Commit Graph

7325 Commits

Author SHA1 Message Date
Rosa Gutierrez d88949288c Check and report on Sec-Fetch-Site header for forgery protection
This is a great, solid alternative to CSRF tokens for CSRF protection
when we aren't worried about older browsers or other kind of actors
doing modifying requests in our app, and could be a good test for future
upstreaming to Rails (although there we'd need to continue using CSRF
tokens or at least letting people opt out manually).

Let's start checking the header and reporting on it when CSRF fails or
when it doesn't match the other checks Rails does, and then promote this
to be the only way to defend from CSRF.
2025-11-25 19:19:50 +01:00
Mike Dalessio 51860d6c66 Merge pull request #1719 from basecamp/flavorjones/dep-update-20251125
bundle update - 20251125
2025-11-25 10:30:51 -05:00
Mike Dalessio f0a22ea608 bundle update 2025-11-25 10:28:12 -05:00
Mike Dalessio 9707ed0af9 Merge pull request #1615 from basecamp/dependabot/bundler/bootsnap-1.19.0
Bump bootsnap from 1.18.6 to 1.19.0
2025-11-25 10:22:47 -05:00
Mike Dalessio 0b4896654a Merge pull request #1706 from basecamp/dependabot/bundler/rails-17f6e00
Bump rails from `077c3ad` to `17f6e00`
2025-11-25 10:21:38 -05:00
dependabot[bot] 62dbae568b Bump bootsnap from 1.18.6 to 1.19.0
Bumps [bootsnap](https://github.com/rails/bootsnap) from 1.18.6 to 1.19.0.
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rails/bootsnap/compare/v1.18.6...v1.19.0)

---
updated-dependencies:
- dependency-name: bootsnap
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-25 15:16:29 +00:00
dependabot[bot] e2f5eaa93f Bump rails from 077c3ad to 17f6e00
Bumps [rails](https://github.com/rails/rails) from `077c3ad` to `17f6e00`.
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](https://github.com/rails/rails/compare/077c3ad60db4c43cccb8f4637b53b8d8eb7a3c19...17f6e00bce8c35b6c5355450331da170c768e3e0)

---
updated-dependencies:
- dependency-name: rails
  dependency-version: 17f6e00bce8c35b6c5355450331da170c768e3e0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-25 15:14:12 +00:00
Mike Dalessio 8ad59e75d4 Merge pull request #1709 from basecamp/dependabot/bundler/aws-sdk-s3-1.205.0
Bump aws-sdk-s3 from 1.201.0 to 1.205.0
2025-11-25 10:13:38 -05:00
Mike Dalessio 1059220b2a Merge pull request #1626 from basecamp/dependabot/bundler/development-dependencies-a98687e030
Bump the development-dependencies group across 1 directory with 3 updates
2025-11-25 10:12:22 -05:00
Mike Dalessio 2c838f2aa2 Merge pull request #1707 from basecamp/dependabot/bundler/prometheus-client-mmap-1.3.0
Bump prometheus-client-mmap from 1.2.10 to 1.3.0
2025-11-25 10:11:24 -05:00
Mike Dalessio 0ddf356e7d Merge pull request #1704 from basecamp/dependabot/bundler/yabeda-puma-plugin-0.9.0
Bump yabeda-puma-plugin from 0.8.0 to 0.9.0
2025-11-25 10:10:07 -05:00
Mike Dalessio 17011d4047 Merge pull request #1703 from basecamp/dependabot/bundler/solid_cache-1.0.10
Bump solid_cache from 1.0.8 to 1.0.10
2025-11-25 10:08:34 -05:00
Mike Dalessio 213f5749bb Merge pull request #1708 from basecamp/dependabot/bundler/autotuner-1.1.0
Bump autotuner from 1.0.2 to 1.1.0
2025-11-25 10:05:53 -05:00
Stanko Krtalić a165334cbd Merge pull request #1718 from basecamp/fix-cards-getting-stuck-in-edit-mode
Fix cards getting stuck in edit mode
2025-11-25 15:37:44 +01:00
Stanko K.R. a7df8260c3 Fix cards getting stuck in edit mode 2025-11-25 15:36:13 +01:00
Kevin McConnell f086981dac Merge pull request #1717 from basecamp/sentry-ignore-concurrent-migration-exception
Don't report `ConcurrentMigrationError` to Sentry
2025-11-25 13:28:42 +00:00
Kevin McConnell b238a5b45b Don't report ConcurrentMigrationError to Sentry 2025-11-25 13:24:07 +00:00
Stanko Krtalić 6753860c05 Merge pull request #1716 from basecamp/add-staff-flag-to-identities
Determine staff members based on flag
2025-11-25 14:11:38 +01:00
Kevin McConnell efae77efd6 Merge pull request #1715 from basecamp/mysql-max-execution-time
Set MySQL max statement timeout to 5s
2025-11-25 13:10:19 +00:00
Stanko K.R. f64a49dcc0 Determine staff members based on flag
This replaces the old system based on email addresses, the aim is to make it more generic and thus appropriate for OSS/self-hosting

