- locally the spam prevention test failed, only when run in a group
- seems to be due to order and the way sinon reset works
- this fixes it locally for me
closes#10788
This adds an extra filter to the preImport method of the settings
importer to removes settings with the key `is_private`
This message is specifically only for when an import has privacy mode ON
and the current site has privacy mode OFF.
closes: #5162
- We no longer have to implement funky current logic, our link_class helper will do this for us
- We use {{concat}} to pass an extra class for the li, so we don't end up with a random space
* Simplified db controller permissions options
The existing objects were confusing because they did the same thing as
setting permissions to true, but gave the impressions that something
special was happening/required.
* Added DB Backup Integration Role
This will allow us to assign certain api_keys this role, in order to
automate db backups
* Allowed admin api_keys to have configurable roles
This will allow keys for the admin api to do customised things such as db export
* Added ghost-backup integration to fixtures
* Added migrations for DB Backup Integration and role
refs #10060
- Migrated authentication.resetPassword method to v2
- Migrated authentication.acceptInvitation method to v2
- Migrated authentication.setup method to v2
- Added missing test coverage for "setupUpdate" method
- Migrated authentication.updateSetup method to v2
- Migrated authentication.isInvitation method to v2
- Migrated authentication.isSetup method to v2
- Removed unused 'setup.completed' event as it wasn's used anywhere in the system and has been complicating the logic unnecessarily
- Without the event, it's possible to simplify sendNotification method to just use email address of the user
- Added email sending check to v0.1 test suite
- Refactored sendNotification method to just use email address as parameter
- Renamed sendNotification to sendWelcomeMail
- The only thing the method does now is sending welcome mail, so new naming seems natural :)
closes#10949
This updates the getImageWithSize function in the img_url helper to consider relative paths WITHOUT a leading slash the "base case". If a path does have a leading slash, we remove it, pass it through the function again, and then prepend the slash.
#10921
- Changed {{meta_title}} helper to use site meta_title' field
- Changed {{meta_description}} helper to use site 'meta_description' field
- Changed {{og_image}} helper to use site 'og_image' field
- Added site title handling for og/twitter metadata
- Refactored use of 'blog' in variable name in favor of 'site'
- Extended meta_description test suite with 'home' context cases
- Changed {{twitter_image}} helper to use site 'twitter_image' field
- Added ghost_head test for site metadata
- Renamed blog->site in variable names for touched files
no issue
- Forced a filter on read and browse requests to the integrations endpoint to limit fetches to only "custom" and "builtin" integration types
- Expanded test coverage for "internal" integrations
closes#10927
- Previous fix 2823c0b342
- It didn't work because the validation layer in "frame" doesn't take into account the value under `required` property of the controller, so to prevent validation on the field whole `required` key/value have to be removed
- Removed unused variables
- Extended regression suite to prevent similar problems in the future
no issue
- Initial commit that broke the build: 20cce5da37
- There is no enforced ordering for integrations and because of combined differences how MySQL/SQLite orders by default in combination with how created_at/updated_at dates are generated for fixtures in tests and for migrations there is no reliable way to check order
no issue
- The basic test coverate for 'browse' endpoint for integrations was missing.
- It case is needed to be able to expand it in https://github.com/TryGhost/Ghost/pull/10501
refs #10921
- New SEO related fields will now be available as a part of Admin API /settings endpoint
- The ordering of fields is taken from post's schema
- Extended settings test suite with new SEO fields
- Adjusted settings model unit test
closes#10785
- The behavior for tags will now be similar to posts' one described in the docs
- "The only strictly required field when importing posts is the title. Ghost will automatically generate slugs and set every other field to the default or empty."
- The breaking change was introduced with: 68d8154d4f (diff-e712df50c0dc7cf33746eeff0564003cR97) (assumed there's always slug in the imported object which is not true)
- Added originalIdMap to the importer base class to track id
substitution so it can be used when dealing with relational resource
updates
- Removed explicit use of 'this.stripProperties(['id']);' in
beforeImport of base class because we need to assign and remove the id
property in the same place to track this change
- Only calling 'this.stripProperties(['id']);' in
settings/trusted_domain imports as the method won't be called otherwise
- Expanded regression tests with new supported import case
* Swapped v1 with v4 UUID as requestId when logging
no issue
v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.
Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.
* Swapped v1 with v4 UUID when creating a temporary contentFolder
no issue
v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.
Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.
* Swapped v1 with v4 UUID when creating a temporary exportFolder
no issue
v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.
Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.
refs #10790
- Following TODO in theme index file was waiting for 2 years, and today is the day to cross it out:
- "Reduced the amount of things we expose to the outside world"
- "Made this a nice clean sensible API we can all understand!" - by @ErisDS
- Cleaned exposed methods from themes module
- Removed unused storage getter
- Removed list method
- Removed validate method
- Renamed Storage to ThemeStorage
- Named the file the same way the class defined inside of it is named
- Naming was conflicting with coming rename of `settings` -> `storage`
- Renamed theme settings to storage
fixes 10883
- fixed an issue where /amp/ pages would cause an infinite redirect loop
- this only occurred when amp was disabled, and query params were passed to the /amp/ url
- this fix resolves the issue by not assuming /amp/ is the end of the URL
- it also checks for `/amp/` (both slashes) and replaces one
no issue
- Updated Test & linting packages
- Updated use of hasOwnProperty
- Using Object.prototype.hasOwnProperty instead (ref. eslint.org/docs/rules/no-prototype-builtins)
- Removed already defined built-in global variable Intl
- Applied `--fix` with lint command on `core/test` folder
- The rules were broken because some of them were made stricter for `eslint: recommended` ruleset (ref. https://eslint.org/docs/user-guide/migrating-to-6.0.0#eslint-recommended-changes)
- Removed redundant global variable declarations to pass linting
no issue
- The reason for the test failure was:
- Bump in express version: 5a316c3c80)
- Which included bump of it's internal dependency `send` to version send@0.17.1: https://github.com/expressjs/express/releases/tag/4.17.0)
- Which had a change in how 'xml' type was interpreted: https://github.com/pillarjs/send/pull/154/files
- Because in Ghost documentation for dynamic routing, we clearly state to use `contetn_type: text/xml` instead of just `content_type:xml` the test was considered to be not up to date (ref. https://docs.ghost.org/api/handlebars-themes/routing/routes/)
- Returning `content-type: text/xml; charset=UTF-8` stays in line with the rest of Ghost codebase
- WARNING: when using `res.type('xml')` for whatever reason in the codebase be awere that express will send `application/xml` header which is not the convention used throughout the codebase
no issue
- The underlying issue is the change in retry behavior in 'got' (a3e77de287)
- Now 500 responses trigger 2 default retries
- Renamed retries -> retry. As mentioned in https://github.com/sindresorhus/got/releases/v9.0.0
- Added response body error check
closes#10641
There is already an "icons" section in this json file, but it appears
that that is only used for v0.1 in which there was a "/uploads/icon"
route that passed in a "type" of "icons" to the validation middleware.
However, in v2, there is only a generic "/images/upload" route that is
used for both icons and images, which passes a "type" of "images"
so the .ico information needs to be added to the "images" section
of the json file.
refs #10790
refs #9528
- The settings service was designed to handle more settings then just routing, but till this day there wasn't anything else added. As routes.yaml is only being used by frontend router so conceptually it fits better to have this code in frontend, so that it doesn't have to reach out to server
- The code left in server settings is the one that interacts with the database `settings` table and only partially provides information to frontend. That part is known as 'settings cache' and will be accessed through API controllers.
closes#10643
The async resolver in express-hbs relies on storing the state of the
promises on the `this` value inside of a helper, which is always set to
the `context`. This patch updates our helpers which render templates, to
use `this` as the context when rendering their templates.
