TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-26 04:13:30 +03:00
Code Issues Projects Releases Wiki Activity
1,082 Commits 253 Branches 1,686 Tags 400 MiB
2ee8f96829
Commit Graph

265 Commits

Author SHA1 Message Date
Sebastian Gierlinger
2ee8f96829 Revert sessions to cookieSessions 
no issue
- modified sessions to use cookieSession
- set max-age to 12 hrs
- modified logout to delete cookie completely
 2013-10-18 13:24:01 +02:00
Hannah Wolfe
158d237122 Improved error handling 
fixes #845

- only returns an error page for get requests, otherwise returns a response
- no more admin menu when not logged in
- no more error message about theme error template
- logWarn is available
 2013-10-17 22:49:14 +01:00
Hannah Wolfe
e29a598fa5 CSRF for debug screen 2013-10-17 20:52:09 +01:00
Hannah Wolfe
2a6e77752f API JSON updates 2013-10-17 20:52:05 +01:00
Hannah Wolfe
d9c9ca0e33 Merge pull request #4 from sebgie/sec/3 
Sec/3
 2013-10-17 10:49:40 -07:00
Hannah Wolfe
491651da59 Merge pull request #2 from ErisDS/bookshelf-knex-update 
Updating to bookshelf 0.5.7 & knex 0.4.11
 2013-10-17 10:49:28 -07:00
Tim Griesser
13639ad8d1 Updating to bookshelf 0.5.7 & knex 0.4.11 2013-10-17 18:23:36 +01:00
Sebastian Gierlinger
374c41e138 Remove private data from API 
no issue
- added removal to user.browse, posts.read, posts.browse
- fixed removal for user.read
 2013-10-17 17:15:25 +02:00
Sebastian Gierlinger
90176e1f40 Security improvements 
no issue
- added CSRF protection
- changed session handling to express.session
- changed session handling to change session id
- added config property useCookieSession
- added file extension check for /ghost/upload
- removed /ghost/debug/db/reset
 2013-10-17 15:28:28 +02:00
Hannah Wolfe
daa87e92c2 Merge pull request #1026 from jenius/master 
Remove unneeded info from /user api response
 2013-10-17 14:12:13 +01:00
jamesbloomer
9d114c7fa6 Lock down theme static directory to not serve templates, markdown and text files. 
closes #942
- insert custom middleware to check for blacklisted files
- redirect to express.static if file accepted
- if not valid return next() to do nothing
- currently black listing .hbs, .txt, .md and .json
- debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting
a theme serve unknown types
 2013-10-11 18:05:31 +01:00
Sebastian Gierlinger
b040ea3365 Change from address 
closes #872
- changed from address to use config.mail.fromaddress
- changed from address to default to settings.email
 2013-10-11 12:49:33 +01:00
Hannah Wolfe
54f8a04779 Merge pull request #996 from ErisDS/0.3.2-tagfixes 
Improving tag handling in post_class and body_class
 2013-10-10 07:05:15 -07:00
Hannah Wolfe
f1317b84af Improving tag handling in post_class and body_class 
closes #967, closes #987

- use slug instead of name (it's unique)
- get tags even if we aren't inside the post context
- add tag handling to body_class too
 2013-10-09 19:51:55 +01:00
Hannah Wolfe
95f9fce3be Swapping escape to sanitze 
issue #938

- rather than using escape, use node-validatiors santize function which is designed for preventing xss vectors
- added listener for changes to both editor and settings page
- added more sanitization to the user model
- consistently use triple-braces when outputting blog post titles
 2013-10-09 19:13:16 +01:00
Tim Griesser
c9235ccb0b Escaping several fields to prevent XSS 
issue #938
- escapes post's title field
- escapes settings title, description, email
- escapes user's name field
- includes test for post title
 2013-10-09 19:13:13 +01:00
Hannah Wolfe
6bd62538af Merge branch '0.3.1-wip' 
Conflicts:
	core/server/controllers/admin.js
 2013-09-27 17:22:55 +01:00
Hannah Wolfe
a5bf8bf1e2 Removing reset button 
- noone needs this, and someone is bound to press it and then complain.
 2013-09-27 17:20:41 +01:00
Hannah Wolfe
ee8d8102db Merge pull request #923 from ErisDS/0.3.1-wip-mysql 
0.3.1 wip mysql
 2013-09-27 05:04:45 -07:00
Hannah Wolfe
d544b4aebb Custom destroy method for posts 
issue #858

- correctly handles detaching tags before deleting the post
 2013-09-27 11:56:20 +01:00
Hannah Wolfe
e6b779330f Correctly test for an empty Tag array 
issue #858

- fixes syntax errors in mysql
 2013-09-27 11:55:02 +01:00
Hannah Wolfe
71711c1fd2 Drop tables in correct order 
issue #858

- unit tests now run for MySQL
 2013-09-27 11:54:09 +01:00
Hannah Wolfe
6369eb20be Remove broken image from fixture 
issue #866

