Jorge Manrubia
38d86fb17b
Merge pull request #1879 from basecamp/scope-tags
...
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia
4a30663df1
Scope tags by account
...
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia
6847c001ea
Merge pull request #1876 from basecamp/column-reordering-auth
...
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jorge Manrubia
367e5aa1dd
Merge pull request #1871 from imbriaco/patch-2
...
Use environment variable for default mailer address
2025-12-03 22:07:39 +01:00
Jeremy Daer
9f6a4f1cc6
Fix unauthorized column reordering
...
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.
References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jorge Manrubia
7fcf660f05
Merge pull request #1854 from MatheusRich/find-by-over-where-first
...
Prefer find_by! over where + first!
2025-12-03 21:51:18 +01:00
Mark Imbriaco
56033d0a8e
Use environment variable for default mailer address
2025-12-03 14:56:19 -05:00
Jason Zimdars
8f2ec267f6
Merge pull request #1820 from dcchambers/delete-board-confirmation
...
Add card deletion warning to board deletion confirmation message
2025-12-03 13:42:06 -06:00
Stanko Krtalić
f41b1b098a
Merge pull request #1868 from basecamp/use-cryptographically-secure-randomness-for-magic-link-code-generation
...
Use cryptographically secure randomness for Magic Link code generation
2025-12-03 20:21:52 +01:00
Andy Smith
4b86399ae9
Merge pull request #1866 from basecamp/quick-filters-on-mobile
...
Don't hide quick filters on mobile
2025-12-03 13:18:09 -06:00
Stanko K.R.
7ab06d1dbd
Use cryptographically secure randomness for Magic Link code generation
...
#sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results.
2025-12-03 20:15:27 +01:00
Stanko Krtalić
3520f97e33
Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
...
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Dakota Chambers
a98cb58348
Update app/views/boards/edit/_delete.html.erb
...
Co-authored-by: Jason Zimdars <jz@37signals.com >
2025-12-03 13:04:29 -06:00
Jorge Manrubia
60b1fe26e8
Merge pull request #1847 from javier-valencia-arch/patch-1
...
Refactor with_account and without_account methods
2025-12-03 19:33:31 +01:00
Jorge Manrubia
2e3c9374a5
Merge pull request #1833 from rossvz/fix/hide-add-step-on-closed-cards
...
hide "add a step" input when card is closed
2025-12-03 19:32:22 +01:00
Andy Smith
e7cdeb1148
Don't monkey with input width
2025-12-03 11:51:23 -06:00
Jason Zimdars
443a6bd408
Merge pull request #1864 from basecamp/update-onboarding-text
...
Update seeder.rb to fix minor things in the onboarding content
2025-12-03 11:45:56 -06:00
Andy Smith
5118ca04b1
Don't hide quick filters on mobile
2025-12-03 11:43:50 -06:00
Jason Zimdars
df04fb9250
Adjust for layout consistency and tighten up some copy
2025-12-03 11:21:34 -06:00
Jason Zimdars
a6c5cc19b7
Copy and layout edits for the new invalid token screen
2025-12-03 11:21:13 -06:00
Brian Bailey
30a2149115
Update seeder.rb to fix a few minor things in the onboarding content
2025-12-03 12:20:37 -05:00
Andy Smith
c3172c66ee
Target tooltips instead of specific buttons
2025-12-03 11:16:37 -06:00
Andy Smith
8cc698b702
Merge pull request #1862 from basecamp/lexxy-attachment-margins
...
Repair margins for attachments
2025-12-03 11:07:21 -06:00
Andy Smith
d62a608772
Repair margins for attachments
2025-12-03 11:02:02 -06:00
Karl Entwistle
59d7229500
Move Eventable concern to app/models/concerns
...
Aligns with Rails conventions for organizing concerns in a dedicated
concerns directory alongside existing concerns like Attachments,
Mentions, Searchable, etc.
2025-12-03 16:36:15 +00:00
Stanko K.R.
92b7c4a86c
Update copy
2025-12-03 15:44:20 +01:00
Stanko K.R.
84213265e7
Render friendly error message when using an invalid token
2025-12-03 15:37:27 +01:00
Donal McBreen
13db384648
Auto default for UUID primary keys
...
