Commit Graph

8723 Commits

Author SHA1 Message Date
Jorge Manrubia ffb9847a4e Merge pull request #2287 from italomatos/refactor/use-ids-method-instead-of-pluck
Refactor: Replace pluck(:id) with ids method
2026-01-05 16:03:41 +01:00
Jorge Manrubia 045ddf78f3 Revert "Make sure new card drafts are refreshed when reused"
This reverts commit 3008011175.
2026-01-05 15:58:16 +01:00
Jorge Manrubia 3008011175 Make sure new card drafts are refreshed when reused
To deal with old timestamps messing with card ordering and so.

https://app.fizzy.do/5986089/cards/3495
2026-01-05 15:57:48 +01:00
Mike Dalessio abe16bf055 Merge pull request #2290 from basecamp/flavorjones/console-incineration-queue
Add a "*" to the queues handled by the solid queue worker pool
2026-01-04 14:13:59 -05:00
Mike Dalessio 96dfcb9d4c Add a "*" to the queues handled by the solid queue worker pool
Specifically this is to make sure all queues are managed, like the one
we use for incineration in the fizzy-saas engine.
2026-01-04 14:09:42 -05:00
Mike Dalessio f7205594b5 Merge pull request #2289 from basecamp/flavorjones/remove-recurring-execution-cleanup
Remove unnecessary recurring execution cleanup task
2026-01-04 11:17:41 -05:00
Mike Dalessio 27093e4e78 Remove unnecessary recurring execution cleanup task
This task is unnecessary because the
`solid_queue_recurring_executions` table has a foreign key to
`solid_queue_jobs` with `on_delete: :cascade`.

This config was cargo-culted from HEY (in 44429644), which *does* need
this task to run because we've omitted the FK constraints there.
2026-01-04 11:12:01 -05:00
Italo Matos 4189261cd0 Refactor: Replace pluck(:id) with ids method
Use the more idiomatic ActiveRecord ids method instead of pluck(:id)
across controllers and models. The ids method is more readable and
explicitly conveys the intent to retrieve primary key values.

Changes:
- BoardsController#edit: Use @board.users.ids
- Board::Storage: Use cards.ids, Comment.where().ids, and ActionText::RichText.where().ids
- User::Accessor: Use account.boards.all_access.ids

This change improves code clarity while maintaining the same functionality.
2026-01-04 10:02:58 -03:00
Rosa Gutierrez 182d36aee9 Update Rails 2026-01-02 18:56:28 +01:00
Jason Zimdars 6b56fc112e Merge pull request #2281 from basecamp/fix-card-hotkeys
Ignore hotkeys with modifiers
2026-01-01 10:05:30 -06:00
Jason Zimdars d7ef796092 Ignore hotkeys with modifiers
Avoids unintentionally triggering when using system shortcuts like
`command+[` in macOS
2026-01-01 09:47:10 -06:00
Jeremy Daer 0634ddaebd Fix 1Password account ID (was user UUID) (#2278) 2025-12-31 13:58:01 -08:00
Jeremy Daer cda4f93e4a Switch 1Password account to 37signals.1password.com (#2276) 2025-12-31 10:15:39 -08:00
Andy Smith 7ed597ae06 Merge pull request #2275 from basecamp/polish-expander-transitions
Polish expander transitions
2025-12-30 12:49:18 -06:00
Andy Smith f2759f1ca0 Remove CSS testing comments 2025-12-30 12:37:10 -06:00
Andy Smith 711eec133a Max card count equals geared pagination size 2025-12-30 12:30:55 -06:00
Jeremy Daer 0eefd67b68 Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.

Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
  blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats

Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.

HackerOne: #3481701
2025-12-29 21:45:06 -08:00
Andy Smith 668ecd3a16 Merge pull request #2272 from basecamp/prevent-transtions-until-user-interactions
Only enable transitions on user interaction
2025-12-29 15:36:38 -06:00
Andy Smith b9c11ad768 Only enable transitions on user interaction 2025-12-29 15:30:55 -06:00
Andy Smith 19ec607b9f Merge pull request #2271 from basecamp/limit-column-transitions
Don't update counter if value hasn't changed
2025-12-29 15:12:59 -06:00
Andy Smith 67f39aad8a Don't update counter if value hasn't changed 2025-12-29 14:51:11 -06:00
Andy Smith 14464da29a Merge pull request #2270 from basecamp/saas-message-tweak
Add padding to upgrade message on larger screens
2025-12-29 13:59:02 -06:00
Andy Smith 4ca13516be Add padding to upgrade message on larger screens 2025-12-29 13:54:43 -06:00
Mike Dalessio ae1168c16b Merge pull request #2268 from basecamp/flavorjones/better-autolinking
Better autolinking
2025-12-29 13:33:16 -05:00
Mike Dalessio f952b953e6 Add test coverage for autolinking multiple URLs 2025-12-29 12:21:02 -05:00
Mike Dalessio 97d8d6a395 Add "noopener" to autolinks' rel attribute 2025-12-29 12:21:02 -05:00
Mike Dalessio 4579f7cd61 Avoid string manipulation when autolinking.
Instead, let's use a Loofah scrubber which will create DOM nodes
directly. This should be faster and is a tiny bit simpler, as well as
removing a potential HTML injection vector.

