Commit Graph

4463 Commits

Author SHA1 Message Date
Fabien O'Carroll
3fc3c52dd3 Added flag for sending email when post is published
no-issue
2019-11-04 11:56:46 +07:00
Kevin Ansfield
6b420d0cbd Added member.edited webhook
no issue

- member model emits a `member.edited` event on update
- webhooks service listens for `member.edited` event and will trigger any registered hooks
2019-10-31 14:34:50 +00:00
Kevin Ansfield
a339a838b3
Removed /api/v2/members/ endpoints (#11308)
no issue

- this was a hangover from earlier members betas
- members is only available on `v3` and `canary` APIs
2019-10-31 11:11:46 +00:00
Naz Gargol
0c3b90283a
Renamed members to post-gating for better context (#11309)
no issue

- Using members.js naming for the file was a bad choice and lead to some false signals when doing a cleanup.  `post-gating` is more explicit and to the point of what the module is responsible for
2019-10-31 10:33:37 +01:00
Kevin Ansfield
1fd7014c45 Fixed member.deleted webhook having an empty payload
no issue

- the members output serializer was passing model objects through on `frame.response` but the webhooks serializer doesn't know how to deal with those
- adjusting the output serializer to use a mapper as per the other serializers means that POJOs are being passed through which allows the webhook serializer to correctly pick out the changed attributes
2019-10-31 15:19:45 +07:00
Naz Gargol
9b347d6d95 🐛 Fixed 3.0 migration on SQLite with many posts (#11302)
refs https://github.com/TryGhost/Ghost/pull/11270

- Fixed 3.0/11-update-posts-html migration which failed in scenario when more than 999 posts with posts_meta relation were present
- The issue was originally spotted here: https://github.com/TryGhost/Ghost/pull/11270#issuecomment-546248308
- The main problem is in the `SELECT` statement which is generated for `findAll` method in Bookshelf which creates `WHERE IN(post_ids_here)` statement with all posts in the database
- Using knex directly as that's a preferred way to write migrations (does not depend on the model layer)
2019-10-29 12:16:47 +00:00
Kevin Ansfield
c2cdfef9e2
💡 Removed list of reserved slugs (#11301)
no issue

- reserved slugs get in the way of creating pages such as `/signin/` which do not currently exist and are useful for members
- the reserved slugs concept is a little meaningless because if there are any route clashes then our own routes should always win out over a post slug
2019-10-29 09:49:47 +00:00
Rishabh Garg
d370a4e840
🐛 Fixed members export limiting to 15 members only (#11299)
refs https://github.com/TryGhost/Ghost/issues/11298

The members export admin API by default paginates the result and only returns upto 15 members. This allows passing `limit` param to the API and allows passing `limit=all` to fetch all members in result.
2019-10-29 10:20:32 +05:30
Naz Gargol
99c6351feb
🐛 Fixed 3.0 migration for SQLite (#11270)
closes #11263

- Fixed `3.0/05-populate-posts-meta-table.js` migration failure when having >999 posts with metadata in the database
- The issue here is with hitting SQLite's internal SQLITE_LIMIT_VARIABLE_NUMBER limit when updating with a large amount of posts having metadata fields set (ref.: https://sqlite.org/limits.html#max_variable_number)
- Transforming migration to iterative method avoided inserting lots of records at once
2019-10-28 14:21:21 +01:00
Kevin Ansfield
7284227f1e
🐛 Fixed 404s when using a proxy setup (#11269)
no issue

When using certain proxy setups that result in `host` and `x-forwarded-host` being different, it became impossible to access Ghost because all routes showed generic 404 pages.

- `vhost` module that we are using to separate front-end and admin urls does not use express' `req.hostname` so it does not pick up the `x-forwarded-host` url that express' `'trust proxy'` config gives us
- switched to the forked `@tryghost/vhost-middleware` package which has a one-line change to use `req.hostname || req.host`
- added `'trust proxy'` config to the admin express app and switched to using `req.hostname` in our redirect code to avoid infinite redirect loops
2019-10-28 11:22:05 +00:00
Naz Gargol
b1e20d2ad5
🐛 Fixed migration path from pre 2.28.x to 3.0.0 (#11268)
no issue

- Bug reported here https://forum.ghost.org/t/ghost-3-0-update-q-install-cannot-read-property-type-of-undefined/9659/3
- The issue happens when migrating from e.g. 2.28.x Ghost instance directly to 3.0
2019-10-28 12:02:16 +01:00
Nazar Gargol
5760395e92 Fixed reading_time calculation for non public posts
no issue

- The calculation of reading time has to happen before html field is sanitized for members plan.
2019-10-21 18:07:38 +07:00
Fabien O'Carroll
a500c3761f Added migration for subscriber labs flag
no-issue
2019-10-17 16:58:46 +07:00
Fabien O'Carroll
1fb41e1946 Removed superfluous space from filename
no-issue
2019-10-17 16:58:46 +07:00
Naz Gargol
f1fa74b5c4
💄Updated fixtures for Ghost v3 content + assets (#11247)
no issue 

