Commit Graph

1926 Commits

Author SHA1 Message Date
Aileen Nowak
1bc1f165f1 💄 Add post image to AMP template and style fixes (#7272)
no issue

Will show the post image on top of the AMP page, if image is uploaded.
Some minor style changes.
2016-08-26 12:28:45 +02:00
Aileen Nowak
d59f199ee3 🐛 🎨 Improves AMP validation for video and iframe (#7270)
no issue

Video tags aren't supported in Amperize yet, therefore, we strip them out. If a `<video>` tag has nested `<source>` elements, they would stay because they are whitelisted regarding `Sanitize`, as we use them for `<audio>` tags as well.

This PR uses `cheerio` to strip out in `<video>` nested `<source>` tags, without removing the fallback text.
It also removes prohibites attributes for `<amp-iframe>` which are e. g. used by Vimeo embeds.

Removes every kind of inline `style` attributes, as they will cause validation errors as well.
2016-08-25 12:47:28 +02:00
Aileen Nowak
93ee19f36e 🐛 fix: make small media types not stretch (#7265)
no issue

Fixes a bug with displaying small media types like images or gif. Two reasons for that:
1. In many cases, we only have the relative URL instead of the absolute URL for the media source and therefore, `Amperize` module wasn't able to detect the image size and set the default image size of `width="600"` and `height="400"`.
2. Even if we have detected the correct image size, the attribute `layout="default"` would still make it strech. This issue is fixed in `Amperize`, but it wasn't merged at this time, so I set the dependency on my fork.

Adds `amp-anim` to the `.post-content` class, to have same CSS style as an image.
2016-08-25 11:09:25 +02:00
Hannah Wolfe
84a35a4753 🎨 Theme events (#7269)
no issue
- add events for uploaded, downloaded & deleted
2016-08-25 10:36:12 +02:00
Hannah Wolfe
545d2cb8b0 Use node-archiver to create zips (#7268)
closes #7266, closes #7267

- Adds node-archiver as a dependency
- Adds new zip-folder utility
- Switch out exec 'zip' for zip folder utility
- Store generated zips in os.tmpdir
- Don't delete zips from content/themes when uploading or deleting
- Fixes path resolution for delete
2016-08-25 09:22:22 +02:00
Aileen Nowak
f7129a0e39 🎨 Util to convert relative urls in absolute (#7264)
no issue

This PR takes the existing function `processUrls` in `data/xml/rss` and refactors it to be a stand-alone util.
The change is needed, as this functionality will be accessed from `apps/amp` to convert relative URLs.
2016-08-25 07:09:40 +01:00
Hannah Wolfe
5739411c51 🐛 Ensure sitemap items are valid (#7261)
closes #7186

- Add a concept of validity to each generator
- Refactor base generator to handle invalid (empty) nodes for both events & the initial generation
- Update the tests a bit, to fix some bugs in the tests
- Ensure the homepage is always present
2016-08-25 07:13:08 +02:00
Hannah Wolfe
02ca986ed7 🎨 Improve theme validation error messaging (#7253)
refs #7204

- Adds a new ThemeValidationError class
- This error has a top level message, but will also contain all the individual errors within the `errorDetails` property
- Updated the API error handling to return `errorDetails` if it is present
2016-08-24 14:45:54 +02:00
Katharina Irrgang
fb4a4817ef improvement: storage error handling (#7257)
no issue

- while testing different situations for custom storage adapters after switching from 0.9 to 0.10, it turned out the error output was not optimal
- this PR improves that
2016-08-24 13:32:29 +01:00
Katharina Irrgang
a91e54cf1a feature: theme upload/download/delete (#7209)
refs #7204

- added 3 new themes permissions
- change core/client
- add theme upload/download logic
- extended local file storage to serve zips
- added gscan dependency
- add ability to handle the express response within the api layer
- restrict theme upload to local file storage
- added 007 migration
2016-08-23 13:07:25 +01:00
Jesse Dijkstra
f546a5ce1d Remove open redirect by removing double slashes from redirects (#7247)
no issue

Double slashes are treated as a HTTP calls as specified in [RFC1801](http://www.ietf.org/rfc/rfc1808.txt). Because of this behaviour the uncapitalise created an open redirect. By removing double slashes in the path we ensure open redirects cannot be created.

As an example, please click the following URL: https://dev.ghost.org///Google.com/.

