Commit Graph

5575 Commits

Author SHA1 Message Date
Andy Smith bc8ecc3e91 Account for browser button styled and adjust mobile padding for perma BG 2025-12-08 15:59:58 -06:00
Andy Smith 27585a75b2 Wrap the overflow menu 2025-12-08 15:01:47 -06:00
Mike Dalessio 3c4b838b25 Fix Identity destruction callback ordering
ref: #2003

Co-authored-by: Dylan <dylan@restaurantcare.com.au>
2025-12-08 15:12:38 -05:00
Mike Dalessio abe48f0efa Ensure user toggles on board edit page are cached properly
Not including the disabled flag as part of the cache resulted in
issues like the one described in #1992
2025-12-08 14:21:56 -05:00
Mike Dalessio c2380dc057 Merge pull request #2013 from basecamp/flavorjones/1992-board-admin
Disable board edit buttons for select all/none when not privileged
2025-12-08 13:46:53 -05:00
Mike Dalessio 48730d67e0 Disable board edit buttons for select all/none when not privileged
ref: https://github.com/basecamp/fizzy/discussions/1992
2025-12-08 13:32:41 -05:00
Jason Zimdars bc073a7e79 Merge pull request #2008 from nqst/involvement-button-label-restore
Restore "Watch this" / "Stop watching" button labels
2025-12-08 11:57:16 -06:00
Mike Dalessio 642506e79e Add datetime to the search results
I find it helpful (especially when going through a long list of
results) to know how far back in time I'm looking.

A note on the timestamp being used: it's the search index
timestamp. Using the card or comment `updated_at` is fraught because
we do so much touching of records (e.g., comment is touched when a
reaction is added; card is touched when a comment is added). Let's
display the search record's `created_at`, which is the ordering used
for the overall results.
2025-12-08 11:58:54 -05:00
Mike Dalessio 63805aee0f Merge pull request #1984 from gijigae/fix/japanese-ime-input
Fix Japanese IME input handling for tag, step, and reaction fields
2025-12-08 11:09:33 -05:00
Alexander Zaytsev c479235c60 Fix involvement button label 2025-12-08 15:54:36 +01:00
Jorge Manrubia 15983cede3 No need to pass Currentl.user since it is the default value for the param 2025-12-07 20:03:06 +01:00
Mike Dalessio 661a7e5e2d Validate email before creating identity during join code redemption
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

See similar change in #1996 for sign-in and sign-up
2025-12-07 13:26:34 -05:00
Jorge Manrubia c8c91259c7 Revert "Immediate avatar and embed variants" 2025-12-07 12:06:03 +01:00
Jorge Manrubia 568783efd1 Merge pull request #1905 from basecamp/web-push-ssrf
Security: Web Push SSRF
2025-12-07 11:58:14 +01:00
Jorge Manrubia 91017c9208 Merge pull request #1955 from basecamp/immediate-variants
Immediate avatar and embed variants
2025-12-07 11:50:02 +01:00
Jorge Manrubia 4a6f28b7c5 Merge pull request #1948 from jstarner/custom-delete-modals
Replace turbo confirmation dialogs with custom delete modals
2025-12-07 11:48:58 +01:00
Jorge Manrubia 9f20e8bfbb Merge pull request #1973 from basecamp/lightbox-transitionend-handler
Fix lightbox transitionend listener leak
2025-12-07 11:44:03 +01:00
Jorge Manrubia f2c676e69d Merge pull request #1983 from AmiasYaska/fix-activity-typo
Fix typo in back link: Actvity -> Activity
2025-12-07 11:42:20 +01:00
Jorge Manrubia 31a41e66c2 Make column have a proper ID instead of inferring it from the title 2025-12-07 11:34:54 +01:00
Mike Dalessio 0160f215f2 Validate email before creating identity during sign-up and sign-in
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

Also:

- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
2025-12-06 16:52:16 -05:00
Mike Dalessio 95ba2c01b8 Add email validation to Signup 2025-12-06 16:50:39 -05:00
Mike Dalessio 0793400771 Merge pull request #1994 from basecamp/flavorjones/signup-dev-magic-link
Render verification code in dev for signups, too
2025-12-06 15:07:47 -05:00
Mike Dalessio b439a7695b Render verification code in dev for signups, too
Related to 5865d79e / #1991
2025-12-06 15:02:22 -05:00
Mike Dalessio 675600af72 Improve presentation of validation errors 2025-12-06 14:57:27 -05:00
Mike Dalessio c388f5ef20 Display validation errors for user profiles.
Specifically this will help people understand why their SVG avatar
uploads are being rejected, and will keep the RecordInvalid exception
out of Sentry logs.
2025-12-06 14:34:08 -05:00
Mike Dalessio 1883473de1 Remove duplication in the list of supported avatar file types 2025-12-06 14:34:08 -05:00
Mike Dalessio 5865d79ed9 Display the verification code in the dev env
This seems better and easier than the console log.
2025-12-06 13:46:13 -05:00
Jeremy Daer 529f5af5f6 CSP adherence: fix magic links console logging (#1989)
* CSP: fix magic link console logging by including nonce in the script tag

