Rosa Gutierrez
dde94b06ed
Delete server-side session on logout
...
When it's set. Also, store it in current attributes for convenience.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-16 09:31:22 +01:00
Jeremy Daer
1852adb06c
Fix 1Password account ID (was user UUID) (#156)
2025-12-31 13:59:12 -08:00
Jeremy Daer
e983e3f79f
Block IPv6 SSRF bypass via ipv4_compat addresses (#153)
...
Adds ipv4_mapped? and ipv4_compat? checks to PrivateNetworkGuard.private_ip?
to block SSRF bypass attempts using IPv6 address formats like:
- ::ffff:169.254.169.254 (IPv4-mapped)
- ::169.254.169.254 (IPv4-compatible)
These formats could previously bypass the link_local? check since Ruby
treats them as IPv6 addresses, not IPv4.
Ref: HackerOne #3481701
2025-12-31 13:01:43 -08:00
Jeremy Daer
53e36a16ea
Latest Brakeman
2025-12-31 12:56:01 -08:00
Jeremy Daer
a05292f548
Switch 1Password account to 37signals.1password.com (#154)
2025-12-31 11:54:27 -08:00
Stanko Krtalić
71ffeeea78
Merge pull request #147 from basecamp/fix-sgid-decoding
...
Try to decode SGIDs in multiple ways
v1.4.3
2025-12-15 17:05:01 +01:00
Stanko K.R.
77bcad65b5
Try to decode SGIDs in multiple ways
...
This should avoid message decoding failures between different versions
of sgids
2025-12-15 17:00:50 +01:00
Mike Dalessio
238f73c26f
Merge pull request #146 from basecamp/flavorjones/fix-account-creation-race
...
Address race condition during "first run" account creation
2025-12-12 11:14:52 -05:00
Mike Dalessio
1feb2d94b9
Address race condition during "first run" account creation
2025-12-12 10:51:28 -05:00
Jason Zimdars
49c0ce496c
Merge pull request #144 from basecamp/user-self
...
User self
2025-12-08 23:03:07 -06:00
Jason Zimdars
88f3f942f7
Ensure edit (not trash) is displayed
...
Fix conditional
2025-12-08 22:57:38 -06:00
Jason Zimdars
6f256f5f2d
Show admin toggle, but disable for current user
...
You shouldn't be able to demote yourself, but displaying the disabled
toggle helps explain the group of admins at the top of the list. Builds
upon #140
2025-12-08 22:53:11 -06:00
Jason Zimdars
089a8b35c0
Merge pull request #140 from ashwin47/admin-ordering
...
Sort users with administrators appearing first in ordered scope
2025-12-08 22:33:49 -06:00
Ashwin M
b52c318518
Group administrators separately from members with visual divider
2025-12-09 08:42:00 +05:30
Stanko Krtalić
de5493d8a9
Merge pull request #124 from ashwin47/ban_typo
...
Fix button label to 'UnBan' for clarity
2025-12-06 11:42:50 +01:00
Ashwin M
74346342df
Rewrite label
2025-12-06 16:09:13 +05:30
Stanko Krtalić
e4a49d52b2
Merge pull request #125 from mphalliday/involvement-fix
...
Allow non-admins to update their room involvements
2025-12-04 21:43:31 +01:00
Michael Halliday
b8919161a8
Allow non-admins to update their room involvements
2025-12-03 09:56:15 -05:00
Ashwin M
80585a9585
Fix button label to 'UnBan' for clarity
2025-12-03 17:50:16 +05:30
Stanko K.R.
b3d97ecb0e
Add safety checks to release script
2025-12-03 08:24:04 +01:00
Stanko Krtalić
94692026d3
Merge pull request #122 from basecamp/unfurl-blind-ssrf
...
Security: disallow blind SSRF to link-local IPs via URL unfurling
v1.4.2
2025-12-03 08:12:24 +01:00
Stanko K.R.