This issue  has been reported by pentesters of our product [LearningSpaces.io](http://learningspaces.io).
2016-08-23 13:47:59 +02:00
Katharina Irrgang
6a1c10516e improvement: ensure custom storage adapter has required functions (#7234)
refs #2852

- improvement: ensure custom storage adapter has required functions
- serve, save and exists are from now on required functions for a custom storage adapter
- add delete as required storage function
2016-08-22 22:51:42 +01:00
Katharina Irrgang
41ae8c03b9 feature: storage adapter for images and themes (#7241)
refs #2852
- we offer the option to define a storage for themes and a storage for images
2016-08-22 18:55:28 +01:00
Aileen Nowak
a5c29dfc34 [FEATURE] AMP (#7229)
closes #6588, #7095

* `ImageObject` with image dimensions (#7152, #7151, #7153)
- Returns meta data as promise
    - returns a new Promise from meta data
    - uses `Promise.props()` to resolve `getClient()` and `getMetaData()`

- Adds 'image-size' util
The util returns an object like this
```
{
    height: 50,
    url: 'http://myblog.com/images/cat.jpg',
    width: 50
};
```
if the dimensions can be fetched and rejects with error, if not.
In case we get a locally stored image or a not complete url (like `//www.gravatar.com/andsoon`), we add the protocol to the incomplete one and use `urlFor()` to get the absolute URL. If the request fails or `image-size` is not able to read the file, we reject with error.
- adds 'image-size' module to dependencies
- adds `getImageSizeFromUrl` function that returns image dimensions

- In preparation of AMP support and to improve our schema.org JSON-LD and structured data, I made the following changes:
    - Changes the following properties to be `Objects`, which have a `url` property by default and a `dimensions` property, if `width` and `height` are available:
        - `metaData.coverImage`
        - `metaData.authorImage`
        - `metaData.blog.logo`
    - Checks cache by calling `getCachedImageSizeFromUrl`. If image dimensions were fetched already, returns them from cache instead of fetching them again.
    - If we have image dimensions on hand, the output in our JSON-LD changes from normal urls to be full `ImageObjects`. Applies to all images and logos.
    - Special case for `publisher.logo` as it has size restrictions: if the image doesn't fulfil the restrictions (<=600 width and <=60 height), we simply output the url instead, so like before.
    - Adds new property for schema.org JSON-LD: `mainEntityOfPage` as an Object.
    - Adds additional Open Graph data (if we have the image size): `og:image:width` and `og:image:height`
    - Adds/updates tests

* AMP router and controller (#7171, #7157)
Implements AMP in `/apps/`:
- renders `amp.hbs` if route is `/:slug/amp/`
- updates `setResponseContext` to set context to `['amp', 'post']` for a amp post and `['amp', 'page']` for a page, but will not render amp template for a page
- updates `context_spec`
- registers 'amp' as new internal app
- adds the `amp.hbs` template to `core/server/apps/amp` which will be the default template for AMP posts.
- adds `isAmpURL` to `post-lookup`

* 🎨 Use `context` in meta as array (#7205)
Instead of reading the first value of the context array, we're checking if it includes certain context values.
This is a preparation change for AMP, where the context will be delivered as `['amp', 'post']`.

*  AMP helpers (#7174, #7216, #7215, #7223)
- Adds AMP helpers `{{amp_content}}`, `{{amp_component}}` and  `{{amp_ghost_head}}` to support AMP:
- `{{amp_content}}`:
    - Adds `Amperize` as dependency
    - AMP app uses new helper `{{amp_content}}` to render AMP HTML
    - `Amperize` transforms regular HTML into AMP HTML
    - Adds test for `{{amp_content}}` helper
    - Adds 'Sanitize-HTML` as dependendy
    - After the HTML get 'amperized' we still might have some HTML tags, which are prohibited in AMP HTML, so we use `sanitize-html` to remove those. With every update, `Amperize` gets and it is able to transform more HTML tags, they valid AMP HTML tags (e. g. `video` and `amp-video`) and will therefore not be removed.
- `{{amp_ghost_head}}`:
    - registers `{{amp_ghost_head}}` helper, but uses `{{ghost_head}}` code
    - uses `{{amp_ghost_head}}` in `amp.hbs` instead of `{{ghost_head}}`
- `{{ghost_head}}`:
    - Render `amphtml` link in metadata for post, which links to the amp post (`getAmpUrl`)
    - Updates all test in metadata to support `amp` context
    - Changes context conditionals to work with full array instead of first array value
    - Adds conditionals, so no additional javascript gets rendered in `{{ghost_head}}`
    - Removes trailing `/amp/` in URLs, so only `amphtml` link on regular post renders it
    - Adds a conditional, so no code injection will be included, for an `amp` context.
- `{{amp_components}}`:
    - AMP app uses new helper `{{amp_components}}` to render necessary script tags for AMP extended components as `amp-iframe`, `amp-anime` and `amp-form`
    - Adds test for `{{amp_components}}`
2016-08-22 18:49:27 +02:00
Aileen Nowak
2875f5a9bc 🐛 config.theme.timezone must not be overwritten (#7232)
closes #7182

