no issue
- moved card definitions to a new library `@tryghost/kg-default-cards`
- moved `createCard` factory function to a new library `@tryghost/kg-card-factory`
- moved image.manipulation lib to a new package called @tryghost/image-transform
- new package has an updated API signature, so the method calls have changed but the underlying code is identical
- removed the optional sharp dependency from Ghost, as this is now optionally required by the image-transform module
no-issue
This ensures that running individual tests are not relying on other
tests having been run so they suceed, specifically the
regression/site/site_spec.js tests
- mock non existant module util was defined twice
- split it out properly from the rest of the utils, update all references
- this allows us to move this util out of the codebase along with other code, e.g. the image manipulation code
no issue
- Migrations within a minor have to be named with numbered prefixes like 01-, 02-, 03-.
- These two migrations were merged into master in the same time window which lead to having incorrect naming
- Moved zipFolder to a new package
- also exposing extract-zip from the new package
- new package has the API pre-promisified
- also uses @tryghost/extract-zip instead of extract-zip, which has bugfixes
- Show us how long it takes to start Ghost in each acceptance/regression test that uses this method
- Useful for debugging slow tests, and also Ghost boot time!
- Basic set of tests checks that our default behaviour works as expected
- Moved current acceptance tests to api-acceptance, and added this in frontend-acceptance
- This reduces nesting, and will help when we eventually separate the frontend out entirely
- Apps are marked as removed in 3.0, never officially launched and have been deprecated for at least 2 years.
- We've slowly removed bits that got in our way or were insecure over time meaning they mostly didn't work
- This cleans up the remainder of the logic
- The tables should be cleaned up in a future major
- Apps are marked as removed in 3.0, never officially launched and have been deprecated for at least 2 years.
- We've slowly removed bits that got in our way or were insecure over time meaning they mostly didn't work
- This cleans up the remainder of the logic
- The tables should be cleaned up in a future major
- The existing common.i18n library contained code for core and theme translations
- There is some shared logic and some theme-specific logic, and the theme-specific logic has dependencies we don't want in lib/common
- This refactor introduces an I18n base class that does all the main shared logic, with no dependencies on other parts of the codebase
- ThemeI18n then extends this logic, and replaces the functions it needs to handle differently and adds it's dependencies on config and settingsCache
- The class has several methods broken down into smaller pieces to make it easier to extend only the necessary parts
- The class also encapsulates all of its logic, without external functions or variables
- The function loadThemeTranslations becomes the 'init()' function overridden in themeI18n.
no issue
- prep for extraction of various Koenig repos
- html->mobiledoc doesn't really fit into the "renderer" naming as it's more of a converter than a renderer and doesn't follow the same pattern
refs #11464
- Combine reading + parsing of translation file into same step
- DRY reading / parsing logic
- Log an error when parsing fails and fall back as if the locale doesn't exist
closes https://github.com/TryGhost/Ghost/issues/10972
- adds `amp-youtube` to the allowed AMP components list
- adjusts `{{amp_components}}` output to include the `amp-youtube` script if any iframes with youtube urls are detected in the AMP content
Co-authored-by: Joseph Coffland <joseph@cauldrondevelopment.com>
no-issue
This adds two new endpoints, one at /ghost/.well-known/jwks.json for exposing
a public key, and one on the canary api /identities, which allows the
Owner user to fetch a JWT.
This token can then be used by external services to verify the domain
* Added ghost_{public,private}_key settings
This key can be used for generating tokens for communicating with
external services on behalf of Ghost
* Added .well-known directory to /ghost/.well-known
We add a jwks.json file to the .well-known directory which exposes a
public JWK which can be used to verify the signatures of JWT's created
by Ghost
This is added to the /ghost/ path so that it can live on the admin
domain, rather than the frontend. This is because most of its
uses/functions will be in relation to the admin domain.
* Improved settings model tests
This removes hardcoded positions in favour of testing that a particular
event wasn't emitted which is less brittle and more precise about what's
being tested
* Fixed parent app unit tests for well-known
This updates the parent app unit tests to check that the well-known
route is mounted. We all change proxyquire to use `noCallThru` which
ensures that the ubderlying modules are not required. This stops the
initialisation logic in ./well-known erroring in tests
https://github.com/thlorenz/proxyquire/issues/215
* Moved jwt signature to a separate 'token' propery
This structure corresponds to other resources and allows to exptend with
additional properties in future if needed
no issue
- The flag has not been used and can be removed, to make the `members_subscription_settings` JSON record in `settings` table easier to read.
