Ghost/core/server/services/themes/validate.js

const _ = require('lodash');
const Promise = require('bluebird');
const config = require('../../config');
const common = require('../../lib/common');

let checkTheme;

checkTheme = function checkTheme(theme, isZip) {
    var checkPromise,
        // gscan can slow down boot time if we require on boot, for now nest the require.
        gscan = require('gscan');

    if (isZip) {
        checkPromise = gscan.checkZip(theme, {
            keepExtractedDir: true
        });
    } else {
        checkPromise = gscan.check(theme.path);
    }

    return checkPromise
        .then(function resultHandler(checkedTheme) {
            checkedTheme = gscan.format(checkedTheme, {
                onlyFatalErrors: config.get('env') === 'production'
            });

            // CASE: production and no fatal errors
            // CASE: development returns fatal and none fatal errors, theme is only invalid if fatal errors
            if (!checkedTheme.results.error.length ||
                config.get('env') === 'development' && !checkedTheme.results.hasFatalErrors) {
                return checkedTheme;
            }

            return Promise.reject(new common.errors.ThemeValidationError({
                message: common.i18n.t('errors.api.themes.invalidTheme'),
                errorDetails: Object.assign(
                    _.pick(checkedTheme, ['checkedVersion', 'name', 'path', 'version']), {
                        errors: checkedTheme.results.error
                    }
                ),
                // NOTE: needs to be removed but first has to be decoupled
                //       from logic here: https://github.com/TryGhost/Ghost/blob/9810834/core/server/services/themes/index.js#L56-L57
                context: checkedTheme
            }));
        }).catch(function (error) {
            return Promise.reject(error);
        });
};

module.exports.check = checkTheme;
Improved error context usage (#10669) refs #10571 - Reduced the amount of log output for collision errors - Improved data passed into `errorDetails` during theme check - After discovering https://github.com/TryGhost/Ghost/blob/9810834/core/server/services/themes/index.js#L56-L57 wasn't able to remove `checkedTheme` from `context`. Left a note to be refactored later 2019-04-09 08:00:56 +03:00			`const _ = require('lodash');`
			`const Promise = require('bluebird');`
			`const config = require('../../config');`
			`const common = require('../../lib/common');`

