Commit Graph

5821 Commits

Author SHA1 Message Date
Jason Zimdars 8659e19671 Collapse and expand system comments 2025-12-16 14:21:48 -06:00
Jorge Manrubia 0278fe6ae4 Revert "Mobile app / Scoped stylesheets" (#1698)
This reverts commit 39c1906e67.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-16 17:20:18 +01:00
Mike Dalessio 2b388dd241 Merge pull request #2164 from basecamp/flavorjones/user-validate-name
Validate User name presence and handle blank names gracefully
2025-12-16 10:49:13 -05:00
Jorge Manrubia ee80b87c8c Add billing system with Stripe
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Jason Zimdars <jz@37signals.com>
2025-12-16 16:44:20 +01:00
Mike Dalessio b75d2ae6d8 Validate User name presence and handle blank names gracefully
Addresses an issue where User#familiar_name assumed `name` was always
present, potentially raising an exception during view rendering. Now
User validates name presence, and User#familiar_name handles blank
strings without error, in case any existing invalid records exist.
2025-12-16 10:44:10 -05:00
Adrien Maston 04332bc526 Merge branch 'main' into mobile-app/scoped-stylesheets
* main:
  Use decimals for ordered lists
  Update cached fragments
  Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
  Show only public cards on public boards
  Swap order of avatar links
  Limit length of full name during signup
  Make layout bulletproof
  Serve own avatar from its own endpoint
2025-12-16 15:30:31 +01:00
Andy Smith 2ea6f4e070 Use decimals for ordered lists 2025-12-15 13:14:11 -06:00
Kevin McConnell e2292a1739 Update cached fragments 2025-12-15 13:23:57 +00:00
Kevin McConnell 741eff7bdc Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
This reverts commit c628f14c01, reversing
changes made to 4bafc73236.
2025-12-15 13:07:13 +00:00
Stanko Krtalić 2058743be9 Merge pull request #2146 from basecamp/show-only-published-cards-on-public-boards
Show only public cards on public boards
2025-12-15 13:26:12 +01:00
Kevin McConnell c628f14c01 Merge pull request #1865 from basecamp/public-avatar-caching
Serve own avatar from its own endpoint
2025-12-15 12:20:28 +00:00
Stanko K.R. 87081aa617 Show only public cards on public boards 2025-12-15 13:15:36 +01:00
Kevin McConnell d4cbc86113 Swap order of avatar links
If the conditional CSS rules failed to match for some reason, we should
prefer the general avatar image rather than the "my" avatar one. That
way the fallback mode will still look correct.
2025-12-15 11:22:00 +00:00
Kevin McConnell 87c6557747 Limit length of full name during signup
If we don't validate for length, then signups that overflow the database
columns will unnecessarily create and cancel a tenant. Adding a
validation means we can avoid this.
2025-12-15 09:56:35 +00:00
Adrien Maston 1f346085b9 Merge branch 'main' into mobile-app/scoped-stylesheets
* main: (119 commits)
  Bust comment view cache
  Update lexxy to bring fixes from https://github.com/basecamp/lexxy/releases/tag/v0.1.24.beta
  Fix unexpected remove empty line from README
  Lightbox uses Stimulus target callbacks instead of data-action
  Add test coverage for the image lightbox
  Add tests for tenancy middleware and timezone cookie
  Refactor: Simplify TimeWindowParser using Rails convenience methods
  SMTP: support SMTPS on port 465 (#2132)
  Bump fizzy-saas to retain fewer docker images (#2134)
  Add test coverage for with_golden_first scope (#2130)
  Refactor: improve query scope composition with merge syntax (#2131)
  Validate avatar sizes
  Introduce Vips configuration
  Tailscale serve support (#2126)
  Update tests with final method naming: record! -> record
  CSP config to allow Minio in development
  Update fizzy-saas to get employee restriction in staging
  Drop staff restriction in beta and staging
  Unused
  Use new FIZZY_GH_TOKEN with limited access
  ...
2025-12-15 10:43:32 +01:00
Mike Dalessio c6725fdca0 Bust comment view cache
because, unlike ordinary view file changes, the change to Action Text
attachment rendering in e9cb2956 doesn't bust the cache automatically.
2025-12-14 13:05:45 -05:00
Mike Dalessio 088b06bf95 Merge pull request #2137 from basecamp/flavorjones/data-action-fix
Image lightbox uses Stimulus target callbacks instead of `data-action`
2025-12-14 12:48:17 -05:00
Jorge Manrubia 31542373ee Merge pull request #2112 from JangoCG/feature/rate-limit-join-codes
feat: protect join codes from brute-force attacks
2025-12-14 09:43:28 +01:00
Jorge Manrubia 01a5d194ba Merge pull request #2135 from italomatos/refactor/improve-time-window-parser-readability
Refactor: Simplify TimeWindowParser using Rails convenience methods
2025-12-14 09:42:07 +01:00
Jorge Manrubia 95c82a234b Merge pull request #2114 from robzolkos/remove-unused-install-svg
Remove unused install.svg and its CSS class
2025-12-14 09:40:18 +01:00
Jorge Manrubia 57008e0026 Merge pull request #2111 from robzolkos/remove-unpaired-view-transition-name
Remove unpaired view-transition-name
2025-12-14 09:39:08 +01:00
Jorge Manrubia cac9088ad3 Merge pull request #2105 from seuros/main
feat: expose closed boolean in card JSON API
2025-12-14 09:36:32 +01:00
Jorge Manrubia e3987d2d08 Merge pull request #2063 from basecamp/lexxy-prompt-padding
Fix Lexxy prompt list padding by lowering rich-text specificity
2025-12-14 09:29:44 +01:00
Jorge Manrubia d7e5d4218f Merge pull request #2032 from tomycostantino/update-columns-on-actions
Fix: board columns actions are stale when moving a column moves
2025-12-14 09:28:57 +01:00
Mike Dalessio e9cb2956ee Lightbox uses Stimulus target callbacks instead of data-action
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.

Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
2025-12-13 17:06:03 -05:00
Italo Matos 5ade7e1a52 Refactor: Simplify TimeWindowParser using Rails convenience methods
- Replace `beginning_of_day..end_of_day` with `all_day`
- Replace `beginning_of_week..end_of_week` with `all_week`
- Replace `beginning_of_month..end_of_month` with `all_month`
- Replace `beginning_of_year..end_of_year` with `all_year`

These changes improve code readability by using idiomatic Rails
methods that accomplish the same thing in a more concise and
expressive way.
2025-12-13 16:31:48 -03:00
Mike Dalessio 3584df6816 Merge pull request #2133 from basecamp/flavorjones/handle-image-uploads-better
Improve avatar image handling
2025-12-13 13:25:54 -05:00
Ítalo Matos fbc586646f Refactor: improve query scope composition with merge syntax (#2131)
* Refactor: improve query scope composition with merge syntax

Replace manual WHERE clause concatenation with Rails' merge method
for more elegant and maintainable scope composition across Card,
Comment, and Filter models. This approach better follows Rails
conventions and improves code readability.

* Extend scope composition improvements to Card::Closeable

Apply the same nested hash syntax pattern to closures table references
in order and where clauses.

* Remove unnecessary outer braces from where clause

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-13 10:10:13 -08:00
Mike Dalessio 139bf3cf81 Validate avatar sizes 2025-12-13 13:05:30 -05:00
Jeremy Daer 82626f020d Tailscale serve support (#2126)
Ensure we can serve the app from multiple hosts without breaking links.
* Switch unnecessary full URLs to paths
* Drop default host/port URL options for controllers

Shell 1
```bash
bin/dev
```

Shell 2
```bash
tailscale serve http://fizzy.localhost:3006
```
2025-12-13 09:29:50 -08:00
Jason Zimdars 88ab0beb24 Make layout bulletproof 2025-12-12 22:40:53 -06:00
Mike Dalessio 08525282de Merge pull request #2122 from basecamp/flavorjones/limit-staging-beta-to-internal
Drop the `staff?` requirement in beta and staging
2025-12-12 15:36:18 -05:00
Mike Dalessio 9cff236f66 Drop staff restriction in beta and staging
because it was preventing testing of signups.
2025-12-12 15:12:46 -05:00
David Heinemeier Hansson c9e9e7be55 Unused 2025-12-12 20:40:47 +01:00
Jason Zimdars 0bc3ccb528 Merge pull request #2109 from basecamp/theme-tweak
Apply theme preference before body renders
2025-12-12 11:48:47 -06:00
Rosa Gutierrez 7f5fa6d715 Use Sec-Fetch-Site exclusively for CSRF protection
And close the gap with JSON requests, which shouldn't be allowed if
Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this
wouldn't be coming from a browser.
2025-12-12 18:37:32 +01:00
Andy Smith 0181b1df84 Merge pull request #2115 from basecamp/maybe-mini-bubble-position
Better mini-bubble position for the Maybe column
2025-12-12 11:17:44 -06:00
Rob Zolkos 412bf09e30 Remove unused install.svg and its CSS class
The install.svg file and .icon--install CSS class (which was duplicated)
appear to have never been used. Added in c3b946c96.
2025-12-12 12:08:10 -05:00
Andy Smith 9649880b62 Ensure images and videos are centered 2025-12-12 11:03:31 -06:00
Andy Smith e97e3b126e Merge branch 'main' into lexxy-prompt-padding 2025-12-12 11:00:08 -06:00
Cengiz Guertusgil 09a2e7d7d7 feat: add rate limit to join codes controller 2025-12-12 17:21:57 +01:00
Rob Zolkos a12dfea3c8 Remove unpaired view-transition-name from public card show 2025-12-12 10:50:51 -05:00
Kevin McConnell 87ad234f32 Apply theme preference before body
To avoid any visual flashes of the old theme before the Stimulus
controllers load, we can apply the saved theme from `<head>` whenever
there is a full page load.

This applies to both the regular and public views, as we're doing it in
the shared head partial.
2025-12-12 14:17:58 +00:00
Kevin McConnell e13565ee70 Merge pull request #2104 from basecamp/remove-unused-include
Remove redundant include
2025-12-12 09:14:15 +00:00
Abdelkader Boudih b5caa8716d feat: expose closed boolean in card JSON API
Adds `closed` field to card JSON response, allowing API consumers
to detect closed status without parsing the status enum or making
additional API calls.
2025-12-12 10:12:21 +01:00
Kevin McConnell eec96ff384 Serve own avatar from its own endpoint
This allows us to have different cache controls depending on whether
you're viewing your own avatar, or someone else's. Your own avatar will
always be fresh, while other folks' avatars can be pulled from the CDN.
2025-12-12 09:03:35 +00:00
Stanko K.R. c8a5d01771 Wrap join code redemption in a lock 2025-12-12 09:59:42 +01:00
Kevin McConnell 8d32a322e9 Remove redundant include
This is no longer needed since af0e2488 removed the streaming of
avatar images.
2025-12-12 08:58:52 +00:00
Stanko K.R. a4d11e169f Replace custom code generator with Base32 2025-12-12 07:45:23 +01:00
Stanko Krtalić 23425cb67b Merge pull request #2086 from basecamp/harden-magic-links
Pin sign in attempts to the current session
2025-12-12 07:23:19 +01:00