- Updated post images and content
- Updated default blog cover asset
- Updated default Ghost user avatar
2019-10-17 10:49:30 +02:00
Peter Zimon
ce2e2e3834 Updated default publication icon
no issue
2019-10-17 07:59:21 +02:00
Rishabh Garg
d8e65d46e9
Updated post model queries to raw knex queries (#11246)
no issue

We split `posts` table into 2 in v3 with a new `posts_meta` table. Since migrations always use the version of code which is being migrated to - in this case the Post model - which in v3 relies on the posts_meta table, `2.x` migrations relying on post model will fail as it doesn't exist in the expected state. This PR updates all 2.x migrations using `models.Post` to use knex queries directly to access database and perform operations.
2019-10-17 10:36:18 +05:30
Fabien O'Carroll
7c4f177fee Added missing page prop to v2 Content API posts
no-issue

We have to wrap this in a check to make sure that `page` property is
only returned if either:
A) No `fields` param is passed (send back all fields)
B) `fields` param is passed AND it includes the `page` field
2019-10-16 15:44:05 +07:00
John O'Nolan
055f129059 Correct Twitter username 2019-10-16 14:22:42 +07:00
Peter Zimon
cac8c4a3e7 Refined member emails
no issues
- refined typography and spacing for member signup, singin and subscribe emails
2019-10-16 14:22:42 +07:00
Hannah Wolfe
fb072395ac Reduced API debug statements
- outputting so much information makes debug less useful
 - node debugger should be used for tracing values through the system,
     debug() is for more generally following logic and timing
 - removed debugs that output large objects
 - added consistent debugs for api methods
 - a couple of other tweaks for easier understanding of what's happening on a request
2019-10-15 15:07:38 +01:00
Fabien O'Carroll
c9c37b0da2
Merge master -> v3 (#11242)
Merge master -> v3
2019-10-15 17:44:14 +07:00
Rishabh Garg
1e9d4875f5
Added new member subscription settings (#11240)
no issue

We added 2 new member subscription settings - `allowSelfSignup` and `fromAddress`- with defaults as `true` and `noreply`, this migration sets default values for both settings for users migrating from previous version and cleans up intermediate naming for `allowSelfSignup`.
2019-10-14 16:58:15 +05:30
Fabien O'Carroll
20a6ad1ea6 Added member.added and member.deleted webhooks
no-issue
2019-10-14 15:50:24 +07:00
Fabien O'Carroll
5fb05e970c Updated webhook default to v3 api
no-issue

There are no members serializers on the v2 api
2019-10-14 15:50:24 +07:00
Fabien O'Carroll
d680f33f10 Removed unused members getter
no-issue

This would have errored when used
2019-10-14 15:50:24 +07:00
Fabien O'Carroll
94b261759e Added added and deleted events to member model
no-issue

These can be used to trigger webhooks
2019-10-14 15:50:24 +07:00
Fabien O'Carroll
df8a67a9ca Enabled members by default (#11190)
no-issue

This removes the need for `enableDeveloperExperiments` flag for members
2019-10-14 08:34:04 +05:30
Kevin Ansfield
78e16ddd3f Merge branch 'master' into v3 2019-10-11 11:31:31 +01:00
Rishabh Garg
fb1d11c09a Fixed subscribers migration to work without model (#11227)
no issue

Since we removed subscribers code in v3, we cannot use `models.Subscribers` for migration, and instead switch to using db directly for fetching existing subscribers before migrating them to members.
2019-10-11 10:43:18 +01:00
Rish
cd02fd5c63 Renamed member requirePayment setting
no issue

Renames member setting `requirePaymentForSignup` -> `allowSelfSignup` to match members API usage
2019-10-11 14:08:31 +05:30
Fabien O'Carroll
3eb4427888
Exposed visibility prop for posts on canary api (#11229)
no-issue

This is required by the theme layer to style member only posts
differently
2019-10-11 13:58:50 +07:00
Fabien O'Carroll
1500881923 Renamed getRequirePaymentSetting
no-issue

The negation before this function call was a little easy to miss for me
2019-10-11 13:47:48 +07:00
Fabien O'Carroll
0c602976c0 Passed members_email_auth_secret to members-api
no-issue
2019-10-11 13:47:48 +07:00
Fabien O'Carroll
cbb13904b8 Added members_email_auth_secret setting
no-issue

This will be used for signing HS256 JWTs it's a 64 byte (256 bit) hex
string
2019-10-11 13:47:48 +07:00
Fabien O'Carroll
ef5e6f7e5b Removed text-transform: capitalize from buttons
no-issue

Button text should be sentence case not title case
2019-10-11 11:45:11 +07:00
Fabien O'Carroll
527632f287 Updated members email templates
no-issue

