Commit Graph

1551 Commits

Author SHA1 Message Date
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Kevin McConnell 2e47749739 Don't allow SVG avatar uploads in the first place 2025-12-04 14:27:28 +00:00
Kevin McConnell 6475ad3425 Don't try to resize non-variable avatars 2025-12-04 13:36:21 +00:00
Jorge Manrubia a0cb25a951 Merge pull request #1881 from basecamp/card-notification-removal-scope
Tighten scope on card notification removals
2025-12-04 08:44:52 +01:00
Jeremy Daer 7af93765a8 Security: close narrow window of exposure to DNS rebinding (#1903) 2025-12-03 23:12:17 -08:00
Jeremy Daer cac0ca1656 Scope the single-board case to just the creator's boards (#1880) 2025-12-03 15:47:04 -08:00
Jeremy Daer f440b0243e Tighten scope on card notification removals
* Iterate each association separately to favor db indexing
* Pluck user IDs rather than select to avoid correlated subquery
2025-12-03 15:46:43 -08:00
Jorge Manrubia 38d86fb17b Merge pull request #1879 from basecamp/scope-tags
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia 4a30663df1 Scope tags by account
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia 6847c001ea Merge pull request #1876 from basecamp/column-reordering-auth
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jorge Manrubia 7fcf660f05 Merge pull request #1854 from MatheusRich/find-by-over-where-first
Prefer find_by! over where + first!
2025-12-03 21:51:18 +01:00
Stanko K.R. 7ab06d1dbd Use cryptographically secure randomness for Magic Link code generation
#sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results.
2025-12-03 20:15:27 +01:00
Stanko Krtalić 3520f97e33 Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Jorge Manrubia 60b1fe26e8 Merge pull request #1847 from javier-valencia-arch/patch-1
Refactor with_account and without_account methods
2025-12-03 19:33:31 +01:00
Brian Bailey 30a2149115 Update seeder.rb to fix a few minor things in the onboarding content 2025-12-03 12:20:37 -05:00
Karl Entwistle 59d7229500 Move Eventable concern to app/models/concerns
Aligns with Rails conventions for organizing concerns in a dedicated
concerns directory alongside existing concerns like Attachments,
Mentions, Searchable, etc.
2025-12-03 16:36:15 +00:00
Stanko K.R. 84213265e7 Render friendly error message when using an invalid token 2025-12-03 15:37:27 +01:00
Donal McBreen 13db384648 Auto default for UUID primary keys
Patch load_schmema! to set the default value for UUID primary keys. This
removes the need to patch ApplicationRecord + Rails models individually.

