Commit Graph

895 Commits

Author SHA1 Message Date
Mike Dalessio b05ecb7809 Update card buttons dynamically
User flows when editing a card look like:
- Click "Edit" → the closure buttons are replaced by "Save changes"
- Submit card form → Saves and restores closure buttons
- Press ESC while editing → Cancels and restores closure buttons

Also, renamed for clarity:
- _title.html.erb → _content.html.erb

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 12:14:39 -05:00
Mike Dalessio 4dc28943da Don't let cloudflare cache avatars
The issue here is that anyone else who views my avatar will cause it
to be cached, and then I can't easily bust the cache if I change my
avatar.
2025-11-22 09:48:28 -05:00
Mike Dalessio 64bac96545 User avatar responses have cache-control "public"
ref: https://app.fizzy.do/5986089/cards/3125
2025-11-21 16:11:39 -05:00
Mike Dalessio bcb43305b6 Improve avatar image handling
- redirect avatar image requests to the rails_blob_url, instead of
  streaming them through the web app
- use a thumbnail variant for avatar images
- only put avatar initials behind the stale? check (not the image
  redirect, which would result in browsers rendering broken images when
  an avatar is changed, until max-age expires)
2025-11-21 15:16:46 -05:00
Stanko K.R. fe909d6dc5 Disable stale while revalidate for own avatar
Locally, having stale_while_revalidate works great, but in production when we are behind CloudFlare, this results in an old image being shown after you upload a new one

See: https://app.fizzy.do/5986089/cards/2978
2025-11-21 19:26:38 +01:00
Jason Zimdars 2c4d2df469 Merge pull request #1679 from basecamp/notifications
Cap the max number of unread notifications to 500
2025-11-21 09:34:26 -06:00
Jorge Manrubia 42a39b224c Cap the max number of unread notifications to 500
Simpler than adding 2 levels of pagination here
2025-11-21 15:55:24 +01:00
Jorge Manrubia 93ee8899a0 More robust implementation to prevent method injection attacks 2025-11-21 10:38:16 +01:00
Jorge Manrubia e4558f00ab Merge branch 'main' into expand-activity-columns 2025-11-21 10:25:39 +01:00
Jorge Manrubia e813b7eaf0 Invalidate HTTP caching when the cards change
https://app.fizzy.do/5986089/cards/3067
2025-11-21 09:32:02 +01:00
Mike Dalessio 1341830ed2 Add total counts and restructure admin stats dashboard
- Add total counts for accounts and identities alongside 7-day and 24-hour metrics
- Change layout from horizontal to vertical stacking

