nil)
+			assert.NoError(t, err)
+			// Not using assert.Equal to avoid having the tests break every time we add new fixtures
+			assert.Contains(t, rec.Body.String(), `task #1`)
+			assert.Contains(t, rec.Body.String(), `task #2`)
+			assert.Contains(t, rec.Body.String(), `task #3`)
+			assert.Contains(t, rec.Body.String(), `task #4`)
+			assert.Contains(t, rec.Body.String(), `task #5`)
+			assert.Contains(t, rec.Body.String(), `task #6`)
+			assert.Contains(t, rec.Body.String(), `task #7`)
+			assert.Contains(t, rec.Body.String(), `task #8`)
+			assert.Contains(t, rec.Body.String(), `task #9`)
+			assert.Contains(t, rec.Body.String(), `task #10`)
+			assert.Contains(t, rec.Body.String(), `task #11`)
+			assert.Contains(t, rec.Body.String(), `task #12`)
+			assert.NotContains(t, rec.Body.String(), `task #13`)
+			assert.NotContains(t, rec.Body.String(), `task #14`)
+			assert.NotContains(t, rec.Body.String(), `task #13`)
+			assert.NotContains(t, rec.Body.String(), `task #14`)
+			assert.Contains(t, rec.Body.String(), `task #15`) // Shared via team readonly
+			assert.Contains(t, rec.Body.String(), `task #16`) // Shared via team write
+			assert.Contains(t, rec.Body.String(), `task #17`) // Shared via team admin
+			assert.Contains(t, rec.Body.String(), `task #18`) // Shared via user readonly
+			assert.Contains(t, rec.Body.String(), `task #19`) // Shared via user write
+			assert.Contains(t, rec.Body.String(), `task #20`) // Shared via user admin
+			assert.Contains(t, rec.Body.String(), `task #21`) // Shared via namespace team readonly
+			assert.Contains(t, rec.Body.String(), `task #22`) // Shared via namespace team write
+			assert.Contains(t, rec.Body.String(), `task #23`) // Shared via namespace team admin
+			assert.Contains(t, rec.Body.String(), `task #24`) // Shared via namespace user readonly
+			assert.Contains(t, rec.Body.String(), `task #25`) // Shared via namespace user write
+			assert.Contains(t, rec.Body.String(), `task #26`) // Shared via namespace user admin
+			// TODO: Add some cases where the user has access to the list, somhow shared
+		})
+		t.Run("Search", func(t *testing.T) {
+			rec, err := testHandler.testReadAllWithUser(url.Values{"s": []string{"task #6"}}, nil)
+			assert.NoError(t, err)
+			assert.NotContains(t, rec.Body.String(), `task #1`)
+			assert.NotContains(t, rec.Body.String(), `task #2`)
+			assert.NotContains(t, rec.Body.String(), `task #3`)
+			assert.NotContains(t, rec.Body.String(), `task #4`)
+			assert.NotContains(t, rec.Body.String(), `task #5`)
+			assert.Contains(t, rec.Body.String(), `task #6`)
+			assert.NotContains(t, rec.Body.String(), `task #7`)
+			assert.NotContains(t, rec.Body.String(), `task #8`)
+			assert.NotContains(t, rec.Body.String(), `task #9`)
+			assert.NotContains(t, rec.Body.String(), `task #10`)
+			assert.NotContains(t, rec.Body.String(), `task #11`)
+			assert.NotContains(t, rec.Body.String(), `task #12`)
+			assert.NotContains(t, rec.Body.String(), `task #13`)
+			assert.NotContains(t, rec.Body.String(), `task #14`)
+		})
+		t.Run("Sort Order", func(t *testing.T) {
+			// should equal priority asc
+			t.Run("by priority", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"priority"}}, nil)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":33,"title":"task #33 with percent done","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0.5,"identifier":"test1-17","index":17,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":1,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":4,"title":"task #4 low prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":1,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-4","index":4,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":3,"title":"task #3 high prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-3","index":3,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			t.Run("by priority desc", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"priority"}, "order_by": []string{"desc"}}, nil)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `[{"id":3,"title":"task #3 high prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-3","index":3,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":4,"title":"task #4 low prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":1`)
+			})
+			t.Run("by priority asc", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"priority"}, "order_by": []string{"asc"}}, nil)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":33,"title":"task #33 with percent done","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0.5,"identifier":"test1-17","index":17,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":1,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":4,"title":"task #4 low prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":1,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-4","index":4,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":3,"title":"task #3 high prio","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"0001-01-01T00:00:00Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-3","index":3,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			// should equal duedate asc
