Kevin McConnell
dfe7095ee6
Merge pull request #1917 from basecamp/dont-resize-svg-avatars
...
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Mike Dalessio
394c5dbf03
Revert "Changing columns requires board admin"
...
This reverts commit cecccadc14 .
2025-12-04 09:46:30 -05:00
Kevin McConnell
6475ad3425
Don't try to resize non-variable avatars
2025-12-04 13:36:21 +00:00
Stanko Krtalić
d466b633fc
Merge pull request #1915 from basecamp/sign-up-new-users-on-sign-in
...
Sign up new users on sign in
2025-12-04 11:32:51 +01:00
Kevin McConnell
9e0b5593ad
Merge pull request #1848 from basecamp/rate-limit-warning
...
Show alert message on login when rate limited
2025-12-04 10:30:37 +00:00
Stanko K.R.
a8f328c921
Sign up new users on sign in
2025-12-04 11:30:21 +01:00
Stanko K.R.
5cfe6930ee
Change reaction admin permission check to be in-line with other controllers
2025-12-04 11:01:23 +01:00
Jeremy Daer
cecccadc14
Changing columns requires board admin
2025-12-03 23:24:25 -08:00
Jorge Manrubia
6847c001ea
Merge pull request #1876 from basecamp/column-reordering-auth
...
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jeremy Daer
9f6a4f1cc6
Fix unauthorized column reordering
...
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.
References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jason Zimdars
349c617aea
Minor copy edit
2025-12-03 12:18:22 -06:00
Stanko K.R.
84213265e7
Render friendly error message when using an invalid token
2025-12-03 15:37:27 +01:00
Stanko K.R.
6e9381abb8
Fix crash in join code redemption race condition
2025-12-03 13:29:20 +01:00
Kevin McConnell
184a827965
Show alert message on login when rate limited
...
When the auth-related controllers hit rate limits they set an alert in
the flash. But we weren't displaying the flash on the public layout, so
those were never seen.
Changed to surface the alert. But also change the "Try another code"
message to be shake-only instead, to match the current behaviour.
2025-12-03 11:29:42 +00:00
Stanko Krtalić
7a0290a4af
Merge pull request #1841 from basecamp/fix-access-control-issues
...
Allow only the owner of a reaction to delete it
2025-12-03 11:33:36 +01:00
Stanko K.R.
77f1110020
Allow only the owner of a reaction to delete it
2025-12-03 11:10:44 +01:00
Stanko K.R.
702865873d
Allow only people who can administer a board to delete it
2025-12-03 10:56:05 +01:00
Jeremy Daer
b755b3fead
Robots, begone ( #1812 )
...
* robots.txt: "Please, don't come in." If a page is directly linked, the
URL can still appear in search results, though.
* X-Robots-Tag: "If you're here, forget what you saw." Works even if the
crawler ignores robots.txt or reaches a page via external link. Can
remove already-indexed pages.
* Public boards may not be indexed. They're meant for "anyone with the
link" private sharing, not worldwide publishing.
2025-12-02 13:35:58 -08:00
Mike Dalessio
f038e61dab
Merge pull request #1796 from basecamp/flavorjones/dashboard-last-10
...
Add recent signups to the dashboard
2025-12-02 11:21:06 -05:00
Mike Dalessio
69b701c035
Add recent signups to the dashboard
2025-12-02 11:18:46 -05:00
Kevin McConnell
60e7e9ffd8
Merge pull request #1733 from basecamp/allow-all-signups
...
Remove basic auth restriction on signup
2025-12-02 15:46:04 +00:00
Kevin McConnell
d24726c1d3
Merge pull request #1768 from basecamp/data-exports
...
Add "data export" feature
2025-12-02 09:56:40 +00:00
Jorge Manrubia
c9ebb79dbd
Add some protections around sharing the magic link in development
2025-12-02 10:51:14 +01:00
Jorge Manrubia
23576d13ff
Extract method
2025-12-02 10:22:40 +01:00
Stanko K.R.
b97877dc30
Remove basic auth restriction on signup
2025-12-02 09:12:47 +01:00
Kevin McConnell
2c1ab1bb29
Formatting
2025-12-01 17:19:59 +00:00
Kevin McConnell
e16cc21b0a
Add "data export" feature
...
- Adds a button in Account Settings where you can request a ZIP export of your
Fizzy data
- Export files are created in the background. When ready, a link to
download them is sent to the requester.
- Exports expire after 24 hours. And are limited to 10 per day.
