Sebastian Gierlinger
2ee8f96829
Revert sessions to cookieSessions
...
no issue
- modified sessions to use cookieSession
- set max-age to 12 hrs
- modified logout to delete cookie completely
2013-10-18 13:24:01 +02:00
Hannah Wolfe
0437e16a7a
Version bump to 0.3.3
2013-10-17 22:49:24 +01:00
Hannah Wolfe
158d237122
Improved error handling
...
fixes #845
- only returns an error page for get requests, otherwise returns a response
- no more admin menu when not logged in
- no more error message about theme error template
- logWarn is available
2013-10-17 22:49:14 +01:00
Hannah Wolfe
f12a3cecf7
Fixing URL-based image uploads on settings screen
2013-10-17 21:54:51 +01:00
Hannah Wolfe
4f8ac2a4fd
Current user data update
2013-10-17 21:38:49 +01:00
Hannah Wolfe
5916844835
Fixes for content screen
...
fixes #1125
- fixes an error in the console when there are no posts
- resolves the issue whereby content disappears after scroll
2013-10-17 21:06:01 +01:00
Hannah Wolfe
e29a598fa5
CSRF for debug screen
2013-10-17 20:52:09 +01:00
Hannah Wolfe
2a6e77752f
API JSON updates
2013-10-17 20:52:05 +01:00
Hannah Wolfe
d9c9ca0e33
Merge pull request #4 from sebgie/sec/3
...
Sec/3
2013-10-17 10:49:40 -07:00
Hannah Wolfe
491651da59
Merge pull request #2 from ErisDS/bookshelf-knex-update
...
Updating to bookshelf 0.5.7 & knex 0.4.11
2013-10-17 10:49:28 -07:00
Tim Griesser
13639ad8d1
Updating to bookshelf 0.5.7 & knex 0.4.11
2013-10-17 18:23:36 +01:00
Sebastian Gierlinger
374c41e138
Remove private data from API
...
no issue
- added removal to user.browse, posts.read, posts.browse
- fixed removal for user.read
2013-10-17 17:15:25 +02:00
Hannah Wolfe
a230b5adcd
Merge pull request #1 from sebgie/security
...
Security improvements
2013-10-17 07:53:21 -07:00
Sebastian Gierlinger
90176e1f40
Security improvements
...
no issue
- added CSRF protection
- changed session handling to express.session
- changed session handling to change session id
- added config property useCookieSession
- added file extension check for /ghost/upload
- removed /ghost/debug/db/reset
2013-10-17 15:28:28 +02:00
Hannah Wolfe
daa87e92c2
Merge pull request #1026 from jenius/master
...
Remove unneeded info from /user api response
2013-10-17 14:12:13 +01:00
John O'Nolan
1bd8002858
Fixed further Firefox display bugs
...
See #1090
Conflicts:
core/client/tpl/settings/user-profile.hbs
2013-10-17 14:10:49 +01:00
John O'Nolan
c6d805cd28
Merge pull request #1090 from bnchdrff/user-image-ff-fix
...
fixes Firefox user image disappearance
2013-10-17 14:04:34 +01:00
Hannah Wolfe
b544ee7ed6
Revert "Updated to latest version of express-hbs"
...
This reverts commit d169bba3f8.
Conflicts:
package.json
2013-10-11 20:14:58 +01:00
Hannah Wolfe
f30e356e7c
Revert "Updated to latest version of express"
...
This reverts commit c95d469eb3.
Conflicts:
package.json
2013-10-11 20:13:44 +01:00
Hannah Wolfe
b4d5918fac
Version bump for 0.3.2
...
- added optional mysql dependency
- removed .afignore
- updates to .gitignore to ignore any additional themes or plugins
2013-10-11 18:21:14 +01:00
Hannah Wolfe
d47b19b491
Added grunt release task
...
closes #941
Conflicts:
Gruntfile.js
2013-10-11 18:19:03 +01:00
Hannah Wolfe
4c89422b0d
Added SECURITY.md file
...
closes #989
2013-10-11 18:17:37 +01:00
Hannah Wolfe
e613d88167
Merge pull request #997 from cobbspur/uploadrefactor
2013-10-11 18:15:45 +01:00
cobbspur
c52a10cd1a
fixed image upload url synchronicity and url removed on cancel
...
closes #988, closes #956, closes #975
- fixed multiple ids and refactored triggers
- persistence requirement overridden
- trash can now removes url in editor
- if empty url is saved http:// is inserted and dropzone initialized
Conflicts:
core/client/assets/lib/uploader.js
2013-10-11 18:15:17 +01:00
Hannah Wolfe
0bb5e8702a
Merge pull request #980 from jamesbloomer/lockdown-assets-rebase
2013-10-11 18:06:11 +01:00
jamesbloomer
9d114c7fa6
Lock down theme static directory to not serve templates, markdown and text files.
