David Heinemeier Hansson
caa4cd491e
Smooth out the finder API
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
9254d17359
The magic of it is not needing to manually yield it!
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
7d2c284726
Clarify
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
467843fe22
Inline now anemic helper methods
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
3329008dd8
Handle everything in the same method
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
895b0e13b8
Drop the need for access tokens to have a session
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
660fcff558
Authenticate api requests without needing a session
2025-12-10 09:23:52 +01:00
Jason Zimdars
073d1af862
List, create, and revoke access tokens
2025-12-10 09:23:52 +01:00
Jason Zimdars
48c83f34b0
Add developer section to user profile
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
db29562c4c
Tie access token directly to session
...
We need to present them differently in the session list and prevent them
from being deleted
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
c65cb77ac4
API index for cards
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
a81c681a8d
Add access token authentication via HTTP AUTHORIZATION bearer header
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
ea697b7143
Add API to boards
2025-12-10 09:23:52 +01:00
Robin Brandt
d60643f5ef
Allow chromium unstable endpoint
2025-12-09 20:24:09 -05:00
Andy Smith
6074ed2347
Add blank slate to the main menu
2025-12-09 15:56:10 -06:00
Andy Smith
fbb0c9d795
Merge pull request #2007 from basecamp/prompt-spacing-fix
...
Fixing Lexxy prompt menu spacing
2025-12-09 15:43:01 -06:00
Zoltan Hosszu
d12eaa4073
Fixing Lexxy prompt menu spacing
2025-12-09 17:36:22 +01:00
Jorge Manrubia
94c59a2399
Merge pull request #2033 from basecamp/limit-webhook-response-size
...
Stream response in webhook request manually to check size
2025-12-09 12:16:42 +01:00
Rosa Gutierrez
29c7926307
Stream response in webhook request manually to check size
...
This addresses a DoS vulnerability where the response might be massive
leading to OOM errors, as the response is read in full in memory by
default.
To prevent this, we need to read the body in chunks, checking the
size of the chunks we've read and raising if we go over a certain limit.
I've set the limit to 100 KB because the responses to these requests
should be fairly small or even empty, and we only care about the status
code in the end.
2025-12-09 11:25:12 +01:00
Jeremy Daer
ea8a78cc22
Fix stale-read race when creating push subscriptions
...
(Caught one such uniqueness exception in the wild)
* 200 OK -> 204 No Content, default status
* No need to touch the subscription when found
* Drop superflous test
2025-12-09 01:34:37 -08:00
Jeremy Daer
bec46e15a9
Drop defunct Account upload attachments ( #2030 )
...
Controller and routes removed in 6a62df470c
2025-12-09 00:36:39 -08:00
Jorge Manrubia
cb0e9b9962
Immediate avatar and embed variants ( #2002 )
...
Reverts #2001
Restores #1955
2025-12-08 14:17:06 -08:00
Jason Zimdars
f8a812f038
Merge pull request #2021 from basecamp/internal/pr-2000
...
Update font stack
2025-12-08 16:10:23 -06:00
Andy Smith
bc8ecc3e91
Account for browser button styled and adjust mobile padding for perma BG
2025-12-08 15:59:58 -06:00
Andy Smith
27585a75b2
Wrap the overflow menu
2025-12-08 15:01:47 -06:00
Mike Dalessio
3c4b838b25
Fix Identity destruction callback ordering
...
ref: #2003
Co-authored-by: Dylan <dylan@restaurantcare.com.au >
2025-12-08 15:12:38 -05:00
Mike Dalessio
abe48f0efa
Ensure user toggles on board edit page are cached properly
...
Not including the disabled flag as part of the cache resulted in
issues like the one described in #1992
2025-12-08 14:21:56 -05:00
Mike Dalessio
c2380dc057
Merge pull request #2013 from basecamp/flavorjones/1992-board-admin
...
