[PR #1848] [MERGED] fix: prevent panic in webhook listener when fetching project #5274

New Issue

Closed

opened 2026-04-16 13:32:43 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-16 13:32:43 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/1848
Author: @Copilot
Created: 11/19/2025
Status: ✅ Merged
Merged: 11/19/2025
Merged by: @kolaente

Base: main ← Head: copilot/fix-webhook-panic-issue

---

📝 Commits (3)

• 3e83a82 Initial plan
• a380abc fix: use webhook.ProjectID instead of webhook.CreatedByID and add nil check
• f79c5e2 Complete webhook panic fix

📊 Changes

2 files changed (+9 additions, -11 deletions)

View changed files

📝 go.sum (+0 -4)
📝 pkg/models/listeners.go (+9 -7)

📄 Description

Webhook listener panics with "invalid memory address or nil pointer dereference" when the webhook's creator user ID doesn't correspond to an existing project ID.

Changes

• Use webhook.ProjectID instead of webhook.CreatedByID when fetching project for webhook payload
• Add nil check before calling project.ReadOne() to prevent panic when project lookup fails

// Before: incorrectly used user ID to fetch project
project, err := GetProjectSimpleByID(s, webhook.CreatedByID)
// ... error handling ...
err = project.ReadOne(s, &user.User{ID: doerID})  // panic if project is nil

// After: use correct project ID with nil guard
project, err := GetProjectSimpleByID(s, webhook.ProjectID)
if err != nil && !IsErrProjectDoesNotExist(err) {
    log.Errorf("Could not load project for webhook %d: %s", webhook.ID, err)
}
if project != nil {
    err = project.ReadOne(s, &user.User{ID: doerID})
    // ... rest of logic ...
}

Original prompt

---

This section details on the original issue you should resolve

<issue_title>panic on webhook when not having a project with the id same as webhook creator</issue_title>
<issue_description>### Description

I'm testing whether go-vikunja/vikunja#1724 was fixed and then found out the webhook trigger time turn from 3 to 0.

ERROR log was found.

Error while handling message f0555d8c-8673-4d72-bbed-87e335be2a7b, reason_poisoned=panic occurred: "invalid memory address or nil pointer dereference", stacktrace:
goroutine 492 [running]:
runtime/debug.Stack()
        /go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.4.linux-amd64/src/runtime/debug/stack.go:26 +0x5e
github.com/ThreeDotsLabs/watermill/message/router/middleware.Recoverer.func1.1()
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/recoverer.go:29 +0x50
panic({0x1bca960?, 0x3a0a910?})
        /go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.4.linux-amd64/src/runtime/panic.go:783 +0x132
code.vikunja.io/api/pkg/models.(*Project).ReadOne(0xc00163b380?, 0x1?, {0x2b967c0?, 0xc001599848?})
        /go/src/code.vikunja.io/api/pkg/models/project.go:282 +0x1c
code.vikunja.io/api/pkg/models.(*WebhookListener).Handle(0xc000b80130, 0xc000c81b60)
        /go/src/code.vikunja.io/api/pkg/models/listeners.go:1026 +0x87c
github.com/ThreeDotsLabs/watermill/message.(*Router).AddConsumerHandler.func1(0x5715e4?)
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router.go:349 +0x17
github.com/ThreeDotsLabs/watermill/message/router/middleware.Recoverer.func1(0xc001599b3c?)
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/recoverer.go:33 +0x70
github.com/ThreeDotsLabs/watermill/message/router/middleware.Retry.Middleware-fm.Retry.Middleware.func1.2()
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/retry.go:104 +0x9e
github.com/cenkalti/backoff/v5.Retry[...]({0x2ba73a0?, 0xc0008804b0}, 0xc000eb0fc0, {0xc000d20820, 0x4, 0x481e05})
        /go/pkg/mod/github.com/cenkalti/backoff/v5@v5.0.3/retry.go:87 +0x207
github.com/ThreeDotsLabs/watermill/message/router/middleware.Retry.Middleware-fm.Retry.Middleware.func1(0xc000c81b60)
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/retry.go:127 +0x351
github.com/ThreeDotsLabs/watermill/message/router/middleware.poisonQueue.Middleware-fm.poisonQueue.Middleware.func1(0x1c49ac0?)
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/poison.go:100 +0xa2
github.com/ThreeDotsLabs/watermill/components/metrics.HandlerPrometheusMetricsMiddleware.Middleware-fm.HandlerPrometheusMetricsMiddleware.Middleware.func1(0xc000c81b60)
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/components/metrics/handler.go:62 +0x2e8
github.com/ThreeDotsLabs/watermill/message.(*handler).handleMessage(0xc0006cc0d0, 0xc000c81b60, 0xc000b68270)
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router.go:824 +0x1cc
created by github.com/ThreeDotsLabs/watermill/message.(*handler).run in goroutine 322
        /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router.go:670 +0x2a8
, topic_poisoned=task.updated, handler_poisoned=task.updated.webhook.listener, subscriber_poisoned=gochannel.GoChannel,  payload=**REDACATED**

