Commit Graph

31291 Commits

Author SHA1 Message Date
renovate[bot]
12801a4574 Update dependency ember-svg-jar to v2.4.0 2022-10-07 08:28:53 +07:00
renovate[bot]
4aa8be2e1c Update dependency @embroider/macros to v1.9.0 2022-10-07 08:25:31 +07:00
Naz
5e9d1d3178 Swapped member limit verification trigger event
closes https://github.com/TryGhost/Toolbox/issues/399

- The MemberCreatedEvent event is more accurate representation of the limit nature - counting the number of members created. The previous MemberSubscribeEvent was slightly hacky solution because a member could be subscribed/unsubscribed multiple times and distorting the limit counts.
2022-10-07 09:20:29 +08:00
renovate[bot]
0370dd258d
Update dependency body-parser to v1.20.1 2022-10-06 21:20:56 +00:00
Djordje Vlaisavljevic
ff4f93f4a5 Updated attribution widget design
refs https://github.com/TryGhost/Team/issues/1986
2022-10-06 22:26:54 +02:00
Djordje Vlaisavljevic
37dd97b5c5 Updated default mock state
refs https://github.com/TryGhost/Team/issues/1986
2022-10-06 22:26:54 +02:00
Djordje Vlaisavljevic
2a09d83023 Added an icon
refs https://github.com/TryGhost/Team/issues/1986
2022-10-06 22:26:54 +02:00
Simon Backx
9d27014aff Reverted change in post email serializer
refs d4540012dc

This was committed by accident
2022-10-06 20:16:02 +02:00
Ozan Uslan
220af3b276
🐛 Fixed timezone issue with min/max dates in datetime picker
fixes #15497

`'now'` option for min/max date used `moment()` function and did not consider the timezone of the site.
2022-10-06 20:09:36 +02:00
James Morris
e871aabb70 Updated the comments to 0.10.2 2022-10-06 16:39:42 +01:00
Kevin Ansfield
fc5f0f7c79 Refactored stripe settings form component with Octane patterns
refs https://github.com/TryGhost/Ghost/issues/14101

- migrated to native class syntax and Glimmer component patterns
2022-10-06 16:22:32 +01:00
Kevin Ansfield
c2d8950bd5 Moved and renamed stripe settings form component
no issue

- moved screen-specific component into the `settings/members` folder
- renamed to better reflect the component's purpose
2022-10-06 16:22:32 +01:00
James Morris
4e3380190b Improving the member filters
- Closes dropdown when removing labels
- Larger width to handle multiple labels better
- Subtle focuses when using tabs only
- Bigger close button hitpoints on labels
- Added text ellipis for larger labels in dropdown
- Added some event propagation stops

no issue
2022-10-06 12:21:55 +01:00
Sanne de Vries
a2bfdc7534 Updated error status in post list and the editor
Refs https://github.com/TryGhost/Team/issues/2009
2022-10-06 17:37:08 +07:00
Daniel Lockyer
0ecc6dc238
Added note about fetching the Stripe secret token
- this helps debug what is happening and when
2022-10-06 16:56:05 +07:00
Naz
1880c7c1ec
Updated webhook post.published test
refs https://github.com/TryGhost/Toolbox/issues/320

- Added more complex mobiledoc structure in the post.published test to check for correct transformation of special purpose `__GHOST_URL__`. The snapshot has a correct URL transformation, which gives confidence it works properly
2022-10-06 17:51:14 +08:00
Simon Backx
d4540012dc Added tests for click events in the activity feed
fixes https://github.com/TryGhost/Team/issues/2018

- Includes new test fixtures for redirects and click events
- Tests if post, and links are returned in the click events
2022-10-06 11:43:39 +02:00
Sanne de Vries
08da18e324 Fixed breadcrumbs responsive issues
Refs https://www.notion.so/ghost/Switch-breadcrumb-style-513a624c0e0d490ca39a2fdb97a6971a

