Commit Graph

1245 Commits

Author SHA1 Message Date
Rosa Gutierrez 196d685f8d Implement authorization for Active Storage endpoints
Consider blobs attached to any public records accessible to anyone with
the URL.
2025-12-25 21:22:36 +01:00
Stanko Krtalić 24c20ad55f Merge pull request #2244 from basecamp/expose-card-ids-on-comments
Expose the card ID and URL on comments
2025-12-24 08:50:47 +01:00
Stanko K.R. 822c3bb2ad Expose the card ID and URL on comments 2025-12-24 08:45:31 +01:00
Rosa Gutierrez 3fcf5a9d08 Require authorization for direct uploads
Respond with 403 to JSON requests that are unauthorized, instead of
redirecting.
2025-12-23 11:08:51 +01:00
Jason Zimdars 563c530e3e Merge pull request #2213 from basecamp/welcome-letter
Stub welcome letter for newly created accounts
2025-12-22 10:17:41 -06:00
Stanko K.R. 0df667f4fb Fix HTML injection in webhooks through card titles 2025-12-22 12:20:32 +01:00
Jason Zimdars bc4745c6ce Add a test 2025-12-20 18:12:42 -06:00
Jeremy Daer bd6c1cf34f Storage: harden reconcile for concurrent writes and fix board transfer (#2096)
* Storage: harden reconcile for concurrent writes and fix board transfer

Reconcile now uses two-cursor approach: captures cursor before and after
the storage scan, aborting if they differ (entries added during scan).
Job retries 3x with 1-minute waits and limits concurrency to 1 per owner.

Board transfer now correctly moves storage for card description embeds
and comment embeds, not just direct attachments. Uses batched queries
to handle cards with thousands of comments efficiently.

Also fixes N+1 queries in attachment grouping via lookup maps.

* Storage: fix per-attachment reconcile and enforce no blob reuse

The storage ledger tracks per-attachment (not per-blob) as a business
abstraction for quotas. This fixes reconcile to match that model and
adds enforcement to prevent blob reuse in tracked contexts.

* Reconcile now uses joins(:blob).sum() for per-attachment counting
* New validation prevents reusing blobs across tracked attachments
* Race-safe storage_total creation with create_or_find_by
* Job efficiency: skip find_by when object already available
* Backfill script checks per-attachment, not just per-blob
2025-12-19 13:07:32 -08:00
Stanko K.R. e0270c6c49 Clean up interfaces
I talked to the mobile team, and to keep things simple we agreed to send
the token via a cookie.
2025-12-19 19:21:57 +01:00
Stanko K.R. 23fc7b594f Split tests by controller or responsibility 2025-12-19 19:21:57 +01:00
Stanko K.R. 1a1f4a077b Simplify auth logic 2025-12-19 19:21:57 +01:00
Fernando Olivares cddddcf83a Fix due to unit test when creating with invalid emails 2025-12-19 19:21:57 +01:00
Fernando Olivares fb487f598c Restore sessions_controller test on creating invalid email address 2025-12-19 19:21:57 +01:00
Fernando Olivares be447f90ba Move magic link api tests to their own files 2025-12-19 19:21:57 +01:00
Fernando Olivares 6be20e215b Rename test to clarify what they're about 2025-12-19 19:21:57 +01:00
Fernando Olivares 6e8d6a3df0 Update to always return a pending auth token for JSON responses. 2025-12-19 19:21:57 +01:00
Fernando Olivares fbf829b346 Update API test for cross code 2025-12-19 19:21:57 +01:00
Fernando Olivares 9009e0fb49 Change test expectation on single tenant mode account creation 2025-12-19 19:21:57 +01:00
Fernando Olivares a2333623b6 Add unit tests for the new endpoints 2025-12-19 19:21:57 +01:00
Stanko K.R. c0a0786539 Return the session cookie
We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.
2025-12-19 19:21:57 +01:00
Stanko K.R. 58a92f0bb7 Add tests for sign in via API 2025-12-19 19:21:57 +01:00
Mike Dalessio fa21bc9b61 Merge pull request #2169 from basecamp/flavorjones/better-hex-uuid
Extract `hex_to_base36` and `base36_to_hex` methods in `Uuid` type
2025-12-19 10:06:36 -05:00
Jorge Manrubia eb1d112013 Merge pull request #2203 from basecamp/remove-unused-param
Remove unused `tag_ids` parameter from `CardsController#update`
2025-12-19 12:16:32 +01:00
Jorge Manrubia 33fc239571 Merge pull request #2140 from dilberryhoundog/fix-stale-account-cache
Fix: resolve stale account names in jump menu and page titles
2025-12-19 11:26:23 +01:00
Rosa Gutierrez 1e640643e9 Remove unused tag_ids parameter from CardsController#update
This is no longer used in the normal flow of the app. The tags are added
via `Cards::TaggingsController`.
2025-12-19 11:16:20 +01:00
Rosa Gutierrez cb01966439 Remove unused Card.published_or_drafted_by scope
As the tests for it could lead to confusion where it seems drafted cards
are not accessible to someone with access to the board and with the
direct drafted card URL.
2025-12-19 09:46:21 +01:00
Stanko Krtalić 42185a8d6d Merge pull request #2153 from basecamp/limit-the-number-of-asignees-on-a-card
Limit the number of asignees on a card
2025-12-18 12:08:45 +01:00
Mike Dalessio 18b3319a94 Extract hex_to_base36 and base36_to_hex methods in Uuid type
replacing normalize_base36. This should make it easier to convert
UUIDs between hex and base36 formats, useful when debugging production
logs that contain hex UUIDs.

