Mike Dalessio
2b388dd241
Merge pull request #2164 from basecamp/flavorjones/user-validate-name
...
Validate User name presence and handle blank names gracefully
2025-12-16 10:49:13 -05:00
Jorge Manrubia
ee80b87c8c
Add billing system with Stripe
...
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Co-Authored-By: Jason Zimdars <jz@37signals.com >
2025-12-16 16:44:20 +01:00
Mike Dalessio
b75d2ae6d8
Validate User name presence and handle blank names gracefully
...
Addresses an issue where User#familiar_name assumed `name` was always
present, potentially raising an exception during view rendering. Now
User validates name presence, and User#familiar_name handles blank
strings without error, in case any existing invalid records exist.
2025-12-16 10:44:10 -05:00
Kevin McConnell
741eff7bdc
Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
...
This reverts commit c628f14c01 , reversing
changes made to 4bafc73236 .
2025-12-15 13:07:13 +00:00
Stanko Krtalić
2058743be9
Merge pull request #2146 from basecamp/show-only-published-cards-on-public-boards
...
Show only public cards on public boards
2025-12-15 13:26:12 +01:00
Kevin McConnell
c628f14c01
Merge pull request #1865 from basecamp/public-avatar-caching
...
Serve own avatar from its own endpoint
2025-12-15 12:20:28 +00:00
Stanko K.R.
87081aa617
Show only public cards on public boards
2025-12-15 13:15:36 +01:00
Mike Dalessio
cbaf5d245f
Merge pull request #2136 from afurm/test/tenancy-timezone
...
Add focused tests for tenancy middleware and timezone cookie caching
2025-12-14 16:20:56 -05:00
Jorge Manrubia
31542373ee
Merge pull request #2112 from JangoCG/feature/rate-limit-join-codes
...
feat: protect join codes from brute-force attacks
2025-12-14 09:43:28 +01:00
Jorge Manrubia
cac9088ad3
Merge pull request #2105 from seuros/main
...
feat: expose closed boolean in card JSON API
2025-12-14 09:36:32 +01:00
Jorge Manrubia
d7e5d4218f
Merge pull request #2032 from tomycostantino/update-columns-on-actions
...
Fix: board columns actions are stale when moving a column moves
2025-12-14 09:28:57 +01:00
Andrii Furmanets
f3bd38ea79
Add tests for tenancy middleware and timezone cookie
2025-12-13 22:10:21 +02:00
Mike Dalessio
139bf3cf81
Validate avatar sizes
2025-12-13 13:05:30 -05:00
Mike Dalessio
9cff236f66
Drop staff restriction in beta and staging
...
because it was preventing testing of signups.
2025-12-12 15:12:46 -05:00
Rosa Gutierrez
7f5fa6d715
Use Sec-Fetch-Site exclusively for CSRF protection
...
And close the gap with JSON requests, which shouldn't be allowed if
Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this
wouldn't be coming from a browser.
2025-12-12 18:37:32 +01:00
Cengiz Guertusgil
09a2e7d7d7
feat: add rate limit to join codes controller
2025-12-12 17:21:57 +01:00
Abdelkader Boudih
b5caa8716d
feat: expose closed boolean in card JSON API
...
Adds `closed` field to card JSON response, allowing API consumers
to detect closed status without parsing the status enum or making
additional API calls.
2025-12-12 10:12:21 +01:00
Kevin McConnell
eec96ff384
Serve own avatar from its own endpoint
...
This allows us to have different cache controls depending on whether
you're viewing your own avatar, or someone else's. Your own avatar will
always be fresh, while other folks' avatars can be pulled from the CDN.
2025-12-12 09:03:35 +00:00
Stanko Krtalić
c43c184691
Merge pull request #2093 from robzolkos/add-qr-codes-controller-test
...
Add QrCodesController test
2025-12-12 08:11:51 +01:00
Stanko Krtalić
23425cb67b
Merge pull request #2086 from basecamp/harden-magic-links
...
Pin sign in attempts to the current session
2025-12-12 07:23:19 +01:00
Stanko K.R.
f4ef9c9580
Test that you can't go to the magic link screen without an email
2025-12-12 07:16:07 +01:00
Jankees van Woezik
78fc80cf35
API: Allow updates to last_active_at ( #2076 )
...
* Allow Card#last_updated_at to be set
This is useful when doing an import from another system. I'm currently
working on a script to import our Github issues into Fizzy.
