Commit Graph

691 Commits

Author SHA1 Message Date
Adrien Maston caafebbf22 Extract title to helper 2026-01-12 14:55:32 +01:00
Jay Ohms cf3efce57c Move the rest of the visible card perma buttons to the overflow menu 2026-01-09 13:39:05 -05:00
Jay Ohms 9ac34f8882 Only apply the "Don't/Watch this" bridge target for the text variant (for the overflow on the board perma) 2026-01-08 22:46:47 -05:00
Jay Ohms 2b0c4b4c69 Send icon urls with buttons and resolve duplicate bridge items on the board perma since there are duplicate hidden elements 2026-01-08 22:01:08 -05:00
Jay Ohms b9dcc3c08f Update bridged overflow menu items for settings links 2026-01-08 16:36:12 -05:00
Jay Ohms b6aac0ba73 Introduce a bridge helper to get icon asset urls 2026-01-08 16:35:17 -05:00
Adrien Maston f848a492a4 Use already existing buttons to populate the top nav bar 2026-01-08 17:32:21 +01:00
Denis Švara 37467743b3 Remove bridge button metadata from board settings link. 2026-01-08 16:37:42 +01:00
Denis Švara eae17b82b4 Merge branch 'main' into mobile/bridge-components
* main: (65 commits)
  Repair scope for card styles within the columns view
  Add missing list to cards page
  Account for simpler public views
  Fix public layout
  Pull board-tools outside of the list for mobile
  saas: move log_level setting into an environment variable
  Restore log level configurability in production environment
  Remove engagements
  Use notch class so Save button is positioned correctly
  Go back to board after clearing filters
  Revert "Use existing no_filtering_url to direct back to the board when clearing filters"
  Use existing no_filtering_url to direct back to the board when clearing filters
  Ensure filters sit on top of cards
  Fix public boards
  Fix card grid layout
  Fix Chinese/Japanese characters missing from printed PDFs on macOS
  Add SQLite FTS5 support for CJK search
  Add CJK (Chinese, Japanese, Korean) search support
  Fix scrolling on mobile
  Remember expanded state on navigation
  ...
2026-01-08 14:34:10 +01:00
Denis Švara 37f03fc4e7 Use bridge buttons controller in boards. 2026-01-08 10:18:56 +01:00
Andy Smith 897cac06c7 Pull board-tools outside of the list for mobile 2026-01-07 11:36:31 -06:00
Andy Smith 4cc44704e5 Merge branch 'main' into mobile-columns-pt-iii 2026-01-07 11:16:49 -06:00
Denis Švara dc9c544408 Use bridge nav-button for board settings action. 2026-01-07 12:54:04 +01:00
Denis Švara 58664f88de Add bridged_form_with helper for bridge form controller. 2026-01-07 11:30:09 +01:00
Andy Smith 5b6fdbfeae Fix mini bubble cropping, filters padding, and grid-style 2026-01-02 12:45:53 -06:00
Jay Ohms d273ab20a6 Merge branch 'main' into mobile-app/prepare-webviews
* main: (63 commits)
  Ignore hotkeys with modifiers
  Fix 1Password account ID (was user UUID) (#2278)
  Switch 1Password account to 37signals.1password.com (#2276)
  Remove CSS testing comments
  Max card count equals geared pagination size
  Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
  Only enable transitions on user interaction
  Don't update counter if value hasn't changed
  Add padding to upgrade message on larger screens
  Add test coverage for autolinking multiple URLs
  Add "noopener" to autolinks' rel attribute
  Avoid string manipulation when autolinking.
  Only bump z-index when nav is open
  Move nav and related elements above footer
  Delete Dockerfile.dev
  fix: use the right gh-cli arch package (#2232)
  Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
  Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
  Consider user avatars always public
  Implement authorization for Active Storage endpoints
  ...
2026-01-02 11:42:07 -05:00
Mike Dalessio 4579f7cd61 Avoid string manipulation when autolinking.
Instead, let's use a Loofah scrubber which will create DOM nodes
directly. This should be faster and is a tiny bit simpler, as well as
removing a potential HTML injection vector.

