Commit Graph

2852 Commits

Author SHA1 Message Date
Mike Dalessio 675600af72 Improve presentation of validation errors 2025-12-06 14:57:27 -05:00
Mike Dalessio c388f5ef20 Display validation errors for user profiles.
Specifically this will help people understand why their SVG avatar
uploads are being rejected, and will keep the RecordInvalid exception
out of Sentry logs.
2025-12-06 14:34:08 -05:00
Mike Dalessio 1883473de1 Remove duplication in the list of supported avatar file types 2025-12-06 14:34:08 -05:00
Mike Dalessio 5865d79ed9 Display the verification code in the dev env
This seems better and easier than the console log.
2025-12-06 13:46:13 -05:00
Jeremy Daer 529f5af5f6 CSP adherence: fix magic links console logging (#1989)
* CSP: fix magic link console logging by including nonce in the script tag

* Remove unused back-nav controller

Unused since c0f842427d

Eliminates a potential CSP violation with javascript: URI
2025-12-06 10:08:22 -08:00
Mike Dalessio 69f8216982 Pass correct params to webhook reactivation url helper.
ref: https://app.fizzy.do/5986089/cards/3219
2025-12-05 22:44:34 -05:00
Mike Dalessio fc8ef33332 Show unverified status on user profile page
Display "Unverified" with an explanation instead of the email address
for users who haven't confirmed their identity. Hide the card links
and activity timeline since unverified users won't have any activity.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio 4602cd3cdd Add verified_at timestamp to use for spam prevention
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio fa549a370b Add a system test for joining an account
Reworked the magic link stimulus controller, because the system test
was causing double-submission of the form (because the event was
bubbling up). I think that change simplifies the form and will still
work well for iOS devices.
2025-12-05 21:51:44 -05:00
Jorge Manrubia 59ff50c1cb We can remove ad-hoc handling now that we rely on page refreshes in the card perma 2025-12-05 10:11:24 +01:00
Andy Smith d5337d0689 Merge pull request #1938 from basecamp/add-missing-attr-on-public-boards
Add missing data attribute on public board
2025-12-04 16:10:42 -06:00
Andy Smith 029c151a4e Add missing data-attr on public board 2025-12-04 15:43:19 -06:00
Jorge Manrubia fce6345fa6 Merge pull request #1936 from basecamp/use-self
Use buil-in support for :self in Stimulus
2025-12-04 22:42:55 +01:00
Jorge Manrubia effb96537a Use buil-in support for :self in Stimulus
Thanks to @brunoprietog for advice https://github.com/basecamp/fizzy/pull/1927/files/9639e07ab88f628f5f37ad2aa9acee2b86d4fb1a#diff-24a46f2ca97f2964d4d8940123b7f76578694567df84256f576aa4bee221179e
2025-12-04 22:16:00 +01:00
Andy Smith 1c5ead0096 Merge pull request #1930 from basecamp/prevent-blank-board-names
Prevent board names with only spaces and show validation message
2025-12-04 14:50:17 -06:00
Jorge Manrubia 9639e07ab8 Save a bunch of invocations on morph events from children elements 2025-12-04 21:27:22 +01:00
Jorge Manrubia a380492b32 Animate the column height with a stimulus controller so that it does not depend to the server to update when you D&D 2025-12-04 19:15:38 +01:00
Andy Smith 23ec3f129a Support custom validation messages 2025-12-04 11:43:55 -06:00
Andy Smith 5c4fe9fe8b Prevent board names with only spaces and show validation message 2025-12-04 11:37:27 -06:00
Jorge Manrubia 539d3721db Keep the column color when D&D cards 2025-12-04 18:31:23 +01:00
Jorge Manrubia 104bb5faa9 Add container to drop cards when the stream is empty 2025-12-04 18:31:23 +01:00
Jorge Manrubia 19051aec3e Append dropped cards instead of relying on server-side rendering to refresh the columns
This implements a simple strategy to optimistically insert cards in columns without waiting for the column refresh. Cards will be placed at the top respecting golden cards.