2025-12-01 15:23:26 +00:00
Stanko K.R.
2311efd03e
Make sign up Magic Links work across devices
...
Previously if someone started signing in on their phone, but finished it on their laptop, they'd end up on the menu screen with no account. Bu tracking the purpose of a Magic Link we can always direct the user to sign up if they requested a magic link through sign up. This also makes the logic for changing the copy in the email more robust.
2025-11-29 12:36:00 +01:00
Stanko K.R.
658b5a07cf
Organize everything under Signups
2025-11-29 11:46:09 +01:00
Stanko K.R.
5747445977
Create signups controller
2025-11-29 10:15:48 +01:00
Rosa Gutierrez
f8a1e0500d
Switch from report-only to actually using Sec-Fetch-Site for CSRF protection
...
As a fallback for Rails's token-based mechanism. To use Sec-Fetch-Site
exclusively, we'll wait until Rails offers that (when we upstream this).
2025-11-28 16:26:03 +01:00
Jorge Manrubia
3223ba53c3
We need the check in both test/code
2025-11-28 15:53:58 +01:00
Jorge Manrubia
6ccf655597
Move yabeda/prometheus stuff to the gem
2025-11-28 15:53:58 +01:00
Jorge Manrubia
3b0ddf4cfb
Move sentry to engine
2025-11-28 15:53:58 +01:00
Jorge Manrubia
1897cc238f
Only staff can access beta/staging
...
https://app.fizzy.do/5986089/cards/3208
2025-11-28 15:53:58 +01:00
Jorge Manrubia
d4ad62109c
Rename/extract methods
2025-11-28 15:53:58 +01:00
Jorge Manrubia
4e09352c09
Bring simple signup flow from the fizzy-saas gem
...
We skip the QB code and we fill external account ids automatically on creation with a sequence
See:
https://github.com/basecamp/fizzy-saas/pull/7
2025-11-28 15:53:58 +01:00
Jorge Manrubia
e30709f6a7
Remove structured logging moved to the engine
2025-11-28 15:53:58 +01:00
Jorge Manrubia
8baf5b8abd
Make mission control only accessible for staff members
2025-11-28 15:53:58 +01:00
Jorge Manrubia
c1334f7ffe
Don't choke if no structured logging
...
Temporary workaround, we need a better solution here.
2025-11-28 15:53:58 +01:00
Mike Dalessio
3f8d10d679
Merge pull request #1747 from basecamp/flavorjones/perf-20251127
...
Address some N+1 query situations
2025-11-27 12:46:56 -05:00
Stanko K.R.
e3d91f4ba2
Fix join codes skipping user setup
...
If someone joined an account with the same identity as they were signed in with the old logic would skip the user setup step
2025-11-27 17:59:17 +01:00
Mike Dalessio
198e404eb0
Avoid N+1 on account and board settings pages
2025-11-27 11:44:16 -05:00
Mike Dalessio
79c9ea2ce1
Remove a bunch of N+1s
...
related to notification and comment rendering
2025-11-27 11:08:45 -05:00
Rosa Gutierrez
3e716bfa26
Fix a couple of typos
2025-11-26 13:16:44 +01:00
Rosa Gutierrez
fac9f3c369
Clean up a little bit the CSRF reporting code
...
Small follow-up to https://github.com/basecamp/fizzy/pull/1721
2025-11-25 21:28:50 +01:00
Mike Dalessio
396c1ffdcf
Merge pull request #1722 from basecamp/fwt-user-list-improvement
...
Prioritize current user and assigned users in assignment dropdown
2025-11-25 14:36:14 -05:00
Mike Dalessio
3811088db3
Prioritize current user and assigned users in assignment dropdown
...
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Co-Authored-By: Claude <noreply@anthropic.com >
2025-11-25 13:46:14 -05:00
Rosa Gutierrez
d88949288c
Check and report on Sec-Fetch-Site header for forgery protection
...
This is a great, solid alternative to CSRF tokens for CSRF protection
when we aren't worried about older browsers or other kind of actors
doing modifying requests in our app, and could be a good test for future
upstreaming to Rails (although there we'd need to continue using CSRF
tokens or at least letting people opt out manually).
Let's start checking the header and reporting on it when CSRF fails or
when it doesn't match the other checks Rails does, and then promote this
to be the only way to defend from CSRF.
2025-11-25 19:19:50 +01:00
Stanko K.R.
4e52f9b9a9
Show tags the card is tagged with first
2025-11-25 11:24:21 +01:00