Commit Graph

5981 Commits

Author SHA1 Message Date
Andy Smith ffc19a864e Merge branch 'main' into mobile-columns-pt-iii
* main:
  Only hide the blank slate when there are no cards present
  Support local installations where the app is loaded over HTTP
  Revert "Make sure new card drafts are refreshed when reused"
  Make sure new card drafts are refreshed when reused
  Add a "*" to the queues handled by the solid queue worker pool
  Remove unnecessary recurring execution cleanup task
  Refactor: Replace pluck(:id) with ids method
2026-01-06 10:29:20 -06:00
Andy Smith 2ee7af6fde Only hide the blank slate when there are no cards present 2026-01-05 15:00:36 -06:00
Andy Smith a9666225e3 Fix scrolling on mobile 2026-01-05 13:21:00 -06:00
Andy Smith c8c6fbbb13 Remember expanded state on navigation 2026-01-05 12:49:38 -06:00
Rosa Gutierrez 5f390f72df Support local installations where the app is loaded over HTTP
In this case requests won't be performed from a secure context [1] and
the browser won't send the Sec-Fetch-Site header. This means non-GET
requests will be rejected because CSRF protection will fail.

With this change, we allow these requests with missing Sec-Fetch-Site
headers if:
- They happen over HTTP
- The app is not configured to force SSL

The Origin check happens in any case.

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
2026-01-05 18:50:14 +01:00
Jorge Manrubia ffb9847a4e Merge pull request #2287 from italomatos/refactor/use-ids-method-instead-of-pluck
Refactor: Replace pluck(:id) with ids method
2026-01-05 16:03:41 +01:00
Jorge Manrubia 045ddf78f3 Revert "Make sure new card drafts are refreshed when reused"
This reverts commit 3008011175.
2026-01-05 15:58:16 +01:00
Jorge Manrubia 3008011175 Make sure new card drafts are refreshed when reused
To deal with old timestamps messing with card ordering and so.

https://app.fizzy.do/5986089/cards/3495
2026-01-05 15:57:48 +01:00
Italo Matos 4189261cd0 Refactor: Replace pluck(:id) with ids method
Use the more idiomatic ActiveRecord ids method instead of pluck(:id)
across controllers and models. The ids method is more readable and
explicitly conveys the intent to retrieve primary key values.

Changes:
- BoardsController#edit: Use @board.users.ids
- Board::Storage: Use cards.ids, Comment.where().ids, and ActionText::RichText.where().ids
- User::Accessor: Use account.boards.all_access.ids

This change improves code clarity while maintaining the same functionality.
2026-01-04 10:02:58 -03:00
Andy Smith 3fb45c14e3 Merge branch 'main' into mobile-columns-pt-iii
* main:
  Update Rails
  Ignore hotkeys with modifiers
  Fix 1Password account ID (was user UUID) (#2278)
  Switch 1Password account to 37signals.1password.com (#2276)
  Remove CSS testing comments
  Max card count equals geared pagination size
  Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
  Only enable transitions on user interaction
  Don't update counter if value hasn't changed
2026-01-02 14:50:27 -06:00
Andy Smith 5b6fdbfeae Fix mini bubble cropping, filters padding, and grid-style 2026-01-02 12:45:53 -06:00
Andy Smith 837b820291 Better scroll snapping 2026-01-02 12:22:07 -06:00
Andy Smith d3bfd14c22 Only auto-focus Maybe column on desktop 2026-01-02 12:11:17 -06:00
Andy Smith b4096d9f22 Move card__list outside pagination 2026-01-02 11:42:00 -06:00
Andy Smith 1686c48654 Show icons 2026-01-02 11:17:58 -06:00
Jason Zimdars d7ef796092 Ignore hotkeys with modifiers
Avoids unintentionally triggering when using system shortcuts like
`command+[` in macOS
2026-01-01 09:47:10 -06:00
Andy Smith f2759f1ca0 Remove CSS testing comments 2025-12-30 12:37:10 -06:00
Andy Smith 711eec133a Max card count equals geared pagination size 2025-12-30 12:30:55 -06:00
Jeremy Daer 0eefd67b68 Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.

Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
  blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats

Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.

HackerOne: #3481701
2025-12-29 21:45:06 -08:00
Andy Smith b9c11ad768 Only enable transitions on user interaction 2025-12-29 15:30:55 -06:00
Andy Smith 67f39aad8a Don't update counter if value hasn't changed 2025-12-29 14:51:11 -06:00
Andy Smith 58a330aa17 Merge branch 'main' into mobile-columns-pt-iii
* main: (55 commits)
  Add padding to upgrade message on larger screens
  Add test coverage for autolinking multiple URLs
  Add "noopener" to autolinks' rel attribute
  Avoid string manipulation when autolinking.
  Only bump z-index when nav is open
  Move nav and related elements above footer
  Delete Dockerfile.dev
  fix: use the right gh-cli arch package (#2232)
  Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
  Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
  Consider user avatars always public
  Implement authorization for Active Storage endpoints
  Update documentation
  Expose the card ID and URL on comments
  Don't run application recurring jobs in betas
  This link is reduntant if you're over the limits
  Add obvious upgrade button when you're out of storage
  Internaly only view
  Target comment elements more precisely
  Better name for helper method
  ...
2025-12-29 14:07:00 -06:00
Mike Dalessio ae1168c16b Merge pull request #2268 from basecamp/flavorjones/better-autolinking
Better autolinking
2025-12-29 13:33:16 -05:00
Mike Dalessio 4579f7cd61 Avoid string manipulation when autolinking.
Instead, let's use a Loofah scrubber which will create DOM nodes
directly. This should be faster and is a tiny bit simpler, as well as
removing a potential HTML injection vector.