79aaa2a906/pkg/models/listeners.go (L1022)

It should be webhook.ProjectID not webhook.CreatedByID

79aaa2a906/pkg/models/listeners.go (L1022-L1026)

The project may be nil, causing 79aaa2a906/pkg/models/project.go (L282) p.ID panic.

Vikunja Version

v1.0.0-rc2-302-5f795bb5

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

Yes

Screenshots

No response</issue_description>

<agent_instructions>The issue description already contains the analysis and a potential fix, implement that fix</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes go-vikunja/vikunja#1847

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/1848 **Author:** [@Copilot](https://github.com/apps/copilot-swe-agent) **Created:** 11/19/2025 **Status:** ✅ Merged **Merged:** 11/19/2025 **Merged by:** [@kolaente](https://github.com/kolaente) **Base:** `main` ← **Head:** `copilot/fix-webhook-panic-issue` --- ### 📝 Commits (3) - [`3e83a82`](https://github.com/go-vikunja/vikunja/commit/3e83a823be29508dab8ef3fd1c3597070f5b6c15) Initial plan - [`a380abc`](https://github.com/go-vikunja/vikunja/commit/a380abcb9b76928764c9f2d98519f3a53e457974) fix: use webhook.ProjectID instead of webhook.CreatedByID and add nil check - [`f79c5e2`](https://github.com/go-vikunja/vikunja/commit/f79c5e280f295f37f173de0a71522b3919cc67ed) Complete webhook panic fix ### 📊 Changes **2 files changed** (+9 additions, -11 deletions) <details> <summary>View changed files</summary> 📝 `go.sum` (+0 -4) 📝 `pkg/models/listeners.go` (+9 -7) </details> ### 📄 Description Webhook listener panics with "invalid memory address or nil pointer dereference" when the webhook's creator user ID doesn't correspond to an existing project ID. ### Changes - Use `webhook.ProjectID` instead of `webhook.CreatedByID` when fetching project for webhook payload - Add nil check before calling `project.ReadOne()` to prevent panic when project lookup fails ```go // Before: incorrectly used user ID to fetch project project, err := GetProjectSimpleByID(s, webhook.CreatedByID) // ... error handling ... err = project.ReadOne(s, &user.User{ID: doerID}) // panic if project is nil // After: use correct project ID with nil guard project, err := GetProjectSimpleByID(s, webhook.ProjectID) if err != nil && !IsErrProjectDoesNotExist(err) { log.Errorf("Could not load project for webhook %d: %s", webhook.ID, err) } if project != nil { err = project.ReadOne(s, &user.User{ID: doerID}) // ... rest of logic ... } ``` <!-- START COPILOT CODING AGENT SUFFIX --> <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>panic on webhook when not having a project with the id same as webhook creator</issue_title> > <issue_description>### Description > > I'm testing whether go-vikunja/vikunja#1724 was fixed and then found out the webhook trigger time turn from 3 to 0. > > ERROR log was found. > > ``` > Error while handling message f0555d8c-8673-4d72-bbed-87e335be2a7b, reason_poisoned=panic occurred: "invalid memory address or nil pointer dereference", stacktrace: > goroutine 492 [running]: > runtime/debug.Stack() > /go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.4.linux-amd64/src/runtime/debug/stack.go:26 +0x5e > github.com/ThreeDotsLabs/watermill/message/router/middleware.Recoverer.func1.1() > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/recoverer.go:29 +0x50 > panic({0x1bca960?, 0x3a0a910?