Jorge Manrubia
f58a1aeb31
Use a dedicated resource for showing cards in draft mode
...
Mobile team needs this. Also, this lets us get rid from some conditionals for handling
both modes with a single template.
https://3.basecamp.com/2914079/buckets/44843469/messages/9437287330
2026-01-08 10:40:21 +01:00
Jorge Manrubia
6d05ab428e
Remove engagements
...
We are not using this anymore!
2026-01-07 16:43:33 +01:00
Jorge Manrubia
fb6bcaa18e
Merge pull request #2227 from scart88/main
...
Redirect back to account settings page when the user role is changed …
2026-01-07 16:27:05 +01:00
Jorge Manrubia
6e765a114c
Merge pull request #2294 from basecamp/refresh-drafts
...
Make sure new card drafts are refreshed when reused
2026-01-07 15:49:46 +01:00
Rosa Gutierrez
5f390f72df
Support local installations where the app is loaded over HTTP
...
In this case requests won't be performed from a secure context [1] and
the browser won't send the Sec-Fetch-Site header. This means non-GET
requests will be rejected because CSRF protection will fail.
With this change, we allow these requests with missing Sec-Fetch-Site
headers if:
- They happen over HTTP
- The app is not configured to force SSL
The Origin check happens in any case.
[1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
2026-01-05 18:50:14 +01:00
Jorge Manrubia
ffb9847a4e
Merge pull request #2287 from italomatos/refactor/use-ids-method-instead-of-pluck
...
Refactor: Replace pluck(:id) with ids method
2026-01-05 16:03:41 +01:00
Jorge Manrubia
85bfa7aa48
Rename method
2026-01-05 16:01:25 +01:00
Jorge Manrubia
5f38e8957e
Reapply "Make sure new card drafts are refreshed when reused"
...
This reverts commit 045ddf78f3 .
2026-01-05 15:58:29 +01:00
Jorge Manrubia
045ddf78f3
Revert "Make sure new card drafts are refreshed when reused"
...
This reverts commit 3008011175 .
2026-01-05 15:58:16 +01:00
Jorge Manrubia
3008011175
Make sure new card drafts are refreshed when reused
...
To deal with old timestamps messing with card ordering and so.
https://app.fizzy.do/5986089/cards/3495
2026-01-05 15:57:48 +01:00
Italo Matos
4189261cd0
Refactor: Replace pluck(:id) with ids method
...
Use the more idiomatic ActiveRecord ids method instead of pluck(:id)
across controllers and models. The ids method is more readable and
explicitly conveys the intent to retrieve primary key values.
Changes:
- BoardsController#edit: Use @board.users.ids
- Board::Storage: Use cards.ids, Comment.where().ids, and ActionText::RichText.where().ids
- User::Accessor: Use account.boards.all_access.ids
This change improves code clarity while maintaining the same functionality.
2026-01-04 10:02:58 -03:00
Jason Zimdars
87977eb770
Merge pull request #2211 from basecamp/card-nav-hotkeys
...
Add hotkeys for triaging cards in columns
2025-12-23 09:45:24 -06:00
Rosa Gutierrez
3fcf5a9d08
Require authorization for direct uploads
...
Respond with 403 to JSON requests that are unauthorized, instead of
redirecting.
2025-12-23 11:08:51 +01:00
scart88
ba887225a5
Redirect back to account settings page when the user role is changed or when the user is removed from an account.
2025-12-22 10:47:23 +02:00
Jason Zimdars
d4ace2752c
Ensure the flash notice passes through the redirect
2025-12-20 18:04:56 -06:00
Jason Zimdars
0adcfabe4c
Stub welcome letter for newly created accounts
2025-12-19 15:36:52 -06:00
Rosa Gutierrez
641e67dc2e
Remove status from allowed parameters in CardsController#update
...
We don't allow changing the status via this action, and it's confusing
and can lead to cases where someone can set someone's else card as
draft, effectively hiding it.
2025-12-19 22:35:30 +01:00
Jason Zimdars
6e90a6dbfb
Add hotkeys for triaging cards in columns
...
Hover to select items
2025-12-19 14:33:47 -06:00
Stanko K.R.
ca388c2b84
Replace handle_ naming
2025-12-19 19:21:58 +01:00
Stanko K.R.
df1dfde2b3
Use same constant for fake magic links
2025-12-19 19:21:58 +01:00
Stanko K.R.
3af8bdbe37
Replace FakeMagicLink with a temporary object
2025-12-19 19:21:58 +01:00
Stanko K.R.
52d57c4681
Tidy up session_token
2025-12-19 19:21:57 +01:00
Stanko K.R.
e0270c6c49
Clean up interfaces
...
