user
7b6dfeced4
Update --font-sans variable for better cross-platform compatibility
2025-12-05 14:59:39 +09:00
Andy Smith
78ea18b5da
Merge pull request #1872 from basecamp/filters-no-results
...
Nicer blank slates
2025-12-04 10:52:08 -06:00
Mike Dalessio
373f4d5116
Merge pull request #1924 from basecamp/flavorjones/retry-mail-jobs
...
Retry mailer jobs on common networking and SMTP errors
2025-12-04 10:29:53 -05:00
Mike Dalessio
c4a8996562
Retry mailer jobs on common networking and SMTP errors
...
This concern is lifted nearly verbatim from Basecamp.
ref: https://app.fizzy.do/5986089/cards/3300
2025-12-04 10:26:24 -05:00
Kevin McConnell
dfe7095ee6
Merge pull request #1917 from basecamp/dont-resize-svg-avatars
...
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Mike Dalessio
394c5dbf03
Revert "Changing columns requires board admin"
...
This reverts commit cecccadc14 .
2025-12-04 09:46:30 -05:00
Kevin McConnell
2e47749739
Don't allow SVG avatar uploads in the first place
2025-12-04 14:27:28 +00:00
Mike Dalessio
89940d36f8
Gracefully handle ill-formed remote images in rich text
...
A better fix has been proposed upstream at
https://github.com/rails/rails/pull/56283 but this should be fine in
the meantime.
ref: https://app.fizzy.do/5986089/cards/3188
2025-12-04 09:24:52 -05:00
Kevin McConnell
6475ad3425
Don't try to resize non-variable avatars
2025-12-04 13:36:21 +00:00
Stanko Krtalić
d466b633fc
Merge pull request #1915 from basecamp/sign-up-new-users-on-sign-in
...
Sign up new users on sign in
2025-12-04 11:32:51 +01:00
Kevin McConnell
9e0b5593ad
Merge pull request #1848 from basecamp/rate-limit-warning
...
Show alert message on login when rate limited
2025-12-04 10:30:37 +00:00
Stanko K.R.
a8f328c921
Sign up new users on sign in
2025-12-04 11:30:21 +01:00
Stanko K.R.
5cfe6930ee
Change reaction admin permission check to be in-line with other controllers
2025-12-04 11:01:23 +01:00
Jorge Manrubia
af43ef4962
Merge pull request #1897 from Hacksore/fix/board-bell-title
...
Move the title to the button
2025-12-04 09:02:08 +01:00
Jorge Manrubia
a0cb25a951
Merge pull request #1881 from basecamp/card-notification-removal-scope
...
Tighten scope on card notification removals
2025-12-04 08:44:52 +01:00
Jeremy Daer
cecccadc14
Changing columns requires board admin
2025-12-03 23:24:25 -08:00
Jeremy Daer
7af93765a8
Security: close narrow window of exposure to DNS rebinding ( #1903 )
2025-12-03 23:12:17 -08:00
Sean Boult
c1468de3d7
Fix title on bell icon
2025-12-03 21:20:34 -06:00
Jeremy Daer
cac0ca1656
Scope the single-board case to just the creator's boards ( #1880 )
2025-12-03 15:47:04 -08:00
Jeremy Daer
f440b0243e
Tighten scope on card notification removals
...
* Iterate each association separately to favor db indexing
* Pluck user IDs rather than select to avoid correlated subquery
2025-12-03 15:46:43 -08:00
Jorge Manrubia
38d86fb17b
Merge pull request #1879 from basecamp/scope-tags
...
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia
4a30663df1
Scope tags by account
...
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia
6847c001ea
Merge pull request #1876 from basecamp/column-reordering-auth
...
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jorge Manrubia
367e5aa1dd
Merge pull request #1871 from imbriaco/patch-2
...
Use environment variable for default mailer address
2025-12-03 22:07:39 +01:00
Jeremy Daer
9f6a4f1cc6
Fix unauthorized column reordering
...