}) > /go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.4.linux-amd64/src/runtime/panic.go:783 +0x132 > code.vikunja.io/api/pkg/models.(*Project).ReadOne(0xc00163b380?, 0x1?, {0x2b967c0?, 0xc001599848?}) > /go/src/code.vikunja.io/api/pkg/models/project.go:282 +0x1c > code.vikunja.io/api/pkg/models.(*WebhookListener).Handle(0xc000b80130, 0xc000c81b60) > /go/src/code.vikunja.io/api/pkg/models/listeners.go:1026 +0x87c > github.com/ThreeDotsLabs/watermill/message.(*Router).AddConsumerHandler.func1(0x5715e4?) > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router.go:349 +0x17 > github.com/ThreeDotsLabs/watermill/message/router/middleware.Recoverer.func1(0xc001599b3c?) > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/recoverer.go:33 +0x70 > github.com/ThreeDotsLabs/watermill/message/router/middleware.Retry.Middleware-fm.Retry.Middleware.func1.2() > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/retry.go:104 +0x9e > github.com/cenkalti/backoff/v5.Retry[...]({0x2ba73a0?, 0xc0008804b0}, 0xc000eb0fc0, {0xc000d20820, 0x4, 0x481e05}) > /go/pkg/mod/github.com/cenkalti/backoff/v5@v5.0.3/retry.go:87 +0x207 > github.com/ThreeDotsLabs/watermill/message/router/middleware.Retry.Middleware-fm.Retry.Middleware.func1(0xc000c81b60) > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/retry.go:127 +0x351 > github.com/ThreeDotsLabs/watermill/message/router/middleware.poisonQueue.Middleware-fm.poisonQueue.Middleware.func1(0x1c49ac0?) > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router/middleware/poison.go:100 +0xa2 > github.com/ThreeDotsLabs/watermill/components/metrics.HandlerPrometheusMetricsMiddleware.Middleware-fm.HandlerPrometheusMetricsMiddleware.Middleware.func1(0xc000c81b60) > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/components/metrics/handler.go:62 +0x2e8 > github.com/ThreeDotsLabs/watermill/message.(*handler).handleMessage(0xc0006cc0d0, 0xc000c81b60, 0xc000b68270) > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router.go:824 +0x1cc > created by github.com/ThreeDotsLabs/watermill/message.(*handler).run in goroutine 322 > /go/pkg/mod/github.com/!three!dots!labs/watermill@v1.5.1/message/router.go:670 +0x2a8 > , topic_poisoned=task.updated, handler_poisoned=task.updated.webhook.listener, subscriber_poisoned=gochannel.GoChannel, payload=**REDACATED** > ``` > > https://github.com/go-vikunja/vikunja/blob/79aaa2a906d960b4f14571b79363d3a1a731c426/pkg/models/listeners.go#L1022 > > It should be `webhook.ProjectID` not `webhook.CreatedByID` > > https://github.com/go-vikunja/vikunja/blob/79aaa2a906d960b4f14571b79363d3a1a731c426/pkg/models/listeners.go#L1022-L1026 > > The `project` may be nil, causing https://github.com/go-vikunja/vikunja/blob/79aaa2a906d960b4f14571b79363d3a1a731c426/pkg/models/project.go#L282 `p.ID` panic. > > ### Vikunja Version > > v1.0.0-rc2-302-5f795bb5 > > ### Browser and version > > _No response_ > > ### Can you reproduce the bug on the Vikunja demo site? > > Yes > > ### Screenshots > > _No response_</issue_description> > > <agent_instructions>The issue description already contains the analysis and a potential fix, implement that fix</agent_instructions> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details> - Fixes go-vikunja/vikunja#1847 <!-- START COPILOT CODING AGENT TIPS --> --- ✨ Let Copilot coding agent [set things up for you](https://github.com/go-vikunja/vikunja/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-04-16 13:32:43 -05:00

