Jason Zimdars
d4a50c996a
Merge pull request #1894 from Venkat-RK/main
...
Added 'Back to Home' link on notifications list page
2025-12-04 11:19:55 -06:00
Carmine Paolino
c9eb44119d
Fixed typo in VCR filters ( #1929 )
...
I know it's a small thing, but I just noticed that 🤷
Be careful if you reintroduce your old VCRs as they have OPEN_API_KEY
2025-12-04 08:58:12 -08:00
vkagithala
a92aab9981
Removed test to verify back button.
2025-12-04 08:44:37 -08:00
Mike Dalessio
373f4d5116
Merge pull request #1924 from basecamp/flavorjones/retry-mail-jobs
...
Retry mailer jobs on common networking and SMTP errors
2025-12-04 10:29:53 -05:00
Mike Dalessio
c4a8996562
Retry mailer jobs on common networking and SMTP errors
...
This concern is lifted nearly verbatim from Basecamp.
ref: https://app.fizzy.do/5986089/cards/3300
2025-12-04 10:26:24 -05:00
Kevin McConnell
dfe7095ee6
Merge pull request #1917 from basecamp/dont-resize-svg-avatars
...
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Mike Dalessio
394c5dbf03
Revert "Changing columns requires board admin"
...
This reverts commit cecccadc14 .
2025-12-04 09:46:30 -05:00
Kevin McConnell
2e47749739
Don't allow SVG avatar uploads in the first place
2025-12-04 14:27:28 +00:00
Mike Dalessio
89940d36f8
Gracefully handle ill-formed remote images in rich text
...
A better fix has been proposed upstream at
https://github.com/rails/rails/pull/56283 but this should be fine in
the meantime.
ref: https://app.fizzy.do/5986089/cards/3188
2025-12-04 09:24:52 -05:00
Kevin McConnell
6475ad3425
Don't try to resize non-variable avatars
2025-12-04 13:36:21 +00:00
Stanko K.R.
a8f328c921
Sign up new users on sign in
2025-12-04 11:30:21 +01:00
Jeremy Daer
cecccadc14
Changing columns requires board admin
2025-12-03 23:24:25 -08:00
Jeremy Daer
7af93765a8
Security: close narrow window of exposure to DNS rebinding ( #1903 )
2025-12-03 23:12:17 -08:00
vkagithala
8685b62232
Added 'Back to Home' link on notifications list page to improve navigation experience.
2025-12-03 17:21:50 -08:00
Jeremy Daer
cac0ca1656
Scope the single-board case to just the creator's boards ( #1880 )
2025-12-03 15:47:04 -08:00
Jorge Manrubia
38d86fb17b
Merge pull request #1879 from basecamp/scope-tags
...
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia
4a30663df1
Scope tags by account
...
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia
6847c001ea
Merge pull request #1876 from basecamp/column-reordering-auth
...
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jeremy Daer
9f6a4f1cc6
Fix unauthorized column reordering
...
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.
References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Stanko Krtalić
3520f97e33
Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
...
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Jason Zimdars
7a45caa39d
Update test
2025-12-03 12:02:23 -06:00
Stanko K.R.
84213265e7
Render friendly error message when using an invalid token
2025-12-03 15:37:27 +01:00
Stanko Krtalić
61cc535c5b
Merge pull request #1851 from palkan/tests/connection-test
...
Add Connection tests
2025-12-03 14:56:15 +01:00
Vladimir Dementyev
3832b6230f
+ connection_test.rb
2025-12-03 16:40:44 +03:00
Stanko K.R.
6e9381abb8
Fix crash in join code redemption race condition
2025-12-03 13:29:20 +01:00
Stanko Krtalić
7a0290a4af
Merge pull request #1841 from basecamp/fix-access-control-issues
...
Allow only the owner of a reaction to delete it
2025-12-03 11:33:36 +01:00
Stanko K.R.
77f1110020
Allow only the owner of a reaction to delete it
2025-12-03 11:10:44 +01:00
Stanko K.R.
702865873d
Allow only people who can administer a board to delete it
2025-12-03 10:56:05 +01:00
Jeremy Daer
b755b3fead
Robots, begone ( #1812 )
...
* robots.txt: "Please, don't come in." If a page is directly linked, the
URL can still appear in search results, though.
* X-Robots-Tag: "If you're here, forget what you saw." Works even if the
crawler ignores robots.txt or reaches a page via external link. Can
remove already-indexed pages.