			`let checkTheme;`
🔥 🎨 Themes & settings misc cleanup (#8061) no issue 🔥 remove unused loadThemes API method 🚨 Add tests for themes.readOne 🔥 Don't update settings cache for imports - this isn't needed as of #8057 - settings.edit fires an event, that will result in the update happening automatically 🎨 Move validation to themes - slowly collecting all theme-related code together 🔥 Reduce DEBUG output - all this info is a bit tooooo much! 2017-02-28 01:30:49 +03:00
✨ Themes API activation permissions & validation (#8104) refs #8093 ✨ Add activate theme permission - add permission to activate themes - update tests - also: update tests for invites TODO: change how the active theme setting is updated to reduce extra permissions ✨ Move theme validation to gscan - add a new gscan validation method and use it for upload - update activate endpoint to do validation also using gscan - change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API - remove validation from the settings model - remove the old validation function - add new invalid theme message to translations & remove a bunch of theme validation related unused keys 📖 Planned changes 🚨 Tests for theme activation API endpoint 🐛 Don't allow deleting the active theme 🚫 Prevent activeTheme being set via settings API - We want to control how this happens in future. - We still want to store the information in settings, via the model. - We just don't want to be able to change this info via the settings edit endpoint 🐛 ✨ Fix warnings for uploads & add for activations - warnings for uploads were broken in f8b498d - fix the response + adds tests to cover that warnings are correctly returned - add the same response to activations + more tests - activations now return a single theme object - the theme that was activated + any warnings 🎨 Improve how we generate theme API responses - remove the requirement to pass in the active theme! - move this to a specialist function, away from the list 🎨 Do not load gscan on boot 2017-03-13 14:44:44 +03:00			`checkTheme = function checkTheme(theme, isZip) {`
			`var checkPromise,`
			`// gscan can slow down boot time if we require on boot, for now nest the require.`
			`gscan = require('gscan');`
🔥 🎨 Themes & settings misc cleanup (#8061) no issue 🔥 remove unused loadThemes API method 🚨 Add tests for themes.readOne 🔥 Don't update settings cache for imports - this isn't needed as of #8057 - settings.edit fires an event, that will result in the update happening automatically 🎨 Move validation to themes - slowly collecting all theme-related code together 🔥 Reduce DEBUG output - all this info is a bit tooooo much! 2017-02-28 01:30:49 +03:00
✨ Themes API activation permissions & validation (#8104) refs #8093 ✨ Add activate theme permission - add permission to activate themes - update tests - also: update tests for invites TODO: change how the active theme setting is updated to reduce extra permissions ✨ Move theme validation to gscan - add a new gscan validation method and use it for upload - update activate endpoint to do validation also using gscan - change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API - remove validation from the settings model - remove the old validation function - add new invalid theme message to translations & remove a bunch of theme validation related unused keys 📖 Planned changes 🚨 Tests for theme activation API endpoint 🐛 Don't allow deleting the active theme 🚫 Prevent activeTheme being set via settings API - We want to control how this happens in future. - We still want to store the information in settings, via the model. - We just don't want to be able to change this info via the settings edit endpoint 🐛 ✨ Fix warnings for uploads & add for activations - warnings for uploads were broken in f8b498d - fix the response + adds tests to cover that warnings are correctly returned - add the same response to activations + more tests - activations now return a single theme object - the theme that was activated + any warnings 🎨 Improve how we generate theme API responses - remove the requirement to pass in the active theme! - move this to a specialist function, away from the list 🎨 Do not load gscan on boot 2017-03-13 14:44:44 +03:00			`if (isZip) {`
🎨 gscan 1.1.0 & optimisations refs #8222 - differentiate between errors and fatal errors - use gscan errors in theme middleware - Adds a new `error()` method to `currentActiveTheme` constructor which will return the errors we receive from gscan - In middleware, if a theme couldn't be activated because it's invalid, we'll fetch the erros and send them to our error handler. We also use a new property `hideStack` to control, if the stack (in dev mode and if available) should be shown or the gscan errors (in prod mode, or in dev if no stack error) - In our error handler we use this conditional to send a new property `gscan` to our error theme - In `error.hbs` we'll iterate through possible `gscan` error objects and render them. - remove stack printing - stack for theme developers in development mode doesn't make sense - stack in production doesn't make sense - the stack is usually hard to read - if you are developer you can read the error stack on the server log - utils.packages: transform native error into Ghost error - use `onlyFatalErrors` for gscan format and differeniate fatal errors vo.2 - optimise bootstrap error handling - transform theme is missing into an error - add new translation key - show html tags for error.hbs template: rule 2017-05-31 19:42:42 +03:00			`checkPromise = gscan.checkZip(theme, {`
			`keepExtractedDir: true`
			`});`