For example, if in a log you see:

    User Load (0.3ms) SELECT `users`.* FROM `users` WHERE
    `users`.`account_id` = x'019afab815897a4f920f3a24fab75400' AND
    `users`.`id` = x'019afab815a2790688c58c7f8326e700' LIMIT 1

and you want to find that account or that user in the console, you can
now do:

    id = ActiveRecord::Type::Uuid.hex_to_base36("019afab815897a4f920f3a24fab75400")
    => "03f6bilrvt3oghzhurll4pp8g"
2025-12-16 14:16:55 -05:00
Mike Dalessio 2b388dd241 Merge pull request #2164 from basecamp/flavorjones/user-validate-name
Validate User name presence and handle blank names gracefully
2025-12-16 10:49:13 -05:00
Jorge Manrubia ee80b87c8c Add billing system with Stripe
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Jason Zimdars <jz@37signals.com>
2025-12-16 16:44:20 +01:00
Mike Dalessio b75d2ae6d8 Validate User name presence and handle blank names gracefully
Addresses an issue where User#familiar_name assumed `name` was always
present, potentially raising an exception during view rendering. Now
User validates name presence, and User#familiar_name handles blank
strings without error, in case any existing invalid records exist.
2025-12-16 10:44:10 -05:00
Stanko K.R. 15daa2bf05 Limit asignees to 10 per card 2025-12-15 16:40:52 +01:00
Kevin McConnell 741eff7bdc Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
This reverts commit c628f14c01, reversing
changes made to 4bafc73236.
2025-12-15 13:07:13 +00:00
Stanko Krtalić 2058743be9 Merge pull request #2146 from basecamp/show-only-published-cards-on-public-boards
Show only public cards on public boards
2025-12-15 13:26:12 +01:00
Kevin McConnell c628f14c01 Merge pull request #1865 from basecamp/public-avatar-caching
Serve own avatar from its own endpoint
2025-12-15 12:20:28 +00:00
Stanko K.R. 87081aa617 Show only public cards on public boards 2025-12-15 13:15:36 +01:00
Kevin McConnell 87c6557747 Limit length of full name during signup
If we don't validate for length, then signups that overflow the database
columns will unnecessarily create and cancel a tenant. Adding a
validation means we can avoid this.
2025-12-15 09:56:35 +00:00
Dylan f01a648441 🐛 fix: resolve stale account names in jump menu and page titles
Add account data to fresh_when etag arrays so Rails serves fresh responses after account changes.

- Add @accounts to menus controller etag

- Add Current.account to boards controller etag

- Add ETag cache invalidation tests for both controllers
2025-12-15 15:59:25 +08:00
Mike Dalessio cbaf5d245f Merge pull request #2136 from afurm/test/tenancy-timezone
Add focused tests for tenancy middleware and timezone cookie caching
2025-12-14 16:20:56 -05:00
Mike Dalessio 088b06bf95 Merge pull request #2137 from basecamp/flavorjones/data-action-fix
Image lightbox uses Stimulus target callbacks instead of `data-action`
2025-12-14 12:48:17 -05:00
Jorge Manrubia 31542373ee Merge pull request #2112 from JangoCG/feature/rate-limit-join-codes
feat: protect join codes from brute-force attacks
2025-12-14 09:43:28 +01:00
Jorge Manrubia cac9088ad3 Merge pull request #2105 from seuros/main
feat: expose closed boolean in card JSON API
2025-12-14 09:36:32 +01:00
Jorge Manrubia d7e5d4218f Merge pull request #2032 from tomycostantino/update-columns-on-actions
Fix: board columns actions are stale when moving a column moves
2025-12-14 09:28:57 +01:00
Mike Dalessio e9cb2956ee Lightbox uses Stimulus target callbacks instead of data-action
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.

Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
2025-12-13 17:06:03 -05:00
Mike Dalessio 51df4af6ba Add test coverage for the image lightbox
because we're about to mess with it.
2025-12-13 16:00:54 -05:00
Andrii Furmanets f3bd38ea79 Add tests for tenancy middleware and timezone cookie 2025-12-13 22:10:21 +02:00
Ítalo Matos 2066109003 Add test coverage for with_golden_first scope (#2130)
* Add test coverage for with_golden_first scope

Test verifies that the with_golden_first scope correctly orders
golden cards before non-golden cards in query results.

* Refactor golden test: use instance variables, add subordering coverage

Extract @golden and @non_golden fixtures into setup for reuse across
all tests. Simplify with_golden_first test to verify both primary
ordering (golden before non-golden) and subordering preservation.

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-13 10:34:35 -08:00
Mike Dalessio 139bf3cf81 Validate avatar sizes 2025-12-13 13:05:30 -05:00
Jeremy Daer 43ab17df2f Update tests with final method naming: record! -> record 2025-12-12 21:47:10 -08:00
Mike Dalessio 9cff236f66 Drop staff restriction in beta and staging
because it was preventing testing of signups.
2025-12-12 15:12:46 -05:00