* Remove unused back-nav controller

Unused since c0f842427d

Eliminates a potential CSP violation with javascript: URI
2025-12-06 10:08:22 -08:00
Zoltan Hosszu e562c72ec9 Small visual tweak for indented list style 2025-12-06 17:58:01 +01:00
AmiasYaska 7d4775d249 Fix typo in back link: Actvity -> Activity 2025-12-06 14:32:05 +03:00
Stanko K.R. 73c2b00211 Rever to using Ssrf instead of SSRF
Ref: https://github.com/basecamp/fizzy/pull/1967#discussion_r2593750027
2025-12-06 11:04:55 +01:00
Jorge Manrubia ffb357becf Merge pull request #1742 from basecamp/latest-lexxy
Update lexxy to latest
2025-12-06 10:31:19 +01:00
gijigae e03c002efd Fix Japanese IME input handling for tags and form fields
When typing in Japanese, the Enter key is used to confirm kanji conversion
during IME composition. Previously, pressing Enter would immediately save
the tag, which prevented users from completing the conversion.

Changes:
- Add isComposing check to navigable_list_controller.js Enter handler
- Add IME composition tracking to form_controller.js
- Add compositionstart/compositionend event handlers to tag, step, and
  reaction input fields
- Add preventComposingSubmit action to prevent form submission during
  composition

This fix supports all IME input methods (Japanese, Chinese, Korean, etc.)
using standard browser composition events.
2025-12-06 17:26:35 +09:00
Mike Dalessio 69f8216982 Pass correct params to webhook reactivation url helper.
ref: https://app.fizzy.do/5986089/cards/3219
2025-12-05 22:44:34 -05:00
Mike Dalessio fc8ef33332 Show unverified status on user profile page
Display "Unverified" with an explanation instead of the email address
for users who haven't confirmed their identity. Hide the card links
and activity timeline since unverified users won't have any activity.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio 1ad52d2590 Only send notification emails to verified users
Adds verified? check to bundling_emails? to prevent notification emails
from being sent to users who have never authenticated. This closes the
spam vector where bad actors could create users for known email
addresses and trigger unwanted notifications by mentioning them.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio 4602cd3cdd Add verified_at timestamp to use for spam prevention
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio fa549a370b Add a system test for joining an account
Reworked the magic link stimulus controller, because the system test
was causing double-submission of the form (because the event was
bubbling up). I think that change simplifies the form and will still
work well for iOS devices.
2025-12-05 21:51:44 -05:00
Jeremy Daer db55923fdb Fix lightbox transitionend listener leak
Switch to a Stimulus action for automatic handling
2025-12-05 16:19:01 -08:00
Justin Starner 330be4ec72 Position modal buttons using justify-center. 2025-12-05 15:25:24 -05:00
Stanko K.R. 1b3d7d4276 Fix ipaddr setter 2025-12-05 20:43:56 +01:00
Stanko K.R. cd3751f4c1 Fix Resolv::DNS always returning no results 2025-12-05 20:09:39 +01:00
Andy Smith 2cf718835b Style updates for latest Lexxy version
Style nested lists, highlight dropdown, and link dropdown. Also organizes the CSS file a bit better.
2025-12-05 11:16:11 -06:00
Jorge Manrubia 1ac5867d5c These are textareas now 2025-12-05 11:41:11 +01:00
Jorge Manrubia 48ef7d0b98 Update Lexxy and hide the highlighter for now 2025-12-05 11:24:52 +01:00
Jorge Manrubia 67f36886a1 Update lexxy to latest
Color highlighter, more code languages...
2025-12-05 11:17:29 +01:00
Jorge Manrubia 59ff50c1cb We can remove ad-hoc handling now that we rely on page refreshes in the card perma 2025-12-05 10:11:24 +01:00
Jorge Manrubia c89db89f2a Only broadcast when the preview changes, use the _later variant for the broadcast, add tests 2025-12-05 10:09:20 +01:00
Andy Smith bcad6b913c Update pinned cards when the title changes 2025-12-05 10:09:20 +01:00
Jeremy Daer 21f3f72647 Immediate avatar and embed variants
Process variants synchronously on attachment to close the window between
image upload and variant availability, guaranteeing that we won't have
lazy variant processing attempts in GET requests.

Tradeoff is that we do variant processing in upload requests, which is
actually desirable. We're working with images that should take
milliseconds to resize given that we'll already have the file on hand.

References https://github.com/rails/rails/pull/51951
2025-12-04 23:54:37 -08:00