Commit Graph

7823 Commits

Author SHA1 Message Date
Kevin McConnell dfe7095ee6 Merge pull request #1917 from basecamp/dont-resize-svg-avatars
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Mike Dalessio 2fcdd921fc Merge pull request #1922 from basecamp/flavorjones/revert-board-column-restriction
Revert "Changing columns requires board admin"
2025-12-04 09:50:59 -05:00
Mike Dalessio 394c5dbf03 Revert "Changing columns requires board admin"
This reverts commit cecccadc14.
2025-12-04 09:46:30 -05:00
Mike Dalessio 916be75bed Merge pull request #1859 from basecamp/flavorjones/fix-broken-remote-images
Gracefully handle ill-formed remote images in rich text
2025-12-04 09:39:26 -05:00
Kevin McConnell 2e47749739 Don't allow SVG avatar uploads in the first place 2025-12-04 14:27:28 +00:00
Mike Dalessio 89940d36f8 Gracefully handle ill-formed remote images in rich text
A better fix has been proposed upstream at
https://github.com/rails/rails/pull/56283 but this should be fine in
the meantime.

ref: https://app.fizzy.do/5986089/cards/3188
2025-12-04 09:24:52 -05:00
Kevin McConnell 6475ad3425 Don't try to resize non-variable avatars 2025-12-04 13:36:21 +00:00
Kevin McConnell 069e0ca0b2 Merge pull request #1920 from basecamp/routes-trailing-whitespace
Remove trailing whitespace
2025-12-04 13:36:02 +00:00
Kevin McConnell 08c380cc71 Remove trailing whitespace
Appease the Rubocop
2025-12-04 13:32:47 +00:00
Stanko Krtalić 150e7caf03 Merge pull request #1908 from basecamp/install-runtime-and-ci-dependencies-on-mac
Install any runtime or ci dependencies in bin/setup on MacOS
2025-12-04 13:16:46 +01:00
David Heinemeier Hansson b3481b10a8 Move legacy out of sight 2025-12-04 03:34:30 -08:00
Stanko Krtalić d466b633fc Merge pull request #1915 from basecamp/sign-up-new-users-on-sign-in
Sign up new users on sign in
2025-12-04 11:32:51 +01:00
Kevin McConnell 9e0b5593ad Merge pull request #1848 from basecamp/rate-limit-warning
Show alert message on login when rate limited
2025-12-04 10:30:37 +00:00
Stanko K.R. a8f328c921 Sign up new users on sign in 2025-12-04 11:30:21 +01:00
Stanko Krtalić 06478f23d2 Merge pull request #1912 from basecamp/refactor-reaction-permission-check
Change reaction admin permission check to be in-line with other controllers
2025-12-04 11:04:12 +01:00
Stanko K.R. 5cfe6930ee Change reaction admin permission check to be in-line with other controllers 2025-12-04 11:01:23 +01:00
Stanko Krtalić 6050f187ca Merge pull request #1895 from jbnunn/remove-legacy-join-pattern
Removed legacy join link
2025-12-04 09:21:08 +01:00
Stanko K.R. ea826860e0 Install any runtime or ci dependencies in bin/setup 2025-12-04 09:16:30 +01:00
Jorge Manrubia af43ef4962 Merge pull request #1897 from Hacksore/fix/board-bell-title
Move the title to the button
2025-12-04 09:02:08 +01:00
Jorge Manrubia a0cb25a951 Merge pull request #1881 from basecamp/card-notification-removal-scope
Tighten scope on card notification removals
2025-12-04 08:44:52 +01:00
Jorge Manrubia 457a6d71b7 Merge pull request #1906 from basecamp/column-management-auth
Changing columns requires board admin
2025-12-04 08:34:49 +01:00
Jorge Manrubia 40f906f69f Merge pull request #1896 from umarhadi/main
Add Missing Production Databases for Solid Queue and Solid Cache
2025-12-04 08:34:15 +01:00
Jeremy Daer cecccadc14 Changing columns requires board admin 2025-12-03 23:24:25 -08:00