It also means we no longer need to patch the default in for the integer
primary key in Search::Record::SQLite.
2025-12-03 14:27:52 +00:00
Matheus Richard 7e95322776 Prefer find_by! over where + first! 2025-12-03 11:20:02 -03:00
Stanko K.R. 6e9381abb8 Fix crash in join code redemption race condition 2025-12-03 13:29:20 +01:00
Javier Valencia 0d83e9b90c Refactor with_account and without_account methods
Remove variables name for block, not needed from Ruby >= 3.1
2025-12-03 12:26:39 +01:00
Dave Kimura 337af0a575 Merge branch 'basecamp:main' into main 2025-12-02 16:08:26 -05:00
Dave Kimura 2f740c81c0 (account): encode external_account_id in slug
- Use `AccountSlug.encode` to generate slug instead of raw ID
  - Fixes where slug is /1 and will be in the proper format of /0000001
2025-12-02 16:07:04 -05:00
Mike Dalessio a2e024c1b5 Disconnect action cable when user is deactivated
ref: https://app.fizzy.do/5986089/cards/2785
2025-12-02 14:26:04 -05:00
Jorge Manrubia dfe8e7bd5d Scope general broadcasts by account
Because DoS ourselves is not fun
2025-12-02 18:10:49 +01:00
Jorge Manrubia 32fe4339ee Remove general broadcast temporarily 2025-12-02 18:03:19 +01:00
Kevin McConnell f7e2b4e0ba Don't compress attachments in export
Since they are typically images and videos, which are already
compressed.
2025-12-02 10:39:56 +00:00
Kevin McConnell d24726c1d3 Merge pull request #1768 from basecamp/data-exports
Add "data export" feature
2025-12-02 09:56:40 +00:00
Stanko K.R. 78c6751fa0 Prohibit link local addresses 2025-12-02 09:32:15 +01:00
Jason Zimdars 15f4454861 Remove line breaks, update back button copy
Lexxy no longer requires two returns between items
2025-12-01 23:52:21 -06:00
Jorge Manrubia af0113c9ee After touch should trigger board touch too
The change in https://github.com/basecamp/fizzy/commit/c606de7b41f57734c4c859c5fc3d98c952b26d58#diff-1ecde9fb1ee2494e5d94e807f51f861928f77cfcfb0884889911b62a32c2ff4cL4-R23 was preventing marking cards as golden from broadcasting
2025-12-02 05:55:49 +01:00
Kevin McConnell 2c1ab1bb29 Formatting 2025-12-01 17:19:59 +00:00
Kevin McConnell 3eaf9cb350 Put fizzy in the export filename 2025-12-01 16:01:41 +00:00
Kevin McConnell c492e6c4c4 Make the JSON prettier 2025-12-01 15:54:24 +00:00
Kevin McConnell 45afe494ec Skip missing files 2025-12-01 15:40:07 +00:00
Kevin McConnell 12f6dbf79f Handle remote image attachments too 2025-12-01 15:36:35 +00:00
Kevin McConnell e16cc21b0a Add "data export" feature
- Adds a button in Account Settings where you can request a ZIP export of your
  Fizzy data
- Export files are created in the background. When ready, a link to
  download them is sent to the requester.
- Exports expire after 24 hours. And are limited to 10 per day.
2025-12-01 15:23:26 +00:00
Jorge Manrubia 29d07e7326 Fix: not detecting mentions when publishing saved drafts
The problem was that publishing a card with `#publish` was tracking the event
after updating the status, which was clearing the saved changes and preventing the
code from detecting the mention.

See:
https://app.fizzy.do/5986089/cards/2835
2025-12-01 15:39:45 +01:00
Mike Dalessio edf6b53469 Introduce an "owner" role, and prevent it from being administered
to prevent the owner from being demoted or kicked out.

ref: https://app.fizzy.do/5986089/cards/3213
2025-11-29 14:13:29 -05:00
Stanko K.R. 2311efd03e Make sign up Magic Links work across devices
Previously if someone started signing in on their phone, but finished it on their laptop, they'd end up on the menu screen with no account. Bu tracking the purpose of a Magic Link we can always direct the user to sign up if they requested a magic link through sign up. This also makes the logic for changing the copy in the email more robust.
2025-11-29 12:36:00 +01:00
Mike Dalessio 434a9671cc Ensure Account::ExternalIdSequenceTest.value is never nil
If no record exists, create it. This fixes a test in fizzy-saas in
test/models/signup_test.rb that was not actually testing with a valid
external account id.
2025-11-28 14:27:14 -05:00
Jorge Manrubia 4e09352c09 Bring simple signup flow from the fizzy-saas gem
We skip the QB code and we fill external account ids automatically on creation with a sequence

See:
https://github.com/basecamp/fizzy-saas/pull/7
2025-11-28 15:53:58 +01:00
Jorge Manrubia 2061ab4ab2 Use dedicated sequence record instead of deal with issues with ids and uuids when using the previous approach 2025-11-28 15:53:58 +01:00
Jorge Manrubia 07b4c55185 Auto-increment external_account_id automatically by default to allow upcoming simple signups 2025-11-28 15:53:58 +01:00
Mike Dalessio 3f8d10d679 Merge pull request #1747 from basecamp/flavorjones/perf-20251127
Address some N+1 query situations
2025-11-27 12:46:56 -05:00
Mike Dalessio 09366fc949 style: rubocop fix 2025-11-27 12:34:31 -05:00
Stanko K.R. e3d91f4ba2 Fix join codes skipping user setup
If someone joined an account with the same identity as they were signed in with the old logic would skip the user setup step
2025-11-27 17:59:17 +01:00
Mike Dalessio 50fe973105 Remove N+1 on the cards board. 2025-11-27 11:30:54 -05:00
Mike Dalessio 0ab3aaca72 Preload Event to avoid N+1s on the timeline 2025-11-27 11:27:10 -05:00