✨ Themes API activation permissions & validation (#8104) refs #8093 ✨ Add activate theme permission - add permission to activate themes - update tests - also: update tests for invites TODO: change how the active theme setting is updated to reduce extra permissions ✨ Move theme validation to gscan - add a new gscan validation method and use it for upload - update activate endpoint to do validation also using gscan - change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API - remove validation from the settings model - remove the old validation function - add new invalid theme message to translations & remove a bunch of theme validation related unused keys 📖 Planned changes 🚨 Tests for theme activation API endpoint 🐛 Don't allow deleting the active theme 🚫 Prevent activeTheme being set via settings API - We want to control how this happens in future. - We still want to store the information in settings, via the model. - We just don't want to be able to change this info via the settings edit endpoint 🐛 ✨ Fix warnings for uploads & add for activations - warnings for uploads were broken in f8b498d - fix the response + adds tests to cover that warnings are correctly returned - add the same response to activations + more tests - activations now return a single theme object - the theme that was activated + any warnings 🎨 Improve how we generate theme API responses - remove the requirement to pass in the active theme! - move this to a specialist function, away from the list 🎨 Do not load gscan on boot 2017-03-13 14:44:44 +03:00			`} else {`
			`checkPromise = gscan.check(theme.path);`
🔥 🎨 Themes & settings misc cleanup (#8061) no issue 🔥 remove unused loadThemes API method 🚨 Add tests for themes.readOne 🔥 Don't update settings cache for imports - this isn't needed as of #8057 - settings.edit fires an event, that will result in the update happening automatically 🎨 Move validation to themes - slowly collecting all theme-related code together 🔥 Reduce DEBUG output - all this info is a bit tooooo much! 2017-02-28 01:30:49 +03:00			`}`
✨ Themes API activation permissions & validation (#8104) refs #8093 ✨ Add activate theme permission - add permission to activate themes - update tests - also: update tests for invites TODO: change how the active theme setting is updated to reduce extra permissions ✨ Move theme validation to gscan - add a new gscan validation method and use it for upload - update activate endpoint to do validation also using gscan - change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API - remove validation from the settings model - remove the old validation function - add new invalid theme message to translations & remove a bunch of theme validation related unused keys 📖 Planned changes 🚨 Tests for theme activation API endpoint 🐛 Don't allow deleting the active theme 🚫 Prevent activeTheme being set via settings API - We want to control how this happens in future. - We still want to store the information in settings, via the model. - We just don't want to be able to change this info via the settings edit endpoint 🐛 ✨ Fix warnings for uploads & add for activations - warnings for uploads were broken in f8b498d - fix the response + adds tests to cover that warnings are correctly returned - add the same response to activations + more tests - activations now return a single theme object - the theme that was activated + any warnings 🎨 Improve how we generate theme API responses - remove the requirement to pass in the active theme! - move this to a specialist function, away from the list 🎨 Do not load gscan on boot 2017-03-13 14:44:44 +03:00
🐛 Fixed gscan errors not caught for corrupted zips closes TryGhost/Support#426 refs TryGhost/gscan#106 needs TryGhost/gscan#107 GScan can return errors, which was not handled in our theme validator and caused Ghost to crash completely. GScan will now return an Ignition error when its not able to read the `.zip` file. e. g.: `{"errors":[{"message":"Failed to read zip file","context":"tife.zip","errorType":"ValidationError","errorDetails":"invalid relative path: ../tife/"}]}` 2018-05-11 08:12:15 +03:00			`return checkPromise`
			`.then(function resultHandler(checkedTheme) {`
			`checkedTheme = gscan.format(checkedTheme, {`
			`onlyFatalErrors: config.get('env') === 'production'`
			`});`
✨ Themes API activation permissions & validation (#8104) refs #8093 ✨ Add activate theme permission - add permission to activate themes - update tests - also: update tests for invites TODO: change how the active theme setting is updated to reduce extra permissions ✨ Move theme validation to gscan - add a new gscan validation method and use it for upload - update activate endpoint to do validation also using gscan - change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API - remove validation from the settings model - remove the old validation function - add new invalid theme message to translations & remove a bunch of theme validation related unused keys 📖 Planned changes 🚨 Tests for theme activation API endpoint 🐛 Don't allow deleting the active theme 🚫 Prevent activeTheme being set via settings API - We want to control how this happens in future. - We still want to store the information in settings, via the model. - We just don't want to be able to change this info via the settings edit endpoint 🐛 ✨ Fix warnings for uploads & add for activations - warnings for uploads were broken in f8b498d - fix the response + adds tests to cover that warnings are correctly returned - add the same response to activations + more tests - activations now return a single theme object - the theme that was activated + any warnings 🎨 Improve how we generate theme API responses - remove the requirement to pass in the active theme! - move this to a specialist function, away from the list 🎨 Do not load gscan on boot 2017-03-13 14:44:44 +03:00
🐛 Fixed gscan errors not caught for corrupted zips closes TryGhost/Support#426 refs TryGhost/gscan#106 needs TryGhost/gscan#107 GScan can return errors, which was not handled in our theme validator and caused Ghost to crash completely. GScan will now return an Ignition error when its not able to read the `.zip` file. e. g.: `{"errors":[{"message":"Failed to read zip file","context":"tife.zip","errorType":"ValidationError","errorDetails":"invalid relative path: ../tife/"}]}` 2018-05-11 08:12:15 +03:00			`// CASE: production and no fatal errors`
