Closed requ1Re closed 1 month ago
/routes
is not supposed to work, as there is no permission for it. The route is only really used for the form in the frontend when creating a token.
Should the project background be a separate permission or an existing one like project read?
It should probably be part of the project read permission. I would've guessed API keys with "full permissions" (aka. all permission checkboxes checked) would have access to everything anyways.
I think there was another route (not /routes
) which had the same error, I am not sure which it was though.
Now fixed in https://github.com/go-vikunja/vikunja/commit/99a67e09b14f40ffddf7761da69275349a196541. There are now new permissions for all routes, except user settings. Please check with the next unstable build (should be ready for deployment in ~45min, also on try).
Description
While testing the API, I found out that multiple routes return
missing, malformed, expired or otherwise invalid token provided
errors (status code 401) even if you use valid, full-permission API tokens. For example, getting a project background (usingGET /api/v1/projects/{id}/background
) does always yield me this error, even on thetry.vikunja.io
-instance and if the project has an user-uploaded background. Another route which does not work is/api/v1/routes
, for example. I think there are even more than that.There was a similar issue, but that has since been closed as completed: #105
Vikunja Version
v0.23.0
Browser and version
n/a
Can you reproduce the bug on the Vikunja demo site?
Yes
Screenshots