When calling `config.set()` in the settings api, we want to set the active timezone of the blog to make it available in our `settingsCache`. But because the `theme` object in the `set` prototype was already set to `Etc/UTC` as default, the `_.merge` function would always overwrite our `activeTimezone` with the default value.

This PR changes the code in the way, that we always set 'Etc/UTC' for the timezone as default, _until_ we fetched our settings and therefore the `activeTimezone` setting, so we can overwrite it.

This issue had not only influence on the date helper, but everywhere in our codebase, where we rely on reading the `timezone` from our config, instead of our settings. The `{{@blog.timezone}}` helper reflected that quiet well, as it would always show `Etc/UTC`
2016-08-22 17:56:35 +02:00
Katharina Irrgang
07e59cf27e fixes: storage base getUniqueFileName (#7230)
no issue
- getUniqueFileName does not replace . by -
- added poor extensions validation
2016-08-22 16:54:10 +01:00
Katharina Irrgang
3b8f08e0ec fix: delete unused theme endpoints (#7231)
no issue
2016-08-22 10:54:54 +01:00
Aileen Nowak
18eda54cf0 🐛 Change default referrer policy (#7240)
closes #7235

Changes the default referrer policy to `no-referrer-when-downgrade` because Safari can't deal with `origin-when-crossorigin`.
2016-08-22 11:20:56 +02:00
Aileen Nowak
7fca4c8a4f 🐛 Don't overwrite config.theme.title in GhostMail (#7224)
closes #7212

When no Blog title is set and there is a `from` mail adress without custom name set up in `config.js`, it will overwrite `config.theme.title` in `GhostMailer.from` and forces to have a (wrong) Blog title after sending a test mail or an invitation.

- Uses a variable `defaultBlogTitle` instead of overwriting `config.theme.title`, when no blog title is set and therefore `config.theme.title` has no value.
2016-08-19 10:22:07 +02:00
John O'Nolan
61a8845ab5 Switch to new native system font stack (#7219)
no issue

Based on an increasingly popular trend and modern web typography capabilities, switch out Google Fonts for default native system fonts, tailored in a stack to suit every device. Also makes some very minor visual adjustments to suit.

Nixes all references to Google Fonts, and provides a faster rendering experience and fewer http requests. 💃

Reference material:

https://www.smashingmagazine.com/2015/11/using-system-ui-fonts-practical-guide/
https://medium.design/system-shock-6b1dc6d6596f#.rhqx5fmyz
Dependencies:

TryGhost/Ghost-Admin#211
TryGhost/Ghost-Desktop#190
2016-08-18 20:29:46 +01:00
Katharina Irrgang
663b410fd4 feature: upload validation middleware (#7208)
no issue

- Source out validation logic into a upload validation middleware for all upload types (csv, image, subscribers). This unit can be later used for Ghost 1.0 as a pre validation core unit. 
- More usage of route tests than controller tests. These are use case tests, a use case only changes if the product changes
2016-08-18 20:25:51 +01:00
Hannah Wolfe
3381449d78 Added new setup.completed event (#7217)
refs #6924

- New event allows us to hook into setup in other ways
2016-08-17 20:59:15 +02:00
Misha Wakerman
634956e7db Removes internal tags from sitemap (#7199)
closes #7186
2016-08-13 07:00:43 -06:00
Katharina Irrgang
9cd9e03fdb fix: notification store without duplicates (#7135)
closes #7133
- ensure we don't add duplicate notifications to the in process notification store
2016-08-11 08:58:51 +01:00
Tim Walling
a0288303f6 Check file type and file extension when importing csv (#7185)
issue #7144
- added a check for file type and file extension
- added an error message to the localization file
- added integration test
2016-08-11 08:46:06 +01:00
Aileen Nowak
3c669cdd1f Swap order of apps & catch-all route (#7194)
no issue

This small change swaps over the order in which the app routes, and catch-all `*` routes are processed.