+			t.Run("by due_date", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}}, nil)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":6,"title":"task #6 lower due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-11-30T22:25:24Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-6","index":6,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":3,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			t.Run("by duedate desc", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}, "order_by": []string{"desc"}}, nil)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `[{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":6,"title":"task #6 lower due date`)
+			})
+			t.Run("by duedate asc", func(t *testing.T) {
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort_by": []string{"due_date"}, "order_by": []string{"asc"}}, nil)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `{"id":6,"title":"task #6 lower due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-11-30T22:25:24Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-6","index":6,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":3,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}},{"id":5,"title":"task #5 higher due date","description":"","done":false,"done_at":"0001-01-01T00:00:00Z","due_date":"2018-12-01T03:58:44Z","reminder_dates":null,"list_id":1,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":"0001-01-01T00:00:00Z","end_date":"0001-01-01T00:00:00Z","assignees":null,"labels":null,"hex_color":"","percent_done":0,"identifier":"test1-5","index":5,"related_tasks":{},"attachments":null,"created":"2018-12-01T01:12:04Z","updated":"2018-12-01T01:12:04Z","bucket_id":2,"position":0,"created_by":{"id":1,"username":"user1","created":"2018-12-01T15:13:12Z","updated":"2018-12-02T15:13:12Z"}}]`)
+			})
+			t.Run("invalid parameter", func(t *testing.T) {
+				// Invalid parameter should not sort at all
+				rec, err := testHandler.testReadAllWithUser(url.Values{"sort": []string{"loremipsum"}}, nil)
+				assert.NoError(t, err)
+				assert.NotContains(t, rec.Body.String(), `[{"id":3,"title":"task #3 high prio","description":"","done":false,"due_date":0,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":0,"end_date":0,"assignees":null,"labels":null,"hex_color":"","created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}},{"id":4,"title":"task #4 low prio","description":"","done":false,"due_date":0,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":1`)
+				assert.NotContains(t, rec.Body.String(), `{"id":4,"title":"task #4 low prio","description":"","done":false,"due_date":0,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":1,"start_date":0,"end_date":0,"assignees":null,"labels":null,"hex_color":"","created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}},{"id":3,"title":"task #3 high prio","description":"","done":false,"due_date":0,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":100,"start_date":0,"end_date":0,"assignees":null,"labels":null,"created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}}]`)
+				assert.NotContains(t, rec.Body.String(), `[{"id":5,"title":"task #5 higher due date","description":"","done":false,"due_date":1543636724,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":0,"end_date":0,"assignees":null,"labels":null,"hex_color":"","created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}},{"id":6,"title":"task #6 lower due date"`)
+				assert.NotContains(t, rec.Body.String(), `{"id":6,"title":"task #6 lower due date","description":"","done":false,"due_date":1543616724,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":0,"end_date":0,"assignees":null,"labels":null,"hex_color":"","created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}},{"id":5,"title":"task #5 higher due date","description":"","done":false,"due_date":1543636724,"reminder_dates":null,"repeat_after":0,"repeat_from_current_date":false,"priority":0,"start_date":0,"end_date":0,"assignees":null,"labels":null,"created":1543626724,"updated":1543626724,"created_by":{"id":0,"username":"","email":"","created":0,"updated":0}}]`)
+			})
+		})
+		t.Run("Filter", func(t *testing.T) {
+			t.Run("Date range", func(t *testing.T) {
+				t.Run("start and end date", func(t *testing.T) {
+					rec, err := testHandler.testReadAllWithUser(
+						url.Values{
+							"filter_by":         []string{"start_date", "end_date", "due_date"},
+							"filter_value":      []string{"2018-12-11T03:46:40+00:00", "2018-12-13T11:20:01+00:00", "2018-11-29T14:00:00+00:00"},
+							"filter_comparator": []string{"greater", "less", "greater"},
+						},
+						nil,
+					)
+					assert.NoError(t, err)
+					assert.NotContains(t, rec.Body.String(), `task #1`)
+					assert.NotContains(t, rec.Body.String(), `task #2`)
+					assert.NotContains(t, rec.Body.String(), `task #3`)
+					assert.NotContains(t, rec.Body.String(), `task #4`)
+					assert.Contains(t, rec.Body.String(), `task #5`)
+					assert.Contains(t, rec.Body.String(), `task #6`)
+					assert.Contains(t, rec.Body.String(), `task #7`)
+					assert.Contains(t, rec.Body.String(), `task #8`)
+					assert.Contains(t, rec.Body.String(), `task #9`)
+					assert.NotContains(t, rec.Body.String(), `task #10`)
+					assert.NotContains(t, rec.Body.String(), `task #11`)
+					assert.NotContains(t, rec.Body.String(), `task #12`)
+					assert.NotContains(t, rec.Body.String(), `task #13`)
+					assert.NotContains(t, rec.Body.String(), `task #14`)
+				})
+				t.Run("start date only", func(t *testing.T) {
+					rec, err := testHandler.testReadAllWithUser(
+						url.Values{
+							"filter_by":         []string{"start_date"},
