Commit Graph

894 Commits

Author SHA1 Message Date
Mike Dalessio 4dc28943da Don't let cloudflare cache avatars
The issue here is that anyone else who views my avatar will cause it
to be cached, and then I can't easily bust the cache if I change my
avatar.
2025-11-22 09:48:28 -05:00
Mike Dalessio 64bac96545 User avatar responses have cache-control "public"
ref: https://app.fizzy.do/5986089/cards/3125
2025-11-21 16:11:39 -05:00
Mike Dalessio bcb43305b6 Improve avatar image handling
- redirect avatar image requests to the rails_blob_url, instead of
  streaming them through the web app
- use a thumbnail variant for avatar images
- only put avatar initials behind the stale? check (not the image
  redirect, which would result in browsers rendering broken images when
  an avatar is changed, until max-age expires)
2025-11-21 15:16:46 -05:00
Stanko K.R. fe909d6dc5 Disable stale while revalidate for own avatar
Locally, having stale_while_revalidate works great, but in production when we are behind CloudFlare, this results in an old image being shown after you upload a new one

See: https://app.fizzy.do/5986089/cards/2978
2025-11-21 19:26:38 +01:00
Jason Zimdars 2c4d2df469 Merge pull request #1679 from basecamp/notifications
Cap the max number of unread notifications to 500
2025-11-21 09:34:26 -06:00
Jorge Manrubia 42a39b224c Cap the max number of unread notifications to 500
Simpler than adding 2 levels of pagination here
2025-11-21 15:55:24 +01:00
Jorge Manrubia 93ee8899a0 More robust implementation to prevent method injection attacks 2025-11-21 10:38:16 +01:00
Jorge Manrubia e4558f00ab Merge branch 'main' into expand-activity-columns 2025-11-21 10:25:39 +01:00
Jorge Manrubia e813b7eaf0 Invalidate HTTP caching when the cards change
https://app.fizzy.do/5986089/cards/3067
2025-11-21 09:32:02 +01:00
Mike Dalessio 1341830ed2 Add total counts and restructure admin stats dashboard
- Add total counts for accounts and identities alongside 7-day and 24-hour metrics
- Change layout from horizontal to vertical stacking