refs #10790
- Moved /core/apps into core/frontend
- Moved /core/server/helpers to /core/frontend/helpers along with /core/server/services/themes
- Changed helper location in overrides
- Moved /core/server/services/routing to /core/frontend/services
- Moved /core/server/services/url to /core/frontend/services
- Moved /core/server/data/meta to /core/frontend/meta
- Moved /core/server/services/rss to /core/frontend/services
- Moved /core/server/data/xml to /core/frontend/services
closes#10773
- The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK
- Added url-utils stubbing utility for test suites
- Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
refs #10618
- Visibility methods don't belong on model, but are generic utils
- Used directly from ghost helper's visibility methods, cleans up core
- Removes direct model dependency of theme helper
- Updated `foreach_spec` to correct test data as per schema - visibility property cannot be empty
no issue
- by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking
- the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file
Credits: Muhammad Fawwad Obaida
* Installed `@tryghost/members-{api,auth-pages}`
no-issue
* Used @tryghost/members-auth-pages in member service
no-issue
* Used @tryghost/members-api in members service
no-issue
* Deleted core/server/lib/members
no-issue
* Fixed parent app tests
no-issue
Requiring the members api (via the `gateway` getter) was throwing an
error, so we stub out the members service getters
closes#10709
- Only transform a canonical URL that is identical with the Blog URL to a relative URL when the protocol matches as well
- Leave the canonical URL absolute for all other cases
- Use case for this is e. g. when users want to port over their Facebook comments/shares/likes after a move from `http` to `https`
closes#10706
- Fixed a bug where we weren't assigning `summary_large_image` as Twitter card property when no feature image is provided, but a dedicated Twitter image
- Updated test to reflect this case to be tested better
no issue
- case: restart Ghost and while having a scheduled post
- caused by 4acc375fb6 (diff-4726ce3c4d18d41afad4b46cb0aa7dd3)
- the bug exists since 2.12
- Bookshelf added support (or better said fixed a bug) for accessing previous attributes
- `object.updated('published_at')` always returned "undefined", because the self-implementation < 2.12 only remembered previous attributes after update (see https://github.com/TryGhost/Ghost/blob/2.11.0/core/server/models/base/index.js#L234)
- but `object.previous('published_at')` returns the current value (object.get('published_at') === object.previous('published_at') -> and that's why rescheduling on bootstrap never worked
- might fix https://forum.ghost.org/t/scheduled-posts-never-publish/6873/10
- reduced timeouts on scheduling unit tests
no issue
- when sending `html` with `?source=html` to the v2 Admin API it's now possible to include blocks of HTML that will be extracted to html cards rather than going through the normal lossy html-to-mobiledoc conversion
Example usage would be sending HTML in the following format:
```html
<p>Some standard content...</p>
<!--kg-card-begin: html-->
<div class="my-custom-html">...</div>
<!--kg-card-end: html-->
<p>Some more content...</p>
```
In this case an html card will be created in the mobiledoc with the content `<div class="my-custom-html">...</div>`.
no-issue
The previous relations were setup to match against "members", which is
plural, but the object_type on the permission is "member". This was
causing the permissions to not be added as a relation to the role.
* Added caption support to code card renderer
refs https://github.com/TryGhost/Ghost-Admin/pull/1181
- when a caption for a code card is provided, render the contents inside a `<figure>` element with a `<figcaption class="kg-card kg-code-card">` to match other caption-enabled cards
refs #10571
- Removes dependency on 'context' property being set in error when
checking a theme
- Refactoring was needed to be able to avoid passing checked theme as a
part of thrown error (logic was relying on error having this specific
data in context property). This created a problem where we controlled
the logic flow with data in error object.
- Introduced 2 different types of theme check handling, one behaves the
same way as before, the other gives more granulac control to the caller
to decide what to do with returned errors.
refs #10656
- To make sure more users see important updates or announcements
notification dismissal now works per user instead of globally
- Expanded acceptance test for notification deletion
- Expanded regression test covering multiuser dismissal of notification
- Added clarifying comment about destroyAll method use in API
* Removed support for cookies in members auth middleware
no-issue
The members middleware will no longer be supporting cookies, the cookie
will be handled by a new middleware specific for serverside rendering,
more informations can be found here:
https://paper.dropbox.com/doc/Members-Auth-II-4WP4vF6coMqDYbSMIajo5
* Removed members auth middleware from site app
no-issue
The site app no longer needs the members auth middleware as it doesn't
support cookies, and will be replaced by ssr specific middleware.
https://paper.dropbox.com/doc/Members-Auth-II-4WP4vF6coMqDYbSMIajo5
* Added comment for session_secret setting
no-issue
We are going to have multiple concepts of sessions, so adding a comment
here to be specific that this is for the Ghost Admin client
* Added theme_session_secret setting dynamic default
no-issue
Sessions for the theme layer will be signed, so we generate a random hex
string to use as a signing key
* Added getPublicConfig method
* Replaced export of httpHandler with POJO apiInstance
no-issue
This is mainly to reduce the public api, so it's easier to document.
* Renamed memberUserObject -> members
no-issue
Simplifies the interface, and is more inline with what we would want to export as an api library.
* Removed use of require options inside members
no-issue
This was too tight of a coupling between Ghost and Members
* Simplified apiInstance definition
no-issue
* Added getMember method to members api
* Added MembersSSR instance to members service
* Wired up routes for members ssr
* Updated members auth middleware to use getPublicConfig
* Removed publicKey static export from members service
* Used real session secret
no-issue
* Added DELETE /members/ssr handler
no-issue
This allows users to log out of the theme layer
* Fixed missing code property
no-issue
Ignition uses the statusCode property to forward status codes to call sites
* Removed superfluous error middleware
no-issue
Before we used generic JWT middleware which would reject, now the
middleware catches it's own error and doesn't error, thus this
middleware is unecessary.