Also, add "noreferrer" to all `mailto:` links (already present on URLs).
2025-12-29 12:21:00 -05:00
Jason Zimdars 6de7b40024 Explicitly diable hotkeys in Not Now and Done 2025-12-22 14:14:50 -06:00
Jay Ohms e379721c2f Merge branch 'main' into mobile-app/prepare-webviews
* main: (107 commits)
  Document the new sign in method
  Replace handle_ naming
  Use same constant for fake magic links
  Replace FakeMagicLink with a temporary object
  Tidy up session_token
  Clean up interfaces
  Split tests by controller or responsibility
  Simplify auth logic
  Fix due to unit test when creating with invalid emails
  Restore sessions_controller test on creating invalid email address
  Move magic link api tests to their own files
  Rename test to clarify what they're about
  Cleanup session creation
  Update to always return a pending auth token for JSON responses.
  Update API test for cross code
  Change test expectation on single tenant mode account creation
  Add unit tests for the new endpoints
  Pass a server token when creating a magic link via API
  Simplify code a bit
  Simplify session create logic for both html and json
  ...
2025-12-19 13:52:04 -05:00
Jorge Manrubia 2cbbdfbd19 Merge pull request #2138 from italomatos/refactor/replace-reverse-merge-with-with-defaults
Refactor: Replace reverse_merge with with_defaults for improved readability
2025-12-19 11:24:46 +01:00
Oleh Khomei e67e658e98 Remove unused method 2025-12-18 20:37:28 +02:00
Adrien Maston 12bc237665 Horizontal column picker
... in card perma
2025-12-17 11:34:31 +01:00
Jason Zimdars 8659e19671 Collapse and expand system comments 2025-12-16 14:21:48 -06:00
Jorge Manrubia 0278fe6ae4 Revert "Mobile app / Scoped stylesheets" (#1698)
This reverts commit 39c1906e67.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-16 17:20:18 +01:00
Adrien Maston 1f346085b9 Merge branch 'main' into mobile-app/scoped-stylesheets
* main: (119 commits)
  Bust comment view cache
  Update lexxy to bring fixes from https://github.com/basecamp/lexxy/releases/tag/v0.1.24.beta
  Fix unexpected remove empty line from README
  Lightbox uses Stimulus target callbacks instead of data-action
  Add test coverage for the image lightbox
  Add tests for tenancy middleware and timezone cookie
  Refactor: Simplify TimeWindowParser using Rails convenience methods
  SMTP: support SMTPS on port 465 (#2132)
  Bump fizzy-saas to retain fewer docker images (#2134)
  Add test coverage for with_golden_first scope (#2130)
  Refactor: improve query scope composition with merge syntax (#2131)
  Validate avatar sizes
  Introduce Vips configuration
  Tailscale serve support (#2126)
  Update tests with final method naming: record! -> record
  CSP config to allow Minio in development
  Update fizzy-saas to get employee restriction in staging
  Drop staff restriction in beta and staging
  Unused
  Use new FIZZY_GH_TOKEN with limited access
  ...
2025-12-15 10:43:32 +01:00
Italo Matos cd4fbc011c Refactor: Replace reverse_merge with with_defaults for improved readability
Replace all occurrences of reverse_merge with with_defaults across the codebase.
The with_defaults method provides clearer intent and better readability when
setting default values for hash parameters.

Changes:
- app/helpers/columns_helper.rb: Update column_frame_tag method
- app/models/user/email_address_changeable.rb: Update generate_email_address_change_token method
- app/models/account.rb: Update create_with_owner method
- app/controllers/concerns/filter_scoped.rb: Update filter_params method

This refactoring maintains the same functionality while improving code clarity.
2025-12-14 14:22:06 -03:00
Mike Dalessio 3d523b84fc Explicitly use main_app for URL helpers
in controller concerns that are mixed into other engines' controllers. This prevents errors like:

> NoMethodError: undefined method 'session_menu_url' for an instance of ActiveStorage::DirectUploadsController

