Commit Graph

5516 Commits

Author SHA1 Message Date
Andy Smith 029c151a4e Add missing data-attr on public board 2025-12-04 15:43:19 -06:00
Andy Smith 34d3383cbd Fix hotkey text size on tiny viewports 2025-12-04 15:23:20 -06:00
Andy Smith 1c5ead0096 Merge pull request #1930 from basecamp/prevent-blank-board-names
Prevent board names with only spaces and show validation message
2025-12-04 14:50:17 -06:00
Jorge Manrubia e3e57a6a7e Merge pull request #1927 from basecamp/speed-up-sorting
Faster D&D by optimistically inserting dropped cards
2025-12-04 21:31:21 +01:00
Jorge Manrubia 9639e07ab8 Save a bunch of invocations on morph events from children elements 2025-12-04 21:27:22 +01:00
Jorge Manrubia 704b5b9788 Fix: memoization was showing stale values when morphing 2025-12-04 21:21:54 +01:00
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Jorge Manrubia bbec988516 Golden cards should be placed at the top 2025-12-04 19:23:55 +01:00
Jorge Manrubia a380492b32 Animate the column height with a stimulus controller so that it does not depend to the server to update when you D&D 2025-12-04 19:15:38 +01:00
Andy Smith 23ec3f129a Support custom validation messages 2025-12-04 11:43:55 -06:00
Jorge Manrubia 1122556383 Move css bit to the new blank slates CSS 2025-12-04 18:42:44 +01:00
Andy Smith 5c4fe9fe8b Prevent board names with only spaces and show validation message 2025-12-04 11:37:27 -06:00
Mike Dalessio 03e4f86b7a Merge pull request #1878 from basecamp/flavorjones/console1984-v2
Bump fizzy-saas to enable console auditing
2025-12-04 12:31:34 -05:00
Jorge Manrubia 539d3721db Keep the column color when D&D cards 2025-12-04 18:31:23 +01:00
Jorge Manrubia 104bb5faa9 Add container to drop cards when the stream is empty 2025-12-04 18:31:23 +01:00
Jorge Manrubia 3536b6fb32 Modify counters optimistically too 2025-12-04 18:31:23 +01:00
Jorge Manrubia 19051aec3e Append dropped cards instead of relying on server-side rendering to refresh the columns
This implements a simple strategy to optimistically insert cards in columns without waiting for the column refresh. Cards will be placed at the top respecting golden cards.

This uses sorting by "created at" with sorting by "updated at" for the _Not now_ column, so that the treatment everywhere is homogenous.
2025-12-04 18:31:23 +01:00
Mike Dalessio 912bb8a8e5 Bump fizzy-saas to enable console auditing
ref: https://app.fizzy.do/5986089/cards/2469
ref: https://github.com/basecamp/fizzy-saas/pull/20
2025-12-04 12:25:54 -05:00
Jason Zimdars d4a50c996a Merge pull request #1894 from Venkat-RK/main
Added 'Back to Home' link on notifications list page
2025-12-04 11:19:55 -06:00
Andy Smith 78ea18b5da Merge pull request #1872 from basecamp/filters-no-results
Nicer blank slates
2025-12-04 10:52:08 -06:00
Mike Dalessio 373f4d5116 Merge pull request #1924 from basecamp/flavorjones/retry-mail-jobs
Retry mailer jobs on common networking and SMTP errors
2025-12-04 10:29:53 -05:00
Mike Dalessio c4a8996562 Retry mailer jobs on common networking and SMTP errors
This concern is lifted nearly verbatim from Basecamp.

