Commit Graph

5473 Commits

Author SHA1 Message Date
Jorge Manrubia 38d86fb17b Merge pull request #1879 from basecamp/scope-tags
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia 4a30663df1 Scope tags by account
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia 6847c001ea Merge pull request #1876 from basecamp/column-reordering-auth
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jorge Manrubia 367e5aa1dd Merge pull request #1871 from imbriaco/patch-2
Use environment variable for default mailer address
2025-12-03 22:07:39 +01:00
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jorge Manrubia 7fcf660f05 Merge pull request #1854 from MatheusRich/find-by-over-where-first
Prefer find_by! over where + first!
2025-12-03 21:51:18 +01:00
Mark Imbriaco 56033d0a8e Use environment variable for default mailer address 2025-12-03 14:56:19 -05:00
Jason Zimdars 8f2ec267f6 Merge pull request #1820 from dcchambers/delete-board-confirmation
Add card deletion warning to board deletion confirmation message
2025-12-03 13:42:06 -06:00
Stanko Krtalić f41b1b098a Merge pull request #1868 from basecamp/use-cryptographically-secure-randomness-for-magic-link-code-generation
Use cryptographically secure randomness for Magic Link code generation
2025-12-03 20:21:52 +01:00
Andy Smith 4b86399ae9 Merge pull request #1866 from basecamp/quick-filters-on-mobile
Don't hide quick filters on mobile
2025-12-03 13:18:09 -06:00
Stanko K.R. 7ab06d1dbd Use cryptographically secure randomness for Magic Link code generation
#sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results.
2025-12-03 20:15:27 +01:00
Stanko Krtalić 3520f97e33 Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Dakota Chambers a98cb58348 Update app/views/boards/edit/_delete.html.erb
Co-authored-by: Jason Zimdars <jz@37signals.com>
2025-12-03 13:04:29 -06:00
Jorge Manrubia 60b1fe26e8 Merge pull request #1847 from javier-valencia-arch/patch-1
Refactor with_account and without_account methods
2025-12-03 19:33:31 +01:00
Jorge Manrubia 2e3c9374a5 Merge pull request #1833 from rossvz/fix/hide-add-step-on-closed-cards
hide "add a step" input when card is closed
2025-12-03 19:32:22 +01:00
Andy Smith e7cdeb1148 Don't monkey with input width 2025-12-03 11:51:23 -06:00
Jason Zimdars 443a6bd408 Merge pull request #1864 from basecamp/update-onboarding-text
Update seeder.rb to fix minor things in the onboarding content
2025-12-03 11:45:56 -06:00
Andy Smith 5118ca04b1 Don't hide quick filters on mobile 2025-12-03 11:43:50 -06:00
Jason Zimdars df04fb9250 Adjust for layout consistency and tighten up some copy 2025-12-03 11:21:34 -06:00
Jason Zimdars a6c5cc19b7 Copy and layout edits for the new invalid token screen 2025-12-03 11:21:13 -06:00
Brian Bailey 30a2149115 Update seeder.rb to fix a few minor things in the onboarding content 2025-12-03 12:20:37 -05:00
Andy Smith c3172c66ee Target tooltips instead of specific buttons 2025-12-03 11:16:37 -06:00
Andy Smith 8cc698b702 Merge pull request #1862 from basecamp/lexxy-attachment-margins
Repair margins for attachments
2025-12-03 11:07:21 -06:00
Andy Smith d62a608772 Repair margins for attachments 2025-12-03 11:02:02 -06:00
Karl Entwistle 59d7229500 Move Eventable concern to app/models/concerns
Aligns with Rails conventions for organizing concerns in a dedicated
concerns directory alongside existing concerns like Attachments,
Mentions, Searchable, etc.
2025-12-03 16:36:15 +00:00
Stanko K.R. 92b7c4a86c Update copy 2025-12-03 15:44:20 +01:00
Stanko K.R. 84213265e7 Render friendly error message when using an invalid token 2025-12-03 15:37:27 +01:00
Donal McBreen 13db384648 Auto default for UUID primary keys
Patch load_schmema! to set the default value for UUID primary keys. This
removes the need to patch ApplicationRecord + Rails models individually.

