
tasks pagination #3946

Merged
fiftin merged 2 commits into develop from tasks_pagination
Jun 11, 2026
@fiftin fiftin commented Jun 11, 2026

Collaborator
  • feat(tasks): pagination
  • feat(tasks): pagination

@fiftin fiftin merged commit 11ea51d into develop Jun 11, 2026
15 checks passed

@cursor cursor Bot left a comment

Security review — no findings

Reviewed the pagination changes in api/projects/tasks.go, db/sql/task.go, api/router.go, and web/src/views/project/History.vue. No prior automation review threads were open on this PR.

Scope checked

  • Keyset cursor (before) and page size (count/limit) parsing
  • SQL construction for BeforeID
  • Auth middleware on task list routes (ProjectMiddleware, GetMustCanMiddleware)
  • Controller refactor (helpers.Store(r) → injected c.store)
  • Frontend pagination request construction

Why nothing was reported

  • before is parsed with strconv.Atoi, rejected unless > 0, and bound as a parameterized predicate (task.id < ?) inside a query already scoped by tpl.project_id (and template_id on template routes). No SQL injection or cross-project IDOR path.
  • Page size is capped at 200 (maxTasksPageSize); invalid values fall back safely.
  • Task list endpoints remain behind authenticated project membership; middleware wiring is unchanged aside from method receiver refactor.
  • Injected store is the same singleton passed into Route(); request-context store was also a single shared instance — no authz bypass from the refactor.
  • History UI builds URLs from numeric projectId/perPage/cursor IDs; Vue/Vuetify escaping for rendered task fields is unchanged.

Slack summary: PR #3946 (tasks pagination) — clean. No medium/high/critical vulnerabilities identified in the added or modified code.

Sent by Cursor Automation: Find vulnerabilities
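
The cursor and page-size handling described in the review above, as an added Go sketch that is not the project's own code. The `count` parameter name, the default of 50, returning an error for a bad cursor, the simplified table layout and the name `taskListQuery` are assumptions; `maxTasksPageSize` and the `task.id < ?` predicate come from the review.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

const maxTasksPageSize = 200    // cap named in the review
const defaultTasksPageSize = 50 // assumed fallback; the page does not give the value

// taskListQuery (hypothetical name) validates "before" and "count", then builds
// a query in which request values appear only as bind arguments.
func taskListQuery(projectID int, q url.Values) (string, []interface{}, error) {
	limit := defaultTasksPageSize
	if n, err := strconv.Atoi(q.Get("count")); err == nil && n > maxTasksPageSize {
		limit = maxTasksPageSize // oversized pages are clamped, not honoured
	} else if err == nil && n > 0 {
		limit = n
	}
	// Assumed, simplified schema: task rows joined to a template table aliased tpl.
	// The project scope is always present, so the cursor cannot widen it.
	query := "SELECT task.* FROM task JOIN template tpl ON task.template_id = tpl.id WHERE tpl.project_id = ?"
	args := []interface{}{projectID}
	if s := q.Get("before"); s != "" {
		id, err := strconv.Atoi(s)
		if err != nil || id <= 0 { // non-numeric, zero and negative cursors are rejected
			return "", nil, fmt.Errorf("invalid before cursor %q", s)
		}
		query += " AND task.id < ?"
		args = append(args, id)
	}
	return query + " ORDER BY task.id DESC LIMIT ?", append(args, limit), nil
}

func main() {
	// Constructed query strings, not captured traffic.
	for _, raw := range []string{"before=120&count=5000", "count=abc", "before=1%20OR%201%3D1"} {
		q, _ := url.ParseQuery(raw)
		sql, args, err := taskListQuery(7, q)
		fmt.Println(raw, "->", sql, args, err)
	}
}
```

The project ID comes from the authenticated route context rather than the query string, which is why it is a separate argument here.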