This is discussed in
https://github.com/basecamp/fizzy/pull/2056#discussion_r2609560246
* Add nil fallback and expand test coverage for last_active_at
Adds a safety fallback to Time.current if created_at is unexpectedly nil
during card creation.
Test coverage to verify:
* last_active_at defaults to created_at when not provided
* last_active_at can be updated via API on existing cards
* import workflow where last_active_at is restored after comments
* publishing doesn't overwrite explicit last_active_at values
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com >
2025-12-11 19:06:03 -08:00
Rob Zolkos
9ca5e792f1
Add QrCodesController test
2025-12-11 13:51:18 -05:00
Stanko K.R.
b6edb93c47
Pin sign in attempts to the current session
...
This makes it way more difficult to brute-force a magic link.
Original implementation by udiudi. Ref: https://github.com/udiudi/fizzy/pull/1/files
Discussion: https://github.com/basecamp/fizzy/discussions/1981
Co-Authored-By: Udi <udi@udi.codes >
2025-12-11 19:05:54 +01:00
Mike Dalessio
679a073c6b
Add test coverage for the require_unauthenticated_access redirect
2025-12-11 13:02:54 -05:00
Kevin McConnell
193a28f6c8
Merge pull request #2035 from harisadam/single_tenant
...
Add env-configurable option to disable public signups
2025-12-11 13:08:19 +00:00
Kevin McConnell
05d176cc31
Test that sign in respects single tenant state
2025-12-11 12:49:03 +00:00
Kevin McConnell
0e443d3602
Use initializer to configure tenant mode
2025-12-11 11:20:43 +00:00
Kevin McConnell
a5580666a7
Single tenant by default & update tests
2025-12-11 11:20:43 +00:00
Stanko K.R.
5ee10800a2
Allow direct uploads via API
2025-12-11 11:52:38 +01:00
Tomas Costantino
5eda42f2dd
update columns controller destroy test
2025-12-11 10:49:05 +01:00
Tomas Costantino
51d61b5cf8
update tests
2025-12-11 10:36:56 +01:00
Tomas Costantino
df7e597066
Merge branch 'main' into update-columns-on-actions
2025-12-11 10:17:15 +01:00
Adam Haris
f76309d116
Merge branch 'main' into single_tenant
2025-12-11 06:08:01 +01:00
Jankees van Woezik
477b4d65f2
API: Support created_at for API card and comment creation ( #2056 )
...
* Add support to set `created_at`
Discussed in
https://github.com/basecamp/fizzy/pull/1766#issuecomment-3637846074 ,
this allows users to import cards from another system with entries from
the past. For instance I'm importing all our Github issues (including
the closed onces) to Fizzy.
* Iron out published state tracking
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com >
2025-12-10 19:57:38 -08:00
Stanko K.R.
4e092407ab
Fix crash due to missing partial
2025-12-10 18:47:00 +01:00
Mike Dalessio
fa118a7d83
Add validation for the join code usage limit
...
which is preferred to generating a database error
2025-12-10 10:10:08 -05:00
Adam Haris
eb8655dc8e
refactor: use MULTI_TENANT env variable, model concern instead of controller (#accepting_signups?)
2025-12-10 15:14:22 +01:00
Stanko K.R.
5ce71bf941
Move Identities to My::Identities
2025-12-10 15:13:35 +01:00
Stanko K.R.
79e77a3780
Handle user update failures
2025-12-10 09:23:53 +01:00
Stanko K.R.
7b30ca203e
Add index actions for Comments and Columns
...
Also, fix crash when a deactivated user is serialized (they don't have
an identity).
2025-12-10 09:23:52 +01:00
Stanko K.R.
bf51950007
Add API for reading notifications
2025-12-10 09:23:52 +01:00
Stanko K.R.
1a24c1373c
Add API for creating and updating boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
f3ff0c605e
Add pagination to most places and fix cards pagination
2025-12-10 09:23:52 +01:00
Stanko K.R.
ba30a301dc
Add API for updating and deactivating users
2025-12-10 09:23:52 +01:00
Stanko K.R.
7a0554774c
Add API for columns
2025-12-10 09:23:52 +01:00
Stanko K.R.
d16b3756de
Add API for reactions
2025-12-10 09:23:52 +01:00
Stanko K.R.
eeed2a8416
Add API for watching cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
ed1002f6c5
Add API for card triage
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a84785056
Add API for tagging cards
2025-12-10 09:23:52 +01:00