+							"filter_value":      []string{"2018-10-20T01:46:40+00:00"},
+							"filter_comparator": []string{"greater"},
+						},
+						nil,
+					)
+					assert.NoError(t, err)
+					assert.NotContains(t, rec.Body.String(), `task #1`)
+					assert.NotContains(t, rec.Body.String(), `task #2`)
+					assert.NotContains(t, rec.Body.String(), `task #3`)
+					assert.NotContains(t, rec.Body.String(), `task #4`)
+					assert.NotContains(t, rec.Body.String(), `task #5`)
+					assert.NotContains(t, rec.Body.String(), `task #6`)
+					assert.Contains(t, rec.Body.String(), `task #7`)
+					assert.NotContains(t, rec.Body.String(), `task #8`)
+					assert.Contains(t, rec.Body.String(), `task #9`)
+					assert.NotContains(t, rec.Body.String(), `task #10`)
+					assert.NotContains(t, rec.Body.String(), `task #11`)
+					assert.NotContains(t, rec.Body.String(), `task #12`)
+					assert.NotContains(t, rec.Body.String(), `task #13`)
+					assert.NotContains(t, rec.Body.String(), `task #14`)
+				})
+				t.Run("end date only", func(t *testing.T) {
+					rec, err := testHandler.testReadAllWithUser(
+						url.Values{
+							"filter_by":         []string{"end_date"},
+							"filter_value":      []string{"2018-12-13T11:20:01+00:00"},
+							"filter_comparator": []string{"greater"},
+						},
+						nil,
+					)
+					assert.NoError(t, err)
+					// If no start date but an end date is specified, this should be null
+					// since we don't have any tasks in the fixtures with an end date >
+					// the current date.
+					assert.Equal(t, "[]\n", rec.Body.String())
+				})
+			})
+			t.Run("invalid date", func(t *testing.T) {
+				_, err := testHandler.testReadAllWithUser(
+					url.Values{
+						"filter_by":         []string{"due_date"},
+						"filter_value":      []string{"1540000000"},
+						"filter_comparator": []string{"greater"},
+					},
+					nil,
+				)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeInvalidTaskFilterValue)
+			})
+		})
+	})
+
+}
--- a/pkg/integrations/task_comment_test.go
+++ b/pkg/integrations/task_comment_test.go
@@ -0,0 +1,284 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/web/handler"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestTaskComments(t *testing.T) {
+	testHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.TaskComment{}
+		},
+		t: t,
+	}
+	// Only run specific nested tests:
+	// ^TestTaskComments$/^Update$/^Update_task_items$/^Removing_Assignees_null$
+	t.Run("Update", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "1", "commentid": "1"}, `{"comment":"Lorem Ipsum"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "99999", "commentid": "9999"}, `{"comment":"Lorem Ipsum"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeTaskDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "14", "commentid": "2"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "15", "commentid": "3"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "16", "commentid": "4"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "17", "commentid": "5"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "18", "commentid": "6"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "19", "commentid": "7"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "20", "commentid": "8"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "21", "commentid": "9"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "22", "commentid": "10"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "23", "commentid": "11"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "24", "commentid": "12"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "25", "commentid": "13"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"task": "26", "commentid": "14"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+		})
+	})
+	t.Run("Delete", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "1", "commentid": "1"})
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "99999", "commentid": "9999"})
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeTaskDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "14", "commentid": "2"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "15", "commentid": "3"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "16", "commentid": "4"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "17", "commentid": "5"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "18", "commentid": "6"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "19", "commentid": "7"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "20", "commentid": "8"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "21", "commentid": "9"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "22", "commentid": "10"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "23", "commentid": "11"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "24", "commentid": "12"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "25", "commentid": "13"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"task": "26", "commentid": "14"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+		})
+	})