...
closes #942
- insert custom middleware to check for blacklisted files
- redirect to express.static if file accepted
- if not valid return next() to do nothing
- currently black listing .hbs, .txt, .md and .json
- debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-11 18:05:31 +01:00
Hannah Wolfe
6db7e6d96e
Merge pull request #1000 from sebgie/issue#872
2013-10-11 13:19:12 +01:00
Sebastian Gierlinger
b040ea3365
Change from address
...
closes #872
- changed from address to use config.mail.fromaddress
- changed from address to default to settings.email
2013-10-11 12:49:33 +01:00
Hannah Wolfe
a37d487ffd
Merge pull request #992 from pmgarman/spacelys-sprockets-n-sockets
2013-10-10 16:19:42 +01:00
Hannah Wolfe
31e2737cfd
Update config validation to allow for socket only
...
issue #887
2013-10-10 16:13:02 +01:00
Patrick Garman
97f592aa41
Allow Ghost to run using sockets
...
Closes #887
- Adds getSocket function > Returns the socket location if sockets are enabled or false
- Adds startGhost function > Callback for server.listen
2013-10-10 16:12:28 +01:00
Hannah Wolfe
54f8a04779
Merge pull request #996 from ErisDS/0.3.2-tagfixes
...
Improving tag handling in post_class and body_class
2013-10-10 07:05:15 -07:00
Hannah Wolfe
7b28056849
Merge pull request #995 from ErisDS/xss
...
XSS
2013-10-10 07:04:50 -07:00
Hannah Wolfe
f1317b84af
Improving tag handling in post_class and body_class
...
closes #967, closes #987
- use slug instead of name (it's unique)
- get tags even if we aren't inside the post context
- add tag handling to body_class too
2013-10-09 19:51:55 +01:00
Hannah Wolfe
14ac437763
Updating to latest Casper
...
- triple braces for post titles everywhere
2013-10-09 19:29:38 +01:00
Hannah Wolfe
95f9fce3be
Swapping escape to sanitize
...
issue #938
- rather than using escape, use node-validator's sanitize function, which is designed for preventing XSS vectors
- added listener for changes to both editor and settings page
- added more sanitization to the user model
- consistently use triple-braces when outputting blog post titles
2013-10-09 19:13:16 +01:00
Tim Griesser
c9235ccb0b
Escaping several fields to prevent XSS
...
issue #938
- escapes post's title field
- escapes settings title, description, email
- escapes user's name field
- includes test for post title
2013-10-09 19:13:13 +01:00
Hannah Wolfe
d169bba3f8
Updated to latest version of express-hbs
...
issue #830
2013-10-07 16:42:25 +01:00
Hannah Wolfe
c95d469eb3
Updated to latest version of express
...
closes #875
2013-10-07 14:31:57 +01:00
Hannah Wolfe
c0d5167f7d
Merge pull request #948 from javorszky/0.3.2-wip
...
Fixes config.example.js
2013-10-05 12:16:32 -07:00
Gabor Javorszky
a37c7958b1
Fixes config.example.js
...
Closes #945
2013-09-30 15:06:54 +01:00
Hannah Wolfe
6bd62538af
Merge branch '0.3.1-wip'
...
Conflicts:
core/server/controllers/admin.js
2013-09-27 17:22:55 +01:00
Hannah Wolfe
0169b78f35
Updating to Latest Casper, more gist fixes
2013-09-27 17:21:06 +01:00
Hannah Wolfe
d866f0f31a
Version bump for 0.3.1 bugfix release
2013-09-27 17:20:52 +01:00
Hannah Wolfe
a5bf8bf1e2
Removing reset button
...
- no one needs this, and someone is bound to press it and then complain.
2013-09-27 17:20:41 +01:00
Hannah Wolfe
4d6455e6d1
Updating to latest Casper, includes fix for gists
2013-09-27 14:17:32 +01:00
Hannah Wolfe
e86958fdb7
Further fix to image markdown
...
issue #866 again
2013-09-27 14:17:19 +01:00
Hannah Wolfe
d841e749f9
Adding extra class for url uploads
2013-09-27 13:34:39 +01:00
Hannah Wolfe
ee8d8102db
Merge pull request #923 from ErisDS/0.3.1-wip-mysql
...
0.3.1 wip mysql
2013-09-27 05:04:45 -07:00
Hannah Wolfe
9ae1dc26db
Merge pull request #914 from gotdibbs/Issue874
2013-09-27 13:03:42 +01:00