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 14:39:19 -05:00
Jason Zimdars 133a17a75e Just pass the column name string, no need to both with numbers 2025-11-20 11:43:17 -06:00
Mike Dalessio c53b56c1db Display a helpful error message when join code is exhausted
ref: https://app.fizzy.do/5986089/cards/3015
2025-11-19 15:53:25 -05:00
Mike Dalessio 2fe578c5e5 Small improvements to the stats dashboard 2025-11-19 14:31:13 -05:00
Mike Dalessio 362be963c0 Add a very rudimentary admin dashboard. 2025-11-19 14:23:47 -05:00
Mike Dalessio 4636b31f06 Authorization ensure_staff uses identity.staff
for use on untenanted routes
2025-11-19 14:23:47 -05:00
Mike Dalessio 47c05e6d6a Restore basic auth on signup
broken in 6e304958
2025-11-19 14:12:59 -05:00
Jason Zimdars eba749a193 Expand activity columns 2025-11-19 12:48:36 -06:00
David Heinemeier Hansson 9ddcfa5c4b Conventional order and remove redundant filtering of actions 2025-11-18 15:49:50 +01:00
David Heinemeier Hansson 7d86aae67e Inline anemic method 2025-11-18 15:48:40 +01:00
David Heinemeier Hansson b63d79d7a2 Style 2025-11-18 15:45:28 +01:00
David Heinemeier Hansson c606de7b41 Instead of trying to suppress from the wrong layer of the stick, just don't touch until published? 2025-11-18 15:35:40 +01:00
David Heinemeier Hansson 444d43f2ac Its been a few days 2025-11-18 14:52:07 +01:00
David Heinemeier Hansson 6e304958be No need to protect local dev/test 2025-11-18 14:32:54 +01:00
Stanko K.R. 0f7b1312eb Fix tests broken by optimizations 2025-11-17 17:45:24 +01:00
Stanko K.R. 0b8c51c2e9 Preload cards for columns 2025-11-17 16:16:19 +01:00
Stanko K.R. e539754e2c Preload cards 2025-11-17 09:12:41 -05:00
Mike Dalessio f5305b2fe6 Use Card number as the model param
instead of the UUID `id`
2025-11-17 09:12:41 -05:00
Kevin McConnell 9615753e1f Add routing header to see who served request 2025-11-17 09:12:41 -05:00
Stanko K.R. e0693de7c3 Scope jobs and controllers by account 2025-11-17 09:12:41 -05:00
Mike Dalessio 5a7f08067a Move setting Current.account into the middleware
so that code called from the Rails controllers can use Current.account
2025-11-17 09:12:40 -05:00
Stanko K.R. 56c41d45eb Reinstate email changes 2025-11-17 09:12:40 -05:00
Stanko K.R. 34d83aaa7c Fix tests after the removal of memberships 2025-11-17 09:12:40 -05:00
Stanko K.R. 8fa9566c07 Update sign up 2025-11-17 09:12:40 -05:00
Stanko K.R. edf837fed3 Drop memberships 2025-11-17 09:12:39 -05:00
Stanko K.R. 5c6b91ef77 Fix incorrect var setting 2025-11-17 09:12:36 -05:00
Stanko K.R. 71a332bb08 Remove dead code 2025-11-17 09:12:17 -05:00
Stanko K.R. db172bae4e Simplify authorization 2025-11-17 09:12:17 -05:00
Stanko K.R. 28a6dfce01 Simplify user deactivation 2025-11-17 09:12:17 -05:00
Stanko K.R. 6858b96619 Simplify join codes 2025-11-17 09:12:17 -05:00
Donal McBreen 3aa4a1a562 Shard the search index into 16 tables
Create search_index_0 to search_index_15 tables and shard each index by
account id. MySQL has no ability to pre-filter fulltext indexes by
another field so this is the best bet for improving performance.

Each fulltest index internally creates 11 sub tables (see
https://dev.mysql.com/doc/refman/8.4/en/innodb-fulltext-index.html) so
actually we have 192 tables in total here.

The search_index table name is generated dynamically based on the
account_id.
2025-11-17 09:12:17 -05:00
Donal McBreen ddd7fe082a Ensure the mentioning scope search works
Include the filter by accessible board ids to avoid large joins from the
search_index table. Drop the unused search scope.
2025-11-17 09:12:17 -05:00
Mike Dalessio dbf66f9a50 Constrain user queries to the current or relevant account 2025-11-17 09:11:57 -05:00
Mike Dalessio 89d1299ec0 Fix authentication on "untenanted" controllers
trying out the name "disallow_account_scope" for this, but I don't
think it's quite right yet.
2025-11-17 09:11:47 -05:00
Mike Dalessio 086a9ceada Revert some auth pieces of "Account.sole → Current.account" 2025-11-17 09:11:45 -05:00
Mike Dalessio 030433b99d Remove debugging statements 2025-11-17 09:11:42 -05:00
Mike Dalessio ec54014832 Add account slug middleware
and set Current.account
2025-11-17 09:11:42 -05:00
Mike Dalessio d41d50d52b Account.sole → Current.account
and some other de-tenant changes, including removing the controller
tenanting concerns
2025-11-17 09:11:40 -05:00
Kevin McConnell dc40d2b5b0 Remove custom read/writer routing 2025-11-17 09:11:28 -05:00
Jorge Manrubia a1bc6b7939 Do not use HTTP caching since the page is full of forms, and can result in 422s due to CSRF tokens
https://app.fizzy.do/5986089/cards/2977
2025-11-17 13:55:23 +01:00
Jorge Manrubia eea9afb639 Fix: dismiss grouped notifications by card from the notifications tray
This also splits the templates into two: index and tray, since the URL now changes.
2025-11-14 12:58:24 +01:00