Commit Graph

6041 Commits

Author SHA1 Message Date
Andy Smith 7f8e426534 Add missing list to cards page 2026-01-07 12:32:46 -06:00
Andy Smith 187bff131e Account for simpler public views 2026-01-07 12:22:38 -06:00
Andy Smith 05c00aa1b8 Fix public layout 2026-01-07 12:14:50 -06:00
Andy Smith 897cac06c7 Pull board-tools outside of the list for mobile 2026-01-07 11:36:31 -06:00
Andy Smith 4cc44704e5 Merge branch 'main' into mobile-columns-pt-iii 2026-01-07 11:16:49 -06:00
Jorge Manrubia 7249e20b9b Merge pull request #2303 from basecamp/clear-filters-url
Go back to board after clearing filters
2026-01-07 18:03:52 +01:00
Andy Smith f58bb33775 Merge pull request #2249 from nqst/notification-settings-adjustments
Notification Settings adjustments
2026-01-07 10:08:22 -06:00
Jorge Manrubia a2553f1dcd Merge pull request #2118 from petzbloom-sudo/webhook-update
Add card assignees in card JSON builder
2026-01-07 16:51:58 +01:00
Jorge Manrubia 732c6259a8 Merge pull request #2163 from italomatos/fix/maintain-search-input-focus-on-submit
Fix: Maintain search input focus after form submission
2026-01-07 16:48:53 +01:00
Jorge Manrubia 6d05ab428e Remove engagements
We are not using this anymore!
2026-01-07 16:43:33 +01:00
Jorge Manrubia 6f076dfe3c Merge pull request #2245 from wbso-ai/extend-slack-message
Add link to Fizzy card in Slack message
2026-01-07 16:37:51 +01:00
Jorge Manrubia a1f26ac936 Merge pull request #2223 from afurm/remove-cards-heading-styles
Remove unused cards__heading styles
2026-01-07 16:31:21 +01:00
Jorge Manrubia fb6bcaa18e Merge pull request #2227 from scart88/main
Redirect back to account settings page when the user role is changed …
2026-01-07 16:27:05 +01:00
Jorge Manrubia 8efb778f53 Merge pull request #2237 from dilberryhoundog/fix-closed-cards-from-not_now
Fix: destroy "not now" state when closing cards, enables "indexed_by=closed" expected behaviour
2026-01-07 16:15:14 +01:00
Jorge Manrubia 6e765a114c Merge pull request #2294 from basecamp/refresh-drafts
Make sure new card drafts are refreshed when reused
2026-01-07 15:49:46 +01:00
Andy Smith 776c67a501 Use notch class so Save button is positioned correctly 2026-01-06 15:57:36 -06:00
Andy Smith 218403f9d4 Go back to board after clearing filters 2026-01-06 15:37:40 -06:00
Andy Smith 9f40571a97 Revert "Use existing no_filtering_url to direct back to the board when clearing filters"
This reverts commit 3efe6bf484.
2026-01-06 15:36:42 -06:00
Andy Smith 3efe6bf484 Use existing no_filtering_url to direct back to the board when clearing filters 2026-01-06 15:35:16 -06:00
Andy Smith b5c44e7708 Ensure filters sit on top of cards 2026-01-06 14:06:04 -06:00
Andy Smith 8f2ff62f7f Fix public boards 2026-01-06 13:58:49 -06:00
Andy Smith 802ccef9bf Fix card grid layout 2026-01-06 13:38:50 -06:00
Andy Smith ffc19a864e Merge branch 'main' into mobile-columns-pt-iii
* main:
  Only hide the blank slate when there are no cards present
  Support local installations where the app is loaded over HTTP
  Revert "Make sure new card drafts are refreshed when reused"
  Make sure new card drafts are refreshed when reused
  Add a "*" to the queues handled by the solid queue worker pool
  Remove unnecessary recurring execution cleanup task
  Refactor: Replace pluck(:id) with ids method
2026-01-06 10:29:20 -06:00
Dorin Vancea a966308d77 Fix Chinese/Japanese characters missing from printed PDFs on macOS 2026-01-06 16:15:47 +00:00
Jay Ohms 504e4fa5e2 Merge pull request #2178 from basecamp/mobile-app/prepare-webviews
Mobile app / Prepare webviews
2026-01-06 09:05:13 -05:00
Andy Smith 2ee7af6fde Only hide the blank slate when there are no cards present 2026-01-05 15:00:36 -06:00
Andy Smith a9666225e3 Fix scrolling on mobile 2026-01-05 13:21:00 -06:00
Andy Smith c8c6fbbb13 Remember expanded state on navigation 2026-01-05 12:49:38 -06:00
Rosa Gutierrez 5f390f72df Support local installations where the app is loaded over HTTP
In this case requests won't be performed from a secure context [1] and
the browser won't send the Sec-Fetch-Site header. This means non-GET
requests will be rejected because CSRF protection will fail.

With this change, we allow these requests with missing Sec-Fetch-Site
headers if:
- They happen over HTTP
- The app is not configured to force SSL

The Origin check happens in any case.