- New breadcrumb style broke posts list on smaller screens
- Updated copy to reflect the action taken on the page (e.g. Edit tag)
2022-10-06 16:25:57 +07:00
Daniel Lockyer
7308bb9122
Switched to accessing config loader directly
- I lowered the code coverage on the repo to the point where
  it started failing because I added a new export to the config library
- this wasn't easy to add tests for because the existing config tests
  use the loader directly and not the library export
- instead, I'm just going to make the dev script access the loader, and
  make a note to clean this up in the future when we pull out the config
  module
2022-10-06 16:25:29 +07:00
Simon Backx
aaabf4b103
🎨 Improved email failure handling and retrying (#15504)
fixes https://github.com/TryGhost/Team/issues/2009

- When an email is sent, but it failed there was no way to retry once you left the retry screen
- There was no indication that the email failed to send in the post list and editor
2022-10-06 11:12:11 +02:00
Daniel Lockyer
0bfbee5523
Fixed yarn dev --stripe ignoring HTTPS configured sites
- because the cwd of `.github/dev.js` is not `ghost/core`, it doesn't
  pick up config.local.json files, so any configuration you set in there
  isn't applied
- this meant that developers with HTTPS configured locally couldn't use
  `--stripe` because it wouldn't configure the Stripe listening URL
  correctly
- this adds an exports to the config lib to allow passing options in,
  which I then utilize to pass the directory that config resides in
- this should fix the aforementioned problem with HTTPS
2022-10-06 15:58:51 +07:00
Daniel Lockyer
a35d388543
Fixed missing return when fetching Stripe key fails
- we should protect against the stripe command throwing an error because
  it's not installed or it errors etc
2022-10-06 15:42:19 +07:00
Daniel Lockyer
28cc88c2cd
Added --stripe support to yarn dev
refs https://ghost.slack.com/archives/C02G9E68C/p1665043198507819?thread_ts=1664955131.950719&cid=C02G9E68C

- this adds support for `yarn dev --stripe` which will spin up the
  Stripe CLI to listen for webhooks, and configures Ghost with the
  secret key it needs to communicate
- also fixes a minor typing error with a missing `env: {}`
2022-10-06 15:32:08 +07:00
Daniel Lockyer
12aaaa6d6e
Removed Portal's .editorconfig file
- this should no longer be needed because we have a top-level
  .editorconfig file
2022-10-06 11:23:39 +07:00
Naz
78c97d10a6
Improved post's webhook test annotations
refs https://github.com/TryGhost/Toolbox/issues/320

- There noe "roles" attached to the post's author when the 'post.added' event is fired. Webhooks function based of the model events and differ slightly with it's output comparing to the API response. For example, in case of Posts API, there'a an additional 'findOne' call (ref.: https://github.com/TryGhost/Ghost/blob/main/ghost/core/core/server/models/post.js#L1224-L1227) before returning the post to the endpoint handler and then passing that to the output serializer.
- If we want to have 1:1 copy of webhooks outputs and API outputs, we should rethink how we rely on model event data which is never the same as API controller level data.
2022-10-06 10:50:02 +08:00
Naz
4315b21d25
Fixed note copy 2022-10-06 10:26:23 +08:00
Naz
fe1d0e44b4
Moved Ghost agent matcher to common framework
refs a499f866f3
refs d817e5830d

