Commit Graph

8290 Commits

Author SHA1 Message Date
Kevin McConnell 706fb8fade Merge pull request #2148 from basecamp/revert-avatar-change
Revert avatar change
2025-12-15 13:28:21 +00:00
Kevin McConnell e2292a1739 Update cached fragments 2025-12-15 13:23:57 +00:00
Kevin McConnell 741eff7bdc Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
This reverts commit c628f14c01, reversing
changes made to 4bafc73236.
2025-12-15 13:07:13 +00:00
Stanko Krtalić 2058743be9 Merge pull request #2146 from basecamp/show-only-published-cards-on-public-boards
Show only public cards on public boards
2025-12-15 13:26:12 +01:00
Kevin McConnell c628f14c01 Merge pull request #1865 from basecamp/public-avatar-caching
Serve own avatar from its own endpoint
2025-12-15 12:20:28 +00:00
Stanko K.R. 87081aa617 Show only public cards on public boards 2025-12-15 13:15:36 +01:00
Kevin McConnell d4cbc86113 Swap order of avatar links
If the conditional CSS rules failed to match for some reason, we should
prefer the general avatar image rather than the "my" avatar one. That
way the fallback mode will still look correct.
2025-12-15 11:22:00 +00:00
Kevin McConnell 4bafc73236 Merge pull request #2142 from basecamp/validate-name-length
Limit length of full name during signup
2025-12-15 11:08:43 +00:00
Kevin McConnell 87c6557747 Limit length of full name during signup
If we don't validate for length, then signups that overflow the database
columns will unnecessarily create and cancel a tenant. Adding a
validation means we can avoid this.
2025-12-15 09:56:35 +00:00
Mike Dalessio cbaf5d245f Merge pull request #2136 from afurm/test/tenancy-timezone
Add focused tests for tenancy middleware and timezone cookie caching
2025-12-14 16:20:56 -05:00
Mike Dalessio c6725fdca0 Bust comment view cache
because, unlike ordinary view file changes, the change to Action Text
attachment rendering in e9cb2956 doesn't bust the cache automatically.
2025-12-14 13:05:45 -05:00
Jorge Manrubia b93cb3bcea Merge pull request #2139 from basecamp/update-lexxy-2
Update lexxy
2025-12-14 18:56:24 +01:00
Jorge Manrubia 2e66fdff4a Update lexxy to bring fixes from https://github.com/basecamp/lexxy/releases/tag/v0.1.24.beta 2025-12-14 18:53:23 +01:00
Mike Dalessio 088b06bf95 Merge pull request #2137 from basecamp/flavorjones/data-action-fix
Image lightbox uses Stimulus target callbacks instead of `data-action`
2025-12-14 12:48:17 -05:00
Jorge Manrubia 31542373ee Merge pull request #2112 from JangoCG/feature/rate-limit-join-codes
feat: protect join codes from brute-force attacks
2025-12-14 09:43:28 +01:00
Jorge Manrubia 01a5d194ba Merge pull request #2135 from italomatos/refactor/improve-time-window-parser-readability
Refactor: Simplify TimeWindowParser using Rails convenience methods
2025-12-14 09:42:07 +01:00
Jorge Manrubia 95c82a234b Merge pull request #2114 from robzolkos/remove-unused-install-svg
Remove unused install.svg and its CSS class
2025-12-14 09:40:18 +01:00
Jorge Manrubia 57008e0026 Merge pull request #2111 from robzolkos/remove-unpaired-view-transition-name
Remove unpaired view-transition-name
2025-12-14 09:39:08 +01:00
Jorge Manrubia cac9088ad3 Merge pull request #2105 from seuros/main
feat: expose closed boolean in card JSON API
2025-12-14 09:36:32 +01:00
Jorge Manrubia 4085c63d4f Merge pull request #2077 from hiendinhngoc/docs/add-missing-kamal-init-step
Add missing `kamal init` step to docs/kamal-deployment.md setup instructions
2025-12-14 09:30:47 +01:00
Jorge Manrubia e3987d2d08 Merge pull request #2063 from basecamp/lexxy-prompt-padding
Fix Lexxy prompt list padding by lowering rich-text specificity
2025-12-14 09:29:44 +01:00
Jorge Manrubia d7e5d4218f Merge pull request #2032 from tomycostantino/update-columns-on-actions
Fix: board columns actions are stale when moving a column moves
2025-12-14 09:28:57 +01:00
hiendinhngoc 90a48e3119 Fix unexpected remove empty line from README 2025-12-14 14:24:53 +07:00
hiendinhngoc 8a0180da40 Fix conflict and move the update from README to docs/kamal-deployment.md 2025-12-14 14:22:34 +07:00
Mike Dalessio e9cb2956ee Lightbox uses Stimulus target callbacks instead of data-action
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.

Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
2025-12-13 17:06:03 -05:00
Mike Dalessio 51df4af6ba Add test coverage for the image lightbox
because we're about to mess with it.
2025-12-13 16:00:54 -05:00
Andrii Furmanets f3bd38ea79 Add tests for tenancy middleware and timezone cookie 2025-12-13 22:10:21 +02:00
Italo Matos 5ade7e1a52 Refactor: Simplify TimeWindowParser using Rails convenience methods
- Replace `beginning_of_day..end_of_day` with `all_day`
- Replace `beginning_of_week..end_of_week` with `all_week`
- Replace `beginning_of_month..end_of_month` with `all_month`
- Replace `beginning_of_year..end_of_year` with `all_year`

These changes improve code readability by using idiomatic Rails
methods that accomplish the same thing in a more concise and
expressive way.
2025-12-13 16:31:48 -03:00
nu-wa 472dbeee8c SMTP: support SMTPS on port 465 (#2132)
* Add more configuration options for the SMTP connection

* Add SMTP_TLS option for implicit TLS connections

For SMTPS servers (typically port 465), set SMTP_TLS=true.
Port auto-defaults to 465 when TLS is enabled, 587 otherwise.
STARTTLS is used by default and automatically disabled when TLS is on.

Fixes boolean conversion bug in original PR (string "false" is truthy)
and removes insecure default for certificate verification.

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-13 10:57:08 -08:00
Jeremy Daer 3d3593c8f6 Bump fizzy-saas to retain fewer docker images (#2134)
References https://github.com/basecamp/fizzy-saas/pull/32
2025-12-13 10:39:01 -08:00
Ítalo Matos 2066109003 Add test coverage for with_golden_first scope (#2130)
* Add test coverage for with_golden_first scope

Test verifies that the with_golden_first scope correctly orders
golden cards before non-golden cards in query results.

* Refactor golden test: use instance variables, add subordering coverage

Extract @golden and @non_golden fixtures into setup for reuse across
all tests. Simplify with_golden_first test to verify both primary
ordering (golden before non-golden) and subordering preservation.

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-13 10:34:35 -08:00
Mike Dalessio 3584df6816 Merge pull request #2133 from basecamp/flavorjones/handle-image-uploads-better
Improve avatar image handling
2025-12-13 13:25:54 -05:00
Ítalo Matos fbc586646f Refactor: improve query scope composition with merge syntax (#2131)
* Refactor: improve query scope composition with merge syntax

Replace manual WHERE clause concatenation with Rails' merge method
for more elegant and maintainable scope composition across Card,
Comment, and Filter models. This approach better follows Rails
conventions and improves code readability.

* Extend scope composition improvements to Card::Closeable

Apply the same nested hash syntax pattern to closures table references
in order and where clauses.

* Remove unnecessary outer braces from where clause

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-13 10:10:13 -08:00
Mike Dalessio 139bf3cf81 Validate avatar sizes 2025-12-13 13:05:30 -05:00
Mike Dalessio db4c8c1138 Introduce Vips configuration 2025-12-13 12:41:37 -05:00
Jeremy Daer 82626f020d Tailscale serve support (#2126)
Ensure we can serve the app from multiple hosts without breaking links.
* Switch unnecessary full URLs to paths
* Drop default host/port URL options for controllers

Shell 1
```bash
bin/dev
```

Shell 2
```bash
tailscale serve http://fizzy.localhost:3006
```
2025-12-13 09:29:50 -08:00
Jeremy Daer 43ab17df2f Update tests with final method naming: record! -> record 2025-12-12 21:47:10 -08:00
Jason Zimdars 88ab0beb24 Make layout bulletproof 2025-12-12 22:40:53 -06:00
Mike Dalessio 202a2f599e Merge pull request #2123 from basecamp/flavorjones/development-minio-csp
CSP config to allow Minio in development
2025-12-12 17:15:36 -05:00
Mike Dalessio 7d6cf62665 CSP config to allow Minio in development 2025-12-12 17:00:17 -05:00
Mike Dalessio 08525282de Merge pull request #2122 from basecamp/flavorjones/limit-staging-beta-to-internal
Drop the `staff?` requirement in beta and staging
2025-12-12 15:36:18 -05:00
Mike Dalessio 43fd8ab691 Update fizzy-saas to get employee restriction in staging 2025-12-12 15:31:22 -05:00
Mike Dalessio 9cff236f66 Drop staff restriction in beta and staging
because it was preventing testing of signups.
2025-12-12 15:12:46 -05:00
David Heinemeier Hansson c9e9e7be55 Unused 2025-12-12 20:40:47 +01:00
Mike Dalessio 029227af0a Merge pull request #2113 from basecamp/flavorjones/queenbee-staging-update
saas: Bump queenbee gem for new staging location
2025-12-12 13:10:20 -05:00
Mike Dalessio 6a244b17e6 Use new FIZZY_GH_TOKEN with limited access
because this is a public repo and so doesn't have access to the
private org secret GH_TOKEN anymore.
2025-12-12 13:04:26 -05:00
Jason Zimdars 0bc3ccb528 Merge pull request #2109 from basecamp/theme-tweak
Apply theme preference before body renders
2025-12-12 11:48:47 -06:00
Rosa Gutierrez 7f5fa6d715 Use Sec-Fetch-Site exclusively for CSRF protection
And close the gap with JSON requests, which shouldn't be allowed if
Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this
wouldn't be coming from a browser.
2025-12-12 18:37:32 +01:00
Kevin McConnell c636e1a0bd Merge pull request #2116 from basecamp/docker-docs
Document Docker image deployment
2025-12-12 17:30:11 +00:00
Kevin McConnell 4218f2e161 Document Docker image deployment
Also split the README a bit, to move the details under /docs.
2025-12-12 17:26:50 +00:00