Also, add "noreferrer" to all `mailto:` links (already present on URLs).
2025-12-29 12:21:00 -05:00
Andy Smith 7f1bf76588 Only bump z-index when nav is open 2025-12-29 11:02:19 -06:00
Andy Smith 19d5a6a22c Move nav and related elements above footer 2025-12-29 10:55:39 -06:00
Rosa Gutierrez f66a2dc1ba Consider user avatars always public
Avatars are purposely accessible without authentication
(5e3b5b6d7c) because they can be in public
collections. Trying to restrict this by checking whether they're in fact
present in some public collection is rather expensive, so let's keep
them public.
2025-12-26 19:33:26 +01:00
Rosa Gutierrez 196d685f8d Implement authorization for Active Storage endpoints
Consider blobs attached to any public records accessible to anyone with
the URL.
2025-12-25 21:22:36 +01:00
Stanko Krtalić 24c20ad55f Merge pull request #2244 from basecamp/expose-card-ids-on-comments
Expose the card ID and URL on comments
2025-12-24 08:50:47 +01:00
Stanko K.R. 822c3bb2ad Expose the card ID and URL on comments 2025-12-24 08:45:31 +01:00
Jason Zimdars 0875d7369c Merge pull request #2241 from basecamp/improve-account-admin
Internaly only view
2025-12-23 12:21:19 -06:00
Jason Zimdars 472b1a1cad Internaly only view
Adds plan name and indicates when overrides exceed limits; cleans up UI
at bit
2025-12-23 12:02:18 -06:00
Andy Smith 35619857aa Target comment elements more precisely 2025-12-23 11:27:16 -06:00
Jason Zimdars 87977eb770 Merge pull request #2211 from basecamp/card-nav-hotkeys
Add hotkeys for triaging cards in columns
2025-12-23 09:45:24 -06:00
Rosa Gutierrez 3fcf5a9d08 Require authorization for direct uploads
Respond with 403 to JSON requests that are unauthorized, instead of
redirecting.
2025-12-23 11:08:51 +01:00
Jason Zimdars b044a4b355 Add Adwaita Sans to font stack
Even on Linux, Chromium "helps" by mapping `BlinkMacSystemFont` to the
system Helvetica equivalent, "Liberation Sans". But Liberations doesn't
have the 900 font weight that give Fizzy its characteristic chunky look.
Pushing the Gnome deafult, "Adwaita Sans" head of the system fonts for
Mac allows black weight. That's how it worked on Linux until we removed
`system-ui` from the font stack in #2000. This is largely for Omarchy
users, of which most of our developers are, so it seems fair.
2025-12-22 17:55:49 -06:00
Jason Zimdars 3a43e5e6c5 Don't render this at all in the preview template
Avoids situations where the hotkey could be triggered on the board view
2025-12-22 16:42:42 -06:00
Andy Smith ea61907397 Pass in data attribute to partial 2025-12-22 14:43:08 -06:00
Andy Smith 348808edc2 Replace span with li 2025-12-22 14:26:03 -06:00
Jason Zimdars 6de7b40024 Explicitly diable hotkeys in Not Now and Done 2025-12-22 14:14:50 -06:00
Jason Zimdars 72ffc2b974 Merge branch 'main' into smooth-theme-change 2025-12-22 11:34:48 -06:00
Jason Zimdars 806297eb12 Merge pull request #2230 from basecamp/refactor-system-comment-classes
Refactor system comment classes
2025-12-22 11:15:48 -06:00
Jason Zimdars 5716303c22 Rename
It feels odd to have a `.system` class in the `.comment` namespace.
Might as well make it really obvious if we're going to rename it
2025-12-22 11:12:46 -06:00
Jason Zimdars 563c530e3e Merge pull request #2213 from basecamp/welcome-letter
Stub welcome letter for newly created accounts
2025-12-22 10:17:41 -06:00
Stanko K.R. 0df667f4fb Fix HTML injection in webhooks through card titles 2025-12-22 12:20:32 +01:00
Jason Zimdars e724b3bf86 Move to variable 2025-12-20 18:19:13 -06:00
Jason Zimdars 71433718d5 Set view-transition-name so it gets calculated in the layer rendering
Prevents cards from briefly appearing on top of the letter while they
finish transitioning
2025-12-20 18:16:35 -06:00
Jason Zimdars c33b12aa14 We get this for free 2025-12-20 18:12:34 -06:00
Jason Zimdars d0587d5db8 turbo:load doesn't seem to be working, try a specific controller method to open it 2025-12-20 18:05:41 -06:00
Jason Zimdars d4ace2752c Ensure the flash notice passes through the redirect 2025-12-20 18:04:56 -06:00