This uses sorting by "created at" with sorting by "updated at" for the _Not now_ column, so that the treatment everywhere is homogenous.
2025-12-04 18:31:23 +01:00
Jason Zimdars d4a50c996a Merge pull request #1894 from Venkat-RK/main
Added 'Back to Home' link on notifications list page
2025-12-04 11:19:55 -06:00
Andy Smith 78ea18b5da Merge pull request #1872 from basecamp/filters-no-results
Nicer blank slates
2025-12-04 10:52:08 -06:00
Kevin McConnell dfe7095ee6 Merge pull request #1917 from basecamp/dont-resize-svg-avatars
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Kevin McConnell 2e47749739 Don't allow SVG avatar uploads in the first place 2025-12-04 14:27:28 +00:00
Mike Dalessio 89940d36f8 Gracefully handle ill-formed remote images in rich text
A better fix has been proposed upstream at
https://github.com/rails/rails/pull/56283 but this should be fine in
the meantime.

ref: https://app.fizzy.do/5986089/cards/3188
2025-12-04 09:24:52 -05:00
Kevin McConnell 9e0b5593ad Merge pull request #1848 from basecamp/rate-limit-warning
Show alert message on login when rate limited
2025-12-04 10:30:37 +00:00
vkagithala 8685b62232 Added 'Back to Home' link on notifications list page to improve navigation experience. 2025-12-03 17:21:50 -08:00
Andy Smith 0ef6f8a822 Nicer blank slates 2025-12-03 14:11:08 -06:00
Jason Zimdars 8f2ec267f6 Merge pull request #1820 from dcchambers/delete-board-confirmation
Add card deletion warning to board deletion confirmation message
2025-12-03 13:42:06 -06:00
Stanko Krtalić 3520f97e33 Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Dakota Chambers a98cb58348 Update app/views/boards/edit/_delete.html.erb
Co-authored-by: Jason Zimdars <jz@37signals.com>
2025-12-03 13:04:29 -06:00
Jorge Manrubia 2e3c9374a5 Merge pull request #1833 from rossvz/fix/hide-add-step-on-closed-cards
hide "add a step" input when card is closed
2025-12-03 19:32:22 +01:00
Jason Zimdars df04fb9250 Adjust for layout consistency and tighten up some copy 2025-12-03 11:21:34 -06:00
Jason Zimdars a6c5cc19b7 Copy and layout edits for the new invalid token screen 2025-12-03 11:21:13 -06:00
Stanko K.R. 92b7c4a86c Update copy 2025-12-03 15:44:20 +01:00
Stanko K.R. 84213265e7 Render friendly error message when using an invalid token 2025-12-03 15:37:27 +01:00
Jorge Manrubia 0cb65685e5 Capture key presses inside the column edit form to prevent interferences with column navigation
https://app.fizzy.do/5986089/cards/3249
2025-12-03 13:28:44 +01:00
Kevin McConnell 184a827965 Show alert message on login when rate limited
When the auth-related controllers hit rate limits they set an alert in
the flash. But we weren't displaying the flash on the public layout, so
those were never seen.

Changed to surface the alert. But also change the "Try another code"
message to be shake-only instead, to match the current behaviour.
2025-12-03 11:29:42 +00:00
Ross van Zyl 244d92d92a hide "add a step" input when card is closed 2025-12-02 22:22:24 -05:00
Dakota Chambers e606a142f1 Update board delete confirmation message 2025-12-02 15:25:50 -06:00
Kevin McConnell cdc1f9b143 Allow typing magic links on mobile
When typing a magic link, rather than pasting it, iOS seems to send
`keydown.enter`, and we weren't submitting the form in that case.

Changed to submit the form in either case, and use the state of the
input target to help guard against double submissions.
2025-12-02 20:09:26 +00:00
Jorge Manrubia dfe8e7bd5d Scope general broadcasts by account
Because DoS ourselves is not fun
2025-12-02 18:10:49 +01:00
David Heinemeier Hansson ff496f915b Merge pull request #1797 from marcoroth/herb
Address HTML markup issues reported by Herb
2025-12-02 08:30:47 -08:00
Marco Roth 2f88908cdf Address HTML markup issues reported by Herb 2025-12-02 17:23:51 +01:00
Mike Dalessio 69b701c035 Add recent signups to the dashboard 2025-12-02 11:18:46 -05:00
Jason Zimdars 8c1d3c6c42 Copy edits 2025-12-02 09:08:57 -06:00
Mike Dalessio 80a6ffc55e Add an expiration note to emails and the magic link page.
ref: https://app.fizzy.do/5986089/cards/3211
2025-12-02 08:41:00 -05:00
Kevin McConnell d24726c1d3 Merge pull request #1768 from basecamp/data-exports
Add "data export" feature
2025-12-02 09:56:40 +00:00