* Removed console.logs
no-issue
* Updated token expirty to hardcoded 20 minutes
no-issue
This returns to our previous state of using short lived tokens, both for
security and simplicity.
* Removed hardcoded default member settings
no-issue
This is no longer needed, as defaults are in default-settings.json
* Removed stripe from default payment processor
no-issue
* Exported `getSiteUrl` method from url utils
no-issue
This keeps inline with newer naming conventions
* Updated how audience access control works
no-issue
Rather than being passed a function, members api now receives an object
which describes which origins have access to which audiences, and how
long those tokens should be allowed to work for. It also allows syntax
for default tokens where audience === origin requesting it. This can be
set to undefined or null to disable this functionality.
{
"http://site.com": {
"http://site.com": {
tokenLength: '5m'
},
"http://othersite.com": {
tokenLength: '1h'
}
},
"*": {
tokenLength: '30m'
}
}
* Updated members service to use access control feature
no-issue
This also cleans up a lot of unecessary variable definitions, and some
other minor cleanups.
* Added status code to auth pages html response
no-issue
This was missing, probably default but better to be explicit
* Updated gateway to have membersApiUrl from config
no-issue
Previously we were parsing the url, this was not very safe as we can
have Ghost hosted on a subdomain, and this would have failed.
* Added issuer to public config for members
no-issue
This can be used to request SSR tokens in the client
* Fixed path for gateway bundle
no-issue
* Updated settings model tests
no-issue
* Revert "Removed stripe from default payment processor"
This reverts commit 1d88d9b6d73a10091070bcc1b7f5779d071c7845.
* Revert "Removed hardcoded default member settings"
This reverts commit 9d899048ba7d4b272b9ac65a95a52af66b30914a.
* Installed @tryghost/members-ssr
* Fixed tests for settings model
- closes#10555
- Added a check to the user modal that the new owner is active
- Had to refactor Owner->Author unit test (also renamed it)
- Based on the first 2 lines, owner->editor change is attempted (hence the rename)
- Since both stubs return a 'modal' with owner role which means owner->owner change is actually attempted
- Now that there's a user status check, added the `status` property to the user receiving owernship
no-issue
This is so that someone with empty defaults for installed_apps and
active_apps, or someone without the defaults at all, will not see the
warning message when importing.
no-issue
As we're deprecating apps, filters are no longer used.
- Removed use of filters in helpers
- Removed use of filters from routing service
- Removed use of filters from rss service
- Removed use of filters in base model
no-issue
This module didn't really seem to be tetsing anything, it was all based
on internally set properties, which if there was a bu, likely the bug
would be reflected in this property too - resulting in useless test.
no-issue
The module has no concepts of permissions anymore, so all tests can
ignore this concept too. Also refactors tests to match the new signature
of the module.
no issue
- the `{active,installed}_apps` settings related to a very old, minimally implemented, unreleased, and problematic approach to custom apps
- this is the first step towards full removal of the old "apps" concept
Credits: Kacper Szurek
no issue
- the conditional for removal of trailing blank paragraphs was not sufficient to handle paragraphs where the first child element was not a text node such as when the content of the last paragraph is italic
- switched to a method that fully walks the DOM of the last paragraph node to extract its equivalent `.textContent` value for use in the "last para is blank?" check
no-issue
This allows the tests to not inspect the "internals" of the module, and
deal with the middleware array it exports.
- Removes two layers of indentation for readablity
- Adds executeMiddleware helper
- Reuses the global requires, rather than making new globals for stubs
no issue
- Updated theme fixtures to be in line with new deprecation rules
for {{lang}} and {{@blog.*}} helpers introduced with https://github.com/TryGhost/gscan/pull/180
refs #9178
- Migrated settings model regression to unit tests
- Removed redundant/unuseful post tests
- Extracted post model regression tests to API tests
- Renamed test suites for consistency
no issue
- Admin API v2 returned /404/, see comment in code base:
/**
* CASE: admin api should serve preview urls
*
* @NOTE
* The url service has no clue of the draft/scheduled concept. It only generates urls for published resources.
* Adding a hardcoded fallback into the url service feels wrong IMO.
*
* Imagine the site won't be part of core and core does not serve urls anymore.
* Core needs to offer a preview API, which returns draft posts.
* That means the url is no longer /p/:uuid, it's e.g. GET /api/v2/content/preview/:uuid/.
* /p/ is a concept of the site, not of core.
*
* The site is not aware of existing drafts. It won't be able to get the uuid.
*
* Needs further discussion.
*/
no-issue
Currently if you run two migrations on the same day, the backup is overwritten. This change adds the `HH-mm-ss` to the file name, meaning that you get a unique backup for each migration.