- It used to indicate Stripe configuration being present. Currently that is checked by looking up if Stripe config's `public_token` and `secret_token` values are present (example - https://github.com/TryGhost/Ghost/blob/3.11.0/core/frontend/helpers/ghost_head.js#L54)
no issue
Email template was incorrectly setting up publication icon url in case of subdirectory setup, leading to missing publication logo from newsletter emails in such cases. This adds the fix to use correct absolute url for publication icons in all setups.
no issue
- trying to read a file without the correct permissions would cause a
500 error
- this commit handles the error code and returns an appropriate
response
refs https://github.com/TryGhost/Ghost/issues/11648
- Removes Stripe plan entries from settings that are not formatted correctly.
- Incorrect formatting was caused by a bug in 3.10.0 Admin-Client where it wasn't able to find complimentary plan. Related fix for this here - 9e7a6b801a
no issue
- When created_at value is not provided it should be treated as an empty one instead of trying to import empty string.
- This scenario happens when the column is defined in CSV but no values are present (default parsed value is empty string '')
no issue
- prevent oembed fetching from accessing IP addresses or localhost domains
- prevent oembed endpoint from passing through fetched responses as-is
- reject any fetched data that does not validate against the oembed spec
- strip any unknown properties from the oembed response before returning
Credits: Nick Mykhailyshyn
no-issue
Essentially only active users should have their permissions loaded, this
means that suspended or inactive users are stripped of all permissions
until their status is changed.
closes#10323
* Fixed usage of hasMany for user->session
* Refactored changePassword to async function
* Deleted all user sessions when password changed
* Tested for session retained after password changed
* Added the session to the frame
* Skipped the current session when changing password
no issue
- Made date formatting coherent with the one used in API and the exporter
- Using JSON.stringify() here because that's exactly how API is getting it's formattting done atm
no issue
- Multiple currencies for membe plans were supported under the hood but never had a clear interface to manage them. This change allows to reference currently used currency and it's symbol from the theme layer with following syntax: `{{@price.currency}}` and `{{@price.currency_symbol}}
refs #11304
- Previously the schema publisher logo attribute was incorrectly given the logo url
- schema.org and Google's docs show the logo needing it's own type and url attributes
- I added the correct @type and moved the metaData.site.logo to the new url attribute
- This change now clears the error in Google's Structured Data tester
- A future improvement would be to size the site logo to 60px in height per Google's recommendation
fixes#11636
- malformed URLs passed to oembed API would cause `got` or `metascraper`
to throw an error and this would result in a 500 error from Ghost
- this commit catches the errors and returns a reasonable response
no issue
- Sentry flagged up a redirect URL for the POST action of accessing a
private site which would throw a 500
- `decodeURIComponent` would throw an error if it was passed bad data
- this commit moves the `decodeURIComponent` inside the try-catch to
handle the error
no issue
- Adds 'GET /members/:id/signin_urls' endpoint to Admin API allowing to fetch login URL for member. This URL allows to log in as a member which is useful in situations when you need to impersonate a member (for example to debug some issue they are having)
- Added member_signin_urls permission with migrations. Only the "Owner" user can read "signin_urls" resource. Admin and other users will be denied access
refs 91984b54ca
- For request effieciency we should be using a minified file just like we did previously with `ghost-sdk.js`
- Modified 'max-age' caching header to 1 year for both minified and non-minified files as thay won't affect dev environment and should be beneficial for self-hosting instances that don't use minification
- Along the way corrected an extra 301 redirect because `/public/member.js` path wasn't using a bakslach in the end.
no issue
- This functionality allows member to update their billing information, like credit card information.
