fix: always add public url to allowed cors origins

This fixes a bug where it was not possible to do anything because the public url was not allowed by default for CORS requests. Regression from 433b8b9115 Resolves https://github.com/go-vikunja/vikunja/issues/916
2026-05-03 10:27:01 +00:00 · 2025-06-11 14:27:32 +02:00
parent efb6ccf3e1
commit 842e7f524b
2 changed files with 4 additions and 0 deletions
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -599,6 +599,9 @@ func InitConfig() {
 	if DefaultSettingsTimezone.GetString() == "" {
 		DefaultSettingsTimezone.Set(ServiceTimeZone.GetString())
 	}
+
+	publicURL := strings.TrimSuffix(ServicePublicURL.GetString(), "/")
+	CorsOrigins.Set(append(CorsOrigins.GetStringSlice(), publicURL))
 }

 func random(length int) (string, error) {