Jeremy Daer 7af93765a8 Security: close narrow window of exposure to DNS rebinding (#1903) 2025-12-03 23:12:17 -08:00
Sean Boult c1468de3d7 Fix title on bell icon 2025-12-03 21:20:34 -06:00
umarhadi 374fa1b5d0 Add production queue and cache database config 2025-12-04 09:50:45 +07:00
J. Nunn 383033b9d0 Removed legacy join link 2025-12-03 18:06:38 -08:00
Jeremy Daer cac0ca1656 Scope the single-board case to just the creator's boards (#1880) 2025-12-03 15:47:04 -08:00
Jeremy Daer f440b0243e Tighten scope on card notification removals
* Iterate each association separately to favor db indexing
* Pluck user IDs rather than select to avoid correlated subquery
2025-12-03 15:46:43 -08:00
Jeremy Daer 49139b7a14 SQLite import creates account-scoped tags
References #1879
2025-12-03 15:09:22 -08:00
Jorge Manrubia 9cf223aea1 Fix path 2025-12-03 23:53:18 +01:00
Jorge Manrubia efc809c23e Script to fix misassigned tags
See https://github.com/basecamp/fizzy/pull/1879
2025-12-03 23:46:08 +01:00
Jorge Manrubia 38d86fb17b Merge pull request #1879 from basecamp/scope-tags
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia 4a30663df1 Scope tags by account
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia 6847c001ea Merge pull request #1876 from basecamp/column-reordering-auth
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jorge Manrubia 367e5aa1dd Merge pull request #1871 from imbriaco/patch-2
Use environment variable for default mailer address
2025-12-03 22:07:39 +01:00
Jorge Manrubia 6c9ec052db Merge pull request #1874 from basecamp/bump-prometheus-client-mmap
Bump fizzy-saas to upgrade prometheus-client-mmap to ~> 1.4.0
2025-12-03 22:06:41 +01:00
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jorge Manrubia 7fcf660f05 Merge pull request #1854 from MatheusRich/find-by-over-where-first
Prefer find_by! over where + first!
2025-12-03 21:51:18 +01:00
Lewis Buckley 4bcedbbd77 Upgrade prometheus-client-mmap to ~> 1.4.0 2025-12-03 20:46:23 +00:00
Mike Dalessio cd23a54bb5 Merge pull request #1873 from basecamp/flavorjones/seed-staff-users
Update seeds to use `@example.com`
2025-12-03 15:44:54 -05:00
Mike Dalessio 6345aa4787 Update seeds to use @example.com
See also https://www.rfc-editor.org/rfc/rfc2606.html
2025-12-03 15:40:58 -05:00
Mike Dalessio 8064e017dc db:seeds create staff users for testing in development 2025-12-03 15:29:36 -05:00
Mark Imbriaco 56033d0a8e Use environment variable for default mailer address 2025-12-03 14:56:19 -05:00
Jason Zimdars 8f2ec267f6 Merge pull request #1820 from dcchambers/delete-board-confirmation
Add card deletion warning to board deletion confirmation message
2025-12-03 13:42:06 -06:00
Stanko Krtalić f41b1b098a Merge pull request #1868 from basecamp/use-cryptographically-secure-randomness-for-magic-link-code-generation
Use cryptographically secure randomness for Magic Link code generation
2025-12-03 20:21:52 +01:00
Andy Smith 4b86399ae9 Merge pull request #1866 from basecamp/quick-filters-on-mobile
Don't hide quick filters on mobile
2025-12-03 13:18:09 -06:00
Stanko K.R. 7ab06d1dbd Use cryptographically secure randomness for Magic Link code generation
#sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results.
2025-12-03 20:15:27 +01:00
Stanko Krtalić 3520f97e33 Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Dakota Chambers a98cb58348 Update app/views/boards/edit/_delete.html.erb
Co-authored-by: Jason Zimdars <jz@37signals.com>
2025-12-03 13:04:29 -06:00