See: https://3.basecamp.com/2914079/buckets/37331921/todos/9302705265#__recording_9320051455
2025-11-25 14:09:31 +01:00
Kevin McConnell b6e31a234a Set MySQL max statement timeout to 5s 2025-11-25 12:58:17 +00:00
Stanko Krtalić aab3a56d31 Merge pull request #1714 from basecamp/allow-long-user-agent-strings
Allow long user agent strings
2025-11-25 12:11:50 +01:00
Stanko K.R. cc49a1b772 Allow long user agent strings
Copied this from BC and HEY which also use a string with a 4096 character length

See: https://app.fizzy.do/5986089/cards/3066
2025-11-25 12:09:02 +01:00
Stanko Krtalić 01dc7c1ce0 Merge pull request #1713 from basecamp/put-tags-the-card-is-tagged-with-first
Show tags the card is tagged with first
2025-11-25 11:34:04 +01:00
Stanko K.R. 4e52f9b9a9 Show tags the card is tagged with first 2025-11-25 11:24:21 +01:00
Stanko Krtalić c8169c1972 Merge pull request #1712 from basecamp/fix-background-image-previews
Fix background images not showing up after upload
2025-11-25 08:15:20 +01:00
Stanko K.R. c11a13dc20 Replace the whole card on update 2025-11-25 08:13:18 +01:00
Jason Zimdars 30f50d6715 Merge pull request #1711 from basecamp/jz-11-24-25
JZ 11/24/25
2025-11-24 21:31:06 -06:00
Jason Zimdars 3e0d2d8b4d Include bottom inset on the modal and footer, too
Makes sure everything moves together on mobile
2025-11-24 21:28:48 -06:00
Jason Zimdars 5215c5ccb9 Attempt to fix expanded search input 2025-11-24 21:24:09 -06:00
Jason Zimdars b45554966f Lose the second close button 2025-11-24 17:48:21 -06:00
Jason Zimdars 0c05694a3c This seems to have caused the unwanted effect of not focusing the field in Mobile Safari
Looks like it regressed in
https://github.com/basecamp/fizzy/commit/250935530f86eb628d6b54ec6b7212dac9e76f8b.
Let's see if we can get focus in Safari without sacrificing select in
other browsers by simply moving the nextFrame() call
2025-11-24 17:48:02 -06:00
Jason Zimdars 74cd88d626 Always display the cancel button, esc isn't obvious 2025-11-24 17:19:01 -06:00
Jason Zimdars cfc61c318d Nothing should cover the bar, trays or search results 2025-11-24 17:18:44 -06:00
Jason Zimdars 789c00b87f Dark theme color isn't black
I *think* we don't need the theme color in the manifest since it doesn't
have dark mode support anyway
2025-11-24 16:37:50 -06:00
Jason Zimdars a1fcabf01e Add env constaints for mobile layout
In theory, this prevents overlapping device elements like the dynamic
island in landscape
2025-11-24 16:33:32 -06:00
Jason Zimdars b93224b45c Smaller on mobile
It really takes up a lot of space in landscape
2025-11-24 16:22:33 -06:00
Jason Zimdars 4e14c0df27 Reasonalbe max heights
Use all the available space above the search/trays footer. On mobile use
the full viewport height
2025-11-24 16:16:09 -06:00
Jason Zimdars ed19e6d494 Remove top orientation (it doesn't work well), make right and left classes exclusive
In certain cases (board picker) both classes would be applied making a
mess
2025-11-24 15:49:42 -06:00
Jason Zimdars 9cc63c6dce This is too fancy, remove it 2025-11-24 15:48:08 -06:00
Jason Zimdars 2f6f4cd3f5 Set reasonable maxes 2025-11-24 15:47:57 -06:00
Jason Zimdars 3a2b347aba Restore bubble to Maybe
Stalled cards in Maybe are often out of view
2025-11-24 15:17:45 -06:00
Mike Dalessio dc2d86ca54 Merge pull request #1710 from basecamp/flavorjones/plan-b-cleanup
Restore structured logging of `queenbee_id`
2025-11-24 15:59:14 -05:00
Mike Dalessio 9f117159a6 Restore structured logging of queenbee_id
and clean up some other small remaining "plan b" to-dos.
2025-11-24 15:50:45 -05:00
dependabot[bot] 143723a384 Bump aws-sdk-s3 from 1.201.0 to 1.205.0
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.201.0 to 1.205.0.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

