Commit Graph

8769 Commits

Author SHA1 Message Date
Denis Švara b8bb4cf381 Remove option to toggle header visibility from mobile apps in bridge page controller. 2026-01-08 10:15:14 +01:00
Denis Švara e2f99892b1 Remove form related events from bridge page controller. 2026-01-08 09:59:44 +01:00
Denis Švara 9331c37f6f Remove bridge nav-button controller. 2026-01-07 17:55:23 +01:00
Denis Švara 76eaf326c0 Add bridge buttons controller.
It sends all buttons in one connect payload.
2026-01-07 17:54:52 +01:00
Denis Švara dc9c544408 Use bridge nav-button for board settings action. 2026-01-07 12:54:04 +01:00
Denis Švara 75431e0bf9 Hide bridged nav-button elements when native nav component is active. 2026-01-07 11:41:52 +01:00
Denis Švara ce0538d43b Move bridge insets controller to bridge/controllers. 2026-01-07 11:35:01 +01:00
Denis Švara de10717bd8 Use bridged_form_with for board creation form. 2026-01-07 11:31:11 +01:00
Denis Švara 58664f88de Add bridged_form_with helper for bridge form controller. 2026-01-07 11:30:09 +01:00
Denis Švara 4cbc2c676d Hide bridged submit button when native form component is active. 2026-01-07 11:27:16 +01:00
Denis Švara c61942d57b Add bridge form controller. 2026-01-07 09:58:06 +01:00
Denis Švara 367edfcbac Add bridge nav-button controller. 2026-01-07 09:49:31 +01:00
Denis Švara cdc4f2c211 Wire bridge insets controller into the layout. 2026-01-07 09:39:56 +01:00
Denis Švara 69c17a786b Add bridge insets controller. 2026-01-07 09:39:12 +01:00
Denis Švara 367a7ab4f7 Use raw page_title in bridge page title attribute 2026-01-06 17:23:12 +01:00
Denis Švara 2d7b76ff78 Fix bridge viewport safe-area insets. 2026-01-06 17:14:51 +01:00
Denis Švara 37f0a2cfe9 Add hotwire-native-bridge vendor js. 2026-01-06 17:02:20 +01:00
Denis Švara ecf0921af9 Add bridge page targets. 2026-01-06 16:03:28 +01:00
Denis Švara 177afe1a41 Add bridge page controller and helpers. 2026-01-06 15:54:10 +01:00
Denis Švara b84da94016 Add Hotwire Native Bridge wiring. 2026-01-06 15:46:47 +01:00
Jay Ohms 4919e571fb Merge pull request #2293 from basecamp/mobile-local-dev
Support mobile app local development access from devices over nip.io (wildcard DNS)
2026-01-06 09:05:38 -05:00
Jay Ohms 504e4fa5e2 Merge pull request #2178 from basecamp/mobile-app/prepare-webviews
Mobile app / Prepare webviews
2026-01-06 09:05:13 -05:00
Andy Smith 047dca4dbf Merge pull request #2295 from basecamp/public-column-placeholders
Only hide the blank slate when there are no cards present
2026-01-05 15:06:28 -06:00
Andy Smith 2ee7af6fde Only hide the blank slate when there are no cards present 2026-01-05 15:00:36 -06:00
Rosa Gutierrez 5f390f72df Support local installations where the app is loaded over HTTP
In this case requests won't be performed from a secure context [1] and
the browser won't send the Sec-Fetch-Site header. This means non-GET
requests will be rejected because CSRF protection will fail.

With this change, we allow these requests with missing Sec-Fetch-Site
headers if:
- They happen over HTTP
- The app is not configured to force SSL

The Origin check happens in any case.

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
2026-01-05 18:50:14 +01:00
Jorge Manrubia ffb9847a4e Merge pull request #2287 from italomatos/refactor/use-ids-method-instead-of-pluck
Refactor: Replace pluck(:id) with ids method
2026-01-05 16:03:41 +01:00
Jorge Manrubia 045ddf78f3 Revert "Make sure new card drafts are refreshed when reused"
This reverts commit 3008011175.
2026-01-05 15:58:16 +01:00
Jorge Manrubia 3008011175 Make sure new card drafts are refreshed when reused
To deal with old timestamps messing with card ordering and so.