- The user-agent used in outgoing Ghost requests (webhooks mostly) is dependent on the Ghost version - snapshots break if the matcher is not dynamic.
- There will be a few more webhooks tests coming soon, so makes sense to have this matcher moved to a common "framework matchers"
2022-10-06 08:56:10 +08:00
renovate[bot]
57f09fc8b7 Update dependency semver to v7.3.8 2022-10-05 23:34:22 +00:00
renovate[bot]
ce495969d1
Update dependency terser to v5.15.1 2022-10-05 18:29:24 +00:00
renovate[bot]
fa7a582c78
Update dependency knex-migrator to v5.0.7 2022-10-05 15:06:09 +00:00
Djordje Vlaisavljevic
94aaa168cd Added disabled state with CTA for Zapier integration
refs https://github.com/TryGhost/Team/issues/1157
2022-10-05 15:36:52 +02:00
Simon Backx
a499f866f3 Prevented posts webhook tests from breaking on every release 2022-10-05 14:25:00 +02:00
Simon Backx
f17934a5d2 Updated snapshots for latest release 2022-10-05 14:18:29 +02:00
Daniel Lockyer
f0a0ff66de
Deleted extraneous file
- this snook in at some point
2022-10-05 18:33:32 +07:00
Daniel Lockyer
c4981a71a2
Merged v5.17.2 into main
v5.17.2
2022-10-05 18:33:12 +07:00
Ghost CI
267f1530f0 v5.17.2 2022-10-05 12:32:04 +01:00
Simon Backx
8900db8614
Fixed snapshots for Portal update
refs e86e78fb6b
2022-10-05 18:11:06 +07:00
Simon Backx
811f37e18a
Bumped used Portal version to v2.14.x
refs eac8fbfdfd
refs e7378520a0
refs https://github.com/TryGhost/Ghost/issues/14508
2022-10-05 18:11:06 +07:00
Simon Backx
41a0945592
🐛 Prevented member creation when logging in (#15526)
fixes https://github.com/TryGhost/Ghost/issues/14508

This change requires the frontend to send an explicit `emailType` when sending a magic link. We default to `subscribe` (`signin` for invite only sites) for now to remain compatible with the existing behaviour.

**Problem:**
When a member tries to login and that member doesn't exist, we created a new member in the past.

- This caused the creation of duplicate accounts when members were guessing the email address they used.
- This caused the creation of new accounts when using an old impersonation token, login link or email change link that was sent before member deletion.

**Fixed:**
- Trying to login with an email address that doesn't exist will throw an error now.
- Added new and separate rate limiting to login (to prevent user enumeration). This rate limiting has a higher default limit of 8. I think it needs a higher default limit (because it is rate limited on every call instead of per email address. And it should be configurable independent from administrator rate limiting. It also needs a lower lifetime value because it is never reset.
- Updated error responses in the `sendMagicLink` endpoint to use the default error encoding middleware.
- The type (`signin`, `signup`, `updateEmail` or `subscribe`) is now stored in the magic link. This is used to prevent signups with a sign in token.

**Notes:**
- Between tests, we truncate the database, but this is not enough for the rate limits to be truly reset. I had to add a method to the spam prevention service to reset all the instances between tests. Not resetting them caused random failures because every login in every test was hitting those spam prevention middlewares and somehow left a trace of that in those instances (even when the brute table is reset). Maybe those instances were doing some in memory caching.
2022-10-05 18:11:06 +07:00
Kevin Ansfield
524b23c182
Migrated staff user screen to Ember Octane patterns (#15532)
refs https://github.com/TryGhost/Ghost/issues/14101

- migrated staff user controller to native class syntax
- removed use of `{{action}}` helper
- moved from custom components to native `<input>` and `<textarea>` for form fields
  - added `{{select-on-click}}` modifier to cover the `<GhTextingInput @selectOnClick>` option behaviour for any input element
- added `submitForm()` test helper that finds closest `form` element and trigger's a `submit` event on it simulating <kbd>Enter</kbd> being pressed whilst a field has focus
2022-10-05 12:05:31 +01:00
Simon Backx
b96ff6ae4a Fixed snapshots for Portal update
refs e86e78fb6b
2022-10-05 12:52:50 +02:00
Simon Backx
e86e78fb6b Bumped used Portal version to v2.14.x
refs eac8fbfdfd
refs e7378520a0
refs https://github.com/TryGhost/Ghost/issues/14508
2022-10-05 12:47:03 +02:00
Simon Backx
eac8fbfdfd Released Portal v2.14.0 2022-10-05 12:44:18 +02:00
Simon Backx
e7378520a0
🔒 Prevented member creation when logging in (#15526)
fixes https://github.com/TryGhost/Ghost/issues/14508

This change requires the frontend to send an explicit `emailType` when sending a magic link. We default to `subscribe` (`signin` for invite only sites) for now to remain compatible with the existing behaviour.

