Commit Graph

7954 Commits

Author SHA1 Message Date
kirrg001
2b76d7a492 Added lib.security.password lib
no issue

- move password hashing and password comparison to lib/security/password
- added two unit test
- FYI: password hashing takes ~100ms
  - we could probably mock password hashing in certain cases when unit testing
2018-02-15 21:13:04 +01:00
Katharina Irrgang
c6a95c6478
Sorted out the mixed usages of include and withRelated (#9425)
no issue

- this commit cleans up the usages of `include` and `withRelated`.

### API layer (`include`)
- as request parameter e.g. `?include=roles,tags`
- as theme API parameter e.g. `{{get .... include="author"}}`
- as internal API access e.g. `api.posts.browse({include: 'author,tags'})`
- the `include` notation is more readable than `withRelated`
- and it allows us to use a different easier format (comma separated list)
- the API utility transforms these more readable properties into model style (or into Ghost style)

### Model access (`withRelated`)
- e.g. `models.Post.findPage({withRelated: ['tags']})`
- driven by bookshelf

---

Commits explained.

* Reorder the usage of `convertOptions`

- 1. validation
- 2. options convertion
- 3. permissions
- the reason is simple, the permission layer access the model layer
  - we have to prepare the options before talking to the model layer
- added `convertOptions` where it was missed (not required, but for consistency reasons)

* Use `withRelated` when accessing the model layer and use `include` when accessing the API layer

* Change `convertOptions` API utiliy

- API Usage
  - ghost.api(..., {include: 'tags,authors'})
  - `include` should only be used when calling the API (either via request or via manual usage)
  - `include` is only for readability and easier format
- Ghost (Model Layer Usage)
  - models.Post.findOne(..., {withRelated: ['tags', 'authors']})
  - should only use `withRelated`
  - model layer cannot read 'tags,authors`
  - model layer has no idea what `include` means, speaks a different language
  - `withRelated` is bookshelf
  - internal usage

* include-count plugin: use `withRelated` instead of `include`

- imagine you outsource this plugin to git and publish it to npm
- `include` is an unknown option in bookshelf

* Updated `permittedOptions` in base model

- `include` is no longer a known option

* Remove all occurances of `include` in the model layer

* Extend `filterOptions` base function

- this function should be called as first action
- we clone the unfiltered options
- check if you are using `include` (this is a protection which could help us in the beginning)
- check for permitted and (later on default `withRelated`) options
- the usage is coming in next commit

* Ensure we call `filterOptions` as first action

- use `ghostBookshelf.Model.filterOptions` as first action
- consistent naming pattern for incoming options: `unfilteredOptions`
- re-added allowed options for `toJSON`
- one unsolved architecture problem:
  - if you override a function e.g. `edit`
  - then you should call `filterOptions` as first action
  - the base implementation of e.g. `edit` will call it again
  - future improvement

* Removed `findOne` from Invite model

- no longer needed, the base implementation is the same
2018-02-15 10:53:53 +01:00
Kevin Ansfield
d87fe38019 Version bump to 1.21.2 2018-02-14 18:24:04 +00:00
Kevin Ansfield
8fe73d9867 Updated Ghost-Admin to 1.21.2 2018-02-14 18:24:03 +00:00
Hannah Wolfe
fe0197b226 🐛Fixed {{get}} helper's date comparison (#9454)
no issue

- Date comparisons are possible via API, but there's no way to inject a valid date into the get helper
- JavaScript's Date.toString() function outputs dates in a useless format
- Swap to using Date.toISOString() and now the format can be understood anywhere!
- {{#get "posts" filter="published_at:<='{{published_at}}'"}}{{/get}} works now as expected
2018-02-14 18:33:07 +01:00
Katharina Irrgang
9ede5905f6
Reduce toJSON implementation: use the power of bookshelf (#9423)
refs #6103

- simplify `toJSON`
- `baseKey` was not used - have not find a single use case
- all the functionality of our `toJSON` is offered in bookshelf
- `omitPivot` does remove pivot elements from the JSON obj (bookshelf feature)
- `shallow` allows you to not return relations
- make use of `serialize`, see http://bookshelfjs.org/docs/src_base_model.js.html#line260
- fetching nested relations e.g. `users.roles` still works (unrelated to this refactoring)

> pick('shallow', 'baseKey', 'include', 'context')

We will re-add options validation in https://github.com/TryGhost/Ghost/pull/9427, but then with the official way: use `filterOptions`.

