Stanko K.R.
bf51950007
Add API for reading notifications
2025-12-10 09:23:52 +01:00
Stanko K.R.
1a24c1373c
Add API for creating and updating boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
f3ff0c605e
Add pagination to most places and fix cards pagination
2025-12-10 09:23:52 +01:00
Stanko K.R.
ba30a301dc
Add API for updating and deactivating users
2025-12-10 09:23:52 +01:00
Stanko K.R.
7a0554774c
Add API for columns
2025-12-10 09:23:52 +01:00
Stanko K.R.
d16b3756de
Add API for reactions
2025-12-10 09:23:52 +01:00
Stanko K.R.
eeed2a8416
Add API for watching cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
ed1002f6c5
Add API for card triage
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a84785056
Add API for tagging cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
c517ef6063
Add API for CRUD actions on steps
2025-12-10 09:23:52 +01:00
Stanko K.R.
8a61ca2a79
Add API for postponing cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
52e65b3c08
Add API for removing card images
2025-12-10 09:23:52 +01:00
Stanko K.R.
1caeea541d
Add API for gilding cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
41115eaf87
Add API for comments CRUD
2025-12-10 09:23:52 +01:00
Stanko K.R.
b4012dfb40
Add API for closing and opening cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
cf52982b8b
Add API for mobing cards between boards
2025-12-10 09:23:52 +01:00
Stanko K.R.
23e6f3b095
Add API for assigning cards
2025-12-10 09:23:52 +01:00
Stanko K.R.
235a94355e
Add card update & delete actions
2025-12-10 09:23:52 +01:00
Stanko K.R.
ae03f2b283
Move tests into their controller tests
2025-12-10 09:23:52 +01:00
Stanko K.R.
259707bf70
Fix identity tests
2025-12-10 09:23:52 +01:00
Jay Ohms
26fc9ecad4
Add an /identity.json endpoint to obtain the identity accounts and users
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
3f393c1423
Include card description and tags
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
a8dc4fb310
Excess whitespace
2025-12-10 09:23:52 +01:00
Jay Ohms
680f9c0c4d
Add top-level API index support for tags
2025-12-10 09:23:52 +01:00
Jay Ohms
5ad7b973cb
Add API support for users
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
983a19fd8a
Create cards via API
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
f0c0a87c74
Return json URLs for API actions
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
129b81984f
Creating a new board will return the location header
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
0ce3a85778
Only allow writing when the access token has permission
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
96b62d6ec4
Only allow new token to be viewed within 10 seconds
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
895b0e13b8
Drop the need for access tokens to have a session
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
db29562c4c
Tie access token directly to session
...
We need to present them differently in the session list and prevent them
from being deleted
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
b53c0a5385
Correct
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
d384971ea2
Test the boards API
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
a81c681a8d
Add access token authentication via HTTP AUTHORIZATION bearer header
2025-12-10 09:23:52 +01:00
Robin Brandt
d60643f5ef
Allow chromium unstable endpoint
2025-12-09 20:24:09 -05:00
Jeremy Daer
85bd5c2df5
Rails seeded parallel tests ( #2037 )
...
Enable work stealing by default for a tiny speedup at the cost of small
loss in reproducibility.
References https://github.com/rails/rails/pull/56175
2025-12-09 15:50:01 -08:00
Jorge Manrubia
94c59a2399
Merge pull request #2033 from basecamp/limit-webhook-response-size
...
Stream response in webhook request manually to check size
2025-12-09 12:16:42 +01:00
Rosa Gutierrez
29c7926307
Stream response in webhook request manually to check size
...
This addresses a DoS vulnerability where the response might be massive
leading to OOM errors, as the response is read in full in memory by
default.
To prevent this, we need to read the body in chunks, checking the
size of the chunks we've read and raising if we go over a certain limit.
I've set the limit to 100 KB because the responses to these requests
should be fairly small or even empty, and we only care about the status
code in the end.
2025-12-09 11:25:12 +01:00
Jeremy Daer
ea8a78cc22
Fix stale-read race when creating push subscriptions
...
(Caught one such uniqueness exception in the wild)
* 200 OK -> 204 No Content, default status
* No need to touch the subscription when found
* Drop superflous test
2025-12-09 01:34:37 -08:00
Jeremy Daer
b23a5d0b7c
Fix flaky tests caused by leaky show_exceptions twiddling ( #2028 )
...
Rails memoizes `@app_env_config`, so running push subscriptions test
after join codes test will result in running with `show_exceptions:
:none`, causing RecordInvalid to raise instead of returning 422 status.
References #1996
2025-12-08 23:27:36 -08:00
Jeremy Daer
49c4f2adc6
Fix ActiveStorage FileNotFoundError with immediate variant processing ( #2022 )
...
When ActiveStorage::Record uses `connects_to` for read replica support,
it creates a separate connection pool from ApplicationRecord. This causes
`after_commit` callbacks to fire in non-deterministic order - the
Attachment's `create_variants` callback can fire before the User model's
upload callback completes, resulting in FileNotFoundError.
The fix removes replica connection configuration from ActiveStorage::Record
so it shares the same connection pool as application models, ensuring
proper callback ordering.
Also reverts test workarounds that were added to work around this issue,
since the root cause is now fixed.
See: https://github.com/rails/rails/issues/53694
2025-12-08 14:44:49 -08:00
Jorge Manrubia
cb0e9b9962
Immediate avatar and embed variants ( #2002 )
...
Reverts #2001
Restores #1955
2025-12-08 14:17:06 -08:00
Mike Dalessio
3c4b838b25
Fix Identity destruction callback ordering
...
ref: #2003
Co-authored-by: Dylan <dylan@restaurantcare.com.au >
2025-12-08 15:12:38 -05:00
Mike Dalessio
abe48f0efa
Ensure user toggles on board edit page are cached properly
...
Not including the disabled flag as part of the cache resulted in
issues like the one described in #1992
2025-12-08 14:21:56 -05:00
Mike Dalessio
48730d67e0
Disable board edit buttons for select all/none when not privileged
...
ref: https://github.com/basecamp/fizzy/discussions/1992
2025-12-08 13:32:41 -05:00
Mike Dalessio
661a7e5e2d
Validate email before creating identity during join code redemption
...
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.
See similar change in #1996 for sign-in and sign-up
2025-12-07 13:26:34 -05:00
Jorge Manrubia
c8c91259c7
Revert "Immediate avatar and embed variants"
2025-12-07 12:06:03 +01:00
Jorge Manrubia
568783efd1
Merge pull request #1905 from basecamp/web-push-ssrf
...
Security: Web Push SSRF
2025-12-07 11:58:14 +01:00
Jorge Manrubia
91017c9208
Merge pull request #1955 from basecamp/immediate-variants
...
Immediate avatar and embed variants
2025-12-07 11:50:02 +01:00