+	t.Run("Create", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "1"}, `{"comment":"Lorem Ipsum"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "9999"}, `{"comment":"Lorem Ipsum"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeTaskDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "34"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "15"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "16"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "17"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "18"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "19"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "20"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "21"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "22"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "23"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "24"}, `{"comment":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "25"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"task": "26"}, `{"comment":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"comment":"Lorem Ipsum"`)
+			})
+		})
+	})
+}
--- a/pkg/integrations/task_test.go
+++ b/pkg/integrations/task_test.go
@@ -0,0 +1,492 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/web/handler"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestTask(t *testing.T) {
+	testHandler := webHandlerTest{
+		user: &testuser1,
+		strFunc: func() handler.CObject {
+			return &models.Task{}
+		},
+		t: t,
+	}
+	// Only run specific nested tests:
+	// ^TestTask$/^Update$/^Update_task_items$/^Removing_Assignees_null$
+	t.Run("Update", func(t *testing.T) {
+		t.Run("Update task items", func(t *testing.T) {
+			t.Run("Title", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+				assert.NotContains(t, rec.Body.String(), `"title":"task #1"`)
+			})
+			t.Run("Description", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"description":"Dolor sit amet"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"description":"Dolor sit amet"`)
+				assert.NotContains(t, rec.Body.String(), `"description":"Lorem Ipsum"`)
+			})
+			t.Run("Description to empty", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"description":""}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"description":""`)
+				assert.NotContains(t, rec.Body.String(), `"description":"Lorem Ipsum"`)
+			})
+			t.Run("Done", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"done":true}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"done":true`)
+				assert.NotContains(t, rec.Body.String(), `"done":false`)
+			})
+			t.Run("Undone", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "2"}, `{"done":false}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"done":false`)
+				assert.NotContains(t, rec.Body.String(), `"done":true`)
+			})
+			t.Run("Due date", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"due_date": "2020-02-10T10:00:00Z"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"due_date":"2020-02-10T10:00:00Z"`)
+				assert.NotContains(t, rec.Body.String(), `"due_date":0`)
+			})
+			t.Run("Due date unset", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "5"}, `{"due_date": null}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"due_date":"0001-01-01T00:00:00Z"`)
+				assert.NotContains(t, rec.Body.String(), `"due_date":"2020-02-10T10:00:00Z"`)
+			})
+			t.Run("Reminders", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"reminder_dates": ["2020-02-10T10:00:00Z","2020-02-11T10:00:00Z"]}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"reminder_dates":["2020-02-10T10:00:00Z","2020-02-11T10:00:00Z"]`)
+				assert.NotContains(t, rec.Body.String(), `"reminder_dates": null`)
+			})
+			t.Run("Reminders unset to empty array", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "27"}, `{"reminder_dates": []}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"reminder_dates":null`)
+				assert.NotContains(t, rec.Body.String(), `"reminder_dates":[1543626724,1543626824]`)
+			})
+			t.Run("Reminders unset to null", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "27"}, `{"reminder_dates": null}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"reminder_dates":null`)
+				assert.NotContains(t, rec.Body.String(), `"reminder_dates":[1543626724,1543626824]`)
+			})
+			t.Run("Repeat after", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"repeat_after":3600}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"repeat_after":3600`)
+				assert.NotContains(t, rec.Body.String(), `"repeat_after":0`)
+			})
+			t.Run("Repeat after unset", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "28"}, `{"repeat_after":0}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"repeat_after":0`)
+				assert.NotContains(t, rec.Body.String(), `"repeat_after":3600`)
+			})
+			t.Run("Repeat after update done", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "28"}, `{"done":true}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"done":false`)
+				assert.NotContains(t, rec.Body.String(), `"done":true`)
+			})
+			t.Run("Assignees", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"assignees":[{"id":1}]}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"assignees":[{"id":1`)
+				assert.NotContains(t, rec.Body.String(), `"assignees":[]`)
+			})
+			t.Run("Removing Assignees empty array", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "30"}, `{"assignees":[]}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"assignees":null`)
+				assert.NotContains(t, rec.Body.String(), `"assignees":[{"id":1`)
+			})
+			t.Run("Removing Assignees null", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "30"}, `{"assignees":null}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"assignees":null`)
+				assert.NotContains(t, rec.Body.String(), `"assignees":[{"id":1`)