ref: https://app.fizzy.do/5986089/cards/3300
2025-12-04 10:26:24 -05:00
Kevin McConnell dfe7095ee6 Merge pull request #1917 from basecamp/dont-resize-svg-avatars
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Mike Dalessio 394c5dbf03 Revert "Changing columns requires board admin"
This reverts commit cecccadc14.
2025-12-04 09:46:30 -05:00
Kevin McConnell 2e47749739 Don't allow SVG avatar uploads in the first place 2025-12-04 14:27:28 +00:00
Mike Dalessio 89940d36f8 Gracefully handle ill-formed remote images in rich text
A better fix has been proposed upstream at
https://github.com/rails/rails/pull/56283 but this should be fine in
the meantime.

ref: https://app.fizzy.do/5986089/cards/3188
2025-12-04 09:24:52 -05:00
Kevin McConnell 6475ad3425 Don't try to resize non-variable avatars 2025-12-04 13:36:21 +00:00
Stanko Krtalić d466b633fc Merge pull request #1915 from basecamp/sign-up-new-users-on-sign-in
Sign up new users on sign in
2025-12-04 11:32:51 +01:00
Kevin McConnell 9e0b5593ad Merge pull request #1848 from basecamp/rate-limit-warning
Show alert message on login when rate limited
2025-12-04 10:30:37 +00:00
Stanko K.R. a8f328c921 Sign up new users on sign in 2025-12-04 11:30:21 +01:00
Stanko K.R. 5cfe6930ee Change reaction admin permission check to be in-line with other controllers 2025-12-04 11:01:23 +01:00
Jorge Manrubia af43ef4962 Merge pull request #1897 from Hacksore/fix/board-bell-title
Move the title to the button
2025-12-04 09:02:08 +01:00
Jorge Manrubia a0cb25a951 Merge pull request #1881 from basecamp/card-notification-removal-scope
Tighten scope on card notification removals
2025-12-04 08:44:52 +01:00
Jeremy Daer cecccadc14 Changing columns requires board admin 2025-12-03 23:24:25 -08:00
Jeremy Daer 7af93765a8 Security: close narrow window of exposure to DNS rebinding (#1903) 2025-12-03 23:12:17 -08:00
Sean Boult c1468de3d7 Fix title on bell icon 2025-12-03 21:20:34 -06:00
vkagithala 8685b62232 Added 'Back to Home' link on notifications list page to improve navigation experience. 2025-12-03 17:21:50 -08:00
Jeremy Daer cac0ca1656 Scope the single-board case to just the creator's boards (#1880) 2025-12-03 15:47:04 -08:00
Jeremy Daer f440b0243e Tighten scope on card notification removals
* Iterate each association separately to favor db indexing
* Pluck user IDs rather than select to avoid correlated subquery
2025-12-03 15:46:43 -08:00
Jorge Manrubia 38d86fb17b Merge pull request #1879 from basecamp/scope-tags
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia 4a30663df1 Scope tags by account
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia 6847c001ea Merge pull request #1876 from basecamp/column-reordering-auth
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jorge Manrubia 367e5aa1dd Merge pull request #1871 from imbriaco/patch-2
Use environment variable for default mailer address
2025-12-03 22:07:39 +01:00
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jorge Manrubia 7fcf660f05 Merge pull request #1854 from MatheusRich/find-by-over-where-first
Prefer find_by! over where + first!
2025-12-03 21:51:18 +01:00
Andy Smith bb149da532 Move blank slates to its own file 2025-12-03 14:13:04 -06:00
Andy Smith 0ef6f8a822 Nicer blank slates 2025-12-03 14:11:08 -06:00
Mark Imbriaco 56033d0a8e Use environment variable for default mailer address 2025-12-03 14:56:19 -05:00
Jason Zimdars 8f2ec267f6 Merge pull request #1820 from dcchambers/delete-board-confirmation
Add card deletion warning to board deletion confirmation message
2025-12-03 13:42:06 -06:00
Stanko Krtalić f41b1b098a Merge pull request #1868 from basecamp/use-cryptographically-secure-randomness-for-magic-link-code-generation
Use cryptographically secure randomness for Magic Link code generation
2025-12-03 20:21:52 +01:00