https://app.fizzy.do/5986089/cards/3495
2026-01-05 15:57:48 +01:00
Jay Ohms ea43d81850 Support mobile app local development access from devices over nip.io 2026-01-05 09:31:27 -05:00
Mike Dalessio abe16bf055 Merge pull request #2290 from basecamp/flavorjones/console-incineration-queue
Add a "*" to the queues handled by the solid queue worker pool
2026-01-04 14:13:59 -05:00
Mike Dalessio 96dfcb9d4c Add a "*" to the queues handled by the solid queue worker pool
Specifically this is to make sure all queues are managed, like the one
we use for incineration in the fizzy-saas engine.
2026-01-04 14:09:42 -05:00
Mike Dalessio f7205594b5 Merge pull request #2289 from basecamp/flavorjones/remove-recurring-execution-cleanup
Remove unnecessary recurring execution cleanup task
2026-01-04 11:17:41 -05:00
Mike Dalessio 27093e4e78 Remove unnecessary recurring execution cleanup task
This task is unnecessary because the
`solid_queue_recurring_executions` table has a foreign key to
`solid_queue_jobs` with `on_delete: :cascade`.

This config was cargo-culted from HEY (in 44429644), which *does* need
this task to run because we've omitted the FK constraints there.
2026-01-04 11:12:01 -05:00
Italo Matos 4189261cd0 Refactor: Replace pluck(:id) with ids method
Use the more idiomatic ActiveRecord ids method instead of pluck(:id)
across controllers and models. The ids method is more readable and
explicitly conveys the intent to retrieve primary key values.

Changes:
- BoardsController#edit: Use @board.users.ids
- Board::Storage: Use cards.ids, Comment.where().ids, and ActionText::RichText.where().ids
- User::Accessor: Use account.boards.all_access.ids

This change improves code clarity while maintaining the same functionality.
2026-01-04 10:02:58 -03:00
Rosa Gutierrez 182d36aee9 Update Rails 2026-01-02 18:56:28 +01:00
Jay Ohms d273ab20a6 Merge branch 'main' into mobile-app/prepare-webviews
* main: (63 commits)
  Ignore hotkeys with modifiers
  Fix 1Password account ID (was user UUID) (#2278)
  Switch 1Password account to 37signals.1password.com (#2276)
  Remove CSS testing comments
  Max card count equals geared pagination size
  Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
  Only enable transitions on user interaction
  Don't update counter if value hasn't changed
  Add padding to upgrade message on larger screens
  Add test coverage for autolinking multiple URLs
  Add "noopener" to autolinks' rel attribute
  Avoid string manipulation when autolinking.
  Only bump z-index when nav is open
  Move nav and related elements above footer
  Delete Dockerfile.dev
  fix: use the right gh-cli arch package (#2232)
  Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
  Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
  Consider user avatars always public
  Implement authorization for Active Storage endpoints
  ...
2026-01-02 11:42:07 -05:00
Jason Zimdars 6b56fc112e Merge pull request #2281 from basecamp/fix-card-hotkeys
Ignore hotkeys with modifiers
2026-01-01 10:05:30 -06:00
Jason Zimdars d7ef796092 Ignore hotkeys with modifiers
Avoids unintentionally triggering when using system shortcuts like
`command+[` in macOS
2026-01-01 09:47:10 -06:00
Jeremy Daer 0634ddaebd Fix 1Password account ID (was user UUID) (#2278) 2025-12-31 13:58:01 -08:00
Jeremy Daer cda4f93e4a Switch 1Password account to 37signals.1password.com (#2276) 2025-12-31 10:15:39 -08:00
Andy Smith 7ed597ae06 Merge pull request #2275 from basecamp/polish-expander-transitions
Polish expander transitions
2025-12-30 12:49:18 -06:00
Andy Smith f2759f1ca0 Remove CSS testing comments 2025-12-30 12:37:10 -06:00
Andy Smith 711eec133a Max card count equals geared pagination size 2025-12-30 12:30:55 -06:00
Jeremy Daer 0eefd67b68 Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.

Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
  blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats

Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.

HackerOne: #3481701
2025-12-29 21:45:06 -08:00
Andy Smith 668ecd3a16 Merge pull request #2272 from basecamp/prevent-transtions-until-user-interactions
Only enable transitions on user interaction
2025-12-29 15:36:38 -06:00
Andy Smith b9c11ad768 Only enable transitions on user interaction 2025-12-29 15:30:55 -06:00
Andy Smith 19ec607b9f Merge pull request #2271 from basecamp/limit-column-transitions
Don't update counter if value hasn't changed
2025-12-29 15:12:59 -06:00
Andy Smith 67f39aad8a Don't update counter if value hasn't changed 2025-12-29 14:51:11 -06:00
Andy Smith 14464da29a Merge pull request #2270 from basecamp/saas-message-tweak
Add padding to upgrade message on larger screens
2025-12-29 13:59:02 -06:00
Andy Smith 4ca13516be Add padding to upgrade message on larger screens 2025-12-29 13:54:43 -06:00