+			})
+			t.Run("Priority", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"priority":100}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"priority":100`)
+				assert.NotContains(t, rec.Body.String(), `"priority":0`)
+			})
+			t.Run("Priority to 0", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "3"}, `{"priority":0}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"priority":0`)
+				assert.NotContains(t, rec.Body.String(), `"priority":100`)
+			})
+			t.Run("Start date", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"start_date":"2020-02-10T10:00:00Z"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"start_date":"2020-02-10T10:00:00Z"`)
+				assert.NotContains(t, rec.Body.String(), `"start_date":0`)
+			})
+			t.Run("Start date unset", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "7"}, `{"start_date":"0001-01-01T00:00:00Z"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"start_date":"0001-01-01T00:00:00Z"`)
+				assert.NotContains(t, rec.Body.String(), `"start_date":"2020-02-10T10:00:00Z"`)
+			})
+			t.Run("End date", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"end_date":"2020-02-10T12:00:00Z"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"end_date":"2020-02-10T12:00:00Z"`)
+				assert.NotContains(t, rec.Body.String(), `"end_date":""`)
+			})
+			t.Run("End date unset", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "8"}, `{"end_date":"0001-01-01T00:00:00Z"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"end_date":"0001-01-01T00:00:00Z"`)
+				assert.NotContains(t, rec.Body.String(), `"end_date":"2020-02-10T10:00:00Z"`)
+			})
+			t.Run("Color", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"hex_color":"f0f0f0"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"hex_color":"f0f0f0"`)
+				assert.NotContains(t, rec.Body.String(), `"hex_color":""`)
+			})
+			t.Run("Color unset", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "31"}, `{"hex_color":""}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"hex_color":""`)
+				assert.NotContains(t, rec.Body.String(), `"hex_color":"f0f0f0"`)
+			})
+			t.Run("Percent Done", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"percent_done":0.1}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"percent_done":0.1`)
+				assert.NotContains(t, rec.Body.String(), `"percent_done":0,`)
+			})
+			t.Run("Percent Done unset", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "33"}, `{"percent_done":0}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"percent_done":0,`)
+				assert.NotContains(t, rec.Body.String(), `"percent_done":0.1`)
+			})
+		})
+
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "99999"}, `{"title":"Lorem Ipsum"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeTaskDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "14"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "15"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "16"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "17"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "18"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "19"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "20"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "21"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "22"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "23"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "24"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "25"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "26"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+		})
+		t.Run("Move to other list", func(t *testing.T) {
+			t.Run("normal", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"list_id":7}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"list_id":7`)
+				assert.NotContains(t, rec.Body.String(), `"list_id":1`)
+			})
+			t.Run("Forbidden", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"list_id":20}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrorCodeGenericForbidden)
+			})
+			t.Run("Read Only", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"list_id":6}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrorCodeGenericForbidden)
+			})
+		})
+		t.Run("Bucket", func(t *testing.T) {
+			t.Run("Normal", func(t *testing.T) {
+				rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"bucket_id":2}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"bucket_id":2`)
+				assert.NotContains(t, rec.Body.String(), `"bucket_id":1`)
+			})
+			t.Run("Different List", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"bucket_id":4}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeBucketDoesNotBelongToList)
+			})
+			t.Run("Nonexisting Bucket", func(t *testing.T) {
+				_, err := testHandler.testUpdateWithUser(nil, map[string]string{"listtask": "1"}, `{"bucket_id":9999}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeBucketDoesNotExist)
+			})
+		})
+	})
+	t.Run("Delete", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "1"})
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "99999"})
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeTaskDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "14"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "15"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "16"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "17"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "18"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "19"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "20"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "21"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "22"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "23"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "24"})
