Mike Dalessio
139bf3cf81
Validate avatar sizes
2025-12-13 13:05:30 -05:00
Mike Dalessio
9cff236f66
Drop staff restriction in beta and staging
...
because it was preventing testing of signups.
2025-12-12 15:12:46 -05:00
Rosa Gutierrez
7f5fa6d715
Use Sec-Fetch-Site exclusively for CSRF protection
...
And close the gap with JSON requests, which shouldn't be allowed if
Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this
wouldn't be coming from a browser.
2025-12-12 18:37:32 +01:00
Stanko Krtalić
c43c184691
Merge pull request #2093 from robzolkos/add-qr-codes-controller-test
...
Add QrCodesController test
2025-12-12 08:11:51 +01:00
Stanko Krtalić
23425cb67b
Merge pull request #2086 from basecamp/harden-magic-links
...
Pin sign in attempts to the current session
2025-12-12 07:23:19 +01:00
Stanko K.R.
f4ef9c9580
Test that you can't go to the magic link screen without an email
2025-12-12 07:16:07 +01:00
Jankees van Woezik
78fc80cf35
API: Allow updates to last_active_at ( #2076 )
...
* Allow Card#last_updated_at to be set
This is useful when doing an import from another system. I'm currently
working on a script to import our Github issues into Fizzy.
This is discussed in
https://github.com/basecamp/fizzy/pull/2056#discussion_r2609560246
* Add nil fallback and expand test coverage for last_active_at
Adds a safety fallback to Time.current if created_at is unexpectedly nil
during card creation.
Test coverage to verify:
* last_active_at defaults to created_at when not provided
* last_active_at can be updated via API on existing cards
* import workflow where last_active_at is restored after comments
* publishing doesn't overwrite explicit last_active_at values
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com >
2025-12-11 19:06:03 -08:00
Rob Zolkos
9ca5e792f1
Add QrCodesController test
2025-12-11 13:51:18 -05:00
Stanko K.R.
b6edb93c47
Pin sign in attempts to the current session
...
This makes it way more difficult to brute-force a magic link.
Original implementation by udiudi. Ref: https://github.com/udiudi/fizzy/pull/1/files
Discussion: https://github.com/basecamp/fizzy/discussions/1981
Co-Authored-By: Udi <udi@udi.codes >
2025-12-11 19:05:54 +01:00
Mike Dalessio
679a073c6b
Add test coverage for the require_unauthenticated_access redirect
2025-12-11 13:02:54 -05:00
Kevin McConnell
193a28f6c8
Merge pull request #2035 from harisadam/single_tenant
...
Add env-configurable option to disable public signups
2025-12-11 13:08:19 +00:00
Kevin McConnell
05d176cc31
Test that sign in respects single tenant state
2025-12-11 12:49:03 +00:00
Kevin McConnell
0e443d3602
Use initializer to configure tenant mode
2025-12-11 11:20:43 +00:00
Kevin McConnell
a5580666a7
Single tenant by default & update tests
2025-12-11 11:20:43 +00:00
Stanko K.R.
5ee10800a2
Allow direct uploads via API
2025-12-11 11:52:38 +01:00
Adam Haris
f76309d116
Merge branch 'main' into single_tenant
2025-12-11 06:08:01 +01:00
Jankees van Woezik
477b4d65f2
API: Support created_at for API card and comment creation ( #2056 )
...
* Add support to set `created_at`
Discussed in
https://github.com/basecamp/fizzy/pull/1766#issuecomment-3637846074 ,
this allows users to import cards from another system with entries from
the past. For instance I'm importing all our Github issues (including
the closed onces) to Fizzy.
* Iron out published state tracking
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com >
2025-12-10 19:57:38 -08:00
Stanko K.R.
4e092407ab
Fix crash due to missing partial
2025-12-10 18:47:00 +01:00
Mike Dalessio
fa118a7d83
Add validation for the join code usage limit
...
which is preferred to generating a database error
2025-12-10 10:10:08 -05:00
Adam Haris
eb8655dc8e
refactor: use MULTI_TENANT env variable, model concern instead of controller (#accepting_signups?)
2025-12-10 15:14:22 +01:00
Stanko K.R.
5ce71bf941
Move Identities to My::Identities
2025-12-10 15:13:35 +01:00
Stanko K.R.
79e77a3780
Handle user update failures
2025-12-10 09:23:53 +01:00
Stanko K.R.
7b30ca203e
Add index actions for Comments and Columns
...
Also, fix crash when a deactivated user is serialized (they don't have
an identity).
2025-12-10 09:23:52 +01:00
Stanko K.R.
bf51950007
Add API for reading notifications
2025-12-10 09:23:52 +01:00
Stanko K.R.
1a24c1373c
Add API for creating and updating boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
f3ff0c605e
Add pagination to most places and fix cards pagination
2025-12-10 09:23:52 +01:00
Stanko K.R.
ba30a301dc
Add API for updating and deactivating users
2025-12-10 09:23:52 +01:00
Stanko K.R.
7a0554774c
Add API for columns
2025-12-10 09:23:52 +01:00
Stanko K.R.
d16b3756de
Add API for reactions
2025-12-10 09:23:52 +01:00
Stanko K.R.
eeed2a8416
Add API for watching cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
ed1002f6c5
Add API for card triage
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a84785056
Add API for tagging cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
c517ef6063
Add API for CRUD actions on steps
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a61ca2a79
Add API for postponing cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
52e65b3c08
Add API for removing card images
2025-12-10 09:23:52 +01:00
Stanko K.R.
1caeea541d
Add API for gilding cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
41115eaf87
Add API for comments CRUD
2025-12-10 09:23:52 +01:00
Stanko K.R.
b4012dfb40
Add API for closing and opening cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
cf52982b8b
Add API for mobing cards between boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
23e6f3b095
Add API for assigning cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
235a94355e
Add card update & delete actions
2025-12-10 09:23:52 +01:00
Stanko K.R.
ae03f2b283
Move tests into their controller tests
2025-12-10 09:23:52 +01:00
Stanko K.R.
259707bf70
Fix identity tests
2025-12-10 09:23:52 +01:00
Jay Ohms
26fc9ecad4
Add an /identity.json endpoint to obtain the identity accounts and users
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
3f393c1423
Include card description and tags
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
a8dc4fb310
Excess whitespace
2025-12-10 09:23:52 +01:00
Jay Ohms
680f9c0c4d
Add top-level API index support for tags
2025-12-10 09:23:52 +01:00
Jay Ohms
5ad7b973cb
Add API support for users
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
983a19fd8a
Create cards via API
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
f0c0a87c74
Return json URLs for API actions
2025-12-10 09:23:52 +01:00