			`// CASE: development returns fatal and none fatal errors, theme is only invalid if fatal errors`
			`if (!checkedTheme.results.error.length \|\|`
			`config.get('env') === 'development' && !checkedTheme.results.hasFatalErrors) {`
			`return checkedTheme;`
			`}`
✨ Themes API activation permissions & validation (#8104) refs #8093 ✨ Add activate theme permission - add permission to activate themes - update tests - also: update tests for invites TODO: change how the active theme setting is updated to reduce extra permissions ✨ Move theme validation to gscan - add a new gscan validation method and use it for upload - update activate endpoint to do validation also using gscan - change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API - remove validation from the settings model - remove the old validation function - add new invalid theme message to translations & remove a bunch of theme validation related unused keys 📖 Planned changes 🚨 Tests for theme activation API endpoint 🐛 Don't allow deleting the active theme 🚫 Prevent activeTheme being set via settings API - We want to control how this happens in future. - We still want to store the information in settings, via the model. - We just don't want to be able to change this info via the settings edit endpoint 🐛 ✨ Fix warnings for uploads & add for activations - warnings for uploads were broken in f8b498d - fix the response + adds tests to cover that warnings are correctly returned - add the same response to activations + more tests - activations now return a single theme object - the theme that was activated + any warnings 🎨 Improve how we generate theme API responses - remove the requirement to pass in the active theme! - move this to a specialist function, away from the list 🎨 Do not load gscan on boot 2017-03-13 14:44:44 +03:00
🐛 Fixed gscan errors not caught for corrupted zips closes TryGhost/Support#426 refs TryGhost/gscan#106 needs TryGhost/gscan#107 GScan can return errors, which was not handled in our theme validator and caused Ghost to crash completely. GScan will now return an Ignition error when its not able to read the `.zip` file. e. g.: `{"errors":[{"message":"Failed to read zip file","context":"tife.zip","errorType":"ValidationError","errorDetails":"invalid relative path: ../tife/"}]}` 2018-05-11 08:12:15 +03:00			`return Promise.reject(new common.errors.ThemeValidationError({`
			`message: common.i18n.t('errors.api.themes.invalidTheme'),`
Improved error context usage (#10669) refs #10571 - Reduced the amount of log output for collision errors - Improved data passed into `errorDetails` during theme check - After discovering https://github.com/TryGhost/Ghost/blob/9810834/core/server/services/themes/index.js#L56-L57 wasn't able to remove `checkedTheme` from `context`. Left a note to be refactored later 2019-04-09 08:00:56 +03:00			`errorDetails: Object.assign(`
			`_.pick(checkedTheme, ['checkedVersion', 'name', 'path', 'version']), {`
			`errors: checkedTheme.results.error`
			`}`
			`),`
			`// NOTE: needs to be removed but first has to be decoupled`
			`// from logic here: https://github.com/TryGhost/Ghost/blob/9810834/core/server/services/themes/index.js#L56-L57`
🐛 Fixed gscan errors not caught for corrupted zips closes TryGhost/Support#426 refs TryGhost/gscan#106 needs TryGhost/gscan#107 GScan can return errors, which was not handled in our theme validator and caused Ghost to crash completely. GScan will now return an Ignition error when its not able to read the `.zip` file. e. g.: `{"errors":[{"message":"Failed to read zip file","context":"tife.zip","errorType":"ValidationError","errorDetails":"invalid relative path: ../tife/"}]}` 2018-05-11 08:12:15 +03:00			`context: checkedTheme`
			`}));`
			`}).catch(function (error) {`
			`return Promise.reject(error);`
			`});`
🔥 🎨 Themes & settings misc cleanup (#8061) no issue 🔥 remove unused loadThemes API method 🚨 Add tests for themes.readOne 🔥 Don't update settings cache for imports - this isn't needed as of #8057 - settings.edit fires an event, that will result in the update happening automatically 🎨 Move validation to themes - slowly collecting all theme-related code together 🔥 Reduce DEBUG output - all this info is a bit tooooo much! 2017-02-28 01:30:49 +03:00			`};`

✨ Themes API activation permissions & validation (#8104) refs #8093 ✨ Add activate theme permission - add permission to activate themes - update tests - also: update tests for invites TODO: change how the active theme setting is updated to reduce extra permissions ✨ Move theme validation to gscan - add a new gscan validation method and use it for upload - update activate endpoint to do validation also using gscan - change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API - remove validation from the settings model - remove the old validation function - add new invalid theme message to translations & remove a bunch of theme validation related unused keys 📖 Planned changes 🚨 Tests for theme activation API endpoint 🐛 Don't allow deleting the active theme 🚫 Prevent activeTheme being set via settings API - We want to control how this happens in future. - We still want to store the information in settings, via the model. - We just don't want to be able to change this info via the settings edit endpoint 🐛 ✨ Fix warnings for uploads & add for activations - warnings for uploads were broken in f8b498d - fix the response + adds tests to cover that warnings are correctly returned - add the same response to activations + more tests - activations now return a single theme object - the theme that was activated + any warnings 🎨 Improve how we generate theme API responses - remove the requirement to pass in the active theme! - move this to a specialist function, away from the list 🎨 Do not load gscan on boot 2017-03-13 14:44:44 +03:00			`module.exports.check = checkTheme;`