Jorge Manrubia
31542373ee
Merge pull request #2112 from JangoCG/feature/rate-limit-join-codes
...
feat: protect join codes from brute-force attacks
2025-12-14 09:43:28 +01:00
Jorge Manrubia
cac9088ad3
Merge pull request #2105 from seuros/main
...
feat: expose closed boolean in card JSON API
2025-12-14 09:36:32 +01:00
Jorge Manrubia
d7e5d4218f
Merge pull request #2032 from tomycostantino/update-columns-on-actions
...
Fix: board columns actions are stale when moving a column moves
2025-12-14 09:28:57 +01:00
Mike Dalessio
139bf3cf81
Validate avatar sizes
2025-12-13 13:05:30 -05:00
Mike Dalessio
9cff236f66
Drop staff restriction in beta and staging
...
because it was preventing testing of signups.
2025-12-12 15:12:46 -05:00
Rosa Gutierrez
7f5fa6d715
Use Sec-Fetch-Site exclusively for CSRF protection
...
And close the gap with JSON requests, which shouldn't be allowed if
Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this
wouldn't be coming from a browser.
2025-12-12 18:37:32 +01:00
Cengiz Guertusgil
09a2e7d7d7
feat: add rate limit to join codes controller
2025-12-12 17:21:57 +01:00
Abdelkader Boudih
b5caa8716d
feat: expose closed boolean in card JSON API
...
Adds `closed` field to card JSON response, allowing API consumers
to detect closed status without parsing the status enum or making
additional API calls.
2025-12-12 10:12:21 +01:00
Stanko Krtalić
c43c184691
Merge pull request #2093 from robzolkos/add-qr-codes-controller-test
...
Add QrCodesController test
2025-12-12 08:11:51 +01:00
Stanko Krtalić
23425cb67b
Merge pull request #2086 from basecamp/harden-magic-links
...
Pin sign in attempts to the current session
2025-12-12 07:23:19 +01:00
Stanko K.R.
f4ef9c9580
Test that you can't go to the magic link screen without an email
2025-12-12 07:16:07 +01:00
Jankees van Woezik
78fc80cf35
API: Allow updates to last_active_at ( #2076 )
...
* Allow Card#last_updated_at to be set
This is useful when doing an import from another system. I'm currently
working on a script to import our Github issues into Fizzy.
This is discussed in
https://github.com/basecamp/fizzy/pull/2056#discussion_r2609560246
* Add nil fallback and expand test coverage for last_active_at
Adds a safety fallback to Time.current if created_at is unexpectedly nil
during card creation.
Test coverage to verify:
* last_active_at defaults to created_at when not provided
* last_active_at can be updated via API on existing cards
* import workflow where last_active_at is restored after comments
* publishing doesn't overwrite explicit last_active_at values
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com >
2025-12-11 19:06:03 -08:00
Rob Zolkos
9ca5e792f1
Add QrCodesController test
2025-12-11 13:51:18 -05:00
Stanko K.R.
b6edb93c47
Pin sign in attempts to the current session
...
This makes it way more difficult to brute-force a magic link.
Original implementation by udiudi. Ref: https://github.com/udiudi/fizzy/pull/1/files
Discussion: https://github.com/basecamp/fizzy/discussions/1981
Co-Authored-By: Udi <udi@udi.codes >
2025-12-11 19:05:54 +01:00
Mike Dalessio
679a073c6b
Add test coverage for the require_unauthenticated_access redirect
2025-12-11 13:02:54 -05:00
Kevin McConnell
193a28f6c8
Merge pull request #2035 from harisadam/single_tenant
...
Add env-configurable option to disable public signups
2025-12-11 13:08:19 +00:00
Kevin McConnell
05d176cc31
Test that sign in respects single tenant state
2025-12-11 12:49:03 +00:00
Kevin McConnell
0e443d3602
Use initializer to configure tenant mode
2025-12-11 11:20:43 +00:00
Kevin McConnell
a5580666a7
Single tenant by default & update tests
2025-12-11 11:20:43 +00:00
Stanko K.R.
5ee10800a2
Allow direct uploads via API
2025-12-11 11:52:38 +01:00
Tomas Costantino
5eda42f2dd
update columns controller destroy test
2025-12-11 10:49:05 +01:00
Tomas Costantino
51d61b5cf8
update tests
2025-12-11 10:36:56 +01:00
Tomas Costantino
df7e597066
Merge branch 'main' into update-columns-on-actions
2025-12-11 10:17:15 +01:00
Adam Haris
f76309d116
Merge branch 'main' into single_tenant
2025-12-11 06:08:01 +01:00
Jankees van Woezik
477b4d65f2
API: Support created_at for API card and comment creation ( #2056 )
...
* Add support to set `created_at`
Discussed in
https://github.com/basecamp/fizzy/pull/1766#issuecomment-3637846074 ,
this allows users to import cards from another system with entries from
the past. For instance I'm importing all our Github issues (including
the closed onces) to Fizzy.
* Iron out published state tracking
---------
Co-authored-by: Jeremy Daer <jeremy@37signals.com >
2025-12-10 19:57:38 -08:00
Stanko K.R.
4e092407ab
Fix crash due to missing partial
2025-12-10 18:47:00 +01:00
Mike Dalessio
fa118a7d83
Add validation for the join code usage limit
...
which is preferred to generating a database error
2025-12-10 10:10:08 -05:00
Adam Haris
eb8655dc8e
refactor: use MULTI_TENANT env variable, model concern instead of controller (#accepting_signups?)
2025-12-10 15:14:22 +01:00
Stanko K.R.
5ce71bf941
Move Identities to My::Identities
2025-12-10 15:13:35 +01:00
Stanko K.R.
79e77a3780
Handle user update failures
2025-12-10 09:23:53 +01:00
Stanko K.R.
7b30ca203e
Add index actions for Comments and Columns
...
Also, fix crash when a deactivated user is serialized (they don't have
an identity).
2025-12-10 09:23:52 +01:00
Stanko K.R.
bf51950007
Add API for reading notifications
2025-12-10 09:23:52 +01:00
Stanko K.R.
1a24c1373c
Add API for creating and updating boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
f3ff0c605e
Add pagination to most places and fix cards pagination
2025-12-10 09:23:52 +01:00
Stanko K.R.
ba30a301dc
Add API for updating and deactivating users
2025-12-10 09:23:52 +01:00
Stanko K.R.
7a0554774c
Add API for columns
2025-12-10 09:23:52 +01:00
Stanko K.R.
d16b3756de
Add API for reactions
2025-12-10 09:23:52 +01:00
Stanko K.R.
eeed2a8416
Add API for watching cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
ed1002f6c5
Add API for card triage
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a84785056
Add API for tagging cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
c517ef6063
Add API for CRUD actions on steps
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a61ca2a79
Add API for postponing cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
52e65b3c08
Add API for removing card images
2025-12-10 09:23:52 +01:00
Stanko K.R.
1caeea541d
Add API for gilding cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
41115eaf87
Add API for comments CRUD
2025-12-10 09:23:52 +01:00
Stanko K.R.
b4012dfb40
Add API for closing and opening cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
cf52982b8b
Add API for mobing cards between boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
23e6f3b095
Add API for assigning cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
235a94355e
Add card update & delete actions
2025-12-10 09:23:52 +01:00
Stanko K.R.
ae03f2b283
Move tests into their controller tests
2025-12-10 09:23:52 +01:00