Commit Graph

469 Commits

Author SHA1 Message Date
Mike Dalessio 139bf3cf81 Validate avatar sizes 2025-12-13 13:05:30 -05:00
Mike Dalessio 9cff236f66 Drop staff restriction in beta and staging
because it was preventing testing of signups.
2025-12-12 15:12:46 -05:00
Rosa Gutierrez 7f5fa6d715 Use Sec-Fetch-Site exclusively for CSRF protection
And close the gap with JSON requests, which shouldn't be allowed if
Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this
wouldn't be coming from a browser.
2025-12-12 18:37:32 +01:00
Stanko Krtalić c43c184691 Merge pull request #2093 from robzolkos/add-qr-codes-controller-test
Add QrCodesController test
2025-12-12 08:11:51 +01:00
Stanko Krtalić 23425cb67b Merge pull request #2086 from basecamp/harden-magic-links
Pin sign in attempts to the current session
2025-12-12 07:23:19 +01:00
Stanko K.R. f4ef9c9580 Test that you can't go to the magic link screen without an email 2025-12-12 07:16:07 +01:00
Jankees van Woezik 78fc80cf35 API: Allow updates to last_active_at (#2076)
* Allow Card#last_updated_at to be set

This is useful when doing an import from another system. I'm currently
working on a script to import our Github issues into Fizzy.

This is discussed in
https://github.com/basecamp/fizzy/pull/2056#discussion_r2609560246

* Add nil fallback and expand test coverage for last_active_at

Adds a safety fallback to Time.current if created_at is unexpectedly nil
during card creation.

Test coverage to verify:
* last_active_at defaults to created_at when not provided
* last_active_at can be updated via API on existing cards
* import workflow where last_active_at is restored after comments
* publishing doesn't overwrite explicit last_active_at values

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-11 19:06:03 -08:00
Rob Zolkos 9ca5e792f1 Add QrCodesController test 2025-12-11 13:51:18 -05:00
Stanko K.R. b6edb93c47 Pin sign in attempts to the current session
This makes it way more difficult to brute-force a magic link.

Original implementation by udiudi. Ref: https://github.com/udiudi/fizzy/pull/1/files

Discussion: https://github.com/basecamp/fizzy/discussions/1981

Co-Authored-By: Udi <udi@udi.codes>
2025-12-11 19:05:54 +01:00
Mike Dalessio 679a073c6b Add test coverage for the require_unauthenticated_access redirect 2025-12-11 13:02:54 -05:00
Kevin McConnell 193a28f6c8 Merge pull request #2035 from harisadam/single_tenant
Add env-configurable option to disable public signups
2025-12-11 13:08:19 +00:00
Kevin McConnell 05d176cc31 Test that sign in respects single tenant state 2025-12-11 12:49:03 +00:00
Kevin McConnell 0e443d3602 Use initializer to configure tenant mode 2025-12-11 11:20:43 +00:00
Kevin McConnell a5580666a7 Single tenant by default & update tests 2025-12-11 11:20:43 +00:00
Stanko K.R. 5ee10800a2 Allow direct uploads via API 2025-12-11 11:52:38 +01:00
Adam Haris f76309d116 Merge branch 'main' into single_tenant 2025-12-11 06:08:01 +01:00
Jankees van Woezik 477b4d65f2 API: Support created_at for API card and comment creation (#2056)
* Add support to set `created_at`

Discussed in
https://github.com/basecamp/fizzy/pull/1766#issuecomment-3637846074,
this allows users to import cards from another system with entries from
the past. For instance I'm importing all our Github issues (including
the closed onces) to Fizzy.

* Iron out published state tracking

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-10 19:57:38 -08:00
Stanko K.R. 4e092407ab Fix crash due to missing partial 2025-12-10 18:47:00 +01:00
Mike Dalessio fa118a7d83 Add validation for the join code usage limit
which is preferred to generating a database error
2025-12-10 10:10:08 -05:00
Adam Haris eb8655dc8e refactor: use MULTI_TENANT env variable, model concern instead of controller (#accepting_signups?) 2025-12-10 15:14:22 +01:00
Stanko K.R. 5ce71bf941 Move Identities to My::Identities 2025-12-10 15:13:35 +01:00
Stanko K.R. 79e77a3780 Handle user update failures 2025-12-10 09:23:53 +01:00
Stanko K.R. 7b30ca203e Add index actions for Comments and Columns
Also, fix crash when a deactivated user is serialized (they don't have
an identity).
2025-12-10 09:23:52 +01:00
Stanko K.R. bf51950007 Add API for reading notifications 2025-12-10 09:23:52 +01:00
Stanko K.R. 1a24c1373c Add API for creating and updating boards 2025-12-10 09:23:52 +01:00
Stanko K.R. f3ff0c605e Add pagination to most places and fix cards pagination 2025-12-10 09:23:52 +01:00
Stanko K.R. ba30a301dc Add API for updating and deactivating users 2025-12-10 09:23:52 +01:00
Stanko K.R. 7a0554774c Add API for columns 2025-12-10 09:23:52 +01:00
Stanko K.R. d16b3756de Add API for reactions 2025-12-10 09:23:52 +01:00
Stanko K.R. eeed2a8416 Add API for watching cards 2025-12-10 09:23:52 +01:00
Stanko K.R. ed1002f6c5 Add API for card triage 2025-12-10 09:23:52 +01:00
Stanko K.R. 8a84785056 Add API for tagging cards 2025-12-10 09:23:52 +01:00
Stanko K.R. c517ef6063 Add API for CRUD actions on steps 2025-12-10 09:23:52 +01:00
Stanko K.R. 8a61ca2a79 Add API for postponing cards 2025-12-10 09:23:52 +01:00
Stanko K.R. 52e65b3c08 Add API for removing card images 2025-12-10 09:23:52 +01:00
Stanko K.R. 1caeea541d Add API for gilding cards 2025-12-10 09:23:52 +01:00
Stanko K.R. 41115eaf87 Add API for comments CRUD 2025-12-10 09:23:52 +01:00
Stanko K.R. b4012dfb40 Add API for closing and opening cards 2025-12-10 09:23:52 +01:00
Stanko K.R. cf52982b8b Add API for mobing cards between boards 2025-12-10 09:23:52 +01:00
Stanko K.R. 23e6f3b095 Add API for assigning cards 2025-12-10 09:23:52 +01:00
Stanko K.R. 235a94355e Add card update & delete actions 2025-12-10 09:23:52 +01:00
Stanko K.R. ae03f2b283 Move tests into their controller tests 2025-12-10 09:23:52 +01:00
Stanko K.R. 259707bf70 Fix identity tests 2025-12-10 09:23:52 +01:00
Jay Ohms 26fc9ecad4 Add an /identity.json endpoint to obtain the identity accounts and users 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 3f393c1423 Include card description and tags 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson a8dc4fb310 Excess whitespace 2025-12-10 09:23:52 +01:00
Jay Ohms 680f9c0c4d Add top-level API index support for tags 2025-12-10 09:23:52 +01:00
Jay Ohms 5ad7b973cb Add API support for users 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 983a19fd8a Create cards via API 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson f0c0a87c74 Return json URLs for API actions 2025-12-10 09:23:52 +01:00