refs #7204
- Adds a new ThemeValidationError class
- This error has a top level message, but will also contain all the individual errors within the `errorDetails` property
- Updated the API error handling to return `errorDetails` if it is present
no issue
- while testing different situations for custom storage adapters after switching from 0.9 to 0.10, it turned out the error output was not optimal
- this PR improves that
no issue
Double slashes are treated as a HTTP calls as specified in [RFC1801](http://www.ietf.org/rfc/rfc1808.txt). Because of this behaviour the uncapitalise created an open redirect. By removing double slashes in the path we ensure open redirects cannot be created.
As an example, please click the following URL: https://dev.ghost.org///Google.com/.
This issue has been reported by pentesters of our product [LearningSpaces.io](http://learningspaces.io).
refs #2852
- improvement: ensure custom storage adapter has required functions
- serve, save and exists are from now on required functions for a custom storage adapter
- add delete as required storage function
closes#6588, #7095
* `ImageObject` with image dimensions (#7152, #7151, #7153)
- Returns meta data as promise
- returns a new Promise from meta data
- uses `Promise.props()` to resolve `getClient()` and `getMetaData()`
- Adds 'image-size' util
The util returns an object like this
```
{
height: 50,
url: 'http://myblog.com/images/cat.jpg',
width: 50
};
```
if the dimensions can be fetched and rejects with error, if not.
In case we get a locally stored image or a not complete url (like `//www.gravatar.com/andsoon`), we add the protocol to the incomplete one and use `urlFor()` to get the absolute URL. If the request fails or `image-size` is not able to read the file, we reject with error.
- adds 'image-size' module to dependencies
- adds `getImageSizeFromUrl` function that returns image dimensions
- In preparation of AMP support and to improve our schema.org JSON-LD and structured data, I made the following changes:
- Changes the following properties to be `Objects`, which have a `url` property by default and a `dimensions` property, if `width` and `height` are available:
- `metaData.coverImage`
- `metaData.authorImage`
- `metaData.blog.logo`
- Checks cache by calling `getCachedImageSizeFromUrl`. If image dimensions were fetched already, returns them from cache instead of fetching them again.
- If we have image dimensions on hand, the output in our JSON-LD changes from normal urls to be full `ImageObjects`. Applies to all images and logos.
- Special case for `publisher.logo` as it has size restrictions: if the image doesn't fulfil the restrictions (<=600 width and <=60 height), we simply output the url instead, so like before.
- Adds new property for schema.org JSON-LD: `mainEntityOfPage` as an Object.
- Adds additional Open Graph data (if we have the image size): `og:image:width` and `og:image:height`
- Adds/updates tests
* AMP router and controller (#7171, #7157)
Implements AMP in `/apps/`:
- renders `amp.hbs` if route is `/:slug/amp/`
- updates `setResponseContext` to set context to `['amp', 'post']` for a amp post and `['amp', 'page']` for a page, but will not render amp template for a page
- updates `context_spec`
- registers 'amp' as new internal app
- adds the `amp.hbs` template to `core/server/apps/amp` which will be the default template for AMP posts.
- adds `isAmpURL` to `post-lookup`
* 🎨 Use `context` in meta as array (#7205)
Instead of reading the first value of the context array, we're checking if it includes certain context values.
This is a preparation change for AMP, where the context will be delivered as `['amp', 'post']`.
* ✨ AMP helpers (#7174, #7216, #7215, #7223)
- Adds AMP helpers `{{amp_content}}`, `{{amp_component}}` and `{{amp_ghost_head}}` to support AMP:
- `{{amp_content}}`:
- Adds `Amperize` as dependency
- AMP app uses new helper `{{amp_content}}` to render AMP HTML
- `Amperize` transforms regular HTML into AMP HTML
- Adds test for `{{amp_content}}` helper
- Adds 'Sanitize-HTML` as dependendy
- After the HTML get 'amperized' we still might have some HTML tags, which are prohibited in AMP HTML, so we use `sanitize-html` to remove those. With every update, `Amperize` gets and it is able to transform more HTML tags, they valid AMP HTML tags (e. g. `video` and `amp-video`) and will therefore not be removed.
- `{{amp_ghost_head}}`:
- registers `{{amp_ghost_head}}` helper, but uses `{{ghost_head}}` code
- uses `{{amp_ghost_head}}` in `amp.hbs` instead of `{{ghost_head}}`
- `{{ghost_head}}`:
- Render `amphtml` link in metadata for post, which links to the amp post (`getAmpUrl`)
- Updates all test in metadata to support `amp` context
- Changes context conditionals to work with full array instead of first array value
- Adds conditionals, so no additional javascript gets rendered in `{{ghost_head}}`
- Removes trailing `/amp/` in URLs, so only `amphtml` link on regular post renders it
- Adds a conditional, so no code injection will be included, for an `amp` context.
- `{{amp_components}}`:
- AMP app uses new helper `{{amp_components}}` to render necessary script tags for AMP extended components as `amp-iframe`, `amp-anime` and `amp-form`
- Adds test for `{{amp_components}}`
closes#7182
When calling `config.set()` in the settings api, we want to set the active timezone of the blog to make it available in our `settingsCache`. But because the `theme` object in the `set` prototype was already set to `Etc/UTC` as default, the `_.merge` function would always overwrite our `activeTimezone` with the default value.
This PR changes the code in the way, that we always set 'Etc/UTC' for the timezone as default, _until_ we fetched our settings and therefore the `activeTimezone` setting, so we can overwrite it.