It also means we no longer need to patch the default in for the integer
primary key in Search::Record::SQLite.
2025-12-03 14:27:52 +00:00
Matheus Richard 7e95322776 Prefer find_by! over where + first! 2025-12-03 11:20:02 -03:00
Stanko Krtalić 372d46f2cc Merge pull request #1849 from basecamp/prevent-crash-in-join-code-race-condition
Fix crash in join code redemption race condition
2025-12-03 13:35:08 +01:00
Stanko K.R. 6e9381abb8 Fix crash in join code redemption race condition 2025-12-03 13:29:20 +01:00
Jorge Manrubia 0cb65685e5 Capture key presses inside the column edit form to prevent interferences with column navigation
https://app.fizzy.do/5986089/cards/3249
2025-12-03 13:28:44 +01:00
Javier Valencia 0d83e9b90c Refactor with_account and without_account methods
Remove variables name for block, not needed from Ruby >= 3.1
2025-12-03 12:26:39 +01:00
Stanko Krtalić 7a0290a4af Merge pull request #1841 from basecamp/fix-access-control-issues
Allow only the owner of a reaction to delete it
2025-12-03 11:33:36 +01:00
Stanko K.R. 77f1110020 Allow only the owner of a reaction to delete it 2025-12-03 11:10:44 +01:00
Stanko K.R. 702865873d Allow only people who can administer a board to delete it 2025-12-03 10:56:05 +01:00
Stanko Krtalić 297f727199 Merge pull request #1838 from basecamp/fix-crash-when-inserting-an-emoji-in-a-maxlength-reaction
Fix crash when inserting an emoji into a max length reaction
2025-12-03 10:36:38 +01:00
Stanko K.R. f8eda42187 Fix crash when inserting an emoji into a max length reaction 2025-12-03 10:32:49 +01:00
Stanko Krtalić 62e43c76fa Merge pull request #1817 from kobaltz/main
Fix Account Slug and Database yaml
2025-12-03 08:42:45 +01:00
Ross van Zyl 244d92d92a hide "add a step" input when card is closed 2025-12-02 22:22:24 -05:00
Andy Smith c1881ffb15 Merge pull request #1825 from basecamp/clean-media-queries
Consistent breakpoints for min- and max-width
2025-12-02 17:12:10 -06:00
Jason Zimdars f7e375a4ef We can't hide public boards like this 2025-12-02 16:41:32 -06:00
Andy Smith ccd8d5736b Consistent breakpoints for min- and max-width 2025-12-02 16:22:56 -06:00
Andy Smith f0804a151f Repair tooltip z-index selector 2025-12-02 15:47:16 -06:00
Andy Smith da57e2529b Merge pull request #1819 from basecamp/autoresize-padding
Account for input padding on autoresize pseudo-element
2025-12-02 15:41:04 -06:00
Jeremy Daer b755b3fead Robots, begone (#1812)
* robots.txt: "Please, don't come in." If a page is directly linked, the
  URL can still appear in search results, though.
* X-Robots-Tag: "If you're here, forget what you saw." Works even if the
  crawler ignores robots.txt or reaches a page via external link. Can
  remove already-indexed pages.
* Public boards may not be indexed. They're meant for "anyone with the
  link" private sharing, not worldwide publishing.
2025-12-02 13:35:58 -08:00
Dakota Chambers e606a142f1 Update board delete confirmation message 2025-12-02 15:25:50 -06:00
Andy Smith 657b3c04c5 Account for input padding on autoresize pseudo-element 2025-12-02 15:19:16 -06:00
Dave Kimura 337af0a575 Merge branch 'basecamp:main' into main 2025-12-02 16:08:26 -05:00
Dave Kimura 2f740c81c0 (account): encode external_account_id in slug
- Use `AccountSlug.encode` to generate slug instead of raw ID
  - Fixes where slug is /1 and will be in the proper format of /0000001
2025-12-02 16:07:04 -05:00