**Problem:**
When a member tries to login and that member doesn't exist, we created a new member in the past.

- This caused the creation of duplicate accounts when members were guessing the email address they used.
- This caused the creation of new accounts when using an old impersonation token, login link or email change link that was sent before member deletion.

**Fixed:**
- Trying to login with an email address that doesn't exist will throw an error now.
- Added new and separate rate limiting to login (to prevent user enumeration). This rate limiting has a higher default limit of 8. I think it needs a higher default limit (because it is rate limited on every call instead of per email address. And it should be configurable independent from administrator rate limiting. It also needs a lower lifetime value because it is never reset.
- Updated error responses in the `sendMagicLink` endpoint to use the default error encoding middleware.
- The type (`signin`, `signup`, `updateEmail` or `subscribe`) is now stored in the magic link. This is used to prevent signups with a sign in token.

**Notes:**
- Between tests, we truncate the database, but this is not enough for the rate limits to be truly reset. I had to add a method to the spam prevention service to reset all the instances between tests. Not resetting them caused random failures because every login in every test was hitting those spam prevention middlewares and somehow left a trace of that in those instances (even when the brute table is reset). Maybe those instances were doing some in memory caching.
2022-10-05 12:42:42 +02:00
Daniel Lockyer
609fcb17c0
Removed main from yarn ship
- we might not necessarily be pushing to `main`, for example, if we're
  doing a patch release
2022-10-05 16:47:39 +07:00
Naz
0bf6268091
Updated content-length header matchers
no issue

- All content-length snapshots should be using the same matcher for consistency - anyContentLength. It's more explicit about what the matcher is all about and might be useful to have content-length matchers in one place if it ever changes (the header value should be a damn digit after all, not a string!) (ref. https://www.rfc-editor.org/rfc/rfc7230#section-3.3.2)
2022-10-05 17:34:17 +08:00
Fabien "egg" O'Carroll
28de1720c1 🔒 Fixed magic link endpoint sending multiple emails
refs https://github.com/TryGhost/Team/issues/2024

Without validation it was possible to send a string of comma separated
email addresses to the endpoint, and an email would be sent to each
address, bypassing any rate limiting.

This bug does not allow for an authentication bypass exploit. It is purely a
spam email concern.

Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-05 10:28:13 +01:00
Naz
2288289ae9
Added notes for maxAge config using express.static
no issue

- The milliseconds configuration here is different to "seconds" used in the max-age header value itself and other middlewares (like CORS). It's not going to be fixed upstream, so whenever this piece of code is touched again would be smart to get our own converter from seconds to milliseconds going, or some other mechanism making max-age configuration uniform across codebase
2022-10-05 17:26:21 +08:00
Naz
320c6e0dd3
Abstracted a hacky local URL matcher
refs https://github.com/TryGhost/Toolbox/issues/320

- The URL matcher is very likely to be reused in the future, so having it abstracted away gives two benefits:
1. Central place to document hacky behavior and easier future cleanup
2. The implementer of the e2e test does not have to see the "hacky note" and just concentrate on the implementation of the test
2022-10-05 17:23:02 +08:00
Naz
d817e5830d
Added header snapshots to webhook e2e tests
refs https://github.com/TryGhost/Toolbox/issues/320

- Header snapshot matching was missing from webhook e2e tests. With a bumped version of webhook-mock-receiver it's now possible to record and match webhook request headers.
2022-10-05 17:23:02 +08:00