When running a Docker deployment, we need a way to set the app's base
URL. Otherwise links in emails, or generated in jobs etc., can not be
correctly constructed.
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.
Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
* Add more configuration options for the SMTP connection
* Add SMTP_TLS option for implicit TLS connections
For SMTPS servers (typically port 465), set SMTP_TLS=true.
Port auto-defaults to 465 when TLS is enabled, 587 otherwise.
STARTTLS is used by default and automatically disabled when TLS is on.
Fixes boolean conversion bug in original PR (string "false" is truthy)
and removes insecure default for certificate verification.
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com>
Ensure we can serve the app from multiple hosts without breaking links.
* Switch unnecessary full URLs to paths
* Drop default host/port URL options for controllers
Shell 1
```bash
bin/dev
```
Shell 2
```bash
tailscale serve http://fizzy.localhost:3006
```
This allows us to have different cache controls depending on whether
you're viewing your own avatar, or someone else's. Your own avatar will
always be fresh, while other folks' avatars can be pulled from the CDN.
Gemfile.saas evals Gemfile, so shared gems should have identical versions
in both lockfiles. This adds bin/bundle-drift to detect and fix drift:
* `bin/bundle-drift check` compares shared gem versions
* `bin/bundle-drift correct` seeds Gemfile.lock from Gemfile.saas.lock
and re-locks, letting Bundler prune SaaS-only gems while preserving
shared versions
Adds drift check to bin/ci and GitHub CI. Corrects existing drift.
`assume_ssl` and `force_ssl` are often used together:
- When running behind a terminating proxy (including Thruster) you'll
want both.
- When running without SSL (like on localhost) you'll want neither.
To simplify setup for those cases, we add the `DISABLE_SSL` option. When
set to `true` all SSL-related behaviour is turned off. When left as the
default, it's on.
We can still use `ASSUME_SSL` and `FORCE_SSL` to set those separately
if required.
* Configure all sources with CSP_* vars. Space separated source list.
* Fall back to `config.x.content_security_policy.*`
* Move our sources to fizzy-saas
References https://github.com/basecamp/fizzy-saas/pull/24
An append-only storage ledger replaces deadlock-prone synchronous
counter updates and drift-prone async updates.
All content storage (card images, card/comment/board description embeds)
is tracked. Account exports (which expire) and avatars are not tracked.
Storage is accounted for by Account and Board. Both consume the same
event stream independently: no bubble-up storage bumps triggering
deadlocks due to lock sequencing. Each calculates its own total from
the underlying ledger with independent cursors and materialization.
* Storage::Entry: Append-only ledger recording attach/detach/transfer
events with delta bytes. Single event stream indexed for both
Account and Board cursor queries.
* Storage::Total: Polymorphic snapshot cache with cursor (last_entry_id)
tracking which entries have been materialized.
* Storage::Totaled concern: Provides bytes_used (fast snapshot) and
bytes_used_exact (snapshot + pending) query modes, plus
materialize_storage! to roll up pending entries.
* Storage::Tracked concern: For models owning attachments (Card,
Comment, Board). Provides board_for_storage_tracking for models
where board is determined differently (Board returns self).
Handles board transfers by recording transfer_out/transfer_in entries.
* Storage::AttachmentTracking: Hooks ActiveStorage::Attachment lifecycle
to record attach/detach entries. Handles ActionText::RichText embeds
by traversing to the actual model. Snapshots context in before_destroy
to handle cascading deletes where parent record may be gone by
after_destroy_commit.
* MaterializeJob: Rolls up pending entries into snapshot. Concurrency
limited per owner to prevent duplicate work.
* ReconcileJob: On-demand reconciliation against actual attachment
storage for support/debugging. Compares ledger total to real bytes
from card images, card embeds, comment embeds, and board embeds.
Usage:
* account.bytes_used / board.bytes_used: fast, slightly stale bytesize
* account.bytes_used_exact / board.bytes_used_exact: real-time bytesize
* Storage::Entry: audit trail for debugging and point-in-time queries
- If `SMTP_ADDRESS` is set, configure Action Mailer to use it, along
with additional optional SMTP-related settings.
- Otherwise, don't set config (for compatibility with engines like
fizzy-saas).
- Remove sendmail env setup, since by default there is no sendmail in
the container, and custom deployment can use whatever config the want
directly. If we end up needing this, we can bring it back via its
own env.