Commit Graph

20 Commits

Author SHA1 Message Date
Rosa Gutierrez f66a2dc1ba Consider user avatars always public
Avatars are purposely accessible without authentication
(5e3b5b6d7c) because they can be in public
collections. Trying to restrict this by checking whether they're in fact
present in some public collection is rather expensive, so let's keep
them public.
2025-12-26 19:33:26 +01:00
Rosa Gutierrez 196d685f8d Implement authorization for Active Storage endpoints
Consider blobs attached to any public records accessible to anyone with
the URL.
2025-12-25 21:22:36 +01:00
Stanko K.R. 79b012f319 Add Join Codes 2025-10-31 16:24:30 +01:00
Stanko K.R. 5cef4ffeb0 Add sign in flow using magic links 2025-10-31 16:22:12 +01:00
Mike Dalessio 1277cc065b Introduce untenanted Identity and Membership models
The new integration test shows the desired user-facing behavior, which
is to make it easy to login without a tenanted URL and to jump between
tenants.

Note that we track two things in the identity_token cookie: a signed
id, and the updated_at for the underlying Identity object. This allows
us to effectively cache on the Identity without having to hit the
database, by using an Identity::Mock object that is compatible with
etag and cache methods.
2025-10-31 16:22:12 +01:00
Mike Dalessio 3399e45130 Introduce an "Identity" model to ease login
- New untenanted Identity and Membership models
- New `identity_token` cookie with path "/" holds state across tenants

We're not sure whether the untenanted database will be sqlite or
MySQL, and so I've been careful to minimize

- database reads, placing them behind etags and caching
- database writes, only writing when a new Session is created (login)

Note that we track two things in the identity_token cookie: a signed
id, and the updated_at for the underlying Identity object. This allows
us to effectively cache on the Identity without having to hit the
database, by using an Identity::Mock object that is compatible with
etag and cache methods.

The new integration test shows the desired user-facing behavior, which
is to make it easy to login without a tenanted URL and to jump between
tenants.

- the untenanted "login_help" page shows all linked memberships
- the jump menu shows all linked memberships (except the current)

Also introduced a utility script to populate existing employee
Identities, grouping accounts by email address.
2025-10-10 10:12:25 -04:00
Jorge Manrubia b6c3e5c090 Add tests and clean unused events 2025-04-30 09:45:41 +02:00
Jorge Manrubia e03f1f7f9b Rename test that was being skipped 2025-04-29 19:23:56 +02:00
Jorge Manrubia 18cc24e1d3 Add an event prefix named after the model now that events are generic 2025-04-24 13:20:09 +02:00
David Heinemeier Hansson 3d28203224 Use singular staging resource and beef up testing 2025-04-22 14:44:55 +02:00
David Heinemeier Hansson dbf61f4fc3 Use _path in all cases where we are not potentially changing the domain 2025-04-13 08:17:36 +02:00
David Heinemeier Hansson 760cbb6c99 Drop boosts
Killed by design.
2025-04-12 18:52:54 +02:00
Jorge Manrubia 723e6d94f5 Rename bubbles => cards 2025-04-09 14:50:58 +02:00
David Heinemeier Hansson bcd6c6dd66 Move bubble stagings out from double nesting 2025-04-07 14:00:30 +02:00
David Heinemeier Hansson c06802856e Move boosts under bubbles
But also remove the need for a bucket nesting
2025-04-06 21:04:28 +02:00
Jason Zimdars bbcbb77082 Update tests 2025-03-27 17:09:05 -05:00
Jason Zimdars 28a569c49b Tickets 2025-03-17 21:24:08 -05:00
Jose Farias a64752e573 Clear up messages integration test 2024-10-27 20:21:32 -06:00
Jose Farias 9e60362ca7 Write messages integration test 2024-10-27 20:17:34 -06:00
Kevin McConnell 564a0f48ae New Rails app 2024-06-21 13:19:56 +01:00