Commit Graph

6810 Commits

Author SHA1 Message Date
Greenkeeper
177c0fba07 chore(package): update cors to version 2.8.1 (#7343)
https://greenkeeper.io/
2016-09-14 13:16:18 +01:00
Austin Burdine
78f580763f ensure amp works when blog is running in subdirectory (#7353)
closes #7352
- use relative url instead of absolute url for post lookup
- add test that passes w/these changes
2016-09-14 12:47:25 +01:00
Sebastian Gierlinger
03ca49ca5e Respect subdirectory for preview pages (#7365)
no issue
- added subdirectory for preview route when doing cache invalidation
2016-09-14 12:32:48 +01:00
Aileen Nowak
a4427952e2 ⬆️ 🚨 Update Amperize dep and fix test (#7374)
no issue

Updates Amperize dep to v0.3.1 and fixes test for `amp_content`.
2016-09-14 12:30:37 +01:00
Katharina Irrgang
8c1e5fbc61 🐛 add missing dependency lodash.orderBy (#7333)
no issue
2016-09-14 11:22:16 +01:00
Katharina Irrgang
5f4da361aa 🐛 fix 006 transform dates for sqlite server offset 0 (#7322)
refs #7192, refs #7248, refs #7351
2016-09-14 11:19:39 +01:00
Hannah Wolfe
4287e0e78b 🐛 Reactivate theme on override + cache clear (#7368)
closes #7350

- When the active theme is overridden, ensure that the activateTheme middleware gets called by removing the `req.app.activeTheme` value.
- Additionally, ensure that the full cache is invalidated
2016-09-14 10:18:52 +00:00
Ryan McCarvill
98a17d5116 fix: Empty Sitemap.xml (#7354)
closes #7341
2016-09-14 10:44:08 +02:00
Hannah Wolfe
fe321a15c6 Version bump to 0.10.1 2016-09-06 17:15:49 +02:00
Hannah Wolfe
8972ac0f39 Updated Ghost-Admin to 0.10.1 2016-09-06 17:15:49 +02:00
Hannah Wolfe
a5c0dd1dd1 ⬆️ Updating extract-zip to bugfixed version (#7331)
- This version has a fix for maxogden/extract-zip#30, where directories are not always identified correctly
2016-09-06 17:15:07 +02:00
Aileen Nowak
b3b1bcca94 🐛 Return reg. HTML on Amperize time-out (#7324)
no issue

`{{amp_content}}` helper can handle error now, if returned from `Amperize` module. In case of on error, we return the unprocessed HTML, which will then get validated by the `Sanitize` functionality.

The unprocessed HTML will be stored in the cache, until the post is updated.

Points to Amperize fork of AileenCGN as dependency to have include the error handling changes incl. timeouts.
2016-09-06 15:29:21 +02:00
Hannah Wolfe
761d963893 💄 Output overall from -> to version during migration (#7329)
no issue

- Migrations weren't clear what version the database was
2016-09-06 13:59:54 +02:00
Katharina Irrgang
2142a9c587 🐛 fix direct blog migration and permission fixture options (#7320)
* 🐛 fix direct update

closes #7297
- move sitemap initialisation into sitemap handler
- initialise sitemap on first request to sitemap

* 🐛 fix how we pass options to migration files

refs #7317
- clone options when passing them into the migration/fixture files
- do not use default sequence, because it does not clone the arguments
2016-09-06 13:16:32 +02:00
Greenkeeper
4e6b1d7471 chore(package): update gscan to version 0.0.13 (#7328)
https://greenkeeper.io/
2016-09-06 10:45:52 +02:00
Kevin Ansfield
0b6459cb91 Fix upgrade notification type value (#7308)
refs #7305

* 🎨 display upgrade alerts with the correct "info" style
* 💄 update use of notifications status/type/location attrs to reflect current usage
2016-09-01 17:58:46 +02:00
Aileen Nowak
11436317c0 🐛 Remove oldschool HTML attribrutes (#7309)
no issue

Uses `allowedAttributes` functionality of `Sanitize` HTML and whitelists attributes for certain tags, regarding
AMP validation rules.

