Fix move_task() validation, test dataframe schemas, and URL query encoding#24
Merged
VincentGuyader merged 3 commits intov4from Feb 13, 2026
Merged
Conversation
3 tasks
Co-authored-by: VincentGuyader <10470699+VincentGuyader@users.noreply.github.com>
Co-authored-by: VincentGuyader <10470699+VincentGuyader@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Improve test coverage and update CI for version 0.4.0
Fix move_task() validation, test dataframe schemas, and URL query encoding
Feb 12, 2026
VincentGuyader
added a commit
that referenced
this pull request
Feb 13, 2026
* v0.4.0: Improve test coverage, fix bugs, and update CI - Add comprehensive tests for workspaces, activity, backups, templates, uploads - Add HTTP error handling with httr2 req_error() - Fix glue() to character conversion in templates.R - Remove debug message from call_api() - Extract API URLs as package constants - Update GitHub Actions to modern versions (v2/v4) - Add skip_if_test_project_missing() test helper - Add NEWS.md changelog * Update .Rbuildignore * Fix PR review feedback: security, maintainability and bug fixes - Remove check/ directory (R CMD check artifact) and add to .gitignore - Fix tryCatch() syntax in ask_todoist_api_token (interrupt = function(e) NULL) - Add escape_json() for JSON string interpolation in reminders.R and workspaces.R - Use TODOIST_REST_URL constant instead of hardcoded URLs in uploads.R and comments.R - Add req_error() for proper HTTP error handling in comments.R - Fix DESCRIPTION comment field formatting (named elements) - Add req_error() for HTTP error handling in: - templates.R (import_template, export_template) - labels.R (rename_shared_label, remove_shared_label) - uploads.R (delete_upload) - backups.R (download_backup) - Use TODOIST_REST_URL constant instead of hardcoded URLs in: - templates.R - labels.R (shared label functions) - Fix empty data.frame column consistency: - comments.R: add task_id and project_id columns - reminders.R: add due_date and minute_offset columns - Remove unused project_name parameter from unarchive_project() - Update NEWS.md to document all changes * Apply consistent patterns across codebase - Use TODOIST_REST_URL constant in quick_add_task() instead of hardcoded URL - Add req_error() to quick_add_task() and upload_file() for HTTP error handling - Fix empty data.frame column consistency in: - get_activity_logs(): add initiator_id, parent_project_id, parent_item_id - get_tasks_by_filter(): add due_date - get_archived_projects(): add color, is_favorite - get_all_sections(): add order - get_all_workspaces(): add is_default - get_workspace_users(): add role * Add JSON escaping to Sync API command builders (#15) * Fix JSON escaping in Sync API commands across all modules * Fix critical API bugs and JSON injection vulnerabilities from PR review (#14) - Fix call_api() incorrect parameter (base_url -> url) - Add verbose flag to add_label() existing label message - Add escape_json() to all Sync API string interpolations * Fix JSON escaping vulnerabilities in Sync API commands Apply escape_json() to all user-controlled values in JSON payloads: - workspaces.R: escape workspace_id in update_workspace() - tasks.R: - escape task_id in delete_task(), close_task(), reopen_task() - escape task_id and due_date in update_task() - escape labels array values in update_task() - users.R: - escape project_id and email in delete_collaborator() - escape invitation_id and invitation_secret in accept_invitation() - escape invitation_id and invitation_secret in reject_invitation() - escape invitation_id in delete_invitation() This prevents malformed JSON payloads when inputs contain quotes, backslashes, or other special characters. * Add escape_json() to all Sync API commands with ID parameters (#20) * Add escape_json() to all Sync API commands with ID parameters * Fix move_task() validation, test dataframe schemas, and URL query encoding (#24) * Address PR review feedback: validation, test accuracy, and URL handling * update URL * cleaning * Fix CRAN compliance issues before submission - Add @return tags to add_section() and get_section_id() - Remove unused httr dependency (replaced by httr2) - Remove unused lubridate from Suggests - Update LICENSE file format (2019-2026, ThinkR) - Remove dead mock_response() code and rename test file - Add REVIEW.md with pre-submission package audit * Improve security and robustness (Priority 2 fixes) - Escape IDs in move_task() with escape_json() to prevent JSON injection - Add token validation in call_api() and call_api_rest() - Replace print() with message() in users.R for CRAN compliance * Update NEWS.md with comprehensive changelog for v0.4.0 Document all 64 new exported functions across 9 new modules: - Labels, Comments, Filters, Reminders, Workspaces - Activity logs, Backups, Templates, Uploads Plus enhancements to Projects, Sections, Tasks, and Collaboration. * Remove lubridate dependency from vignettes Replace lubridate::today() and days() with base R Sys.Date() and arithmetic operations for consistency with removed Suggests dependency.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses feedback from PR #13 review thread #3793281421: adds missing input validation, fixes test dataframe schemas to match actual function outputs, and improves URL safety.
Changes
move_task()validation: Require at least one destination parameter (project_id, section_id, or parent_id) to prevent invalid API calls with no destination specifiedTest schema fixes:
test-workspaces.R: Add missingis_defaultcolumn to matchget_all_workspaces()outputtest-activity.R: Add missinginitiator_id,parent_project_id,parent_item_idcolumns to matchget_activity_logs()outputifblocks causing variable scope issuesimport_template()URL handling: Usereq_url_query()for query string construction instead of manual string interpolation for proper URL encoding✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.