---
updated-dependencies:
- dependency-name: aws-sdk-s3
  dependency-version: 1.205.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-24 20:30:51 +00:00
dependabot[bot] 41a7d55672 Bump autotuner from 1.0.2 to 1.1.0
Bumps [autotuner](https://github.com/Shopify/autotuner) from 1.0.2 to 1.1.0.
- [Release notes](https://github.com/Shopify/autotuner/releases)
- [Commits](https://github.com/Shopify/autotuner/compare/v1.0.2...v1.1.0)

---
updated-dependencies:
- dependency-name: autotuner
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-24 20:30:36 +00:00
dependabot[bot] 50332d0a4f Bump prometheus-client-mmap from 1.2.10 to 1.3.0
Bumps [prometheus-client-mmap](https://gitlab.com/gitlab-org/prometheus-client-mmap) from 1.2.10 to 1.3.0.
- [Release notes](https://gitlab.com/gitlab-org/prometheus-client-mmap/tags)
- [Changelog](https://gitlab.com/gitlab-org/prometheus-client-mmap/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/gitlab-org/prometheus-client-mmap/compare/1.2.10...1.3.0)

---
updated-dependencies:
- dependency-name: prometheus-client-mmap
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-24 20:30:23 +00:00
dependabot[bot] 9df6919e9e Bump the development-dependencies group across 1 directory with 3 updates
Bumps the development-dependencies group with 3 updates in the / directory: [brakeman](https://github.com/presidentbeef/brakeman), [webmock](https://github.com/bblimke/webmock) and [mocha](https://github.com/freerange/mocha).


Updates `brakeman` from 7.1.0 to 7.1.1
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](https://github.com/presidentbeef/brakeman/compare/v7.1.0...v7.1.1)

Updates `webmock` from 3.26.0 to 3.26.1
- [Release notes](https://github.com/bblimke/webmock/releases)
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md)
- [Commits](https://github.com/bblimke/webmock/compare/3.26.0...v3.26.1)

Updates `mocha` from 2.7.1 to 2.8.2
- [Changelog](https://github.com/freerange/mocha/blob/main/RELEASE.md)
- [Commits](https://github.com/freerange/mocha/compare/v2.7.1...v2.8.2)

---
updated-dependencies:
- dependency-name: brakeman
  dependency-version: 7.1.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
- dependency-name: webmock
  dependency-version: 3.26.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
- dependency-name: mocha
  dependency-version: 2.8.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-24 20:29:32 +00:00
dependabot[bot] c4487581bb Bump yabeda-puma-plugin from 0.8.0 to 0.9.0
Bumps [yabeda-puma-plugin](https://github.com/yabeda-rb/yabeda-puma-plugin) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/yabeda-rb/yabeda-puma-plugin/releases)
- [Changelog](https://github.com/yabeda-rb/yabeda-puma-plugin/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yabeda-rb/yabeda-puma-plugin/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: yabeda-puma-plugin
  dependency-version: 0.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-24 20:29:30 +00:00
dependabot[bot] 9adcd2f02f Bump solid_cache from 1.0.8 to 1.0.10
Bumps [solid_cache](https://github.com/rails/solid_cache) from 1.0.8 to 1.0.10.
- [Release notes](https://github.com/rails/solid_cache/releases)
- [Commits](https://github.com/rails/solid_cache/compare/v1.0.8...v1.0.10)

---
updated-dependencies:
- dependency-name: solid_cache
  dependency-version: 1.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-24 20:29:13 +00:00