I talked to the mobile team, and to keep things simple we agreed to send
the token via a cookie.
2025-12-19 19:21:57 +01:00
Stanko K.R.
1a1f4a077b
Simplify auth logic
2025-12-19 19:21:57 +01:00
Fernando Olivares
cddddcf83a
Fix due to unit test when creating with invalid emails
2025-12-19 19:21:57 +01:00
Fernando Olivares
b3c8d02709
Cleanup session creation
2025-12-19 19:21:57 +01:00
Fernando Olivares
6e8d6a3df0
Update to always return a pending auth token for JSON responses.
2025-12-19 19:21:57 +01:00
Fernando Olivares
877f82c0cc
Pass a server token when creating a magic link via API
2025-12-19 19:21:57 +01:00
Fernando Olivares
a75a939289
Simplify code a bit
2025-12-19 19:21:57 +01:00
Fernando Olivares
360e14352f
Simplify session create logic for both html and json
2025-12-19 19:21:57 +01:00
Stanko K.R.
e5bdb3b071
Add back missing development magic link prompt
2025-12-19 19:21:57 +01:00
Stanko K.R.
c0a0786539
Return the session cookie
...
We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.
2025-12-19 19:21:57 +01:00
Stanko K.R.
54ceb4df7c
Remove email address and users from magic link response
...
The identity endpoint can be used to fetch that information
2025-12-19 19:21:57 +01:00
Stanko K.R.
b92982b244
Cleanup & simplify sign in
2025-12-19 19:21:57 +01:00
Fernando Olivares
093240c6f7
Return email and users too
2025-12-19 19:21:57 +01:00
Fernando Olivares
ab0f7a3ea5
Dev: Set magic link as header when JSON request in development
2025-12-19 19:21:57 +01:00
Fernando Olivares
7644bb7411
Allow JSON requests submitting a magic link code
2025-12-19 19:21:57 +01:00
Fernando Olivares
c8eb592746
Allow JSON requests to send a magic link
2025-12-19 19:21:57 +01:00
Jorge Manrubia
eb1d112013
Merge pull request #2203 from basecamp/remove-unused-param
...
Remove unused `tag_ids` parameter from `CardsController#update`
2025-12-19 12:16:32 +01:00
Jorge Manrubia
33fc239571
Merge pull request #2140 from dilberryhoundog/fix-stale-account-cache
...
Fix: resolve stale account names in jump menu and page titles
2025-12-19 11:26:23 +01:00
Jorge Manrubia
2cbbdfbd19
Merge pull request #2138 from italomatos/refactor/replace-reverse-merge-with-with-defaults
...
Refactor: Replace reverse_merge with with_defaults for improved readability
2025-12-19 11:24:46 +01:00
Rosa Gutierrez
1e640643e9
Remove unused tag_ids parameter from CardsController#update
...
This is no longer used in the normal flow of the app. The tags are added
via `Cards::TaggingsController`.
2025-12-19 11:16:20 +01:00
Stanko Krtalić
42185a8d6d
Merge pull request #2153 from basecamp/limit-the-number-of-asignees-on-a-card
...
Limit the number of asignees on a card
2025-12-18 12:08:45 +01:00
Jorge Manrubia
ee80b87c8c
Add billing system with Stripe
...
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Co-Authored-By: Jason Zimdars <jz@37signals.com >
2025-12-16 16:44:20 +01:00
Stanko K.R.
15cb1f7fe1
Add UI to prevent assigning more than 10 asignees
2025-12-15 16:40:52 +01:00
Kevin McConnell
741eff7bdc
Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
...
This reverts commit c628f14c01 , reversing
changes made to 4bafc73236 .
2025-12-15 13:07:13 +00:00
Stanko Krtalić
2058743be9
Merge pull request #2146 from basecamp/show-only-published-cards-on-public-boards
...
Show only public cards on public boards
2025-12-15 13:26:12 +01:00
Kevin McConnell
c628f14c01
Merge pull request #1865 from basecamp/public-avatar-caching
...
Serve own avatar from its own endpoint
2025-12-15 12:20:28 +00:00
Stanko K.R.
87081aa617
Show only public cards on public boards
2025-12-15 13:15:36 +01:00
Dylan
f01a648441
🐛 fix: resolve stale account names in jump menu and page titles
...
Add account data to fresh_when etag arrays so Rails serves fresh responses after account changes.
- Add @accounts to menus controller etag
- Add Current.account to boards controller etag
- Add ETag cache invalidation tests for both controllers
2025-12-15 15:59:25 +08:00