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 14:39:19 -05:00
Jason Zimdars 133a17a75e Just pass the column name string, no need to both with numbers 2025-11-20 11:43:17 -06:00
Mike Dalessio c53b56c1db Display a helpful error message when join code is exhausted
ref: https://app.fizzy.do/5986089/cards/3015
2025-11-19 15:53:25 -05:00
Mike Dalessio 2fe578c5e5 Small improvements to the stats dashboard 2025-11-19 14:31:13 -05:00
Mike Dalessio 362be963c0 Add a very rudimentary admin dashboard. 2025-11-19 14:23:47 -05:00
Mike Dalessio 4636b31f06 Authorization ensure_staff uses identity.staff
for use on untenanted routes
2025-11-19 14:23:47 -05:00
Mike Dalessio 47c05e6d6a Restore basic auth on signup
broken in 6e304958
2025-11-19 14:12:59 -05:00
Jason Zimdars eba749a193 Expand activity columns 2025-11-19 12:48:36 -06:00
David Heinemeier Hansson 9ddcfa5c4b Conventional order and remove redundant filtering of actions 2025-11-18 15:49:50 +01:00
David Heinemeier Hansson 7d86aae67e Inline anemic method 2025-11-18 15:48:40 +01:00
David Heinemeier Hansson b63d79d7a2 Style 2025-11-18 15:45:28 +01:00
David Heinemeier Hansson c606de7b41 Instead of trying to suppress from the wrong layer of the stick, just don't touch until published? 2025-11-18 15:35:40 +01:00
David Heinemeier Hansson 444d43f2ac Its been a few days 2025-11-18 14:52:07 +01:00
David Heinemeier Hansson 6e304958be No need to protect local dev/test 2025-11-18 14:32:54 +01:00
Stanko K.R. 0f7b1312eb Fix tests broken by optimizations 2025-11-17 17:45:24 +01:00
Stanko K.R. 0b8c51c2e9 Preload cards for columns 2025-11-17 16:16:19 +01:00
Stanko K.R. e539754e2c Preload cards 2025-11-17 09:12:41 -05:00
Mike Dalessio f5305b2fe6 Use Card number as the model param
instead of the UUID `id`
2025-11-17 09:12:41 -05:00
Kevin McConnell 9615753e1f Add routing header to see who served request 2025-11-17 09:12:41 -05:00
Stanko K.R. e0693de7c3 Scope jobs and controllers by account 2025-11-17 09:12:41 -05:00
Mike Dalessio 5a7f08067a Move setting Current.account into the middleware
so that code called from the Rails controllers can use Current.account
2025-11-17 09:12:40 -05:00
Stanko K.R. 56c41d45eb Reinstate email changes 2025-11-17 09:12:40 -05:00
Stanko K.R. 34d83aaa7c Fix tests after the removal of memberships 2025-11-17 09:12:40 -05:00
Stanko K.R. 8fa9566c07 Update sign up 2025-11-17 09:12:40 -05:00
Stanko K.R. edf837fed3 Drop memberships 2025-11-17 09:12:39 -05:00
Stanko K.R. 5c6b91ef77 Fix incorrect var setting 2025-11-17 09:12:36 -05:00
Stanko K.R. 71a332bb08 Remove dead code 2025-11-17 09:12:17 -05:00
Stanko K.R. db172bae4e Simplify authorization 2025-11-17 09:12:17 -05:00
Stanko K.R. 28a6dfce01 Simplify user deactivation 2025-11-17 09:12:17 -05:00
Stanko K.R. 6858b96619 Simplify join codes 2025-11-17 09:12:17 -05:00
Donal McBreen 3aa4a1a562 Shard the search index into 16 tables
Create search_index_0 to search_index_15 tables and shard each index by
account id. MySQL has no ability to pre-filter fulltext indexes by
another field so this is the best bet for improving performance.

Each fulltest index internally creates 11 sub tables (see
https://dev.mysql.com/doc/refman/8.4/en/innodb-fulltext-index.html) so
actually we have 192 tables in total here.

The search_index table name is generated dynamically based on the
account_id.
2025-11-17 09:12:17 -05:00
Donal McBreen ddd7fe082a Ensure the mentioning scope search works
Include the filter by accessible board ids to avoid large joins from the
search_index table. Drop the unused search scope.
2025-11-17 09:12:17 -05:00
Mike Dalessio dbf66f9a50 Constrain user queries to the current or relevant account 2025-11-17 09:11:57 -05:00
Mike Dalessio 89d1299ec0 Fix authentication on "untenanted" controllers
trying out the name "disallow_account_scope" for this, but I don't
think it's quite right yet.
2025-11-17 09:11:47 -05:00
Mike Dalessio 086a9ceada Revert some auth pieces of "Account.sole → Current.account" 2025-11-17 09:11:45 -05:00
Mike Dalessio 030433b99d Remove debugging statements 2025-11-17 09:11:42 -05:00
Mike Dalessio ec54014832 Add account slug middleware
and set Current.account
2025-11-17 09:11:42 -05:00
Mike Dalessio d41d50d52b Account.sole → Current.account
and some other de-tenant changes, including removing the controller
tenanting concerns
2025-11-17 09:11:40 -05:00
Kevin McConnell dc40d2b5b0 Remove custom read/writer routing 2025-11-17 09:11:28 -05:00
Jorge Manrubia a1bc6b7939 Do not use HTTP caching since the page is full of forms, and can result in 422s due to CSRF tokens
https://app.fizzy.do/5986089/cards/2977
2025-11-17 13:55:23 +01:00