---

We return all fetched relations (pre-defined with `withRelated`) by default.
You can disable it with `shallow:true`.
2018-02-14 17:32:11 +01:00
Katharina Irrgang
58157b1411
🐛Fixed asset redirects (#9455)
closes #9445

- redirects all asset requests if https is configured (theme, core, images)
- re-use and extend our url-redirect middleware
- add proper integration tests for our express site app (no db interaction, component testing required for such important use cases)
- i added some more general tests
- should avoid mixed content warnings in the browser
2018-02-14 17:21:31 +01:00
kirrg001
bfd3286b61 Version bump to 1.21.1 2018-02-07 12:35:33 +01:00
kirrg001
2822d725d8 Updated Ghost-Admin to 1.21.1 2018-02-07 12:35:33 +01:00
kirrg001
ed4fde4f00 🐛 Fixed migrating from < 1.13 to 1.21
no issue

- discovered while testing
- the fixture utility needed a protection against non existent roles in the database
  - it tries to fetch the contributor role from the database, which does not exist yet
2018-02-07 12:31:21 +01:00
kirrg001
a8ac58be71 Version bump to 1.21.0 2018-02-07 10:51:41 +01:00
kirrg001
c6ec2777ed Updated Ghost-Admin to 1.21.0 2018-02-07 10:51:41 +01:00
Austin Burdine
777247cbc7 Contributor Role (#9315)
closes #9314 

* added fixtures for contributor role
* update post api tests to prevent contributor publishing post
* update permissible function in role/user model
* fix additional author code in invites
* update contributor role migration for knex-migrator v3
* fix paths in contrib migration
* ensure contributors can't edit or delete published posts, fix routing tests [ci skip]
* update db fixtures hash
* strip tags from post if contributor
* cleanup post permissible function
* excludedAttrs to ignore tag updates for now (might be removed later)
* ensure contributors can't edit another's post
* migration script for 1.21
2018-02-07 10:46:22 +01:00
Katharina Irrgang
a274d61a8c Removed html usage in error messages (#9444)
no issue

- all of the error message keys were unused
- the only html anchor i found was for mail, but this doesn't change anything, because the admin does only show the message and not the context at the moment
2018-02-07 09:35:48 +01:00
Katharina Irrgang
f9d4d01088
Reordered error logging on ghost start (#9440)
no issue

- if we trigger the IPC message to the CLI and the process manager is systemd, systemd will restart Ghost too early (same for local process manager) - this is a timing issue
- the consequence is that the error log won't happen in Ghost (`content/logs/[domain].error.log`  won't contain that error)
- let's reorder both executions

[See](https://github.com/TryGhost/Ghost-CLI/pull/612/files#r165817172) this comment on the CLI PR.
2018-02-04 17:34:55 +01:00
Kevin Ansfield
fb973dbbf2 Fixed missing export of card-markdown card and broken tests
no issue
- fixes rendering bug introduced in 0833b28557
- updates test generators/fixtures to use new card names
2018-02-01 16:26:56 +01:00
Kevin Ansfield
05bcf7ee6a Fixed missing export of card-markdown card
no issue
- fixes the bug introduced in 0833b28557
2018-02-01 15:50:43 +01:00
Kevin Ansfield
0833b28557 Koenig - Rename server-side cards
refs https://github.com/TryGhost/Ghost/issues/9311
- match card names to the new generic Koenig card names introduced in 95a068615d
2018-02-01 12:40:49 +01:00
Kevin Ansfield
6f4e112c87 Updated Ghost-Admin: fix Warning: Task "setup" not found. Use --force to continue.
Aborted due to warnings.
2018-01-29 08:49:47 +00:00
Chuck Lam
ffc6088c7a Fixed comment in facebook_url helper (#9430)
no issue
2018-01-28 18:25:06 +01:00
kirrg001
39ee95cc07 Make use of ES6 arrow functions in our data importer
no issue

- reduces the usage of `self`
2018-01-28 15:48:24 +01:00
kirrg001
2a10c83d92 Improved memory usage in importer
no issue

- returning and remembering the data, which was imported, is...
  - not required when using the API
  - not required when importing via script
  - required for tests
  - added an option to have control over it
- make more usage of local variables
  - the GC cannot tidy up variables, which are defined outside of a loop, but used in the loop
- try to keep less memory in process
  - reduce the number of properties we have to remember
2018-01-28 14:26:38 +01:00
kirrg001
5f9c3b92bd Improved Base importer constructor readability
no issue