This will have an impact on the behaviour of all of our internal apps. Both the private blogging and subscribers apps have a route where they render their own template. Private blogging has `/private/` which renders `private.hbs` and subscribers has a similar `/subscribe/` route (and in future `/unsubscribe/`).

Because these routes weren't listed in our reserved words list, it is possible for a blog to already have a post or a page that lives at `/private/` or, perhaps more likely `/subscribe/`. Prior to this change, their already setup page would be rendered instead of the app's page. After this change, the app's own route will be correctly rendered.

This is effectively a bug fix, because if you enable these features then you would expect them to work.

Moving forward, this change is absolutely required for the AMP app, because the route for that app is `*/amp/`. If the app routes aren't processed first, then this will not work.
2016-08-10 11:11:41 +01:00
Austin Burdine
58bb111c56 ensure static page edit route redirects to editor (#7169)
closes #7168
- double check that page matches the page format in post-lookup
- add tests
2016-08-08 09:42:04 +02:00
Katharina Irrgang
20bf744df3 fix: added missing client translation (#7180)
no issue
2016-08-06 04:55:45 -06:00
Katharina Irrgang
c6f1a8de13 fix: refresh settings cache for migration 006 (#7147)
no issue
- refresh settings cache after 006/001 migration fixture
2016-07-26 13:53:17 +01:00
Katharina Irrgang
e5a0471c9d improvement: set activeTimezone when transforming dates (#7142)
no issue
- sets `settings.activeTimezone` to best-guess based on current server time when performing the timezones migration in order to prevent unexpected changes in timezone when upgrading
2016-07-26 12:05:39 +01:00
Katharina Irrgang
c9dc367bf0 improvement: validate timezones (#7143)
no issue
- add isTimezone to schema validation
2016-07-26 10:23:20 +01:00
Katharina Irrgang
417b9b6b7c fix: enable maintenance mode only if there is an upgrade to perform (#7129)
refs #7125
- create isDatabaseOutOfDate fn for initial migration update checks
- only set maintenance.enabled to true if migration needs to happen
2016-07-26 09:56:07 +01:00
Hannah Wolfe
d08926c347 Allow maintenance mode to be set in config.js (#7124)
refs #6976, #7019, #7125

- Ensure maintenance mode flag is set back to what is in config.js rather than defaulted to false on boot
- Remove stack trace from 503 errors
- Add error message to 503 error
- Ensure error page is rendered for Ghost-Admin on reload with 503
2016-07-25 21:28:35 +02:00
Austin Burdine
218bc06278 don't populate settings defaults twice on startup (#7121) 2016-07-22 20:01:36 +01:00
Vijay Kandy
f2d09df512 Support for custom notifications (#7077)
closes #5071

- Send application/json requests to UpdateCheck service. New UpdateCheck service accepts JSON request
- If UpdateCheck service respponse has messages[] array, iterate over the array and create custom notifications intended for current version
- Save custom notification if its not already in the store AND its uuid is not in seenNotifications array
- When a custom notification is dismissed, store its uuid in seenNotifications array
- setup test fixtures to trigger tests properly
- api_notification_spec test to ensure custom notification can be added to store and added to seenNotifications when dismissed
- update_check_spec test to ensure custom notification can be displayed for a specific Ghost version
- added test to ensure messages meant for other versions don't create notifications
2016-07-22 14:02:10 +01:00
Lukas Strassel
9d1848ce5c Allow usage of blogurl:port inside of navigation (#6998)
closes #6893

- modified logic to allow urls in form of domain:port to be referenced in navigation
- added a test a domain:port link
2016-07-21 14:05:13 +01:00
Kevin Ansfield
302702c740 Revert "fix: ensure we initialise activeTheme on bootstrap (#6950)"
This reverts commit 8f2afeed03.
2016-07-21 12:26:16 +01:00
Katharina Irrgang
8f2afeed03 fix: ensure we initialise activeTheme on bootstrap (#6950)
closes #6948
- the hbs engine was never initialised  when server starts
- when you request a page which does not exist, express jumps directly into the error handlers
- delete some dynamic hbs engine setters in theme handler
2016-07-21 12:09:11 +01:00
Vijay Kandy
ffd3ec563a fix: "url" field is undefined when restricting returned fields (#7089)
closes #6625

