Conversation
- due_date column added to schema with auto-migration for existing DBs
- date picker on add form, due date displayed per todo
- overdue items highlighted red, sort by due date or created date
- inline edit form per row (title + due date)
- HTTP Basic Auth on all routes (AUTH_PASSWORD env var required at startup)
- rate limiting, constant-time credential comparison, failed attempt logging
- per-todo ownership via created_by column; users see only their own todos
- legacy todos migrated to AUTH_USERNAME on startup

Closes #26

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
I've got 2 comments for you to consider
| <a href="/toggle/{{ todo.id }}">[toggle]</a> | ||
| <a href="/delete/{{ todo.id }}">[delete]</a> |
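Review bot: Moving /toggle/{{ todo.id }} and /delete/{{ todo.id }} to POST is necessary but not sufficient here, because this PR authenticates with HTTP Basic Auth: once the browser has cached the credentials it attaches them to every request to this origin, including a cross-site form submission, so a plain POST form is just as forgeable as the current GET links. The POST form needs a token the other site cannot read (or, at minimum, an Origin/Referer check on the server) before the state change is applied.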
The /toggle/{{ todo.id }} and /delete/{{ todo.id }} actions use GET requests (plain anchor links). This is a CSRF vulnerability — any page can trigger state-changing operations by embedding links or <img src="..."> tags that the authenticated user's browser will follow. These should use POST forms (with a CSRF token if the framework supports it), not GET links.
| sort = request.args.get("sort", "created_at") | ||
| order_by = "due_date ASC, created_at DESC" if sort == "due_date" else "created_at DESC" |
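Review bot: In the two visible lines sort itself is only compared, never interpolated; the only things that reach the query are the two literal order_by strings, so this is hardening against future edits rather than an injection today. The allowlist is still worth adding, and a dict mapping sort keys to their ORDER BY fragments would be safer than a bare membership check, since a new sort option then cannot be wired in without going through the map.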
The sort parameter is taken from user input and used directly in an f-string SQL query without validation. Although only two values are used, if the logic ever changes or is copy-pasted, this is a SQL injection vector. The allowed values should be explicitly validated:
| sort = request.args.get("sort", "created_at") | |
| order_by = "due_date ASC, created_at DESC" if sort == "due_date" else "created_at DESC" | |
| sort = request.args.get("sort", "created_at") | |
| if sort not in ("due_date", "created_at"): | |
| sort = "created_at" | |
| order_by = "due_date ASC, created_at DESC" if sort == "due_date" else "created_at DESC" |
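As an added example (not code from this PR), both fixes the review asks for in plain Python: an allowlist mapping for the ?sort= value, and a stateless HMAC-based CSRF token bound to the Basic-Auth username for POST-only toggle/delete routes, which is what a session-less app needs. CSRF_SECRET, TOKEN_TTL and authorize_mutation are assumed names, and the Flask request plumbing is left out.

```python
import hashlib
import hmac
import secrets
import time

# Assumed: a per-process secret; a real deployment would load it from an env var.
CSRF_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid

# Allowlist: the only ORDER BY fragments that can ever reach the query.
ALLOWED_SORTS = {
    "created_at": "created_at DESC",
    "due_date": "due_date ASC, created_at DESC",
}


def order_by_clause(sort):
    """Map the user-supplied ?sort= value to a fixed clause; unknown values
    fall back to the default, so raw input never enters the SQL string."""
    return ALLOWED_SORTS.get(sort, ALLOWED_SORTS["created_at"])


def issue_csrf_token(username, now=None):
    """Stateless token for a session-less Basic Auth app:
    '<timestamp>.<HMAC-SHA256(secret, username|timestamp)>'."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(CSRF_SECRET, f"{username}|{ts}".encode(), hashlib.sha256)
    return f"{ts}.{mac.hexdigest()}"


def verify_csrf_token(token, username, now=None):
    """True only if the token is well-formed, unexpired and was issued for
    this user; the MAC comparison is constant-time."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    current = time.time() if now is None else now
    if ts + TOKEN_TTL < current:
        return False
    expected = hmac.new(CSRF_SECRET, f"{username}|{ts}".encode(), hashlib.sha256)
    return hmac.compare_digest(mac, expected.hexdigest())


def authorize_mutation(method, form_token, username, now=None):
    """Gate for /toggle/<id> and /delete/<id>: 405 for non-POST (the old GET
    links), 403 for a missing or bad token, 200 when the request may proceed."""
    if method != "POST":
        return 405
    if not verify_csrf_token(form_token or "", username, now):
        return 403
    return 200
```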
Summary
- due_date support to todos with date picker, display, overdue highlighting (red), and sort by due date
- (due_date and created_by columns)

Notes
- AUTH_PASSWORD env var before running — app refuses to start without it
- AUTH_USERNAME defaults to admin; override via env var
- AUTH_USERNAME on startup

Closes #26
🤖 Generated with Claude Code