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
2026-01-05 18:50:14 +01:00
Jorge Manrubia ffb9847a4e Merge pull request #2287 from italomatos/refactor/use-ids-method-instead-of-pluck
Refactor: Replace pluck(:id) with ids method
2026-01-05 16:03:41 +01:00
Jorge Manrubia 85bfa7aa48 Rename method 2026-01-05 16:01:25 +01:00
Jorge Manrubia 5f38e8957e Reapply "Make sure new card drafts are refreshed when reused"
This reverts commit 045ddf78f3.
2026-01-05 15:58:29 +01:00
Jorge Manrubia 045ddf78f3 Revert "Make sure new card drafts are refreshed when reused"
This reverts commit 3008011175.
2026-01-05 15:58:16 +01:00
Jorge Manrubia 3008011175 Make sure new card drafts are refreshed when reused
To deal with old timestamps messing with card ordering and so.

https://app.fizzy.do/5986089/cards/3495
2026-01-05 15:57:48 +01:00
Italo Matos 4189261cd0 Refactor: Replace pluck(:id) with ids method
Use the more idiomatic ActiveRecord ids method instead of pluck(:id)
across controllers and models. The ids method is more readable and
explicitly conveys the intent to retrieve primary key values.

Changes:
- BoardsController#edit: Use @board.users.ids
- Board::Storage: Use cards.ids, Comment.where().ids, and ActionText::RichText.where().ids
- User::Accessor: Use account.boards.all_access.ids

This change improves code clarity while maintaining the same functionality.
2026-01-04 10:02:58 -03:00
Andy Smith 3fb45c14e3 Merge branch 'main' into mobile-columns-pt-iii
* main:
  Update Rails
  Ignore hotkeys with modifiers
  Fix 1Password account ID (was user UUID) (#2278)
  Switch 1Password account to 37signals.1password.com (#2276)
  Remove CSS testing comments
  Max card count equals geared pagination size
  Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
  Only enable transitions on user interaction
  Don't update counter if value hasn't changed
2026-01-02 14:50:27 -06:00
Andy Smith 5b6fdbfeae Fix mini bubble cropping, filters padding, and grid-style 2026-01-02 12:45:53 -06:00
Andy Smith 837b820291 Better scroll snapping 2026-01-02 12:22:07 -06:00
Andy Smith d3bfd14c22 Only auto-focus Maybe column on desktop 2026-01-02 12:11:17 -06:00
Andy Smith b4096d9f22 Move card__list outside pagination 2026-01-02 11:42:00 -06:00
Andy Smith 1686c48654 Show icons 2026-01-02 11:17:58 -06:00
Jay Ohms d273ab20a6 Merge branch 'main' into mobile-app/prepare-webviews
* main: (63 commits)
  Ignore hotkeys with modifiers
  Fix 1Password account ID (was user UUID) (#2278)
  Switch 1Password account to 37signals.1password.com (#2276)
  Remove CSS testing comments
  Max card count equals geared pagination size
  Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
  Only enable transitions on user interaction
  Don't update counter if value hasn't changed
  Add padding to upgrade message on larger screens
  Add test coverage for autolinking multiple URLs
  Add "noopener" to autolinks' rel attribute
  Avoid string manipulation when autolinking.
  Only bump z-index when nav is open
  Move nav and related elements above footer
  Delete Dockerfile.dev
  fix: use the right gh-cli arch package (#2232)
  Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
  Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
  Consider user avatars always public
  Implement authorization for Active Storage endpoints
  ...
2026-01-02 11:42:07 -05:00
Jason Zimdars d7ef796092 Ignore hotkeys with modifiers
Avoids unintentionally triggering when using system shortcuts like
`command+[` in macOS
2026-01-01 09:47:10 -06:00
Andy Smith f2759f1ca0 Remove CSS testing comments 2025-12-30 12:37:10 -06:00
Andy Smith 711eec133a Max card count equals geared pagination size 2025-12-30 12:30:55 -06:00
petzbloom-sudo 60f3f547c0 Update _card.json.jbuilder
Added Card assignees limit to 5*
2025-12-30 15:02:51 +00:00
Jeremy Daer 0eefd67b68 Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.

Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
  blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats

Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.

HackerOne: #3481701
2025-12-29 21:45:06 -08:00
Andy Smith b9c11ad768 Only enable transitions on user interaction 2025-12-29 15:30:55 -06:00
Andy Smith 67f39aad8a Don't update counter if value hasn't changed 2025-12-29 14:51:11 -06:00
Andy Smith 58a330aa17 Merge branch 'main' into mobile-columns-pt-iii
* main: (55 commits)
  Add padding to upgrade message on larger screens
  Add test coverage for autolinking multiple URLs
  Add "noopener" to autolinks' rel attribute
  Avoid string manipulation when autolinking.
  Only bump z-index when nav is open
  Move nav and related elements above footer
  Delete Dockerfile.dev
  fix: use the right gh-cli arch package (#2232)
  Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
  Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
  Consider user avatars always public
  Implement authorization for Active Storage endpoints
  Update documentation
  Expose the card ID and URL on comments
  Don't run application recurring jobs in betas
  This link is reduntant if you're over the limits
  Add obvious upgrade button when you're out of storage
  Internaly only view
  Target comment elements more precisely
  Better name for helper method
  ...
2025-12-29 14:07:00 -06:00