When concurrent NotifyRecipientsJobs process an Event and a Mention for
the same user+card, Rails' dirty tracking can skip writing source_type
in the UPDATE if it hasn't changed from the stale in-memory value,
leaving source_type and source_id mismatched (e.g. source_type='Event'
with a Mention's source_id, resulting in a nil source).
Force source_type to always be included in the UPDATE via
source_type_will_change! to prevent this.
Here's a sample timeline of this race condition happening in the real
world (with simplified IDs):
Two `NotifyRecipientsJob` involving notification `03fklpu`, same card,
same user, same comment — enqueued within 50ms of each other:
1. Both jobs load notification `03fklpu` — it has source_type='Mention'
(from a previous job)
2. `EventNotifier` writes at 21:22:36.051: ```sql SET
source_type='Event', source_id=<event_id>, unread_count=1 ```
3. `source_type` included because it changed ('Mention' → 'Event')
4. `MentionNotifier` writes at 21:22:36.057 (~6ms later): ```sql SET
source_id=<mention_id>, unread_count=1 ```
5. No `source_type`! It was `'Mention'` when loaded and `'Mention'` is
what it's setting → not dirty → skipped
6. Final DB state: `source_type='Event'` (from step 2, untouched),
`source_id=<mention_id>` (from step 3)
`Notification.source` now does `Event.find(<mention_id>) → nil.`
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The convert_gids_to_sgids method resolved GIDs globally and minted
valid SGIDs without verifying the record belongs to the importing
account. This adds the same account_id check that the export path
already has, plus RecordNotFound handling for invalid GIDs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Remove unused marked JS dependency
* Remove unused redcarpet dependency
* Render inline code in card titles
Add card_html_title helper that HTML-escapes input then converts
backtick-wrapped text to <code> elements. Apply to card titles in
board preview, card detail, public views, and notification emails.
Style inline code elements in titles to match description styling.
Co-authored-by: Andy Smith <andy@37signals.com>
---------
Co-authored-by: Andy Smith <andy@37signals.com>
We had client-side notification stacking in the tray since launch, but now we want to stack notifications in the notifications page, in API responses and in email bundles.
* Group notification emails by board
Notification bundle emails now group items by board instead of
showing the board name redundantly for each card. Each board
section has a linked header and an <hr> separator.
* Adjust board title styles and remove rem units
* Sort board groups alphabetically
Sort notification email board sections alphabetically by name
(case-insensitive).
Also, rewrite mailer tests to use Nokogiri::HTML5 for precise DOM
assertions instead of regex matching.
---------
Co-authored-by: Andy Smith <andy@37signals.com>
The board-scoped mention prompt was returning all users with board access,
including those marked as inactive. This adds the `.active` scope to match
the behavior of the account-wide mention prompt.
Fixes https://app.fizzy.do/5986089/cards/3861
ActionTextRichTextRecordSet now calls check_associations_dont_exist to
ensure imported ActionText records only reference records within the
same import, matching the behavior of the parent RecordSet class.
When updating a draft card (e.g., adding a background image), the turbo
stream response was using the published card container partial, which
includes the reactions/boost button. Draft cards should use the draft
container partial which intentionally omits reactions.
Fixes https://app.fizzy.do/5986089/cards/3970
The magic link verification endpoint now returns `requires_signup_completion`
to indicate whether the client needs to collect a name and complete signup.
The signup completion endpoint now supports JSON responses with the account ID.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This is so that native API clients can get the session record deleted
server-side. They still need to take care of clearing any cookies
they've set in web views.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* main: (127 commits)
Align board name start so it doesn't get too big
Clean up card/events header layout
Sync email to Stripe when user changes email address (#2432)
Fix IDOR in webhook activation endpoint (#2431)
Add card reactions to API docs and reactions_url to card JSON (#2427)
Remove unnecessary claude plan
Allow boosts on cards (#2411)
Revert "Fix notification click URL by using correct data property"
Add migration to remove draft cards from search index
Guard search indexing with searchable? check
Forbid comments on draft cards
prefactor: update search to use published cards
Fix notification click URL by using correct data property
Wait for service worker to be active before subscribing
Fix stuck state when permission granted but no subscription
Extract Card::Commentable
Include arm64 build in Docker workflow
Remove unnecessary `await` in push handler
Correctly initialise WebPush connection (#2417)
Update models, views, and fixtures for polymorphic reactions
...
The webhook activation controller was using account-scoped lookup
instead of board-scoped lookup, allowing users to reactivate webhooks
on boards they don't have access to.
This was an oversight when board-scoping was added to the main webhooks
controller - the activations controller was missed in that update.
The fix adds the BoardScoped concern to properly restrict webhook
activation to boards the user has explicit access to.