This PR fixes issues with inline style like `border`, `bgcolor`, `align` and so on.
2016-09-01 16:05:39 +02:00
Greenkeeper
c80f481b95 chore(package): update gscan to version 0.0.12 (#7307)
https://greenkeeper.io/
2016-09-01 13:42:00 +02:00
Austin Burdine
7854b65848 fix subscriber uploads from windows (#7306)
no issue
- allow 'application/octet-stream' as a valid content type for an
  uploaded subscriber csv
2016-09-01 12:43:50 +02:00
Katharina Irrgang
54559f24f9 fix: memory leak (#7291)
closes #7189

- downgrade lodash to 3.x
- downgrade bookshelf to 0.9.x
- downgrade knex to 0.10.x
- keep lodash 4.x functions
2016-09-01 10:53:08 +02:00
Austin Burdine
c8bc1b0d3c allow windows flavor of zip mime type to be uploaded (#7293)
refs #7292
- add 'application/x-zip-compressed' to allowed mime types for import
  and theme upload
2016-09-01 08:49:54 +02:00
kirrg001
6dfca64521 Version bump to 0.10.0 2016-08-29 19:12:46 +02:00
kirrg001
de39b5cf5d Updated Ghost-Admin to 0.10.0 2016-08-29 19:12:26 +02:00
kirrg001
dba676434b Updating Ghost-Admin: Fixes/Improvements for 0.10.0 2016-08-29 10:50:20 +02:00
Aileen Nowak
587337aab3 🐛 Allow .zip file upload for file import (#7278)
closes #7277

Adds `.zip` to `extensions` and `application/zip` to `contentTypes` in config, specificly for uploads to `db`, to allow .zip-file file uploads from labs.
2016-08-29 09:19:49 +02:00
Aileen Nowak
1bc1f165f1 💄 Add post image to AMP template and style fixes (#7272)
no issue

Will show the post image on top of the AMP page, if image is uploaded.
Some minor style changes.
2016-08-26 12:28:45 +02:00
Aileen Nowak
9d76004807 🛠 Change Amperize dep (#7271)
no issue

Changes the Amperize module to point at tarball
2016-08-25 18:48:33 +02:00
Aileen Nowak
d59f199ee3 🐛 🎨 Improves AMP validation for video and iframe (#7270)
no issue

Video tags aren't supported in Amperize yet, therefore, we strip them out. If a `<video>` tag has nested `<source>` elements, they would stay because they are whitelisted regarding `Sanitize`, as we use them for `<audio>` tags as well.

This PR uses `cheerio` to strip out in `<video>` nested `<source>` tags, without removing the fallback text.
It also removes prohibites attributes for `<amp-iframe>` which are e. g. used by Vimeo embeds.

Removes every kind of inline `style` attributes, as they will cause validation errors as well.
2016-08-25 12:47:28 +02:00
kirrg001
7932f63e6a Updating Ghost-Admin: Fixes/Improvements for 0.10.0 2016-08-25 12:24:38 +02:00
Aileen Nowak
93ee19f36e 🐛 fix: make small media types not stretch (#7265)
no issue

Fixes a bug with displaying small media types like images or gif. Two reasons for that:
1. In many cases, we only have the relative URL instead of the absolute URL for the media source and therefore, `Amperize` module wasn't able to detect the image size and set the default image size of `width="600"` and `height="400"`.
2. Even if we have detected the correct image size, the attribute `layout="default"` would still make it strech. This issue is fixed in `Amperize`, but it wasn't merged at this time, so I set the dependency on my fork.

Adds `amp-anim` to the `.post-content` class, to have same CSS style as an image.
2016-08-25 11:09:25 +02:00
Hannah Wolfe
84a35a4753 🎨 Theme events (#7269)
no issue
- add events for uploaded, downloaded & deleted
2016-08-25 10:36:12 +02:00
kirrg001
b7c0c65d56 Updating Ghost-Admin: Fixes/Improvements for 0.10.0 2016-08-25 09:27:11 +02:00
Hannah Wolfe
545d2cb8b0 Use node-archiver to create zips (#7268)
closes #7266, closes #7267

- Adds node-archiver as a dependency
- Adds new zip-folder utility
- Switch out exec 'zip' for zip folder utility
- Store generated zips in os.tmpdir
- Don't delete zips from content/themes when uploading or deleting
- Fixes path resolution for delete
2016-08-25 09:22:22 +02:00
Aileen Nowak
f7129a0e39 🎨 Util to convert relative urls in absolute (#7264)
no issue

This PR takes the existing function `processUrls` in `data/xml/rss` and refactors it to be a stand-alone util.
The change is needed, as this functionality will be accessed from `apps/amp` to convert relative URLs.
2016-08-25 07:09:40 +01:00
Hannah Wolfe
5739411c51 🐛 Ensure sitemap items are valid (#7261)
closes #7186

