* main:
Only hide the blank slate when there are no cards present
Support local installations where the app is loaded over HTTP
Revert "Make sure new card drafts are refreshed when reused"
Make sure new card drafts are refreshed when reused
Add a "*" to the queues handled by the solid queue worker pool
Remove unnecessary recurring execution cleanup task
Refactor: Replace pluck(:id) with ids method
In this case requests won't be performed from a secure context [1] and
the browser won't send the Sec-Fetch-Site header. This means non-GET
requests will be rejected because CSRF protection will fail.
With this change, we allow these requests with missing Sec-Fetch-Site
headers if:
- They happen over HTTP
- The app is not configured to force SSL
The Origin check happens in any case.
[1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
This task is unnecessary because the
`solid_queue_recurring_executions` table has a foreign key to
`solid_queue_jobs` with `on_delete: :cascade`.
This config was cargo-culted from HEY (in 44429644), which *does* need
this task to run because we've omitted the FK constraints there.
Use the more idiomatic ActiveRecord ids method instead of pluck(:id)
across controllers and models. The ids method is more readable and
explicitly conveys the intent to retrieve primary key values.
Changes:
- BoardsController#edit: Use @board.users.ids
- Board::Storage: Use cards.ids, Comment.where().ids, and ActionText::RichText.where().ids
- User::Accessor: Use account.boards.all_access.ids
This change improves code clarity while maintaining the same functionality.
* main:
Update Rails
Ignore hotkeys with modifiers
Fix 1Password account ID (was user UUID) (#2278)
Switch 1Password account to 37signals.1password.com (#2276)
Remove CSS testing comments
Max card count equals geared pagination size
Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
Only enable transitions on user interaction
Don't update counter if value hasn't changed
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.
Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats
Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.
HackerOne: #3481701
* main: (55 commits)
Add padding to upgrade message on larger screens
Add test coverage for autolinking multiple URLs
Add "noopener" to autolinks' rel attribute
Avoid string manipulation when autolinking.
Only bump z-index when nav is open
Move nav and related elements above footer
Delete Dockerfile.dev
fix: use the right gh-cli arch package (#2232)
Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
Consider user avatars always public
Implement authorization for Active Storage endpoints
Update documentation
Expose the card ID and URL on comments
Don't run application recurring jobs in betas
This link is reduntant if you're over the limits
Add obvious upgrade button when you're out of storage
Internaly only view
Target comment elements more precisely
Better name for helper method
...
Instead, let's use a Loofah scrubber which will create DOM nodes
directly. This should be faster and is a tiny bit simpler, as well as
removing a potential HTML injection vector.
Also, add "noreferrer" to all `mailto:` links (already present on URLs).
Avatars are purposely accessible without authentication
(5e3b5b6d7c) because they can be in public
collections. Trying to restrict this by checking whether they're in fact
present in some public collection is rather expensive, so let's keep
them public.