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "25"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testDeleteWithUser(nil, map[string]string{"listtask": "26"})
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `Successfully deleted.`)
+			})
+		})
+	})
+	t.Run("Create", func(t *testing.T) {
+		t.Run("Normal", func(t *testing.T) {
+			rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "1"}, `{"title":"Lorem Ipsum"}`)
+			assert.NoError(t, err)
+			assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+		})
+		t.Run("Nonexisting", func(t *testing.T) {
+			_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9999"}, `{"title":"Lorem Ipsum"}`)
+			assert.Error(t, err)
+			assertHandlerErrorCode(t, err, models.ErrCodeListDoesNotExist)
+		})
+		t.Run("Rights check", func(t *testing.T) {
+			t.Run("Forbidden", func(t *testing.T) {
+				// Owned by user13
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "20"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "6"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via Team write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "7"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via Team admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "8"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via User readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "9"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via User write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "10"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via User admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "11"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceTeam readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "12"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceTeam write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "13"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceTeam admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "14"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+
+			t.Run("Shared Via NamespaceUser readonly", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "15"}, `{"title":"Lorem Ipsum"}`)
+				assert.Error(t, err)
+				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
+			})
+			t.Run("Shared Via NamespaceUser write", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "16"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+			t.Run("Shared Via NamespaceUser admin", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "17"}, `{"title":"Lorem Ipsum"}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"title":"Lorem Ipsum"`)
+			})
+		})
+		t.Run("Bucket", func(t *testing.T) {
+			t.Run("Normal", func(t *testing.T) {
+				rec, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "1"}, `{"title":"Lorem Ipsum","bucket_id":2}`)
+				assert.NoError(t, err)
+				assert.Contains(t, rec.Body.String(), `"bucket_id":2`)
+				assert.NotContains(t, rec.Body.String(), `"bucket_id":1`)
+			})
+			t.Run("Different List", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "1"}, `{"title":"Lorem Ipsum","bucket_id":4}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeBucketDoesNotBelongToList)
+			})
+			t.Run("Nonexisting Bucket", func(t *testing.T) {
+				_, err := testHandler.testCreateWithUser(nil, map[string]string{"list": "1"}, `{"title":"Lorem Ipsum","bucket_id":9999}`)
+				assert.Error(t, err)
+				assertHandlerErrorCode(t, err, models.ErrCodeBucketDoesNotExist)
+			})
+		})
+	})
+}
--- a/pkg/integrations/token_test.go
+++ b/pkg/integrations/token_test.go
@@ -0,0 +1,32 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestCheckToken(t *testing.T) {
+	t.Run("Normal test", func(t *testing.T) {
+		rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.CheckToken, &testuser1, "", nil, nil)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `🍵`)
+	})
+}
--- a/pkg/integrations/user_change_password_test.go
+++ b/pkg/integrations/user_change_password_test.go
@@ -0,0 +1,60 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"code.vikunja.io/api/pkg/user"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestUserChangePassword(t *testing.T) {
+	t.Run("Normal test", func(t *testing.T) {
+		rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserChangePassword, &testuser1, `{
+  "new_password": "12345",
+  "old_password": "1234"
+}`, nil, nil)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `The password was updated successfully.`)
+	})
+	t.Run("Wrong old password", func(t *testing.T) {
+		_, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserChangePassword, &testuser1, `{
+  "new_password": "12345",
+  "old_password": "invalid"
+}`, nil, nil)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeWrongUsernameOrPassword)
+	})
+	t.Run("Empty old password", func(t *testing.T) {
+		_, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserChangePassword, &testuser1, `{
+  "new_password": "12345",
+  "old_password": ""
+}`, nil, nil)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeEmptyOldPassword)
+	})
+	t.Run("Empty new password", func(t *testing.T) {
