mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-05-06 11:37:49 -05:00
Closed
opened 2026-04-23 09:19:44 -05:00 by GiteaMirror
·
0 comments
No Branch/Tag Specified
main
gh-readonly-queue/main/pr-2731-7800102f937efa5fbcec6262a1159beb4441caf7
feat-v2-foundation
spike-huma-openapi3
claude/investigate-swagger3-support-nyyUa
feat-list-view-buckets
ci-mysql-8-test
codex/analyze-codebase-for-email-task-feature
feat-project-templates
csv-import-feature
claude/email-reply-comments-wpdcQ
fix-oidc-pkce-support
fix/overview-subtasks-expand
feat/bucket-select-task-detail
feat-soft-delete-projects
claude/review-bot-design-plan-cf5C3
claude/project-scoped-api-tokens-KTqR3
claude/explore-openclaw-integration-KQEzg
claude/project-scoped-api-tokens-yv5KS
fix-duplicate-close-button
feat-list-view-sorting
feat/official-vite-sentry-plugin
feat/highlight-overdue-tasks
feat/add-enter-key-form-submission-handling
feat/TipTap-nits
feat/update-caldavtimetotimestamp-parsing
feat-phosphor-icons
wip-plans
claude/investigate-issue-2173-llKme
fix-description-text-drag
feat-custom-keyboard-shortcuts
pr-1845-ci
codex/fix-drag-and-drop-behavior-inconsistency
copilot/add-clickable-labels-for-filtering
copilot/fix-issue-1786
playwright-migration
fix-kanban-repeating-wip
copilot/fix-1498
feature/replace-axios
codex/upgrade-to-tailwind-4.1.8-using-pnpm
codex/add-cypress-test-for-avatar-types
feature/biome
feature/oxc
codex/update-flexsearch-to-0.8.205
4r6ni9-codex/fix-deprecated-sass-@import-usage
codex/fix-deprecated-sass-@import-usage
codex/add-cypress-test-for-task-list-refresh-fix
codex/fix-quick-add-magic-not-adding-tasks
codex/fix-all-type-errors
codex/fix-mimetype-for-docs.json
feature/caldav-from-scratch
feature/gh-actions-hetzner
fix-ci
feat/new-logger
jyte-better-dev-config
feat/add-team-member-with-enter
fix/button-and-icon-types
fix/notifications-component-name-collision
feature/null-time
renovate/tailwindcss-4.x
feature/unplugin-vue-router
fix/deprecated-import
feature/zod-schema
renovate/golangci-golangci-lint-1.x
fix/tiptap-editor-reactive-destructuring
release/0.24
feat/improve-add-task
fix/saved-filter-search
feat/webp-and-avif-attachment-previews
feature/migrate-back-to-bulma
fix/sass-add-missing-list-import
feature/sticky-demo-bar
fix/gantt-view-switch
feature/typesense-position-join
feature/focus-visible
dependencies/golangci-lint
feature/better-filter-syntax
fix/tiptap-task-list
renovate/github.com-golang-jwt-jwt-v4-5.x
feature/hide-forbidden-related-tasks
renovate/golang-1.x
release/0.20
release/0.17
release/0.16
release/0.15
release/0.14
v2.3.0
v2.2.2
v2.2.1
v2.2.0
v2.1.0
v2.0.0
v1.1.0
v1.0.0
v1.0.0-rc4
v1.0.0-rc3
v1.0.0-rc2
v1.0.0-rc1
v1.0.0-rc0
v0.24.6
v0.24.5
v0.24.4
v0.24.3
v0.24.2
v0.24.1
v0.24.0
v0.23.0
v0.22.1
v0.22.0
0.21.0
v0.21.0
v0.20.4
v0.20.5
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.2
v0.19.1
v0.19.0
vue3
v0.18.1
v0.18.0
v0.17.1
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.1
v0.13
v0.12
v0.11
v0.10
v0.9
v0.8
v0.7
v0.6
v0.5
v0.4
v0.3
v0.2
v0.1
Labels
Clear labels
area/api
area/attachments
area/auth
area/avatars
area/backup-restore
area/caldav
area/calendar-view
area/comments
area/config
area/database
area/desktop
area/docker
area/email
area/favorites
area/filters
area/frontend
area/gantt
area/i18n
area/import-export
area/internal-code
area/kanban
area/labels
area/list-view
area/mobile
area/notifications
area/permissions
area/projects
area/pwa
area/recurring-tasks
area/reminders
area/search
area/shortcuts
area/subtasks
area/sync
area/table-view
area/task-editor
area/task-metadata
area/task-relations
area/teams
area/theming
area/time-tracking
area/typesense
area/views
area/webhooks
bug
changes requested
concern/accessibility
concern/performance
concern/regression
concern/ux
confirmed
db/mysql
dependencies
enhancement
good first issue
help wanted
integration/inbound
integration/outbound
kind/bug
kind/feature
needs reproduction
pull-request
question
security
support
upstream issue
waiting for reply
wontfix
Mirrored from GitHub Pull Request
No Label
pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/vikunja#9988
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/go-vikunja/vikunja/pull/2444
Author: @tink-bot
Created: 3/23/2026
Status: ✅ Merged
Merged: 3/23/2026
Merged by: @kolaente
Base:
main← Head:fix-disabled-user-auth-bypass📝 Commits (10+)
75a6c49feat(user): add ErrAccountLocked error typec5fb0b1fix(user): reject disabled/locked users in getUser by default80666bdfix(user): handle status errors in pkg/user callers, remove redundant checksd76129ffix(user): handle status errors across the codebase, remove redundant checks67e0e6afix(auth): reject disabled/locked users in OIDC callback453bb5ctest: add API token fixture for disabled usercbd1859test: verify disabled user's API token is rejected58cbd02test: verify disabled user is rejected via CalDAV authc3dbf57test: verify GetUserByID rejects disabled users and returns user with error8c0dcfbfix(auth): reject disabled/locked users in API token middleware📊 Changes
19 files changed (+171 additions, -53 deletions)
View changed files
📝
pkg/cmd/user.go(+2 -2)📝
pkg/db/fixtures/api_tokens.yml(+10 -0)📝
pkg/models/project_users.go(+2 -2)📝
pkg/models/team_members.go(+2 -2)📝
pkg/models/team_members_permissions.go(+1 -1)📝
pkg/modules/auth/ldap/ldap.go(+1 -1)📝
pkg/modules/auth/openid/openid.go(+24 -4)📝
pkg/routes/api/v1/avatar.go(+2 -2)📝
pkg/routes/api/v1/login.go(+10 -11)📝
pkg/routes/api_tokens.go(+4 -0)📝
pkg/routes/caldav/auth.go(+3 -0)📝
pkg/user/error.go(+27 -0)📝
pkg/user/user.go(+24 -9)📝
pkg/user/user_create.go(+1 -1)📝
pkg/user/user_email_confirm.go(+2 -6)📝
pkg/user/user_password_reset.go(+4 -12)📝
pkg/user/user_test.go(+25 -0)📝
pkg/webtests/api_tokens_test.go(+15 -0)📝
pkg/webtests/caldav_test.go(+12 -0)📄 Description
Disabled/locked user accounts could still authenticate via API tokens, CalDAV basic auth, and OpenID Connect because only the login and token refresh paths checked user status.
Adds a status check in
getUserthat returnsErrAccountDisabledorErrAccountLocked(new error type) alongside the full user object. Callers that need disabled users discard the error explicitly; all others propagate it automatically. Redundant manual status checks in token refresh, password reset, and email confirmation are removed.GHSA-94xm-jj8x-3cr4
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.