Cengiz Guertusgil
09a2e7d7d7
feat: add rate limit to join codes controller
2025-12-12 17:21:57 +01:00
Kevin McConnell
8d32a322e9
Remove redundant include
...
This is no longer needed since af0e2488 removed the streaming of
avatar images.
2025-12-12 08:58:52 +00:00
Stanko Krtalić
23425cb67b
Merge pull request #2086 from basecamp/harden-magic-links
...
Pin sign in attempts to the current session
2025-12-12 07:23:19 +01:00
Jankees van Woezik
78fc80cf35
API: Allow updates to last_active_at ( #2076 )
...
* Allow Card#last_updated_at to be set
This is useful when doing an import from another system. I'm currently
working on a script to import our Github issues into Fizzy.
This is discussed in
https://github.com/basecamp/fizzy/pull/2056#discussion_r2609560246
* Add nil fallback and expand test coverage for last_active_at
Adds a safety fallback to Time.current if created_at is unexpectedly nil
during card creation.
Test coverage to verify:
* last_active_at defaults to created_at when not provided
* last_active_at can be updated via API on existing cards
* import workflow where last_active_at is restored after comments
* publishing doesn't overwrite explicit last_active_at values
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com >
2025-12-11 19:06:03 -08:00
Stanko K.R.
abaed12124
Prohibit access to magic links unless an email address
2025-12-11 19:17:39 +01:00
Stanko K.R.
b6edb93c47
Pin sign in attempts to the current session
...
This makes it way more difficult to brute-force a magic link.
Original implementation by udiudi. Ref: https://github.com/udiudi/fizzy/pull/1/files
Discussion: https://github.com/basecamp/fizzy/discussions/1981
Co-Authored-By: Udi <udi@udi.codes >
2025-12-11 19:05:54 +01:00
Mike Dalessio
3d523b84fc
Explicitly use main_app for URL helpers
...
in controller concerns that are mixed into other engines' controllers. This prevents errors like:
> NoMethodError: undefined method 'session_menu_url' for an instance of ActiveStorage::DirectUploadsController
See also 912bb8a8 and 5ee10800
2025-12-11 12:55:32 -05:00
Kevin McConnell
5d2ca6759d
Naming
2025-12-11 11:20:43 +00:00
Adam Haris
f76309d116
Merge branch 'main' into single_tenant
2025-12-11 06:08:01 +01:00
Jankees van Woezik
477b4d65f2
API: Support created_at for API card and comment creation ( #2056 )
...
* Add support to set `created_at`
Discussed in
https://github.com/basecamp/fizzy/pull/1766#issuecomment-3637846074 ,
this allows users to import cards from another system with entries from
the past. For instance I'm importing all our Github issues (including
the closed onces) to Fizzy.
* Iron out published state tracking
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com >
2025-12-10 19:57:38 -08:00
Mike Dalessio
fa118a7d83
Add validation for the join code usage limit
...
which is preferred to generating a database error
2025-12-10 10:10:08 -05:00
Adam Haris
eb8655dc8e
refactor: use MULTI_TENANT env variable, model concern instead of controller (#accepting_signups?)
2025-12-10 15:14:22 +01:00
Stanko K.R.
5ce71bf941
Move Identities to My::Identities
2025-12-10 15:13:35 +01:00
Stanko K.R.
90e6322092
Return no content on update
2025-12-10 15:07:22 +01:00
Stanko K.R.
566def581e
Remove redundant respond_to
2025-12-10 15:05:13 +01:00
Adam Haris
64ca9e551e
fix linting
2025-12-10 14:22:51 +01:00
Adam Haris
ab5a5c4360
refactor: tenant config might be better in a separate concern
2025-12-10 14:19:53 +01:00
Stanko K.R.
79e77a3780
Handle user update failures
2025-12-10 09:23:53 +01:00
Stanko K.R.
7b30ca203e
Add index actions for Comments and Columns
...
Also, fix crash when a deactivated user is serialized (they don't have
an identity).
2025-12-10 09:23:52 +01:00
Stanko K.R.
6b229424a3
Lower the number of returned unread notifications
...
After talking to the mobile team we cam to the conclusion that for the API and the mobile apps speed is of the utmost importance when working with notifications. So we agreed to lower the unread notifications limit to 100 like we have in Basecamp. This strikes a balance between speed and usability.
2025-12-10 09:23:52 +01:00
Stanko K.R.
bf51950007
Add API for reading notifications
2025-12-10 09:23:52 +01:00
Stanko K.R.
1a24c1373c
Add API for creating and updating boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
f3ff0c605e
Add pagination to most places and fix cards pagination
2025-12-10 09:23:52 +01:00
Stanko K.R.
ba30a301dc
Add API for updating and deactivating users
2025-12-10 09:23:52 +01:00
Stanko K.R.
7a0554774c
Add API for columns
2025-12-10 09:23:52 +01:00
Stanko K.R.
d16b3756de
Add API for reactions
2025-12-10 09:23:52 +01:00
Stanko K.R.
eeed2a8416
Add API for watching cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
ed1002f6c5
Add API for card triage
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a84785056
Add API for tagging cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
c517ef6063
Add API for CRUD actions on steps
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a61ca2a79
Add API for postponing cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
52e65b3c08
Add API for removing card images
2025-12-10 09:23:52 +01:00
Stanko K.R.
1caeea541d
Add API for gilding cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
41115eaf87
Add API for comments CRUD
2025-12-10 09:23:52 +01:00
Stanko K.R.
b4012dfb40
Add API for closing and opening cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
cf52982b8b
Add API for mobing cards between boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
23e6f3b095
Add API for assigning cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
235a94355e
Add card update & delete actions
2025-12-10 09:23:52 +01:00
Stanko K.R.
259707bf70
Fix identity tests
2025-12-10 09:23:52 +01:00
Jay Ohms
26fc9ecad4
Add an /identity.json endpoint to obtain the identity accounts and users
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
ae0eaadcdf
Publish any API card as soon as it is created
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
0159f369f4
Only authenticate with bearer token if the header is present
2025-12-10 09:23:52 +01:00
Jay Ohms
680f9c0c4d
Add top-level API index support for tags
2025-12-10 09:23:52 +01:00
Jay Ohms
5ad7b973cb
Add API support for users
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
79fc57a82a
Use built-in authenticate_or_request_with_http_token
...
Hat tip to @adrienpoly
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
983a19fd8a
Create cards via API
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
f0c0a87c74
Return json URLs for API actions
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
129b81984f
Creating a new board will return the location header
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
efbd2cc3da
Allow API JSON requests to sidestep csrf protection
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
0ce3a85778
Only allow writing when the access token has permission
2025-12-10 09:23:52 +01:00