+		_, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserChangePassword, &testuser1, `{
+  "new_password": "",
+  "old_password": "1234"
+}`, nil, nil)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeEmptyNewPassword)
+	})
+}
--- a/pkg/integrations/user_confirm_email_test.go
+++ b/pkg/integrations/user_confirm_email_test.go
@@ -0,0 +1,50 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"code.vikunja.io/api/pkg/user"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestUserConfirmEmail(t *testing.T) {
+	t.Run("Normal test", func(t *testing.T) {
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": "tiepiQueed8ahc7zeeFe1eveiy4Ein8osooxegiephauph2Ael"}`)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `The email was confirmed successfully.`)
+	})
+	t.Run("Empty payload", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{}`)
+		assert.Error(t, err)
+		assert.Equal(t, http.StatusPreconditionFailed, err.(*echo.HTTPError).Code)
+		assertHandlerErrorCode(t, err, user.ErrCodeInvalidEmailConfirmToken)
+	})
+	t.Run("Empty token", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": ""}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeInvalidEmailConfirmToken)
+	})
+	t.Run("Invalid token", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserConfirmEmail, `{"token": "invalidToken"}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeInvalidEmailConfirmToken)
+	})
+}
--- a/pkg/integrations/user_list_test.go
+++ b/pkg/integrations/user_list_test.go
@@ -0,0 +1,45 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestUserList(t *testing.T) {
+	t.Run("Normal test", func(t *testing.T) {
+		rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser1, "", nil, nil)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `user1`)
+		assert.Contains(t, rec.Body.String(), `user2`)
+		assert.Contains(t, rec.Body.String(), `user3`)
+		assert.Contains(t, rec.Body.String(), `user4`)
+		assert.Contains(t, rec.Body.String(), `user5`)
+	})
+	t.Run("Search for user3", func(t *testing.T) {
+		rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser1, "", map[string][]string{"s": {"user3"}}, nil)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `user3`)
+		assert.NotContains(t, rec.Body.String(), `user1`)
+		assert.NotContains(t, rec.Body.String(), `user2`)
+		assert.NotContains(t, rec.Body.String(), `user4`)
+		assert.NotContains(t, rec.Body.String(), `user5`)
+	})
+}
--- a/pkg/integrations/user_password_request_token_test.go
+++ b/pkg/integrations/user_password_request_token_test.go
@@ -0,0 +1,49 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"code.vikunja.io/api/pkg/user"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestUserRequestResetPasswordToken(t *testing.T) {
+	t.Run("Normal requesting a password reset token", func(t *testing.T) {
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1@example.com"}`)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `Token was sent.`)
+	})
+	t.Run("Empty payload", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
+	})
+	t.Run("Invalid email address", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1example.com"}`)
+		assert.Error(t, err)
+		assert.Equal(t, http.StatusBadRequest, err.(*echo.HTTPError).Code)
+	})
+	t.Run("No user with that email address", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserRequestResetPasswordToken, `{"email": "user1000@example.com"}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeUserDoesNotExist)
+	})
+}
--- a/pkg/integrations/user_password_reset_test.go
+++ b/pkg/integrations/user_password_reset_test.go
@@ -0,0 +1,58 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"code.vikunja.io/api/pkg/user"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestUserPasswordReset(t *testing.T) {
+	t.Run("Normal password reset test", func(t *testing.T) {
+		rec, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{
+	"new_password": "1234",
+	"token": "passwordresettesttoken"
+}`)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `The password was updated successfully.`)
+	})
+	t.Run("Empty payload", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{}`)
+		assert.Error(t, err)
+		assert.Equal(t, http.StatusBadRequest, err.(*echo.HTTPError).Code)
+	})
+	t.Run("No new password", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{
+	"new_password": "",
+	"token": "passwordresettesttoken"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeNoUsernamePassword)
+	})
+	t.Run("Invalid password reset token", func(t *testing.T) {
+		_, err := newTestRequest(t, http.MethodPost, apiv1.UserResetPassword, `{
+	"new_password": "1234",
+	"token": "invalidtoken"
+}`)
+		assert.Error(t, err)
+		assertHandlerErrorCode(t, err, user.ErrCodeInvalidPasswordResetToken)
+	})
+}
--- a/pkg/integrations/user_show_test.go
+++ b/pkg/integrations/user_show_test.go
@@ -0,0 +1,34 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2020 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package integrations
+
+import (
+	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestUserShow(t *testing.T) {
+	t.Run("Normal test", func(t *testing.T) {
+		rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserShow, &testuser1, "", nil, nil)
+		assert.NoError(t, err)
+		assert.Contains(t, rec.Body.String(), `"id":1`)
+		assert.Contains(t, rec.Body.String(), `"username":"user1"`)
+		assert.NotContains(t, rec.Body.String(), `"email":""`)
+	})
+}
--- a/Show More
+++ b/Show More