Mike Dalessio
abe48f0efa
Ensure user toggles on board edit page are cached properly
...
Not including the disabled flag as part of the cache resulted in
issues like the one described in #1992
2025-12-08 14:21:56 -05:00
Rosa Gutierrez
2352f30b61
Adopt a cooldown period for dependency updates
...
As suggested by @flavorjones, and explained in:
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
This applies:
- 7 days as default: from the article, a 7-day
cooldown would have prevented 8 out of 10 recent
supply chain attacks. It seems reasonably long
but not crazy long.
- 14 days for major versions, to give some time
to the community to find problems.
2025-12-08 20:05:03 +01:00
Jeremy Daer
dcc005be34
Add lazy error context for Rails error reporter ( #2014 )
...
Register a middleware with Rails.error that adds identity_id and
account_id from Current attributes. Only evaluated when an error
is actually reported, avoiding the cost on successful requests.
2025-12-08 11:00:40 -08:00
Mike Dalessio
c2380dc057
Merge pull request #2013 from basecamp/flavorjones/1992-board-admin
...
Disable board edit buttons for select all/none when not privileged
2025-12-08 13:46:53 -05:00
Mike Dalessio
48730d67e0
Disable board edit buttons for select all/none when not privileged
...
ref: https://github.com/basecamp/fizzy/discussions/1992
2025-12-08 13:32:41 -05:00
Jeremy Daer
b88182c3ad
Autotuner: use structured logging instead of Sentry ( #2011 )
...
Move thousands of info-level Sentry events to logs. Query Loki rather
than downsampling events: `event.action = "run.ruby-script",
script.name = "autotuner"`
2025-12-08 10:01:28 -08:00
Jason Zimdars
bc073a7e79
Merge pull request #2008 from nqst/involvement-button-label-restore
...
Restore "Watch this" / "Stop watching" button labels
2025-12-08 11:57:16 -06:00
Mike Dalessio
cf6d3e2361
Merge pull request #2010 from basecamp/flavorjones/search-results-datetime
...
Add datetime to the search results
2025-12-08 12:12:36 -05:00
Mike Dalessio
642506e79e
Add datetime to the search results
...
I find it helpful (especially when going through a long list of
results) to know how far back in time I'm looking.
A note on the timestamp being used: it's the search index
timestamp. Using the card or comment `updated_at` is fraught because
we do so much touching of records (e.g., comment is touched when a
reaction is added; card is touched when a comment is added). Let's
display the search record's `created_at`, which is the ordering used
for the overall results.
2025-12-08 11:58:54 -05:00
Mike Dalessio
63805aee0f
Merge pull request #1984 from gijigae/fix/japanese-ime-input
...
Fix Japanese IME input handling for tag, step, and reaction fields
2025-12-08 11:09:33 -05:00
Alexander Zaytsev
c479235c60
Fix involvement button label
2025-12-08 15:54:36 +01:00
Robin Brandt
2110fba227
Bump mittens to 0.3.1 ( #2006 )
2025-12-08 15:26:39 +01:00
Jorge Manrubia
15983cede3
No need to pass Currentl.user since it is the default value for the param
2025-12-07 20:03:06 +01:00
Mike Dalessio
30422486df
Merge pull request #2005 from basecamp/flavorjones/join-code-email-validation
...
Validate email before creating identity during join code redemption
2025-12-07 13:33:01 -05:00
Mike Dalessio
661a7e5e2d
Validate email before creating identity during join code redemption
...
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.
See similar change in #1996 for sign-in and sign-up
2025-12-07 13:26:34 -05:00
user
0b1a25c6b9
Ignore RubyMine project files in .gitignore
2025-12-07 20:47:25 +09:00
Jorge Manrubia
12eceb97eb
Merge pull request #2001 from basecamp/revert-1955-immediate-variants
...
Revert "Immediate avatar and embed variants"
2025-12-07 12:09:03 +01:00
Jorge Manrubia
c8c91259c7
Revert "Immediate avatar and embed variants"
2025-12-07 12:06:03 +01:00
Jorge Manrubia
7fe22b5767
Merge pull request #1971 from ari-party/patch-02
...
README.md codeblock consistency
2025-12-07 11:59:52 +01:00
Jorge Manrubia
2ef0377f56
Merge pull request #1966 from ari-party/main
...
Add WEB_CONCURRENCY env support for Puma worker count
2025-12-07 11:59:15 +01:00
Jorge Manrubia
568783efd1
Merge pull request #1905 from basecamp/web-push-ssrf
...
Security: Web Push SSRF
2025-12-07 11:58:14 +01:00
Jorge Manrubia
91017c9208
Merge pull request #1955 from basecamp/immediate-variants
...
Immediate avatar and embed variants
2025-12-07 11:50:02 +01:00
Jorge Manrubia
4a6f28b7c5
Merge pull request #1948 from jstarner/custom-delete-modals
...