Also, add "noreferrer" to all `mailto:` links (already present on URLs).
2025-12-29 12:21:00 -05:00
Andy Smith 2e05eb70e4 Merge pull request #2269 from basecamp/negotioate-z-index
Move nav and related elements above footer
2025-12-29 11:06:22 -06:00
Andy Smith 7f1bf76588 Only bump z-index when nav is open 2025-12-29 11:02:19 -06:00
Andy Smith 19d5a6a22c Move nav and related elements above footer 2025-12-29 10:55:39 -06:00
Rosa Gutierrez 55257c83f1 Merge pull request #2251 from basecamp/active-storage-authorization
Implement authorization for Active Storage endpoints
2025-12-29 12:12:41 +01:00
Mike Dalessio d9a861ece2 Merge pull request #2261 from basecamp/flavorjones/remove-dockerfile-dev
Delete Dockerfile.dev
2025-12-27 12:57:11 -05:00
Mike Dalessio 522cf5155f Delete Dockerfile.dev
which was part of the beamer testbed and was missed when that was all
ripped out in f66544b9
2025-12-27 12:50:21 -05:00
Luis Fernando Jiménez cca845a3e0 fix: use the right gh-cli arch package (#2232) 2025-12-26 21:11:02 -08:00
dependabot[bot] 6ec61df7d7 Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/v3.0.0...v3.1.0)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-26 21:10:05 -08:00
dependabot[bot] e221833571 Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.11.1 to 3.12.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3.11.1...v3.12.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 3.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-26 21:09:38 -08:00
Rosa Gutierrez f66a2dc1ba Consider user avatars always public
Avatars are purposely accessible without authentication
(5e3b5b6d7c) because they can be in public
collections. Trying to restrict this by checking whether they're in fact
present in some public collection is rather expensive, so let's keep
them public.
2025-12-26 19:33:26 +01:00
Rosa Gutierrez 196d685f8d Implement authorization for Active Storage endpoints
Consider blobs attached to any public records accessible to anyone with
the URL.
2025-12-25 21:22:36 +01:00
Stanko Krtalić 24c20ad55f Merge pull request #2244 from basecamp/expose-card-ids-on-comments
Expose the card ID and URL on comments
2025-12-24 08:50:47 +01:00
Stanko K.R. 21fa6ba458 Update documentation 2025-12-24 08:47:38 +01:00
Stanko K.R. 822c3bb2ad Expose the card ID and URL on comments 2025-12-24 08:45:31 +01:00
Rosa Gutierrez 329e9ef7cb Don't run application recurring jobs in betas
Betas use the same application DB as production, so all these tasks
already take place there. Moreover, since betas have different Solid
Queue instances, we can't prevent simultaneous runs of the same
recurring jobs because each Solid Queue instance is isolated from the
others, so they don't know these jobs are running already, leading to
all sort of issues.
2025-12-23 22:12:08 +01:00
Jason Zimdars cba554268f Merge pull request #2242 from basecamp/restore-upgrade-button
Restore upgrade button
2025-12-23 12:35:23 -06:00
Jason Zimdars d977d51501 This link is reduntant if you're over the limits
No need to show this link and the big upgrade button. The subtle footer
link is for people who *want* to ugprade but don't *need* to.
2025-12-23 12:30:37 -06:00
Jason Zimdars 2f9d6bf7cd Add obvious upgrade button when you're out of storage 2025-12-23 12:28:15 -06:00
Jason Zimdars 0875d7369c Merge pull request #2241 from basecamp/improve-account-admin
Internaly only view
2025-12-23 12:21:19 -06:00
Andy Smith fdcdd5b542 Merge pull request #2214 from basecamp/billing-decimals
Ensure 2 decimal precision when dealing with currency decimals
2025-12-23 12:18:19 -06:00
Andy Smith 5a3991681f Merge pull request #2239 from basecamp/lexxy-comment-cleanup
Target comment elements more precisely
2025-12-23 12:09:18 -06:00
Jason Zimdars 472b1a1cad Internaly only view
Adds plan name and indicates when overrides exceed limits; cleans up UI
at bit
2025-12-23 12:02:18 -06:00
Andy Smith 35619857aa Target comment elements more precisely 2025-12-23 11:27:16 -06:00