Disable board edit buttons for select all/none when not privileged
2025-12-08 13:46:53 -05:00
Mike Dalessio
48730d67e0
Disable board edit buttons for select all/none when not privileged
...
ref: https://github.com/basecamp/fizzy/discussions/1992
2025-12-08 13:32:41 -05:00
Jason Zimdars
bc073a7e79
Merge pull request #2008 from nqst/involvement-button-label-restore
...
Restore "Watch this" / "Stop watching" button labels
2025-12-08 11:57:16 -06:00
Mike Dalessio
642506e79e
Add datetime to the search results
...
I find it helpful (especially when going through a long list of
results) to know how far back in time I'm looking.
A note on the timestamp being used: it's the search index
timestamp. Using the card or comment `updated_at` is fraught because
we do so much touching of records (e.g., comment is touched when a
reaction is added; card is touched when a comment is added). Let's
display the search record's `created_at`, which is the ordering used
for the overall results.
2025-12-08 11:58:54 -05:00
Mike Dalessio
63805aee0f
Merge pull request #1984 from gijigae/fix/japanese-ime-input
...
Fix Japanese IME input handling for tag, step, and reaction fields
2025-12-08 11:09:33 -05:00
Alexander Zaytsev
c479235c60
Fix involvement button label
2025-12-08 15:54:36 +01:00
Jorge Manrubia
15983cede3
No need to pass Currentl.user since it is the default value for the param
2025-12-07 20:03:06 +01:00
Mike Dalessio
661a7e5e2d
Validate email before creating identity during join code redemption
...
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.
See similar change in #1996 for sign-in and sign-up
2025-12-07 13:26:34 -05:00
Jorge Manrubia
c8c91259c7
Revert "Immediate avatar and embed variants"
2025-12-07 12:06:03 +01:00
Jorge Manrubia
568783efd1
Merge pull request #1905 from basecamp/web-push-ssrf
...
Security: Web Push SSRF
2025-12-07 11:58:14 +01:00
Jorge Manrubia
91017c9208
Merge pull request #1955 from basecamp/immediate-variants
...
Immediate avatar and embed variants
2025-12-07 11:50:02 +01:00
Jorge Manrubia
4a6f28b7c5
Merge pull request #1948 from jstarner/custom-delete-modals
...
Replace turbo confirmation dialogs with custom delete modals
2025-12-07 11:48:58 +01:00
Jorge Manrubia
9f20e8bfbb
Merge pull request #1973 from basecamp/lightbox-transitionend-handler
...
Fix lightbox transitionend listener leak
2025-12-07 11:44:03 +01:00
Jorge Manrubia
f2c676e69d
Merge pull request #1983 from AmiasYaska/fix-activity-typo
...
Fix typo in back link: Actvity -> Activity
2025-12-07 11:42:20 +01:00
Jorge Manrubia
31a41e66c2
Make column have a proper ID instead of inferring it from the title
2025-12-07 11:34:54 +01:00
Mike Dalessio
0160f215f2
Validate email before creating identity during sign-up and sign-in
...
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.
Also:
- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
2025-12-06 16:52:16 -05:00
Mike Dalessio
95ba2c01b8
Add email validation to Signup
2025-12-06 16:50:39 -05:00
Mike Dalessio
0793400771
Merge pull request #1994 from basecamp/flavorjones/signup-dev-magic-link
...
Render verification code in dev for signups, too
2025-12-06 15:07:47 -05:00
Mike Dalessio
b439a7695b
Render verification code in dev for signups, too
...
Related to 5865d79e / #1991
2025-12-06 15:02:22 -05:00
Mike Dalessio
675600af72
Improve presentation of validation errors
2025-12-06 14:57:27 -05:00
Mike Dalessio
c388f5ef20
Display validation errors for user profiles.
...
Specifically this will help people understand why their SVG avatar
uploads are being rejected, and will keep the RecordInvalid exception
out of Sentry logs.
2025-12-06 14:34:08 -05:00
Mike Dalessio
1883473de1
Remove duplication in the list of supported avatar file types
2025-12-06 14:34:08 -05:00
Mike Dalessio
5865d79ed9
Display the verification code in the dev env
...
This seems better and easier than the console log.
2025-12-06 13:46:13 -05:00