- better differentiation between options and data
- better readability how to access required data from file
2018-01-28 13:35:21 +01:00
kirrg001
82bb3aaea1 Do not import unknown author id, fallback to owner id
no issue

- if you import a JSON file with a post, which has an unknown author,
  the target user was removed from the blog
- Ghost can handle this case and still succeeds with import
  - but we have stored an `author_id` in the database, which does not map to any user and won't map in the future
- this can trouble if we add support for multiple authors
  - currently, we only return the `author_id` to the client and the client can map with `author_id` with users fetched by the API
    - if it does not find a user, it just falls back to a different user
  - but multiple authors have to be included explicit (`include=authors`) and we will return a mapped (author_id => user) result
  - it won't be able to find the user, because we lookup the database
  - this would result in an error
- there is in general no reason to import (or store) an unknown/invalid `author_id` into the database
- on import, we show you a warning and you can choose a different author if you want
- solution: fallback to owner user and extend warning
  - it's not a behaviour change, you still can import unknown author id's and the import won't fail
  - but we ensure valid author id's
- updated test
- further more: returning `author={}` when requesting `include=author` could trouble with ember currently
  - it expects the author to be returned
2018-01-27 12:54:36 +01:00
kirrg001
c6f30a46d2 Avoid knex warning when destroying a user
no issue

- the warning is "Transaction was already complete"
- destroying a user happens in a transaction, but the event is not asynchronous
  - so we have to ensure that we don't operate on a finished transaction
2018-01-27 12:31:51 +01:00
kirrg001
b4f355f713 Removed the usages of this.forge(null, {context: options.context})
no issue

- refs fe461da110
- the access plugin was removed
- no need to pass `context` as parameter for `.forge`
2018-01-26 00:35:39 +01:00
kirrg001
fe461da110 Deleted bookshelf access plugin
refs #9127

- permission checks can happen everywhere in the code base
  - we would like to create a context class
- global access to `options.context.is(...)`
- please read more about the access plugin in #9127 section "Model layer and the access plugin".
- removed the plugin and use direct context checks
2018-01-25 17:54:28 +01:00
kirrg001
20d1f86fb6 Fixed broken payload in posts_spec.js
no issue

- the affected test had a wrong payload, but passed anyway because the previous test edited the same title ;)
- this routing test does currently truncate the tables after each test case
  - the test can run faster
  - if we achieve reducing the routing tests, we can reconsider truncating the db
2018-01-25 01:05:59 +01:00
Katharina Irrgang
80a1128016
Bump dependencies (#9421)
no issue

- bookshelf-relations@0.1.5
- ghost-ignition@2.8.18
- sanitize-html@1.17.0
- semver@5.5.0
- uuid@3.2.1
- eslint@4.16.0
- should@13.2.1
- sinon@4.2.1
2018-01-24 22:50:20 +01:00
Kevin Ansfield
8ab9f38ab2 Version bump to 1.20.3 2018-01-23 16:26:10 +00:00
Kevin Ansfield
1ba834f078 Updated Ghost-Admin to 1.20.3 2018-01-23 16:26:10 +00:00
Kevin Ansfield
e78f14bd43 Upgrading Casper to 2.1.9 2018-01-23 16:24:20 +00:00
Hannah Wolfe
c5224b4d31
🛠 Change setup tooling to use yarn setup (#9413)
no issue

1. renamed alias:
  - we have a special alias that does initial setup tasks that are only supposed to be run once
  - changing the alias to be `setup` rather than `init` otherwise it is too easy to confuse with `grunt init`
2. require globals to be installed manually
  - yarn is RUBBISH at managing globals
  - internally we use npm for this (actually we have a managed list of globals) and yarn for everything else
  - by moving this to documentation, rather than a command, we have flexibility to do this differently
  - also explicit globals are better than installing these without the user knowing IMO
3. setup includes knex-migrator
  - do this automatically instead of knex-migrator init being a separate command
  - every other time knex-migrator is needed, Ghost _should_ tell you what to do
2018-01-22 14:48:33 +00:00
Kevin Ansfield
69d5fac61e
Resurrect the old alpha Koenig editor (#9277)
requires https://github.com/TryGhost/Ghost-Admin/pull/916
- add "enableDeveloperExperiments" config flag
- allow any HTML payload through in the HTML mobiledoc card
  - same approach as taken in the markdown card, running the markup through SimpleDOM isn't necessary and is prone to breaking because of it's limited parsing and error handling abilities

To use Koenig modify your `config.development.json` file and add the following flag to the top-level object:

```
"enableDeveloperExperiments": true
```

If you restart the dev server you will then see a new section on the Labs screen with a Koenig Editor checkbox to enable/disable the editor.