- "url" and "author" fields depend on {id, published_at, slug, author_id} to construct post url.
- implemented a generic solution by defining defaultColumnsToFetch() in
  base class for models.
- findPage() calls defaultColumnsToFetch() before loading models
- results are transformed by filtering out additional properties to return just the requested fields
- Added a test case to check for url and author fields
- Renamed allColumns as requestedColumns and used _.map instead of Promise.map
2016-07-18 22:21:47 +02:00
Hannah Wolfe
37da544dcc Node version check w/o semver (#7097)
closes #6691

- removes dependency on semver & package.json in preinstall script
- has a simplified proxy of semver to look for the right version numbers
2016-07-16 01:20:05 +02:00
Joris Berthelot
795a59d677 Allow @ in image name for retina JS support (#7081)
no issue

- Updates unique filename generator to not replace `@` with `-`, but to leave it in place instead.
2016-07-15 17:50:41 +01:00
Katharina Irrgang
8c6ba47b0e fix: offset bug when switching timezones (#7101)
no issue
2016-07-15 17:44:22 +01:00
Katharina Irrgang
748c664b78 feature: maintenance mode (#7019)
closes #6976
- add maintenance mode when running migrations
- refactor update/populate migrations
2016-07-15 17:22:41 +01:00
Lukas Strassel
9222577c27 allow multiple subdirectories (#7062)
refs #6958 (first task of it)
-includes additional tests
-Instead of removing all slashes "/g" we now specifically remove leading and trailing slashes.
2016-07-15 12:35:39 +02:00
Katharina Irrgang
416c215018 change default order of posts (#7096)
closes #6932
- new default order of posts: scheduled, draft, published
- invent orderDefaultRaw fn for each model
- each model is able to create a default raw order query
- separate count and fetch query for fetchPage, because the count query where group/order statements attached
2016-07-15 11:04:10 +01:00
Lukas Strassel
6439d60bc8 meta referrer improvements (#7088)
closes #7060
- changed meta referrer from origin to origin-when-cross-origi
- made referrer policy configurable via referrerPolicy option in config js
- added example to config.example.js
-modified test to reflect new defaul origin-when-cross-origin
-added a test for configuration changed referrerPolicy
2016-07-14 18:14:59 +02:00
Lukas Strassel
9c2d14949d Fix: back link on the subscribe page (#7059)
closes #6984
-the backlink had a static href to {{@blog.url}} which is now changed to {{#if subscribed_url}}{{subscribed_url}}{{else}}{{@blog.url}}{{/if}} to reflect the referring url.
-This PR makes the back link on the subscribe page to link back to the referring page instead of linking back to /
2016-07-14 17:09:40 +02:00
Katharina Irrgang
6e1bd2838e improvement: migrations (#7000)
closes #6972, #6574

- run each database version as top level transaction
- run migrations in correct order
2016-07-14 11:59:42 +01:00
Aileen Nowak
24c86b49d1 HTML newsletter template for subscribers (#7045)
refs #7023

The template can be used for all cases (different newsletter interval, different amount of blog posts, with or without blog picture).

The template can be filled with the following data structure:
- `blog.logo` is the blog logo from settings
- `blog.title` is the title of the current blog
- `blog.url` is the URL of the blog
- `blog.twitterURL` is the twitter profile URL of the blog from settings
- `blog.facebookURL` is the facebook page URL of the blog from settings
- `blog.unsubscribe` is the link for the reader to unsubscribe from the blog
- `newsletter.interval` is the interval in words like 'weekly', 'daily', 'monthly'
- `newsletter.date` is the date of the newsletter issue in a format like 'June 9th, 2016'
- `blog.post` is expected to be an array:
	- `blog.post[i].picture` is the picture of the blog post. There are also conditionals, which change the inline CSS to either show a border-top if there's no picture (in that case the HTML code, that shows the picture is not active)
	- `blog.post[i].title` is the title of the current blog post
	- `blog.post[i].text` is the text of the current blog post, which needs to be cut down to 278 letters, plus ending with `&#x2026;`
	- `blog.post[i].url` is the URL of the current blog post
	- `blog.post[i].tag` is the tag of the current blog post
	- `blog.post[i].author` is the author of the current blog post

Important is, that only HEX HTML entities will work, especially in Outlook. So instead of `&mdash;` we need to use `&#x2014;` and `&#x2019;` instead of `&apos;` or `'` and so on.

Added unit test for newsletter template in `test/unit/mail/utils_spec.js`.
2016-07-08 21:40:32 -06:00
Austin Burdine
a1a5e55bf7 improve styling on private blogging password page (#7021)
refs TryGhost/Casper#253
- make private.hbs styling consistent with the ghost signin page
2016-07-07 15:37:42 +01:00