Jorge Manrubia
ffb9847a4e
Merge pull request #2287 from italomatos/refactor/use-ids-method-instead-of-pluck
...
Refactor: Replace pluck(:id) with ids method
2026-01-05 16:03:41 +01:00
Jorge Manrubia
045ddf78f3
Revert "Make sure new card drafts are refreshed when reused"
...
This reverts commit 3008011175 .
2026-01-05 15:58:16 +01:00
Jorge Manrubia
3008011175
Make sure new card drafts are refreshed when reused
...
To deal with old timestamps messing with card ordering and so.
https://app.fizzy.do/5986089/cards/3495
2026-01-05 15:57:48 +01:00
Mike Dalessio
abe16bf055
Merge pull request #2290 from basecamp/flavorjones/console-incineration-queue
...
Add a "*" to the queues handled by the solid queue worker pool
2026-01-04 14:13:59 -05:00
Mike Dalessio
96dfcb9d4c
Add a "*" to the queues handled by the solid queue worker pool
...
Specifically this is to make sure all queues are managed, like the one
we use for incineration in the fizzy-saas engine.
2026-01-04 14:09:42 -05:00
Mike Dalessio
f7205594b5
Merge pull request #2289 from basecamp/flavorjones/remove-recurring-execution-cleanup
...
Remove unnecessary recurring execution cleanup task
2026-01-04 11:17:41 -05:00
Mike Dalessio
27093e4e78
Remove unnecessary recurring execution cleanup task
...
This task is unnecessary because the
`solid_queue_recurring_executions` table has a foreign key to
`solid_queue_jobs` with `on_delete: :cascade`.
This config was cargo-culted from HEY (in 44429644 ), which *does* need
this task to run because we've omitted the FK constraints there.
2026-01-04 11:12:01 -05:00
Italo Matos
4189261cd0
Refactor: Replace pluck(:id) with ids method
...
Use the more idiomatic ActiveRecord ids method instead of pluck(:id)
across controllers and models. The ids method is more readable and
explicitly conveys the intent to retrieve primary key values.
Changes:
- BoardsController#edit: Use @board.users.ids
- Board::Storage: Use cards.ids, Comment.where().ids, and ActionText::RichText.where().ids
- User::Accessor: Use account.boards.all_access.ids
This change improves code clarity while maintaining the same functionality.
2026-01-04 10:02:58 -03:00
Rosa Gutierrez
182d36aee9
Update Rails
2026-01-02 18:56:28 +01:00
Jason Zimdars
6b56fc112e
Merge pull request #2281 from basecamp/fix-card-hotkeys
...
Ignore hotkeys with modifiers
2026-01-01 10:05:30 -06:00
Jason Zimdars
d7ef796092
Ignore hotkeys with modifiers
...
Avoids unintentionally triggering when using system shortcuts like
`command+[` in macOS
2026-01-01 09:47:10 -06:00
Jeremy Daer
0634ddaebd
Fix 1Password account ID (was user UUID) ( #2278 )
2025-12-31 13:58:01 -08:00
Jeremy Daer
cda4f93e4a
Switch 1Password account to 37signals.1password.com ( #2276 )
2025-12-31 10:15:39 -08:00
Andy Smith
7ed597ae06
Merge pull request #2275 from basecamp/polish-expander-transitions
...
Polish expander transitions
2025-12-30 12:49:18 -06:00
Andy Smith
f2759f1ca0
Remove CSS testing comments
2025-12-30 12:37:10 -06:00
Andy Smith
711eec133a
Max card count equals geared pagination size
2025-12-30 12:30:55 -06:00
Jeremy Daer
0eefd67b68
Block IPv4-compatible IPv6 addresses in SSRF protection ( #2273 )
...
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.
Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats
Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.
HackerOne: #3481701
2025-12-29 21:45:06 -08:00
Andy Smith
668ecd3a16
Merge pull request #2272 from basecamp/prevent-transtions-until-user-interactions
...
Only enable transitions on user interaction
2025-12-29 15:36:38 -06:00
Andy Smith
b9c11ad768
Only enable transitions on user interaction
2025-12-29 15:30:55 -06:00
Andy Smith
19ec607b9f
Merge pull request #2271 from basecamp/limit-column-transitions
...
Don't update counter if value hasn't changed
2025-12-29 15:12:59 -06:00
Andy Smith
67f39aad8a
Don't update counter if value hasn't changed
2025-12-29 14:51:11 -06:00
Andy Smith
14464da29a
Merge pull request #2270 from basecamp/saas-message-tweak
...
Add padding to upgrade message on larger screens
2025-12-29 13:59:02 -06:00
Andy Smith
4ca13516be
Add padding to upgrade message on larger screens
2025-12-29 13:54:43 -06:00
Mike Dalessio
ae1168c16b
Merge pull request #2268 from basecamp/flavorjones/better-autolinking
...