GiteaMirror closed this issue 2026-04-16 13:32:43 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat-v2-route-registry

feat-project-templates

claude/veans-question-xBFkq

fix-list-sort-resets

feat-mcp

spike-huma-openapi3

claude/investigate-swagger3-support-nyyUa

feat-list-view-buckets

ci-mysql-8-test

codex/analyze-codebase-for-email-task-feature

csv-import-feature

claude/email-reply-comments-wpdcQ

fix-oidc-pkce-support

fix/overview-subtasks-expand

feat/bucket-select-task-detail

feat-soft-delete-projects

claude/review-bot-design-plan-cf5C3

claude/project-scoped-api-tokens-KTqR3

claude/explore-openclaw-integration-KQEzg

claude/project-scoped-api-tokens-yv5KS

fix-duplicate-close-button

feat-list-view-sorting

feat/official-vite-sentry-plugin

feat/highlight-overdue-tasks

feat/add-enter-key-form-submission-handling

feat/TipTap-nits

feat/update-caldavtimetotimestamp-parsing

feat-phosphor-icons

wip-plans

claude/investigate-issue-2173-llKme

fix-description-text-drag

feat-custom-keyboard-shortcuts

pr-1845-ci

codex/fix-drag-and-drop-behavior-inconsistency

copilot/add-clickable-labels-for-filtering

copilot/fix-issue-1786

playwright-migration

fix-kanban-repeating-wip

copilot/fix-1498

feature/replace-axios

codex/upgrade-to-tailwind-4.1.8-using-pnpm

codex/add-cypress-test-for-avatar-types

feature/biome

feature/oxc

codex/update-flexsearch-to-0.8.205

4r6ni9-codex/fix-deprecated-sass-@import-usage

codex/fix-deprecated-sass-@import-usage

codex/add-cypress-test-for-task-list-refresh-fix

codex/fix-quick-add-magic-not-adding-tasks

codex/fix-all-type-errors

codex/fix-mimetype-for-docs.json

feature/caldav-from-scratch

feature/gh-actions-hetzner

fix-ci

feat/new-logger

jyte-better-dev-config

feat/add-team-member-with-enter

fix/button-and-icon-types

fix/notifications-component-name-collision

feature/null-time

renovate/tailwindcss-4.x

feature/unplugin-vue-router

fix/deprecated-import

feature/zod-schema

renovate/golangci-golangci-lint-1.x

fix/tiptap-editor-reactive-destructuring

release/0.24

feat/improve-add-task

fix/saved-filter-search

feat/webp-and-avif-attachment-previews

feature/migrate-back-to-bulma

fix/sass-add-missing-list-import

feature/sticky-demo-bar

fix/gantt-view-switch

feature/typesense-position-join

feature/focus-visible

dependencies/golangci-lint

feature/better-filter-syntax

fix/tiptap-task-list

renovate/github.com-golang-jwt-jwt-v4-5.x

feature/hide-forbidden-related-tasks

renovate/golang-1.x

release/0.20

release/0.17

release/0.16

release/0.15

release/0.14

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.0

v1.1.0

v1.0.0

v1.0.0-rc4

v1.0.0-rc3

v1.0.0-rc2

v1.0.0-rc1

v1.0.0-rc0

v0.24.6

v0.24.5

v0.24.4

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.0

v0.22.1

v0.22.0

0.21.0

v0.21.0

v0.20.4

v0.20.5

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.2

v0.19.1

v0.19.0

vue3

v0.18.1

v0.18.0

v0.17.1

v0.17.0

v0.16.1

v0.16.0

v0.15.1

v0.15.0

v0.14.1

v0.14.0

v0.13.1

v0.13

v0.12

v0.11

v0.10

v0.9

v0.8

v0.7

v0.6

v0.5

v0.4

v0.3

v0.2

v0.1

Labels

Clear labels

area/api

area/attachments

area/auth

area/avatars

area/backup-restore

area/caldav

area/calendar-view

area/comments

area/config

area/database

area/desktop

area/docker

area/email

area/favorites

area/filters

area/frontend

area/gantt

area/i18n

area/import-export

area/internal-code

area/kanban

area/labels

area/list-view

area/mobile

area/notifications

area/permissions

area/projects

area/pwa

area/recurring-tasks

area/reminders

area/search

area/shortcuts

area/subtasks

area/sync

area/table-view

area/task-editor

area/task-metadata

area/task-relations

area/teams

area/theming

area/time-tracking

area/typesense

area/views

area/webhooks

bug

changes requested

concern/accessibility

concern/performance

concern/regression

concern/ux

confirmed

db/mysql

dependencies

enhancement

good first issue

help wanted

integration/inbound

integration/outbound

kind/bug

kind/feature

needs reproduction

pull-request

Mirrored from GitHub Pull Request

question

security

support

upstream issue

waiting for reply

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vikunja#5274