- Add a concept of validity to each generator
- Refactor base generator to handle invalid (empty) nodes for both events & the initial generation
- Update the tests a bit, to fix some bugs in the tests
- Ensure the homepage is always present
2016-08-25 07:13:08 +02:00
Hannah Wolfe
02ca986ed7 🎨 Improve theme validation error messaging (#7253)
refs #7204

- Adds a new ThemeValidationError class
- This error has a top level message, but will also contain all the individual errors within the `errorDetails` property
- Updated the API error handling to return `errorDetails` if it is present
2016-08-24 14:45:54 +02:00
Greenkeeper
01bac00e61 chore(package): update gscan to version 0.0.11 (#7259)
https://greenkeeper.io/
2016-08-24 14:45:37 +02:00
Katharina Irrgang
fb4a4817ef improvement: storage error handling (#7257)
no issue

- while testing different situations for custom storage adapters after switching from 0.9 to 0.10, it turned out the error output was not optimal
- this PR improves that
2016-08-24 13:32:29 +01:00
kirrg001
6c199afedf Updating Ghost-Admin: Theme upload/download 2016-08-23 14:18:04 +02:00
Katharina Irrgang
a91e54cf1a feature: theme upload/download/delete (#7209)
refs #7204

- added 3 new themes permissions
- change core/client
- add theme upload/download logic
- extended local file storage to serve zips
- added gscan dependency
- add ability to handle the express response within the api layer
- restrict theme upload to local file storage
- added 007 migration
2016-08-23 13:07:25 +01:00
Jesse Dijkstra
f546a5ce1d Remove open redirect by removing double slashes from redirects (#7247)
no issue

Double slashes are treated as a HTTP calls as specified in [RFC1801](http://www.ietf.org/rfc/rfc1808.txt). Because of this behaviour the uncapitalise created an open redirect. By removing double slashes in the path we ensure open redirects cannot be created.

As an example, please click the following URL: https://dev.ghost.org///Google.com/.

This issue  has been reported by pentesters of our product [LearningSpaces.io](http://learningspaces.io).
2016-08-23 13:47:59 +02:00
Katharina Irrgang
6a1c10516e improvement: ensure custom storage adapter has required functions (#7234)
refs #2852

- improvement: ensure custom storage adapter has required functions
- serve, save and exists are from now on required functions for a custom storage adapter
- add delete as required storage function
2016-08-22 22:51:42 +01:00
Katharina Irrgang
41ae8c03b9 feature: storage adapter for images and themes (#7241)
refs #2852
- we offer the option to define a storage for themes and a storage for images
2016-08-22 18:55:28 +01:00
Katharina Irrgang
f174d4d56b Revert "Update supertest to version 2.0.0 🚀" (#7243) 2016-08-22 19:53:45 +02:00
Aileen Nowak
a5c29dfc34 [FEATURE] AMP (#7229)
closes #6588, #7095

* `ImageObject` with image dimensions (#7152, #7151, #7153)
- Returns meta data as promise
    - returns a new Promise from meta data
    - uses `Promise.props()` to resolve `getClient()` and `getMetaData()`

- Adds 'image-size' util
The util returns an object like this
```
{
    height: 50,
    url: 'http://myblog.com/images/cat.jpg',
    width: 50
};
```
if the dimensions can be fetched and rejects with error, if not.
In case we get a locally stored image or a not complete url (like `//www.gravatar.com/andsoon`), we add the protocol to the incomplete one and use `urlFor()` to get the absolute URL. If the request fails or `image-size` is not able to read the file, we reject with error.
- adds 'image-size' module to dependencies
- adds `getImageSizeFromUrl` function that returns image dimensions

- In preparation of AMP support and to improve our schema.org JSON-LD and structured data, I made the following changes:
    - Changes the following properties to be `Objects`, which have a `url` property by default and a `dimensions` property, if `width` and `height` are available:
        - `metaData.coverImage`
        - `metaData.authorImage`
        - `metaData.blog.logo`
    - Checks cache by calling `getCachedImageSizeFromUrl`. If image dimensions were fetched already, returns them from cache instead of fetching them again.
    - If we have image dimensions on hand, the output in our JSON-LD changes from normal urls to be full `ImageObjects`. Applies to all images and logos.
    - Special case for `publisher.logo` as it has size restrictions: if the image doesn't fulfil the restrictions (<=600 width and <=60 height), we simply output the url instead, so like before.
    - Adds new property for schema.org JSON-LD: `mainEntityOfPage` as an Object.
    - Adds additional Open Graph data (if we have the image size): `og:image:width` and `og:image:height`
    - Adds/updates tests