This issue had not only influence on the date helper, but everywhere in our codebase, where we rely on reading the `timezone` from our config, instead of our settings. The `{{@blog.timezone}}` helper reflected that quiet well, as it would always show `Etc/UTC`
closes#7212
When no Blog title is set and there is a `from` mail adress without custom name set up in `config.js`, it will overwrite `config.theme.title` in `GhostMailer.from` and forces to have a (wrong) Blog title after sending a test mail or an invitation.
- Uses a variable `defaultBlogTitle` instead of overwriting `config.theme.title`, when no blog title is set and therefore `config.theme.title` has no value.
no issue
- Source out validation logic into a upload validation middleware for all upload types (csv, image, subscribers). This unit can be later used for Ghost 1.0 as a pre validation core unit.
- More usage of route tests than controller tests. These are use case tests, a use case only changes if the product changes
no issue
This small change swaps over the order in which the app routes, and catch-all `*` routes are processed.
This will have an impact on the behaviour of all of our internal apps. Both the private blogging and subscribers apps have a route where they render their own template. Private blogging has `/private/` which renders `private.hbs` and subscribers has a similar `/subscribe/` route (and in future `/unsubscribe/`).
Because these routes weren't listed in our reserved words list, it is possible for a blog to already have a post or a page that lives at `/private/` or, perhaps more likely `/subscribe/`. Prior to this change, their already setup page would be rendered instead of the app's page. After this change, the app's own route will be correctly rendered.
This is effectively a bug fix, because if you enable these features then you would expect them to work.
Moving forward, this change is absolutely required for the AMP app, because the route for that app is `*/amp/`. If the app routes aren't processed first, then this will not work.
no issue
- sets `settings.activeTimezone` to best-guess based on current server time when performing the timezones migration in order to prevent unexpected changes in timezone when upgrading
refs #6976, #7019, #7125
- Ensure maintenance mode flag is set back to what is in config.js rather than defaulted to false on boot
- Remove stack trace from 503 errors
- Add error message to 503 error
- Ensure error page is rendered for Ghost-Admin on reload with 503
closes#5071
- Send application/json requests to UpdateCheck service. New UpdateCheck service accepts JSON request
- If UpdateCheck service respponse has messages[] array, iterate over the array and create custom notifications intended for current version
- Save custom notification if its not already in the store AND its uuid is not in seenNotifications array
- When a custom notification is dismissed, store its uuid in seenNotifications array
- setup test fixtures to trigger tests properly
- api_notification_spec test to ensure custom notification can be added to store and added to seenNotifications when dismissed
- update_check_spec test to ensure custom notification can be displayed for a specific Ghost version
- added test to ensure messages meant for other versions don't create notifications
closes#6948
- the hbs engine was never initialised when server starts
- when you request a page which does not exist, express jumps directly into the error handlers
- delete some dynamic hbs engine setters in theme handler
closes#6625
- "url" and "author" fields depend on {id, published_at, slug, author_id} to construct post url.
- implemented a generic solution by defining defaultColumnsToFetch() in
base class for models.
- findPage() calls defaultColumnsToFetch() before loading models
- results are transformed by filtering out additional properties to return just the requested fields
- Added a test case to check for url and author fields
- Renamed allColumns as requestedColumns and used _.map instead of Promise.map
closes#6691
- removes dependency on semver & package.json in preinstall script
- has a simplified proxy of semver to look for the right version numbers
refs #6958 (first task of it)
-includes additional tests
-Instead of removing all slashes "/g" we now specifically remove leading and trailing slashes.
closes#6932
- new default order of posts: scheduled, draft, published
- invent orderDefaultRaw fn for each model
- each model is able to create a default raw order query
- separate count and fetch query for fetchPage, because the count query where group/order statements attached
closes#7060
- changed meta referrer from origin to origin-when-cross-origi
- made referrer policy configurable via referrerPolicy option in config js
- added example to config.example.js
-modified test to reflect new defaul origin-when-cross-origin
-added a test for configuration changed referrerPolicy
closes#6984
-the backlink had a static href to {{@blog.url}} which is now changed to {{#if subscribed_url}}{{subscribed_url}}{{else}}{{@blog.url}}{{/if}} to reflect the referring url.
-This PR makes the back link on the subscribe page to link back to the referring page instead of linking back to /
refs #7023
The template can be used for all cases (different newsletter interval, different amount of blog posts, with or without blog picture).
The template can be filled with the following data structure:
- `blog.logo` is the blog logo from settings
- `blog.title` is the title of the current blog
- `blog.url` is the URL of the blog
- `blog.twitterURL` is the twitter profile URL of the blog from settings
- `blog.facebookURL` is the facebook page URL of the blog from settings
- `blog.unsubscribe` is the link for the reader to unsubscribe from the blog
- `newsletter.interval` is the interval in words like 'weekly', 'daily', 'monthly'
- `newsletter.date` is the date of the newsletter issue in a format like 'June 9th, 2016'
- `blog.post` is expected to be an array:
- `blog.post[i].picture` is the picture of the blog post. There are also conditionals, which change the inline CSS to either show a border-top if there's no picture (in that case the HTML code, that shows the picture is not active)
- `blog.post[i].title` is the title of the current blog post
- `blog.post[i].text` is the text of the current blog post, which needs to be cut down to 278 letters, plus ending with `…`
- `blog.post[i].url` is the URL of the current blog post
- `blog.post[i].tag` is the tag of the current blog post
- `blog.post[i].author` is the author of the current blog post
Important is, that only HEX HTML entities will work, especially in Outlook. So instead of `—` we need to use `—` and `’` instead of `'` or `'` and so on.
Added unit test for newsletter template in `test/unit/mail/utils_spec.js`.
no issue
This is a fix for the default-scheduler.
When a post never had a published_at value, the oldTime for removing the job would be null. And in this case we would try to delete a job with an invalidate date.