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.
References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jorge Manrubia
7fcf660f05
Merge pull request #1854 from MatheusRich/find-by-over-where-first
...
Prefer find_by! over where + first!
2025-12-03 21:51:18 +01:00
Andy Smith
bb149da532
Move blank slates to its own file
2025-12-03 14:13:04 -06:00
Andy Smith
0ef6f8a822
Nicer blank slates
2025-12-03 14:11:08 -06:00
Mark Imbriaco
56033d0a8e
Use environment variable for default mailer address
2025-12-03 14:56:19 -05:00
Jason Zimdars
8f2ec267f6
Merge pull request #1820 from dcchambers/delete-board-confirmation
...
Add card deletion warning to board deletion confirmation message
2025-12-03 13:42:06 -06:00
Stanko Krtalić
f41b1b098a
Merge pull request #1868 from basecamp/use-cryptographically-secure-randomness-for-magic-link-code-generation
...
Use cryptographically secure randomness for Magic Link code generation
2025-12-03 20:21:52 +01:00
Andy Smith
4b86399ae9
Merge pull request #1866 from basecamp/quick-filters-on-mobile
...
Don't hide quick filters on mobile
2025-12-03 13:18:09 -06:00
Stanko K.R.
7ab06d1dbd
Use cryptographically secure randomness for Magic Link code generation
...
#sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results.
2025-12-03 20:15:27 +01:00
Stanko Krtalić
3520f97e33
Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
...
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Dakota Chambers
a98cb58348
Update app/views/boards/edit/_delete.html.erb
...
Co-authored-by: Jason Zimdars <jz@37signals.com >
2025-12-03 13:04:29 -06:00
Jorge Manrubia
60b1fe26e8
Merge pull request #1847 from javier-valencia-arch/patch-1
...
Refactor with_account and without_account methods
2025-12-03 19:33:31 +01:00
Jorge Manrubia
2e3c9374a5
Merge pull request #1833 from rossvz/fix/hide-add-step-on-closed-cards
...
hide "add a step" input when card is closed
2025-12-03 19:32:22 +01:00
Jason Zimdars
349c617aea
Minor copy edit
2025-12-03 12:18:22 -06:00
Andy Smith
e7cdeb1148
Don't monkey with input width
2025-12-03 11:51:23 -06:00
Jason Zimdars
443a6bd408
Merge pull request #1864 from basecamp/update-onboarding-text
...
Update seeder.rb to fix minor things in the onboarding content
2025-12-03 11:45:56 -06:00
Andy Smith
5118ca04b1
Don't hide quick filters on mobile
2025-12-03 11:43:50 -06:00
Jason Zimdars
df04fb9250
Adjust for layout consistency and tighten up some copy
2025-12-03 11:21:34 -06:00
Jason Zimdars
a6c5cc19b7
Copy and layout edits for the new invalid token screen
2025-12-03 11:21:13 -06:00
Brian Bailey
30a2149115
Update seeder.rb to fix a few minor things in the onboarding content
2025-12-03 12:20:37 -05:00
Andy Smith
c3172c66ee
Target tooltips instead of specific buttons
2025-12-03 11:16:37 -06:00
Andy Smith
8cc698b702
Merge pull request #1862 from basecamp/lexxy-attachment-margins
...
Repair margins for attachments
2025-12-03 11:07:21 -06:00
Andy Smith
d62a608772
Repair margins for attachments
2025-12-03 11:02:02 -06:00
Karl Entwistle
59d7229500
Move Eventable concern to app/models/concerns
...
Aligns with Rails conventions for organizing concerns in a dedicated
concerns directory alongside existing concerns like Attachments,
Mentions, Searchable, etc.
2025-12-03 16:36:15 +00:00
Stanko K.R.
92b7c4a86c
Update copy
2025-12-03 15:44:20 +01:00
Stanko K.R.
84213265e7
Render friendly error message when using an invalid token
2025-12-03 15:37:27 +01:00