Patch load_schmema! to set the default value for UUID primary keys. This
removes the need to patch ApplicationRecord + Rails models individually.
It also means we no longer need to patch the default in for the integer
primary key in Search::Record::SQLite.
2025-12-03 14:27:52 +00:00
Matheus Richard
7e95322776
Prefer find_by! over where + first!
2025-12-03 11:20:02 -03:00
Stanko Krtalić
372d46f2cc
Merge pull request #1849 from basecamp/prevent-crash-in-join-code-race-condition
...
Fix crash in join code redemption race condition
2025-12-03 13:35:08 +01:00
Stanko K.R.
6e9381abb8
Fix crash in join code redemption race condition
2025-12-03 13:29:20 +01:00
Jorge Manrubia
0cb65685e5
Capture key presses inside the column edit form to prevent interferences with column navigation
...
https://app.fizzy.do/5986089/cards/3249
2025-12-03 13:28:44 +01:00
Javier Valencia
0d83e9b90c
Refactor with_account and without_account methods
...
Remove variables name for block, not needed from Ruby >= 3.1
2025-12-03 12:26:39 +01:00
Stanko Krtalić
7a0290a4af
Merge pull request #1841 from basecamp/fix-access-control-issues
...
Allow only the owner of a reaction to delete it
2025-12-03 11:33:36 +01:00
Stanko K.R.
77f1110020
Allow only the owner of a reaction to delete it
2025-12-03 11:10:44 +01:00
Stanko K.R.
702865873d
Allow only people who can administer a board to delete it
2025-12-03 10:56:05 +01:00
Stanko Krtalić
297f727199
Merge pull request #1838 from basecamp/fix-crash-when-inserting-an-emoji-in-a-maxlength-reaction
...
Fix crash when inserting an emoji into a max length reaction
2025-12-03 10:36:38 +01:00
Stanko K.R.
f8eda42187
Fix crash when inserting an emoji into a max length reaction
2025-12-03 10:32:49 +01:00
Stanko Krtalić
62e43c76fa
Merge pull request #1817 from kobaltz/main
...
Fix Account Slug and Database yaml
2025-12-03 08:42:45 +01:00
Ross van Zyl
244d92d92a
hide "add a step" input when card is closed
2025-12-02 22:22:24 -05:00
Andy Smith
c1881ffb15
Merge pull request #1825 from basecamp/clean-media-queries
...
Consistent breakpoints for min- and max-width
2025-12-02 17:12:10 -06:00
Jason Zimdars
f7e375a4ef
We can't hide public boards like this
2025-12-02 16:41:32 -06:00
Andy Smith
ccd8d5736b
Consistent breakpoints for min- and max-width
2025-12-02 16:22:56 -06:00
Andy Smith
f0804a151f
Repair tooltip z-index selector
2025-12-02 15:47:16 -06:00
Andy Smith
da57e2529b
Merge pull request #1819 from basecamp/autoresize-padding
...
Account for input padding on autoresize pseudo-element
2025-12-02 15:41:04 -06:00
Jeremy Daer
b755b3fead
Robots, begone ( #1812 )
...
* robots.txt: "Please, don't come in." If a page is directly linked, the
URL can still appear in search results, though.
* X-Robots-Tag: "If you're here, forget what you saw." Works even if the
crawler ignores robots.txt or reaches a page via external link. Can
remove already-indexed pages.
* Public boards may not be indexed. They're meant for "anyone with the
link" private sharing, not worldwide publishing.
2025-12-02 13:35:58 -08:00
Dakota Chambers
e606a142f1
Update board delete confirmation message
2025-12-02 15:25:50 -06:00
Andy Smith
657b3c04c5
Account for input padding on autoresize pseudo-element
2025-12-02 15:19:16 -06:00
Dave Kimura
337af0a575
Merge branch 'basecamp:main' into main
2025-12-02 16:08:26 -05:00
Dave Kimura
2f740c81c0
(account): encode external_account_id in slug
...
- Use `AccountSlug.encode` to generate slug instead of raw ID
- Fixes where slug is /1 and will be in the proper format of /0000001
2025-12-02 16:07:04 -05:00