* Public boards may not be indexed. They're meant for "anyone with the
link" private sharing, not worldwide publishing.
2025-12-02 13:35:58 -08:00
Mike Dalessio
a2e024c1b5
Disconnect action cable when user is deactivated
...
ref: https://app.fizzy.do/5986089/cards/2785
2025-12-02 14:26:04 -05:00
Kevin McConnell
d24726c1d3
Merge pull request #1768 from basecamp/data-exports
...
Add "data export" feature
2025-12-02 09:56:40 +00:00
Jorge Manrubia
c9ebb79dbd
Add some protections around sharing the magic link in development
2025-12-02 10:51:14 +01:00
Kevin McConnell
b9899e7154
Fix test
2025-12-02 08:26:09 +00:00
Jorge Manrubia
af0113c9ee
After touch should trigger board touch too
...
The change in https://github.com/basecamp/fizzy/commit/c606de7b41f57734c4c859c5fc3d98c952b26d58#diff-1ecde9fb1ee2494e5d94e807f51f861928f77cfcfb0884889911b62a32c2ff4cL4-R23 was preventing marking cards as golden from broadcasting
2025-12-02 05:55:49 +01:00
Kevin McConnell
e16cc21b0a
Add "data export" feature
...
- Adds a button in Account Settings where you can request a ZIP export of your
Fizzy data
- Export files are created in the background. When ready, a link to
download them is sent to the requester.
- Exports expire after 24 hours. And are limited to 10 per day.
2025-12-01 15:23:26 +00:00
Jorge Manrubia
7dd3497d3a
Extract common setup step
2025-12-01 15:42:03 +01:00
Jorge Manrubia
29d07e7326
Fix: not detecting mentions when publishing saved drafts
...
The problem was that publishing a card with `#publish` was tracking the event
after updating the status, which was clearing the saved changes and preventing the
code from detecting the mention.
See:
https://app.fizzy.do/5986089/cards/2835
2025-12-01 15:39:45 +01:00
Mike Dalessio
edf6b53469
Introduce an "owner" role, and prevent it from being administered
...
to prevent the owner from being demoted or kicked out.
ref: https://app.fizzy.do/5986089/cards/3213
2025-11-29 14:13:29 -05:00
Stanko K.R.
2311efd03e
Make sign up Magic Links work across devices
...
Previously if someone started signing in on their phone, but finished it on their laptop, they'd end up on the menu screen with no account. Bu tracking the purpose of a Magic Link we can always direct the user to sign up if they requested a magic link through sign up. This also makes the logic for changing the copy in the email more robust.
2025-11-29 12:36:00 +01:00
Stanko K.R.
658b5a07cf
Organize everything under Signups
2025-11-29 11:46:09 +01:00
Mike Dalessio
434a9671cc
Ensure Account::ExternalIdSequenceTest.value is never nil
...
If no record exists, create it. This fixes a test in fizzy-saas in
test/models/signup_test.rb that was not actually testing with a valid
external account id.
2025-11-28 14:27:14 -05:00
Rosa Gutierrez
f8a1e0500d
Switch from report-only to actually using Sec-Fetch-Site for CSRF protection
...
As a fallback for Rails's token-based mechanism. To use Sec-Fetch-Site
exclusively, we'll wait until Rails offers that (when we upstream this).
2025-11-28 16:26:03 +01:00
Jorge Manrubia
2f4a05a39f
Format
2025-11-28 15:53:58 +01:00
Jorge Manrubia
3223ba53c3
We need the check in both test/code
2025-11-28 15:53:58 +01:00
Jorge Manrubia
1897cc238f
Only staff can access beta/staging
...
https://app.fizzy.do/5986089/cards/3208
2025-11-28 15:53:58 +01:00
Jorge Manrubia
6bfed6d048
Format
2025-11-28 15:53:58 +01:00
Jorge Manrubia
166ff83611
Rename tests
2025-11-28 15:53:58 +01:00
Jorge Manrubia
4e09352c09
Bring simple signup flow from the fizzy-saas gem
...
We skip the QB code and we fill external account ids automatically on creation with a sequence
See:
https://github.com/basecamp/fizzy-saas/pull/7
2025-11-28 15:53:58 +01:00
Jorge Manrubia
2061ab4ab2
Use dedicated sequence record instead of deal with issues with ids and uuids when using the previous approach
2025-11-28 15:53:58 +01:00
Jorge Manrubia
07b4c55185
Auto-increment external_account_id automatically by default to allow upcoming simple signups
2025-11-28 15:53:58 +01:00