Replace turbo confirmation dialogs with custom delete modals
2025-12-07 11:48:58 +01:00
Jorge Manrubia
9f20e8bfbb
Merge pull request #1973 from basecamp/lightbox-transitionend-handler
...
Fix lightbox transitionend listener leak
2025-12-07 11:44:03 +01:00
Jorge Manrubia
d19c02d19d
Merge pull request #1998 from felixefelip/test-notifications_settings_controller
...
Test Notifications::SettingsController
2025-12-07 11:43:13 +01:00
Jorge Manrubia
f2c676e69d
Merge pull request #1983 from AmiasYaska/fix-activity-typo
...
Fix typo in back link: Actvity -> Activity
2025-12-07 11:42:20 +01:00
Jorge Manrubia
d90548873d
Merge pull request #1999 from basecamp/refactor-column-title-route
...
Make column have a proper ID instead of inferring it from the title
2025-12-07 11:39:35 +01:00
Jorge Manrubia
31a41e66c2
Make column have a proper ID instead of inferring it from the title
2025-12-07 11:34:54 +01:00
Felipe Felix
4c9d8edbc6
Test Notifications::SettingsController
2025-12-07 04:25:11 -03:00
Mike Dalessio
a6cb569945
Merge pull request #1996 from basecamp/flavorjones/email-validation-in-signup-signin
...
Validate email before creating identity during sign-up and sign-in
2025-12-06 16:56:38 -05:00
Mike Dalessio
0160f215f2
Validate email before creating identity during sign-up and sign-in
...
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.
Also:
- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
2025-12-06 16:52:16 -05:00
Mike Dalessio
95ba2c01b8
Add email validation to Signup
2025-12-06 16:50:39 -05:00
Mike Dalessio
3ff45d77bb
Ensure test coverage for invalid Signup#complete
2025-12-06 16:46:51 -05:00
Mike Dalessio
b2250b6d35
Ensure test coverage for all branches of JoinCodesController#create
2025-12-06 16:40:51 -05:00
Mike Dalessio
d747d1bfa3
Ensure we have good test coverage on Signup.create_identity
...
because we're relying on it returning a MagicLink
2025-12-06 16:40:17 -05:00
Mike Dalessio
0793400771
Merge pull request #1994 from basecamp/flavorjones/signup-dev-magic-link
...
Render verification code in dev for signups, too
2025-12-06 15:07:47 -05:00
Mike Dalessio
c32685981f
Merge pull request #1993 from basecamp/flavorjones/avatar-image-type-error-message
...
User profile edit form shows validation errors
2025-12-06 15:04:42 -05:00
Mike Dalessio
b439a7695b
Render verification code in dev for signups, too
...
Related to 5865d79e / #1991
2025-12-06 15:02:22 -05:00
Mike Dalessio
675600af72
Improve presentation of validation errors
2025-12-06 14:57:27 -05:00
Mike Dalessio
c388f5ef20
Display validation errors for user profiles.
...
Specifically this will help people understand why their SVG avatar
uploads are being rejected, and will keep the RecordInvalid exception
out of Sentry logs.
2025-12-06 14:34:08 -05:00
Mike Dalessio
1883473de1
Remove duplication in the list of supported avatar file types
2025-12-06 14:34:08 -05:00
Mike Dalessio
8992a45c35
Merge pull request #1991 from basecamp/flavorjones/dev-mode-verification-code
...
Display the verification code in the development environment
2025-12-06 13:49:29 -05:00
Mike Dalessio
5865d79ed9
Display the verification code in the dev env
...
This seems better and easier than the console log.
2025-12-06 13:46:13 -05:00
Jeremy Daer
529f5af5f6
CSP adherence: fix magic links console logging ( #1989 )
...
* CSP: fix magic link console logging by including nonce in the script tag
* Remove unused back-nav controller
Unused since c0f842427d
Eliminates a potential CSP violation with javascript: URI
2025-12-06 10:08:22 -08:00
Jorge Manrubia
e6e0048103
Merge pull request #1987 from basecamp/indented-list-alignment
...
Small visual tweak for indented list style
2025-12-06 18:58:01 +01:00
Zoltan Hosszu
e562c72ec9
Small visual tweak for indented list style
2025-12-06 17:58:01 +01:00
AmiasYaska
7d4775d249
Fix typo in back link: Actvity -> Activity
2025-12-06 14:32:05 +03:00
Stanko Krtalić
acedb76598
Merge pull request #1952 from luojiyin1987/chore/dockerfile-prod-exclude-test-gems
...
chore: exclude test gems from production bundle
2025-12-06 11:31:17 +01:00
Stanko Krtalić
f3e47901ec
Merge pull request #1980 from basecamp/reverv-ssrf-acronym
...
Rever to using Ssrf instead of SSRF
2025-12-06 11:10:24 +01:00
Stanko K.R.
73c2b00211
Rever to using Ssrf instead of SSRF
...
Ref: https://github.com/basecamp/fizzy/pull/1967#discussion_r2593750027
2025-12-06 11:04:55 +01:00