See also 912bb8a8 and 5ee10800
2025-12-11 12:55:32 -05:00
Adrien Maston 865fbdcf66 Merge branch 'main' into mobile-app/scoped-stylesheets
* main: (117 commits)
  Explain that the upload URL is account-scope
  Allow direct uploads via API
  Storage: ignore jobs for now-deleted targets
  API: Support `created_at` for API card and comment creation (#2056)
  Enforce CSP (#2070)
  CSP: full config with env vars per source (#2069)
  Speedy, auditable, deadlock-resistant storage tracking (#2026)
  Gitleaks: ignore legit non-sensitive API keys and tokens in docs/ and test/ (#2068)
  Get gitleaks-audit green again
  Bump actions/checkout from 4 to 6 (#2047)
  Bump docker/login-action from 3.5.0 to 3.6.0 (#2046)
  Bump docker/metadata-action from 5.8.0 to 5.10.0 (#2045)
  Bump sigstore/cosign-installer from 3.9.2 to 4.0.0 (#2044)
  make MySQL SSL mode configurable via env var (#2036)
  Update tip text for turning a card into a Golden Ticket
  Revert "Fix Lexxy prompt list padding by lowering rich-text specificity"
  Fix Lexxy prompt list padding by lowering rich-text specificity
  Improve phrasing
  Fix crash due to missing partial
  Fix status and filter mistakes
  ...
2025-12-11 13:42:48 +01:00
Mike Dalessio e0c821f69b Autolinking is more robust
and handles URLs with CGI params, recognizes more (and multiple)
trailing punctuation marks including entity-encoded punctuation like
`&quot;`.
2025-12-10 10:42:24 -05:00
Mike Dalessio c5721b8187 Avoid unescaping characters when auto-linking
which could lead to Nokogiri unintentionally parsing tags from a
previously-escaped text node.
2025-12-10 10:38:43 -05:00
Adrien Maston 6c53fdb525 Merge branch 'main' into mobile-app/scoped-stylesheets
* main: (70 commits)
  bin/ci: run OSS suite in SAAS mode for full coverage (#2029)
  Fix flaky tests caused by leaky show_exceptions twiddling (#2028)
  Fix ActiveStorage FileNotFoundError with immediate variant processing (#2022)
  Immediate avatar and embed variants (#2002)
  Should be in global gitignore
  Account for browser button styled and adjust mobile padding for perma BG
  Wrap the overflow menu
  doc: update style doc reference for LLM agents
  Fix Identity destruction callback ordering
  Ensure user toggles on board edit page are cached properly
  Adopt a cooldown period for dependency updates
  Add lazy error context for Rails error reporter (#2014)
  Disable board edit buttons for select all/none when not privileged
  Autotuner: use structured logging instead of Sentry (#2011)
  Add datetime to the search results
  Fix involvement button label
  Bump mittens to 0.3.1 (#2006)
  No need to pass Currentl.user since it is the default value for the param
  Validate email before creating identity during join code redemption
  Ignore RubyMine project files in .gitignore
  ...
2025-12-09 09:11:51 +01:00
Mike Dalessio abe48f0efa Ensure user toggles on board edit page are cached properly
Not including the disabled flag as part of the cache resulted in
issues like the one described in #1992
2025-12-08 14:21:56 -05:00
Alexander Zaytsev c479235c60 Fix involvement button label 2025-12-08 15:54:36 +01:00
Adrien Maston 7a5a3c91f8 Merge branch 'main' into mobile-app/scoped-stylesheets
* main: (82 commits)
  We can remove ad-hoc handling now that we rely on page refreshes in the card perma
  Only broadcast when the preview changes, use the _later variant for the broadcast, add tests
  Update pinned cards when the title changes
  Rename to be more consistent
  Beautify board watchers list (#1946)
  Add missing data-attr on public board
  Fix hotkey text size on tiny viewports
  Use buil-in support for :self in Stimulus
  Save a bunch of invocations on morph events from children elements
  Fix: memoization was showing stale values when morphing
  GitHub actions: limit GITHUB_TOKEN permissions (#1933)
  Validate Identity email address
  Drop defunct user creation script
  Golden cards should be placed at the top
  Animate the column height with a stimulus controller so that it does not depend to the server to update when you D&D
  mise: respect .ruby-version
  Support custom validation messages
  Move css bit to the new blank slates CSS
  Prevent board names with only spaces and show validation message
  Keep the column color when D&D cards
  ...
2025-12-05 12:20:05 +01:00
Justin Starner d28fbaa101 Refactor card deletion to use custom modal
Replaces the standard turbo_confirm attribute with a custom dialog modal for a better user experience.

