Critical security improvements:
- Add requireAuth middleware to /api/upload/project-image endpoint (prevents unauthenticated file uploads)
- Fix SQL injection vulnerability in tasks.js DELETE route by whitelisting table names
- Add missing resource existence check in shares.js POST endpoint (prevents permissions on non-existent resources)
Code quality improvements:
- Replace all console.error with logError across all route files for consistent logging
- Import logError service in all route modules
All tests passing (597 passed).
- Keep :uid endpoints throughout (not :id)
- Keep hasAccess middleware for permission checks
- Keep logError instead of console.error
- Add Note orphaning in project deletion
- Merge area attributes (include uid)
- Merge project store update on delete
- Use uid in test data-testids
* Scaffold project states
* fixup! Scaffold project states
* Fix blinking project modal
* fixup! Fix blinking project modal
* fixup! fixup! Fix blinking project modal
* Fix an issue with the tag input autosuggest
* fixup! Fix an issue with the tag input autosuggest
* fixup! fixup! Fix an issue with the tag input autosuggest
* Add state to project details
* fixup! Add state to project details
* Add state indicator on project cards
* fixup! Add state indicator on project cards
- Add project share modal and service; wire Share menu and hide for non-owners
- Show emails in shares list; label access levels clearly
- Enforce owner/admin-only grant/revoke on share endpoints
- Include project user_id in list/detail responses for ownership checks
- Show 'Permission denied' toast on forbidden project/task edits/deletes; avoid blank state on failure
Drop legacy 404-on-forbidden behavior by removing forbiddenStatus override in hasAccess for PATCH/DELETE. Update integration tests to expect 403 and 'Forbidden' when accessing others' projects.
* Fix upcoming view
* Fix to show areas projects
* fixup! Fix to show areas projects
* Fix symbol validation for tags
* Add hash to allowed characters for tag names
* Fix project deletion constraints
* fixup! Fix project deletion constraints
* Fix search functionality in All Tasks view
* fixup! Fix search functionality in All Tasks view
* Fix task save not refreshing list
- Add unified UID column migration for all entities
- Create centralized UID generation utility
- Update all models to use standardized UID hooks
- Fix route handlers to support UID-based lookups
- Update slug utilities for consistent UID extraction
- Fix tag tests to use query parameters instead of path params
- Configure Jest for better TypeScript support
* Add necessary migrations for project model.
* Add a few tests for project model new columns.
* Make upload location configurable
* Fix uploadDir path
* Use config in app.js
* Change upload env var naming
* Add upload env var to Docker files
---------
Co-authored-by: antanst <>
Co-authored-by: vhsdream <punk.sand7393@fastmail.com>
* Add next suggestions and remove console logs
* Add pomodoro timer
* Add pomodoro switch in settings
* Fix pomodoro setting
* Add timezones to settings
* Fix an issue with password reset
* Cleanup
* Sort tags alphabetically
* Clean up today's view
* Add an indicator for repeatedly added to today
* Refactor tags
* Add due date today item
* Move recurrence to the subtitle area
* Fix today layout
* Add a badge to Inbox items
* Move inbox badge to sidebar
* Add quotes and progress bar
* Add translations for quotes
* Fix test issues
* Add helper script for docker local
* Set up overdue tasks
* Add linux/arm/v7 build to deploy script
* Add linux/arm/v7 build to deploy script pt2
* Fix an issue with helmet and SSL
* Add volume db persistence
* Fix cog icon issues
* Initial migration
* Cleanup and create migration scripts
* Introduce test suite
* Fix test issues
* Correct CORS issue and update paths
* Update README