Better autolinking
2025-12-29 13:33:16 -05:00
Mike Dalessio
f952b953e6
Add test coverage for autolinking multiple URLs
2025-12-29 12:21:02 -05:00
Mike Dalessio
97d8d6a395
Add "noopener" to autolinks' rel attribute
2025-12-29 12:21:02 -05:00
Mike Dalessio
4579f7cd61
Avoid string manipulation when autolinking.
...
Instead, let's use a Loofah scrubber which will create DOM nodes
directly. This should be faster and is a tiny bit simpler, as well as
removing a potential HTML injection vector.
Also, add "noreferrer" to all `mailto:` links (already present on URLs).
2025-12-29 12:21:00 -05:00
Andy Smith
2e05eb70e4
Merge pull request #2269 from basecamp/negotioate-z-index
...
Move nav and related elements above footer
2025-12-29 11:06:22 -06:00
Andy Smith
7f1bf76588
Only bump z-index when nav is open
2025-12-29 11:02:19 -06:00
Andy Smith
19d5a6a22c
Move nav and related elements above footer
2025-12-29 10:55:39 -06:00
Rosa Gutierrez
55257c83f1
Merge pull request #2251 from basecamp/active-storage-authorization
...
Implement authorization for Active Storage endpoints
2025-12-29 12:12:41 +01:00
Mike Dalessio
d9a861ece2
Merge pull request #2261 from basecamp/flavorjones/remove-dockerfile-dev
...
Delete Dockerfile.dev
2025-12-27 12:57:11 -05:00
Mike Dalessio
522cf5155f
Delete Dockerfile.dev
...
which was part of the beamer testbed and was missed when that was all
ripped out in f66544b9
2025-12-27 12:50:21 -05:00
Luis Fernando Jiménez
cca845a3e0
fix: use the right gh-cli arch package ( #2232 )
2025-12-26 21:11:02 -08:00
dependabot[bot]
6ec61df7d7
Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 ( #2257 )
...
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance ) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases )
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md )
- [Commits](https://github.com/actions/attest-build-provenance/compare/v3.0.0...v3.1.0 )
---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
dependency-version: 3.1.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-26 21:10:05 -08:00
dependabot[bot]
e221833571
Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 ( #2256 )
...
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action ) from 3.11.1 to 3.12.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases )
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3.11.1...v3.12.0 )
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
dependency-version: 3.12.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-26 21:09:38 -08:00
Rosa Gutierrez
f66a2dc1ba
Consider user avatars always public
...
Avatars are purposely accessible without authentication
(5e3b5b6d7c ) because they can be in public
collections. Trying to restrict this by checking whether they're in fact
present in some public collection is rather expensive, so let's keep
them public.
2025-12-26 19:33:26 +01:00
Rosa Gutierrez
196d685f8d
Implement authorization for Active Storage endpoints
...
Consider blobs attached to any public records accessible to anyone with
the URL.
2025-12-25 21:22:36 +01:00
Stanko Krtalić
24c20ad55f
Merge pull request #2244 from basecamp/expose-card-ids-on-comments
...
Expose the card ID and URL on comments
2025-12-24 08:50:47 +01:00
Stanko K.R.
21fa6ba458
Update documentation
2025-12-24 08:47:38 +01:00
Stanko K.R.
822c3bb2ad
Expose the card ID and URL on comments
2025-12-24 08:45:31 +01:00
Rosa Gutierrez
329e9ef7cb
Don't run application recurring jobs in betas
...
Betas use the same application DB as production, so all these tasks
already take place there. Moreover, since betas have different Solid
Queue instances, we can't prevent simultaneous runs of the same
recurring jobs because each Solid Queue instance is isolated from the
others, so they don't know these jobs are running already, leading to
all sort of issues.
2025-12-23 22:12:08 +01:00
Jason Zimdars
cba554268f
Merge pull request #2242 from basecamp/restore-upgrade-button
...
Restore upgrade button
2025-12-23 12:35:23 -06:00
Jason Zimdars
d977d51501
This link is reduntant if you're over the limits
...
No need to show this link and the big upgrade button. The subtle footer
link is for people who *want* to ugprade but don't *need* to.
2025-12-23 12:30:37 -06:00
Jason Zimdars
2f9d6bf7cd
Add obvious upgrade button when you're out of storage
2025-12-23 12:28:15 -06:00
Jason Zimdars
0875d7369c
Merge pull request #2241 from basecamp/improve-account-admin
...
Internaly only view
2025-12-23 12:21:19 -06:00
Andy Smith
fdcdd5b542
Merge pull request #2214 from basecamp/billing-decimals
...
Ensure 2 decimal precision when dealing with currency decimals
2025-12-23 12:18:19 -06:00
Andy Smith
5a3991681f
Merge pull request #2239 from basecamp/lexxy-comment-cleanup
...
Target comment elements more precisely
2025-12-23 12:09:18 -06:00
Jason Zimdars
472b1a1cad
Internaly only view
...
Adds plan name and indicates when overrides exceed limits; cleans up UI
at bit
2025-12-23 12:02:18 -06:00
Andy Smith
35619857aa
Target comment elements more precisely
2025-12-23 11:27:16 -06:00