Commit Graph

7804 Commits

Author SHA1 Message Date
Stanko Krtalić 6050f187ca Merge pull request #1895 from jbnunn/remove-legacy-join-pattern
Removed legacy join link
2025-12-04 09:21:08 +01:00
Jorge Manrubia af43ef4962 Merge pull request #1897 from Hacksore/fix/board-bell-title
Move the title to the button
2025-12-04 09:02:08 +01:00
Jorge Manrubia a0cb25a951 Merge pull request #1881 from basecamp/card-notification-removal-scope
Tighten scope on card notification removals
2025-12-04 08:44:52 +01:00
Jorge Manrubia 457a6d71b7 Merge pull request #1906 from basecamp/column-management-auth
Changing columns requires board admin
2025-12-04 08:34:49 +01:00
Jorge Manrubia 40f906f69f Merge pull request #1896 from umarhadi/main
Add Missing Production Databases for Solid Queue and Solid Cache
2025-12-04 08:34:15 +01:00
Jeremy Daer cecccadc14 Changing columns requires board admin 2025-12-03 23:24:25 -08:00
Jeremy Daer 7af93765a8 Security: close narrow window of exposure to DNS rebinding (#1903) 2025-12-03 23:12:17 -08:00
Sean Boult c1468de3d7 Fix title on bell icon 2025-12-03 21:20:34 -06:00
umarhadi 374fa1b5d0 Add production queue and cache database config 2025-12-04 09:50:45 +07:00
J. Nunn 383033b9d0 Removed legacy join link 2025-12-03 18:06:38 -08:00
Jeremy Daer cac0ca1656 Scope the single-board case to just the creator's boards (#1880) 2025-12-03 15:47:04 -08:00
Jeremy Daer f440b0243e Tighten scope on card notification removals
* Iterate each association separately to favor db indexing
* Pluck user IDs rather than select to avoid correlated subquery
2025-12-03 15:46:43 -08:00
Jeremy Daer 49139b7a14 SQLite import creates account-scoped tags
References #1879
2025-12-03 15:09:22 -08:00
Jorge Manrubia 9cf223aea1 Fix path 2025-12-03 23:53:18 +01:00
Jorge Manrubia efc809c23e Script to fix misassigned tags
See https://github.com/basecamp/fizzy/pull/1879
2025-12-03 23:46:08 +01:00
Jorge Manrubia 38d86fb17b Merge pull request #1879 from basecamp/scope-tags
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia 4a30663df1 Scope tags by account
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia 6847c001ea Merge pull request #1876 from basecamp/column-reordering-auth
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jorge Manrubia 367e5aa1dd Merge pull request #1871 from imbriaco/patch-2
Use environment variable for default mailer address
2025-12-03 22:07:39 +01:00
Jorge Manrubia 6c9ec052db Merge pull request #1874 from basecamp/bump-prometheus-client-mmap
Bump fizzy-saas to upgrade prometheus-client-mmap to ~> 1.4.0
2025-12-03 22:06:41 +01:00
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jorge Manrubia 7fcf660f05 Merge pull request #1854 from MatheusRich/find-by-over-where-first
Prefer find_by! over where + first!
2025-12-03 21:51:18 +01:00
Lewis Buckley 4bcedbbd77 Upgrade prometheus-client-mmap to ~> 1.4.0 2025-12-03 20:46:23 +00:00
Mike Dalessio cd23a54bb5 Merge pull request #1873 from basecamp/flavorjones/seed-staff-users
Update seeds to use `@example.com`
2025-12-03 15:44:54 -05:00
Mike Dalessio 6345aa4787 Update seeds to use @example.com
See also https://www.rfc-editor.org/rfc/rfc2606.html
2025-12-03 15:40:58 -05:00
Mike Dalessio 8064e017dc db:seeds create staff users for testing in development 2025-12-03 15:29:36 -05:00
Mark Imbriaco 56033d0a8e Use environment variable for default mailer address 2025-12-03 14:56:19 -05:00
Jason Zimdars 8f2ec267f6 Merge pull request #1820 from dcchambers/delete-board-confirmation
Add card deletion warning to board deletion confirmation message
2025-12-03 13:42:06 -06:00
Stanko Krtalić f41b1b098a Merge pull request #1868 from basecamp/use-cryptographically-secure-randomness-for-magic-link-code-generation
Use cryptographically secure randomness for Magic Link code generation
2025-12-03 20:21:52 +01:00
Andy Smith 4b86399ae9 Merge pull request #1866 from basecamp/quick-filters-on-mobile
Don't hide quick filters on mobile
2025-12-03 13:18:09 -06:00
Stanko K.R. 7ab06d1dbd Use cryptographically secure randomness for Magic Link code generation
#sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results.
2025-12-03 20:15:27 +01:00
Stanko Krtalić 3520f97e33 Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Dakota Chambers a98cb58348 Update app/views/boards/edit/_delete.html.erb
Co-authored-by: Jason Zimdars <jz@37signals.com>
2025-12-03 13:04:29 -06:00
Jorge Manrubia 60b1fe26e8 Merge pull request #1847 from javier-valencia-arch/patch-1
Refactor with_account and without_account methods
2025-12-03 19:33:31 +01:00
Jorge Manrubia 2e3c9374a5 Merge pull request #1833 from rossvz/fix/hide-add-step-on-closed-cards
hide "add a step" input when card is closed
2025-12-03 19:32:22 +01:00
Jason Zimdars 7a45caa39d Update test 2025-12-03 12:02:23 -06:00
Andy Smith e7cdeb1148 Don't monkey with input width 2025-12-03 11:51:23 -06:00
Jason Zimdars 443a6bd408 Merge pull request #1864 from basecamp/update-onboarding-text
Update seeder.rb to fix minor things in the onboarding content
2025-12-03 11:45:56 -06:00
Andy Smith 5118ca04b1 Don't hide quick filters on mobile 2025-12-03 11:43:50 -06:00
Andy Smith b26284402e Merge pull request #1863 from basecamp/filters-z-index-fix
Target tooltips instead of specific buttons
2025-12-03 11:26:55 -06:00
Jason Zimdars df04fb9250 Adjust for layout consistency and tighten up some copy 2025-12-03 11:21:34 -06:00
Jason Zimdars a6c5cc19b7 Copy and layout edits for the new invalid token screen 2025-12-03 11:21:13 -06:00
Brian Bailey 30a2149115 Update seeder.rb to fix a few minor things in the onboarding content 2025-12-03 12:20:37 -05:00
Andy Smith c3172c66ee Target tooltips instead of specific buttons 2025-12-03 11:16:37 -06:00
Andy Smith 8cc698b702 Merge pull request #1862 from basecamp/lexxy-attachment-margins
Repair margins for attachments
2025-12-03 11:07:21 -06:00
Andy Smith d62a608772 Repair margins for attachments 2025-12-03 11:02:02 -06:00
Jorge Manrubia 31fa58817c Merge pull request #1861 from karlentwistle/move-eventable-to-concerns
Move Eventable concern to app/models/concerns
2025-12-03 18:00:56 +01:00
Karl Entwistle 59d7229500 Move Eventable concern to app/models/concerns
Aligns with Rails conventions for organizing concerns in a dedicated
concerns directory alongside existing concerns like Attachments,
Mentions, Searchable, etc.
2025-12-03 16:36:15 +00:00
Stanko K.R. 92b7c4a86c Update copy 2025-12-03 15:44:20 +01:00
Donal McBreen 684f665cad Merge pull request #1856 from basecamp/auto-set-uuid-defaults
Auto default for UUID primary keys
2025-12-03 14:38:35 +00:00