- Removes `button_to_delete_card` helper in favor of inline markup.
- Implements `keydown.esc->dialog#close:stop` to prevent the Escape key from inadvertently closing selected card.
2025-12-04 21:47:09 -05:00
David Heinemeier Hansson d729cf59f9 Beautify board watchers list (#1946)
* Beautify board_watchers_list by escaping the concat jungle

* Correct it and clean it

* Latest Rails to get the content tag fix

* Test against original collection
2025-12-04 16:14:52 -08:00
Jorge Manrubia e3e57a6a7e Merge pull request #1927 from basecamp/speed-up-sorting
Faster D&D by optimistically inserting dropped cards
2025-12-04 21:31:21 +01:00
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Jorge Manrubia a380492b32 Animate the column height with a stimulus controller so that it does not depend to the server to update when you D&D 2025-12-04 19:15:38 +01:00
Jorge Manrubia 539d3721db Keep the column color when D&D cards 2025-12-04 18:31:23 +01:00
Jorge Manrubia 19051aec3e Append dropped cards instead of relying on server-side rendering to refresh the columns
This implements a simple strategy to optimistically insert cards in columns without waiting for the column refresh. Cards will be placed at the top respecting golden cards.

This uses sorting by "created at" with sorting by "updated at" for the _Not now_ column, so that the treatment everywhere is homogenous.
2025-12-04 18:31:23 +01:00
Mike Dalessio 912bb8a8e5 Bump fizzy-saas to enable console auditing
ref: https://app.fizzy.do/5986089/cards/2469
ref: https://github.com/basecamp/fizzy-saas/pull/20
2025-12-04 12:25:54 -05:00
Sean Boult c1468de3d7 Fix title on bell icon 2025-12-03 21:20:34 -06:00
Adrien Maston a770f614c0 Merge branch 'main' into mobile-app/scoped-stylesheets
* main: (85 commits)
  Fix crash when inserting an emoji into a max length reaction
  change the object type in the example code (#1824)
  We can't hide public boards like this
  Consistent breakpoints for min- and max-width
  Repair tooltip z-index selector
  Fix bin/setup to explicitly use bash syntax for mise hook-env (#1813)
  Update AGENTS.md (#1818)
  Bundler: normalize platforms (#1822)
  Robots, begone (#1812)
  Account for input padding on autoresize pseudo-element
  Updated database.sqlite.yml
  (account): encode external_account_id in slug
  Allow typing magic links on mobile
  Add contributing guide
  Disconnect action cable when user is deactivated
  Disable ARM image builds
  Disable image builds for PRs
  Add libssl-dev
  Add automated Docker image builds
  Make the jump nav hotkeys look like the others
  ...
2025-12-03 10:57:27 +01:00
Jorge Manrubia 11249949eb Fix: edit comment button disappears when morphing the page
This also replaces the ad-hoc stimulus controller with the pure-css based
solution we recently added.

https://app.fizzy.do/5986089/cards/3243
2025-12-02 07:06:50 +01:00
Jason Zimdars 06a1473f5b Allow using '#' to match tags when filtering 2025-12-01 15:22:42 -06:00
Andy Smith 67921430a6 Merge pull request #1776 from basecamp/fizzy-menu-ui-updates
Add dividers and move icon to left
2025-12-01 14:51:24 -06:00
Andy Smith 9bbaee4f3a Add dividers and move icon to left 2025-12-01 14:43:06 -06:00
Jason Zimdars 6bb1a7238c No need to special case shift
The symbol isn't doing it
2025-12-01 14:12:46 -06:00
Jason Zimdars 7644b0e793 ESC is primary back hotkey, use helper in more places 2025-12-01 13:54:08 -06:00