- Adds handler to update Stripe billing when element with `data-members-edit-billing` attribute is present on the page. Additional `data-members-success` and `data-members-cancel` attributes could be used to control the redirects on billing update success or failure. They work in the same fission as for 'members-plan' (https://ghost.org/docs/members/checkout-buttons/#redirects)
no issue
- teardown is an internal Mocha hook, and eslint would complain about it
being used outside a test
- our use of teardown is actually a custom function, so it's better to
rename the function across the board
no issue
The email data attached to a post when published with send email flag was not filtered on member access, and picked up the whole member list for email data. This resulted in incorrect data stored in emails table even in case of paid-members-only publish, and also incorrect count of "emails sent" being displayed on Admin.
NOTE: The actual emails being sent are still gated by member access, so no emails were sent to anyone without access, this only affected the associated email data and count. Also, the fix here will show correct email sent status for any future post, but will still show incorrect data for any already published posts as the email data in DB is already wrong and will probably need a migration
no issue
- After investigating effects of allowing editing email there were no significant blockers found, so there is no reason not to allow editing this field
no issue
- This field is usefult when importing from external sources.
- The date format should be compatible with one used internally by Ghost which is RFC 2822 compliant format
refs https://github.com/TryGhost/Team/issues/243
- uses `member.toJSON()` to add a computed `avatar_image` property
- if the member has an email address and gravatar is not disabled then we generate a gravatar url using the `?d=blank` parameter to return a transparent image if the member's email has no gravatar
no issue
- 3.6.0 contained incorrect references in the `schema.js` file for the `members_label` table that was added in that version. On MySQL knex created a foreign key constraint for that reference which stopped member labels from being createable
- this fixes the schema file and has a migration to drop and recreate the table. Knex handles removal and addition of foreign keys during table drop/create
no issue
- When importing through CSV we should remain the defaults of 'subscribed' fields (`true` at the moment), unless it is explicitly set to `false` or `FALSE` (the latter uppercase value often comes from scpredsheets)
no issue
- some errors weren't being reported because they were being passed to
Sentry before our middleware could populate the error information
- this commit inserts the Sentry middleware into these steps
no issue
- when `servePublicFile` middleware serves an image it resulted in a "Cannot set headers after they are sent to the client" error because `next()` was erroneously called for successful requests which then tripped the `prettyUrls` middleware which tries to perform a redirect
- only calling `next()` when an error is present allows errors to be picked up by later middleware but successful requests end in the `servePublicFile` middleware
no issue
* Updated sendEmailWithMagicLink syntax
* Updated label name selection from theme
* Updated migration version for labels
* Added labels to export/import of members
* Added member labels sanitization for case-insensitive duplicates
* Fixed tests
* Fixed label serialization bug on import
* Bumped @tryghost/members-api to 0.15.0
* Fixed lint
* Cleanup
no issue
- Allows for syntax like `{{#has visibility="paid"}}` to be used on Content API resources (posts, pages, etc.)|
- The need for this change cropped out from being able to distinguish paid/member-only/public posts in member-enabled themes.
no issue
We missed handling `undefined` values for fields during csv export for memebrs, which causes csv entries as `undefined` for fields that don't exist. It also added need for extra handling of `undefined` entries during csv import. This PR fixes the bug by properly handling empty/undefined values in export
no issue
- When new Ghost instance is initialized "Complimentary" plan doesn't have to wait for the rest of plans to be configured.
- Without configured plans the admin would still be able to assign "Complimentary" plan to members or import same kind of members.
- There is no error handling at the moment when plan initialization fails, that's why it was very confusing when all of the sudden it wasn't possible to create a member record
closes#11589
- `findOne` method in destroy method was usinng wrong options object (unlinke read method id comes from frame.options not frame.data) thus this was causing 404 errors
- The filename is returned to be able to fetch the backup on demand
- Wasn't able to limit exported tables as exporter doesn't support such functionality
no issue
- serving of our public asset images was broken
- we were reading the binary file in as a string so we could do url transforms, this meant data was lost/corrupted and browsers could not display the served data
- we were using the wrong mime-type for pngs which meant browsers were triggering downloads rather than displaying images (at least when accessed directly)
- updates uses of `servePublicFile` to have the correct png mimetype
- adjusts `servePublicFile` to treat any mime type starting with `image` as a binary file, passing the file directly through express using `res.sendFile` and skipping the in-memory content caching which is mostly only useful for text files with URL transforms