- this fixes the problem inside the fixture
 2013-09-27 09:18:02 +01:00
Hannah Wolfe
681aa71bf5 Merge pull request #848 from jamesbloomer/705-image-Upload-file-storage-amends-type 
Use file mime type to check server side if image upload is a valid file
 2013-09-26 15:18:04 -07:00
Sebastian Gierlinger
3def65ee11 Fix for sendmail problem 
closes #871
- added solution from email
- tested on OSX
 2013-09-26 15:45:34 +01:00
Sebastian Gierlinger
fa43ca79d3 Add content to RSS 
closes #886
- removed meta_description which is empty and would have crashed
- added content
- img src converted to absolute path
- a href converted to absolute path
 2013-09-26 15:37:25 +01:00
John O'Nolan
d1957958e3 Cleanup indentation and quotes 
Aligns all requirements vertically for easier reading + adds single quote standard consistently throughout Ghost, except in long strings.
 2013-09-26 15:06:31 +01:00
jamesbloomer
8e3ddcbdcc Trim version number to major and minor numbers only in meta tag 
closes #880
- as the version number is under control from package.json use regex to trim
 2013-09-26 15:00:05 +01:00
Hannah Wolfe
0b87c42e84 Merge pull request #891 from ErisDS/0.3.1-importerfix 
0.3.1 Import & Export fixes
 2013-09-26 04:14:56 -07:00
John O'Nolan
78775f1976 Added email to username if no name is given 
Gets rid of generic "Ghost" - we know a user will always have an email address as it is a required field.
 2013-09-26 12:02:48 +01:00
John O'Nolan
bf5ab32fe9 Renamed user image data helper to make more sense 2013-09-26 12:02:44 +01:00
Hannah Wolfe
02a02054e8 Handle duplicate tags on import 
closes #890

- importer only adds tags which don't exist.
- added back the import unit tests - these are basic for now
 2013-09-25 11:30:59 +01:00
Hannah Wolfe
f68633df20 Adding missing return to MySQL exporter 
closes #888
 2013-09-25 09:38:03 +01:00
Sebastian Gierlinger
6697d8a097 Add invalidate cache headers 
closes #570
- added X-Cach-Invalidate headers for PUT, POST, DELETE requests
 2013-09-24 17:21:43 +02:00
Matthew Harrison-Jones
340958cfcf Updated 'Help / Support' link 2013-09-23 18:46:03 +01:00
John O'Nolan
472406d157 Removed version number from user menu 
Fixes #855
 2013-09-22 22:54:07 +02:00
jamesbloomer
c215626d2b Use file mime type rather than extension to check server side if image upload is a valid file 
closes #705
- uses the file type passed by express/connect
- relies on the type being set correctly by the browser upload
- doesn't reread the file to check
 2013-09-20 13:20:59 +01:00
Hannah Wolfe
0c545d5f2e Cleanup 2013-09-19 08:51:01 +01:00
Hannah Wolfe
32d1076d35 Correct validation message for short passwords 
closes #833
 2013-09-19 08:41:04 +01:00
Hannah Wolfe
5528423636 Client & Server side validation for posts per page 
closes #839

- caused a 500 error
 2013-09-19 07:55:37 +01:00
Hannah Wolfe
477c4c59fa Merge pull request #843 from cgiffard/500-errors 
500 Series Error Handling & Stack Traces
 2013-09-18 22:52:52 -07:00
Hannah Wolfe
fe5df2b0d1 Updated Welcome to Ghost fixture 
closes #790
 2013-09-19 05:59:33 +01:00
Christopher Giffard
9c8b02949a 500 Series Error Handling & Stack Traces 
Fixes #825

- Changes the way the error middleware is delivered in server.js, moving
  all the logic back into errorHandling.js
- Alters error logging to use console.error (probably more appropriate) instead
  of console.log
- Changes error tests to accomodate for these alterations
- Alters user-error and error hbs templates to incorporate stack traces
- Adds additional styling for error pages to accomodate stack traces
- Added logic to parse and deliver formatted stack traces

Notes:
======

- Jslint gets in the way of the regex I've got to use to parse the stack.
  (It cites 'security reasons' which are not relevant in this case.)
  I needed to add a condition to relax it at the top of errorHandling.js
- The stack trace should probably be added as a partial, but I figured it
  was out of scope for this PR.
 2013-09-19 13:01:20 +10:00
Hannah Wolfe
eb6856dac3 Removing Temporary importer 2013-09-18 23:24:26 +01:00
Hannah Wolfe
ee78f87c47 Import > Signout 
- uncommitting the thing I shouldn't have commited
 2013-09-18 16:11:21 +01:00
Hannah Wolfe
f717aed96f Merge pull request #820 from jamesbloomer/705-image-Upload-file-storage-amends 
Remove temporary files when uploading images
 2013-09-18 08:08:48 -07:00
Hannah Wolfe
7193f05376 Default user image and cover 
closes #812

- replace defaults with consistently named .png files
- change the settings saving code so that it doesn't double-save images and save the defaults to the db
 2013-09-18 15:54:52 +01:00
Hannah Wolfe
571333bb5d Temporary Importer 
- seems my very late night commit was a bit screwed.
 2013-09-18 15:03:29 +01:00
Hannah Wolfe
ed9259a32e Merge pull request #822 from matthojo/Post-Settings-labels 
Bug Fix: Clicking on Post Settings labels now selects relative input
 2013-09-18 05:59:01 -07:00
Hannah Wolfe
5fdfa79faf Merge pull request #816 from cgiffard/404-500-design 
Default 404/500 Error Message
 2013-09-18 05:37:09 -07:00