0672673916
Disallow SSRF via IPv6 addresses mapped to IPv4 addresses
2025-12-03 08:08:34 +01:00
Jeremy Daer
5667262d1c
Security: disallow blind SSRF to link-local IPs via URL unfurling
2025-12-02 21:33:44 -08:00
Stanko Krtalić
1babf3f9ed
Merge pull request #121 from basecamp/fix-crash-on-mentions-when-upgrading-from-rails-7-to-8
...
Parse Rails 7 GIDs
v1.4.1
2025-12-02 11:37:51 +01:00
Stanko K.R.
4d04f9beee
Use urlsafe base64 decode
2025-12-02 11:34:12 +01:00
Stanko K.R.
bebe518c74
Parse Rails 7 GIDs
2025-12-02 11:06:23 +01:00
Stanko K.R.
13897eac59
Set title on new releases to be the version number
v1.4.0
2025-12-02 08:36:15 +01:00
Stanko Krtalić
6bb0ee2436
Merge pull request #120 from basecamp/allow-restricting-new-room-creation-to-admins
...
Add new has_json to add Account#settings to restrict room creation to only administrators
2025-12-02 08:27:29 +01:00
Stanko K.R.
550d4c75bd
Invert the icon color in dark mode
2025-12-02 08:22:32 +01:00
Jason Zimdars
7b7b3f8a67
Rework toggle as switch
2025-12-01 23:13:54 -06:00
Stanko K.R.
aec8747710
Fix failing system tests
...
Something broke when the dependencies were updated, so I copied over the Gemfile.lock file from main, which is known to work
2025-12-01 16:34:51 +01:00
Stanko K.R.
71b5edae01
Run migrations
2025-12-01 15:31:53 +01:00
Stanko K.R.
b1325ccee7
Bump Redis
2025-12-01 15:31:07 +01:00
David Heinemeier Hansson
5266ffc049
Always just go through the settings object
2025-12-01 15:26:06 +01:00
David Heinemeier Hansson
bd3b0c5988
Not needed
2025-12-01 15:26:06 +01:00
David Heinemeier Hansson
e8626f9d5d
Use rails edge that now includes the feature
2025-12-01 15:26:06 +01:00
David Heinemeier Hansson
796195c2cc
Give up on the auto delegation to get a cleaner API
2025-12-01 15:26:06 +01:00
David Heinemeier Hansson
559629537b
We don't need to specify the default any more
2025-12-01 15:26:06 +01:00
David Heinemeier Hansson
42c411b660
Use upstream version of has_json
2025-12-01 15:25:39 +01:00
David Heinemeier Hansson
6c59b8c82b
Use public_send instead of send
2025-12-01 15:25:39 +01:00
David Heinemeier Hansson
20ba1cf2ae
Ensure mutable string is used to prevent warning
2025-12-01 15:25:06 +01:00
David Heinemeier Hansson
d323c3cfc0
Now required to be explicitly included
...
Not sure why
2025-12-01 15:23:57 +01:00
David Heinemeier Hansson
53671b48e0
Update to latest Rails 8.2.0 alpha
2025-12-01 15:23:23 +01:00
David Heinemeier Hansson
66b4e41281
Rename
2025-12-01 15:23:23 +01:00
David Heinemeier Hansson
6476bab4cc
Use consistent yield naming
2025-12-01 15:23:23 +01:00
David Heinemeier Hansson
f7c3aaa2a9
Allow for default values
2025-12-01 15:23:23 +01:00
David Heinemeier Hansson
593f8dd04c
No need for self
2025-12-01 15:23:23 +01:00
David Heinemeier Hansson
d3b6507ce2
Layer on top a more pleasant API for the default case
2025-12-01 15:23:23 +01:00
David Heinemeier Hansson
32be03a240
Rely on method missing
2025-12-01 15:23:23 +01:00
David Heinemeier Hansson
8e94a4aa1e
Better wording
2025-12-01 15:23:23 +01:00