Rails' ActiveStorage proxy controllers hardcode `http_cache_forever public: true`,
which sets `Cache-Control: public, immutable`. For non-public blobs behind auth,
this allows CDN caching that serves responses without authorization checks.
Override `http_cache_forever` in the Authorize concern to downgrade `public` to
`false` for non-public blobs.
See https://github.com/basecamp/fizzy/pull/2251 for context
BlobRecordSet#import_batch preserved blob keys from exported ZIP files
verbatim. A crafted ZIP with a traversal key like "../../config/deploy.yml"
would create a blob whose key resolves to an arbitrary filesystem path
when served by ActiveStorage's DiskService, allowing an attacker to read
local files.
Fix: generate fresh blob keys on import, discarding whatever key was in
the ZIP. This is safe because nothing else in the import pipeline
references blobs by key — attachments use blob_id, ActionText uses GIDs
based on record IDs, and only FileRecordSet used the old key for file
data lookup.
Update FileRecordSet to build an old_key→blob_id mapping from the blob
JSON metadata in the ZIP, then look up blobs by ID instead of by key.
Both check_record and import_batch are now fail-closed: they raise
IntegrityError for unmapped storage files, missing blobs, and duplicate
keys in the export.
Backfill test coverage for BlobRecordSet and FileRecordSet import, and
add a round-trip test verifying blob data survives export/import with
regenerated keys.
Clear assignee's existing notifications in setup since Notifier now
uses create_or_find_by instead of create, and reload the association
to avoid caching after destroy_all.
Update fixture references after rebase: use `logo_assignment_kevin`
as base notification and `logo_mentioned_david` for mention tests.
Update source to `logo_published` in tests that need generic card events.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add comprehensive integration test covering card assignment, comments,
mentions, email bundling, and edge cases (system user, inactive user)
- Inline push notification test helpers into the only test that uses them
- Remove separate PushNotificationTestHelper module
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add reactions association to Card model
Adds `has_many :reactions` to Card, matching the implementation in Comment.
This allows cards to be reacted to directly with emoji reactions.
The association:
- Orders reactions chronologically
- Uses polymorphic `:reactable` interface
- Deletes reactions when card is destroyed
Includes test coverage for the new association.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add reactions UI to card detail view
- Create Cards::ReactionsController with turbo stream responses
- Add card reactions views (reactions list, new form, menu partial)
- Position reaction button flush-right when no reactions exist
- Show reactions on bottom-left when present, with button inline
- Handle narrow viewports by flowing button below meta section
- Add controller tests for card reactions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add boost count to card preview
Display reaction count alongside comment count on card tiles in board
columns. Introduces a .card__counts wrapper to group both counts with
proper positioning on all viewport sizes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Consolidate reaction views for cards and comments
Extract shared views to app/views/reactions/ using polymorphic routing.
Both card and comment reactions now render the same partials, with a
helper to compute the correct path prefix for nested routes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Fix emoji picker width in card reactions
Override .card .popup { inline-size: 260px } for the reaction popup
so the emoji grid displays without horizontal scrollbar.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Hide boost count where comment count is hidden
Add .card__boosts alongside .card__comments in:
- Tray view (display: none)
- Cards with background images (opacity toggle on hover)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Fix reactions button overlap with zoom button in card footer
When a card has a background image, the footer contains both a reactions
button and a zoom button. Previously they would overlap because the
reactions button was absolutely positioned to the bottom-right.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Tighten up previews
* Move card reactions from meta partial to container
Fixes two issues:
1. Reactions were duplicated each time a card was assigned because the
turbo stream replaced the meta div with the full perma/meta partial,
which included reactions outside the replaced element.
2. Draft cards incorrectly showed the boost button because the meta
partial was shared between published and draft containers.
Moving reactions to _container.html.erb (published cards only) fixes
both issues and keeps the meta partial focused on meta content.
Fixes https://app.fizzy.do/5986089/cards/3837
Fixes https://app.fizzy.do/5986089/cards/3835
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* WIP adjust perma page
* Position and style the footer
* Render the stamp in the card body instead of the footer
* Fix undefined local variable in public cards view
Changed `card` to `@card` when rendering the stamp partial.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Preload card reactions to avoid N+1 queries
Include reactions and their reacters in the preloaded scope, matching
what we already do for comments.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add model tests for card and comment reaction cleanup
Test that:
- Creating a card reaction touches the card's last_active_at
- Reactions are deleted when their parent comment is destroyed
- Reactions are deleted when their parent card is destroyed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Minor improvements to reactions code
- Use size instead of count in boosts partial to avoid extra SQL query
on already-loaded collection
- Add else clause to reaction_path_prefix_for to raise ArgumentError
for unknown reactable types instead of silently returning nil
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Bump specificity of reaction popup in the card perma
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Andy Smith <andy@37signals.com>
Avatars are purposely accessible without authentication
(5e3b5b6d7c) because they can be in public
collections. Trying to restrict this by checking whether they're in fact
present in some public collection is rather expensive, so let's keep
them public.
The new integration test shows the desired user-facing behavior, which
is to make it easy to login without a tenanted URL and to jump between
tenants.
Note that we track two things in the identity_token cookie: a signed
id, and the updated_at for the underlying Identity object. This allows
us to effectively cache on the Identity without having to hit the
database, by using an Identity::Mock object that is compatible with
etag and cache methods.
- New untenanted Identity and Membership models
- New `identity_token` cookie with path "/" holds state across tenants
We're not sure whether the untenanted database will be sqlite or
MySQL, and so I've been careful to minimize
- database reads, placing them behind etags and caching
- database writes, only writing when a new Session is created (login)
Note that we track two things in the identity_token cookie: a signed
id, and the updated_at for the underlying Identity object. This allows
us to effectively cache on the Identity without having to hit the
database, by using an Identity::Mock object that is compatible with
etag and cache methods.
The new integration test shows the desired user-facing behavior, which
is to make it easy to login without a tenanted URL and to jump between
tenants.
- the untenanted "login_help" page shows all linked memberships
- the jump menu shows all linked memberships (except the current)
Also introduced a utility script to populate existing employee
Identities, grouping accounts by email address.