And close the gap with JSON requests, which shouldn't be allowed if
Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this
wouldn't be coming from a browser.
To avoid any visual flashes of the old theme before the Stimulus
controllers load, we can apply the saved theme from `<head>` whenever
there is a full page load.
This applies to both the regular and public views, as we're doing it in
the shared head partial.
Gemfile.saas evals Gemfile, so shared gems should have identical versions
in both lockfiles. This adds bin/bundle-drift to detect and fix drift:
* `bin/bundle-drift check` compares shared gem versions
* `bin/bundle-drift correct` seeds Gemfile.lock from Gemfile.saas.lock
and re-locks, letting Bundler prune SaaS-only gems while preserving
shared versions
Adds drift check to bin/ci and GitHub CI. Corrects existing drift.
Replace SQL string syntax with Rails range syntax for date filtering
in the ActivitySpike::Detector. This improves code readability and
follows Rails idioms.
Changed from:
.where("created_at >= ?", recent_period.seconds.ago)
To:
.where(created_at: recent_period.seconds.ago..)
This modernizes the codebase while maintaining the same functionality.
Simplifies the last_event method in ActivitySpike::Detector by using
the more idiomatic Rails pattern .order(:created_at).last instead of
.order(created_at: :desc).first. Both generate the same SQL query but
.last is more readable and conventional in Rails codebases.
Convenience for bundling both OSS and SaaS in lock-step:
```bash
> bin/bundle-both install
▸ OSS: Gemfile
bundle install
Bundle complete! 45 Gemfile dependencies, 161 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.
▸ SaaS: Gemfile.saas
bundle install
Bundle complete! 63 Gemfile dependencies, 187 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.
```
* Allow Card#last_updated_at to be set
This is useful when doing an import from another system. I'm currently
working on a script to import our Github issues into Fizzy.
This is discussed in
https://github.com/basecamp/fizzy/pull/2056#discussion_r2609560246
* Add nil fallback and expand test coverage for last_active_at
Adds a safety fallback to Time.current if created_at is unexpectedly nil
during card creation.
Test coverage to verify:
* last_active_at defaults to created_at when not provided
* last_active_at can be updated via API on existing cards
* import workflow where last_active_at is restored after comments
* publishing doesn't overwrite explicit last_active_at values
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com>
in controller concerns that are mixed into other engines' controllers. This prevents errors like:
> NoMethodError: undefined method 'session_menu_url' for an instance of ActiveStorage::DirectUploadsController
See also 912bb8a8 and 5ee10800
`assume_ssl` and `force_ssl` are often used together:
- When running behind a terminating proxy (including Thruster) you'll
want both.
- When running without SSL (like on localhost) you'll want neither.
To simplify setup for those cases, we add the `DISABLE_SSL` option. When
set to `true` all SSL-related behaviour is turned off. When left as the
default, it's on.
We can still use `ASSUME_SSL` and `FORCE_SSL` to set those separately
if required.