⚠️ The editor is in a _very_ broken state, it's there for developer testing and on-going development. _Do not_ try to use this on any production data!
2018-01-18 15:43:22 +00:00
kirrg001
357ea3dffd 🐛 Fixed showing old release notifications in the about page
no issue

- reported in slack (https://ghost.slack.com/files/U8QV8DXQB/F8TSBQ532/image.png)
- do not expose old release notification
  - e.g. you are on 1.20.0
  - you receive a notification for 1.20.1 to update
  - you update to 1.20.1
- ensure we protect exposing the release notification (compare against blog version)
- protect against wrong formats
- @TODO: the notifications could store a `version` property
  - by that we could use `notification.version` and don't have to match the version in the message
2018-01-18 12:19:55 +01:00
kirrg001
147813c2d8 Version bump to 1.20.2 2018-01-17 18:13:44 +01:00
kirrg001
1fd9b2cbd6 Updated Ghost-Admin to 1.20.2 2018-01-17 18:13:44 +01:00
Katharina Irrgang
9a8acd5517
Downgraded dependencies (#9403)
no issue

- knex@0.12.9
- bookshelf@0.10.3
- and any dependency, which relies on knex@0.14
- we experienced an unwated behaviour where the blog keeps too many connections open
- we have to investigate
2018-01-17 17:49:07 +01:00
Peter Garland
35fbba3bcb Fixed bad references to common.i18n (#9402)
no issue

- happened during refactoring (search+replace)
2018-01-17 17:28:42 +01:00
kirrg001
0121683fd8 Version bump to 1.20.1 2018-01-16 14:36:25 +01:00
kirrg001
b5a4160578 Updated Ghost-Admin to 1.20.1 2018-01-16 14:36:25 +01:00
Katharina Irrgang
c062114e47
Increased cache-control for ghost-sdk.min.js and ghost.min.css (#9399)
no issue

- we increase the client in-memory expiry for production built assets
- as soon as there will be another release, a new asset hash is generated and the client cache is invalidated automatically (doesn't matter how long we store the file in the client)
- the next step is to get rid of having asset hashs part as query params
  - ghost-sdk.min.js?v=1234 is becoming e.g. ghost-sdk-1234.min.js
  - reasons:
    - A: performance tools complain about it
    - B: we no longer invalidate the asset hashs for built assets if the theme changes
2018-01-16 12:22:29 +01:00
Katharina Irrgang
e480c7c50d 🐛 Reload translations if active theme get's overridden (#9392)
no issue

- discovered while testing
  - activate theme
  - download theme
  - modify theme
  - upload theme
  - override? yes
  - translation files are not reloaded, because the database is up-to-date
- remove un-used events in theme api layer
- trigger event from theme service
2018-01-12 09:19:28 +00:00
kirrg001
042b18cb69 Bump dependencies
no issue

- brute-knex@4feff38ad2e4ccd8d9de05f04a2ad7a5eb3e0ac1
- knex-migrator@3.1.4
- ghost-ignition@2.8.17
2018-01-11 22:59:22 +01:00
Katharina Irrgang
4d6538fbca
Bump dependencies (#9391)
no issue

- bookshelf@0.12.1
- knex@0.14.2
- moment@2.20.1
- eslint@4.15.0
- nock@9.1.6
- sinon@4.1.4
2018-01-11 21:19:34 +01:00
Hugo Marisco
ccb5fd837e Fixed wrong status code for incorrect token requests (#9374)
closes #9346

- server returned 500, happened when you send an empty username/password
- return 400 instead
- error message is/was correct
2018-01-11 16:17:03 +01:00
David Wolfe
b69b9780a9 Backup endpoint improvements (#9365)
closes #9297

- backup endpoint returns JSON
- allows setting of export filename
- DRY up code
- the endpoint is not documented, no breaking change
2018-01-11 16:03:21 +01:00
kirrg001
b9d3f45402 Version bump to 1.20.0 2018-01-09 21:42:08 +01:00
kirrg001
bf31d562a1 Updated Ghost-Admin to 1.20.0 2018-01-09 21:42:08 +01:00
kirrg001
ccb3b3de38 Fixed 1.20 migration script
no issue

- `models.Settings.destroy` only accepts one argument
2018-01-09 21:38:13 +01:00