* AMP router and controller (#7171, #7157)
Implements AMP in `/apps/`:
- renders `amp.hbs` if route is `/:slug/amp/`
- updates `setResponseContext` to set context to `['amp', 'post']` for a amp post and `['amp', 'page']` for a page, but will not render amp template for a page
- updates `context_spec`
- registers 'amp' as new internal app
- adds the `amp.hbs` template to `core/server/apps/amp` which will be the default template for AMP posts.
- adds `isAmpURL` to `post-lookup`

* 🎨 Use `context` in meta as array (#7205)
Instead of reading the first value of the context array, we're checking if it includes certain context values.
This is a preparation change for AMP, where the context will be delivered as `['amp', 'post']`.

*  AMP helpers (#7174, #7216, #7215, #7223)
- Adds AMP helpers `{{amp_content}}`, `{{amp_component}}` and  `{{amp_ghost_head}}` to support AMP:
- `{{amp_content}}`:
    - Adds `Amperize` as dependency
    - AMP app uses new helper `{{amp_content}}` to render AMP HTML
    - `Amperize` transforms regular HTML into AMP HTML
    - Adds test for `{{amp_content}}` helper
    - Adds 'Sanitize-HTML` as dependendy
    - After the HTML get 'amperized' we still might have some HTML tags, which are prohibited in AMP HTML, so we use `sanitize-html` to remove those. With every update, `Amperize` gets and it is able to transform more HTML tags, they valid AMP HTML tags (e. g. `video` and `amp-video`) and will therefore not be removed.
- `{{amp_ghost_head}}`:
    - registers `{{amp_ghost_head}}` helper, but uses `{{ghost_head}}` code
    - uses `{{amp_ghost_head}}` in `amp.hbs` instead of `{{ghost_head}}`
- `{{ghost_head}}`:
    - Render `amphtml` link in metadata for post, which links to the amp post (`getAmpUrl`)
    - Updates all test in metadata to support `amp` context
    - Changes context conditionals to work with full array instead of first array value
    - Adds conditionals, so no additional javascript gets rendered in `{{ghost_head}}`
    - Removes trailing `/amp/` in URLs, so only `amphtml` link on regular post renders it
    - Adds a conditional, so no code injection will be included, for an `amp` context.
- `{{amp_components}}`:
    - AMP app uses new helper `{{amp_components}}` to render necessary script tags for AMP extended components as `amp-iframe`, `amp-anime` and `amp-form`
    - Adds test for `{{amp_components}}`
2016-08-22 18:49:27 +02:00
Greenkeeper
3c13c98d7f chore(package): update supertest to version 2.0.0 (#7159)
https://greenkeeper.io/
2016-08-22 18:38:41 +02:00
Aileen Nowak
2875f5a9bc 🐛 config.theme.timezone must not be overwritten (#7232)
closes #7182

When calling `config.set()` in the settings api, we want to set the active timezone of the blog to make it available in our `settingsCache`. But because the `theme` object in the `set` prototype was already set to `Etc/UTC` as default, the `_.merge` function would always overwrite our `activeTimezone` with the default value.

This PR changes the code in the way, that we always set 'Etc/UTC' for the timezone as default, _until_ we fetched our settings and therefore the `activeTimezone` setting, so we can overwrite it.

This issue had not only influence on the date helper, but everywhere in our codebase, where we rely on reading the `timezone` from our config, instead of our settings. The `{{@blog.timezone}}` helper reflected that quiet well, as it would always show `Etc/UTC`
2016-08-22 17:56:35 +02:00
Katharina Irrgang
07e59cf27e fixes: storage base getUniqueFileName (#7230)
no issue
- getUniqueFileName does not replace . by -
- added poor extensions validation
2016-08-22 16:54:10 +01:00
Katharina Irrgang
3b8f08e0ec fix: delete unused theme endpoints (#7231)
no issue
2016-08-22 10:54:54 +01:00
Aileen Nowak
18eda54cf0 🐛 Change default referrer policy (#7240)
closes #7235

Changes the default referrer policy to `no-referrer-when-downgrade` because Safari can't deal with `origin-when-crossorigin`.
2016-08-22 11:20:56 +02:00