go-vikunja / vikunja

Mirror of vikunja from https://code.vikunja.io/api
GNU Affero General Public License v3.0

403 Forbidding when moving tasks #267

Closed GoliathLabs closed 5 months ago

GoliathLabs commented 5 months ago

Description

I'm getting a 403 when I try to move a task in a Kanban board. I have admin rights and I'm a member of the team. The problem can usually be solved by removing the user and adding them back to the team.

I'm using OIDC (Authentik) for authentication

Vikunja Version

Version: v0.23.0+656-e618becdf4

Browser and version

Firefox 126.0.1 (64-bit)

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

[screenshot attached: image (1)]

kolaente commented 5 months ago

> The problem can usually be solved by removing the user and adding them back to the team.

Does that reproduce it reliably?

What did you try to reproduce it on the demo instance? Since that runs the latest unstable build, it should be reproducible there, as on your instance.

Can you provide exact steps to reproduce the problem?

GoliathLabs commented 5 months ago

> The problem can usually be solved by removing the user and adding them back to the team.
>
> Does that reproduce it reliably?
>
> What did you try to reproduce it on the demo instance? Since that runs the latest unstable build, it should be reproducible there, as on your instance.
>
> Can you provide exact steps to reproduce the problem?

The problem occurs from time to time. Removing and re-adding the user to the team sometimes helps.

I've attached my configuration below, omitting sensitive values.

We have several projects. Access to these projects is managed through a team to which the OIDC users are added if necessary. We also have some team-independent boards where users are added directly from the project settings.

We use the latest Authentik 2024.4.2 with the normal OIDC configuration.

After a few days and some logouts/logins, the problem occurs for some users.

```yaml
service:
  # This token is used to verify issued JWT tokens.
  # Default is a random token which will be generated at each startup of vikunja.
  # (This means all already issued tokens will be invalid once you restart vikunja)
  JWTSecret: "redacted"
  # The public facing URL where your users can reach Vikunja. Used in emails and for the communication between api and frontend.
  publicurl: "https://tasks.example.com"
  # Whether to let new users register themselves or not
  enableregistration: false
  # The time zone all timestamps are in. Please note that time zones have to use [the official tz database names](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). UTC or GMT offsets won't work.
  timezone: Europe/Berlin
  # Whether task comments should be enabled or not
  enabletaskcomments: true
  # Whether totp is enabled. In most cases you want to leave that enabled.
  enabletotp: true
  # If enabled, vikunja will send an email to everyone who is either assigned to a task or created it when a task reminder
  # is due.
  enableemailreminders: true
  # If true, will allow users to request the complete deletion of their account. When using external authentication methods
  # it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
  # for user deletion.
  enableuserdeletion: true
  # The maximum size clients will be able to request for user avatars.
  # If clients request a size bigger than this, it will be changed on the fly.
  maxavatarsize: 1024
  # Allow changing the logo and other icons based on various occasions throughout the year.
  allowiconchanges: true
  # Allow using a custom logo via external URL.
  customlogourl: 'https://example.com/Logo.png'
  # Enables the public team feature. If enabled, it is possible to configure teams to be public, which makes them
  # discoverable when sharing a project, therefore not only showing teams the user is member of.
  enablepublicteams: true

database:
  # Database type to use. Supported values are mysql, postgres and sqlite. Vikunja is able to run with MySQL 8.0+, Mariadb 10.2+, PostgreSQL 12+, and sqlite.
  type: "mysql"
  # Database user which is used to connect to the database.
  user: "vikunja"
  # Database password
  password: "redacted"
  # Database host
  host: "db"
  # Database to use
  database: "vikunja"

redis:
  # Whether to enable redis or not
  enabled: true
  # The host of the redis server including its port.
  host: 'redis:6379'
  # The password used to authenticate against the redis server
  password: ''
  # 0 means default database
  db: 0

cors:
  # Whether to enable or disable cors headers.
  # Note: If you want to put the frontend and the api on separate domains or ports, you will need to enable this.
  #       Otherwise the frontend won't be able to make requests to the api through the browser.
  enable: false
  # A list of origins which may access the api. These need to include the protocol (`http://` or `https://`) and port, if any.
  origins:
    - "*"
  # How long (in seconds) the results of a preflight request can be cached.
  maxage: 0

mailer:
  # Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
  enabled: true
  # SMTP Host
  host: "mail.example.com"
  # SMTP Host port.
  # **NOTE:** If you're unable to send mail and the only error you see in the logs is an `EOF`, try setting the port to `25`.
  port: 587
  # SMTP Auth Type. Can be either `plain`, `login` or `cram-md5`.
  authtype: "login"
  # SMTP username
  username: "no-reply@example.com"
  # SMTP password
  password: "redacted"
  # Whether to skip verification of the tls certificate on the server
  skiptlsverify: false
  # The default from address when sending emails
  fromemail: "no-reply@example.com"
  # The length of the mail queue.
  queuelength: 100
  # The timeout in seconds after which the current open connection to the mailserver will be closed.
  queuetimeout: 30
  # By default, vikunja will try to connect with starttls, use this option to force it to use ssl.
  forcessl: false

auth:
  local:
    enabled: false
  openid:
    enabled: true
    redirecturl: "https://tasks.example.com/auth/openid/"
    providers:
      - name: authentik
        authurl: "https://idp.example.com/application/o/vikunja/"
        logouturl: "https://idp.example.com/application/o/vikunja/end-session/"
        clientid: "redacted" # copy from Authentik
        clientsecret: "redacted" # copy from Authentik

migration:
  trello:
    # Whether to enable the trello migrator or not
    enable: true
    # The client id, required for making requests to the trello api
    # You need to register your vikunja instance at https://trello.com/app-key (log in before you visit that link) to get this
    key: redacted
    # The url where clients are redirected after they authorized Vikunja to access their trello cards.
    # This needs to match the url you entered when registering your Vikunja instance at trello.
    # This is usually the frontend url where the frontend then makes a request to /migration/trello/migrate
    # with the code obtained from the trello api.
    # Note that the vikunja frontend expects this to end on /migrate/trello.
    redirecturl: https://tasks.example.com/migrate/trello
```

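
The configuration posted above is the kind of file a reviewer checks before trusting an instance, and the settings that matter most for security are easy to pick out mechanically. The following Python script is an added example, not Vikunja's code and not the reporter's: it parses a constructed config in the same shape (same section and key names as the file above, deliberately weakened values) with a small parser for this YAML subset, then flags a short `JWTSecret`, a non-HTTPS `publicurl`, a wildcard CORS origin while CORS is enabled, `skiptlsverify`, and local password login left on next to OpenID. The 32-character secret threshold and the sample values are this script's assumptions.

```python
"""Audit a Vikunja-style YAML config for risky settings (added example, not Vikunja code)."""
import re

# Constructed sample in the shape of the config above, with deliberately weak values.
SAMPLE_CONFIG = """\
service:
  JWTSecret: "changeme"            # too short to be a real HMAC key
  publicurl: "http://tasks.example.com"
  enableregistration: false
redis:
  host: 'redis:6379'
  password: ''
cors:
  enable: true
  origins:
    - "*"
mailer:
  skiptlsverify: true
auth:
  local:
    enabled: true
  openid:
    enabled: true
    redirecturl: "https://tasks.example.com/auth/openid/"
    providers:
      - name: authentik
        authurl: "https://idp.example.com/application/o/vikunja/"
        clientid: "redacted"       # copy from the IdP
"""


def _strip_comment(line):
    """Drop a trailing '# ...' comment, ignoring '#' inside quotes."""
    out, quote = [], None
    for ch in line:
        if quote is None and ch == "#":
            break
        if ch in "\"'":
            quote = None if quote == ch else (quote or ch)
        out.append(ch)
    return "".join(out).rstrip()


def _scalar(raw):
    """Unquote a scalar and convert booleans and integers (YAML subset only)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]:
        return raw[1:-1]
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw


def _parse_block(lines, i, indent):
    """Parse lines[i:] at one indentation level; returns (mapping or list, next index)."""
    if i < len(lines) and lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            body = lines[i][1][2:].strip()
            if ":" in body and body[0] not in "\"'":   # "- key: value" starts a nested mapping
                lines[i] = (indent + 2, body)          # treat the first key like its siblings
                item, i = _parse_block(lines, i, indent + 2)
            else:
                item, i = _scalar(body), i + 1
            items.append(item)
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent:
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            mapping[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            mapping[key.strip()], i = _parse_block(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = {}
    return mapping, i


def parse_config(text):
    """Parse the YAML subset used by this config file into nested dicts and lists."""
    lines = []
    for raw in text.splitlines():
        stripped = _strip_comment(raw)
        if stripped.strip():
            lines.append((len(stripped) - len(stripped.lstrip(" ")), stripped.strip()))
    return _parse_block(lines, 0, 0)[0]


def audit(cfg):
    """Return findings as 'key: reason' strings; an empty list means nothing risky was found."""
    findings = []
    service, cors, auth = cfg.get("service", {}), cfg.get("cors", {}), cfg.get("auth", {})
    if len(str(service.get("JWTSecret") or "")) < 32:   # 32 chars is this script's threshold, not Vikunja's
        findings.append("service.JWTSecret: empty or shorter than 32 chars; the key that signs session tokens must be long and random")
    if not str(service.get("publicurl", "")).startswith("https://"):
        findings.append("service.publicurl: not https; links sent to users and the frontend origin would be plain HTTP")
    if cors.get("enable") and "*" in cors.get("origins", []):
        findings.append("cors.origins: wildcard with CORS enabled; list only the frontend origin")
    if cfg.get("mailer", {}).get("skiptlsverify"):
        findings.append("mailer.skiptlsverify: SMTP certificate verification is off")
    if auth.get("openid", {}).get("enabled") and auth.get("local", {}).get("enabled"):
        findings.append("auth.local.enabled: password login is still active next to OpenID; disable it unless local break-glass accounts are intended")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the reporter's own file (with the real secrets in place), a clean result is a config that yields an empty list; note that the wildcard `origins` entry in the posted file is inert only because `cors.enable` is `false`, which is why the check looks at both keys.
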
kolaente commented 5 months ago

Does it only happen when moving tasks?

GoliathLabs commented 5 months ago

> Does it only happen when moving tasks?

Yes

kolaente commented 5 months ago

This sounds like this bug which was fixed in 6c8299772ab11f00c035a66e2acae4312ed90820 - unrelated to teams or sharing. Does it work if you update to the latest unstable build? (your reported version v0.23.0+656-e618becdf4 does not have the fix)

GoliathLabs commented 5 months ago

> This sounds like this bug which was fixed in 6c82997 - unrelated to teams or sharing. Does it work if you update to the latest unstable build? (your reported version v0.23.0+656-e618becdf4 does not have the fix)

I've just upgraded and the problem seems to be gone. Thank you!