From e97f4988bd771120e74796c92e4e377576016c3d Mon Sep 17 00:00:00 2001
From: Arthur Belleville <arthur.belleville@datadoghq.com>
Date: Fri, 15 May 2026 10:17:49 +0200
Subject: [PATCH] fix(04-CR-01): add r.ParseForm() to TaskCreateHandler and
 TaskUpdateHandler

Both handlers were missing the mandatory ParseForm call before reading
PostFormValue. This caused gorilla/csrf (which reads the body for CSRF
token validation) to consume the body, leaving PostFormValue to return
empty strings. TaskReorderHandler was used as the correct reference.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
---
 backend/internal/web/handlers_tasks.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/backend/internal/web/handlers_tasks.go b/backend/internal/web/handlers_tasks.go
index cb26e96..3dfb575 100644
--- a/backend/internal/web/handlers_tasks.go
+++ b/backend/internal/web/handlers_tasks.go
@@ -129,6 +129,11 @@ func TaskCreateHandler(deps TasksDeps) http.HandlerFunc {
 		}
 		ctx := r.Context()
 
+		if err := r.ParseForm(); err != nil {
+			http.Error(w, "bad request", http.StatusBadRequest)
+			return
+		}
+
 		title := strings.TrimSpace(r.PostFormValue("title"))
 		statusStr := r.PostFormValue("status")
 		status := parseTaskStatus(statusStr)
@@ -318,6 +323,11 @@ func TaskUpdateHandler(deps TasksDeps) http.HandlerFunc {
 		}
 		ctx := r.Context()
 
+		if err := r.ParseForm(); err != nil {
+			http.Error(w, "bad request", http.StatusBadRequest)
+			return
+		}
+
 		title := strings.TrimSpace(r.PostFormValue("title"))
 		description := r.PostFormValue("description")