These changes fix come colors and styles
2019-10-11 11:45:11 +07:00
Fabien O'Carroll
3062ec7690 Wired up members plaintext emails
no-issue
2019-10-11 11:45:11 +07:00
Fabien O'Carroll
257bebbb39 Wired up the members emails templates
no-issue
2019-10-11 11:45:11 +07:00
Fabien O'Carroll
f4d202d7c5 Added member email templates
no-issue
2019-10-11 11:45:11 +07:00
Fabien O'Carroll
98f27c1c33 Added getSubject function for members emails
no-issue
2019-10-11 11:45:11 +07:00
Fabien O'Carroll
6f160518d1 Ensured that members emails include our text version
no-issue
2019-10-11 11:45:11 +07:00
Fabien O'Carroll
b030081a4b Updated GhostMailer to allow forcing text content
no-issue

This is so that we can pass our own customised text content
2019-10-11 11:45:11 +07:00
Naz Gargol
1b04b48ffd Added from parameter for member emails (#11222)
* Added from parameter for member emails

no issue

- Passed in the `from` parameter when initializing members mailer to be able to customize outgoing address
- Extends GhsotMailer to accept a from parameter from the outside
2019-10-11 11:21:53 +07:00
Kevin Ansfield
6b3c4a59b4 🐛 Fixed rendering and url transformation of v1 "card-markdown" aliased cards
no issue

- Ghost 1.x stored markdown cards with the name `card-markdown`, this was changed in Ghost 2.x to be `markdown`. To keep compatibility with the older mobiledoc content the `markdown` card was aliased using a straightforward `Object.assign()`. Unfortunately this failed to work adequately when the url transformation functions were added to cards and resulted in corrupted data being returned in API responses
- moved the markdown card definition into a factory function so that a clean card definition object can be used for both the `markdown` and `card-markdown` cards
2019-10-10 16:35:29 +01:00
Rish
4f0ca2914f Updated members schema validation for name
no issue

- Removed minimum length requirement for `name` as its possible to have empty name for a member
2019-10-10 17:26:56 +05:30
Fabien O'Carroll
6b4e6fb400 Removed unused stripe_customers relationship
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
99681e692a Updated the create,get&update member functions
no-issue

This updates them to async functions, and defaults falsy name and note to null
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
38832d5c6b Added note to member json schema
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
f3a8119870 Added note column to csv import/export for members
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
fe59613867 Wired up the note property to members-api
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
035cb55ca9 Added migration for note column on members table
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
0a40d11af9 Added note column to members table
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
58651caa32 Removed members endpoint from admin v2 api
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
dd214d71dc Decoupled add from importCSV queries
no-issue
2019-10-10 17:51:46 +07:00
Kevin Ansfield
7fc10106dc Merge branch 'master' into v3 2019-10-10 10:37:42 +01:00
Nazar Gargol
977fb5f650 Added reading_time property to post/page resources in Content API 2019-10-10 15:42:04 +07:00
Nazar Gargol
4a10ddc8fa Fixed unsafeAttributes fetching in Admin API v2
no issue

- This check was misside and only was implemented for canary.
2019-10-09 21:16:27 +02:00
Kevin Ansfield
587bd8accb Merge branch 'master' into v3 2019-10-09 15:04:09 +01:00
Kevin Ansfield
dc9a22d4de
Updated post model url transforms for posts/posts_meta split (#11223)
no issue

- `og_image` and `twitter_image` fields are now located in a separate model so the transform functionality for those fields needed to move accordingly
2019-10-09 13:38:08 +01:00
Rish
e7d7d9fdcc Added new fromAddress setting for member subscriptions
no issue

- Adds new `fromAddress` setting for member subscriptions to allow custom from mail address
2019-10-09 15:28:40 +05:30
Naz Gargol
0225936292
Removed subscribers from the codebase (#11153)
refs https://github.com/TryGhost/Ghost/pull/11152

- Added subscribers table drop migration
- Removed subscribers from schema
- Removed subscribers controllers/routes/regression tests
- Removed subscriber related API code
- Removed subscribers from internal apps
- Removed subscriber importer
- Removed subscriber model
- Removed subscriber related permissions
- Removed webhook code related to subscribers
- When upgrading to v3 it is on the site admin to migrate all zapps or any other webhook clients to use members
- Removed subscriber-specific translation
- Removed subscriber lab flag
2019-10-09 11:47:04 +02:00
Fabien O'Carroll
b77026870b Moved migrations from 3.0 to 2.34
no-issue
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
cbb6337ae4 Prefixed stripe_customers_subscriptions with members
no-issue
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
29b3dad302 Updated get/set metadata fn signatures
no-issue

This is to reflect an upstream change in members-api
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
4c07d86086 Updated getMemberMetadata to use findAll method
no-issue

This means we go via our version of the bookshelf model
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
ee0449245a Updated setMemberMetadata to use upsert method
no-issue

Much cleaner now :)
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
3366bd1254 Added upsert method to stripe models
no-issue

This is kind of copied from the session model, but simplified
This will allow much easier integration with members-api
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
998642eb24 Allowed filter option for findAll method
no-issue

This will allow us to constrain findAll queries, rather than using knex
`where` & `fetchAll` methods
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
a6354d1acb Updated members api to store/retrieve subscriptions
no-issue
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
37bb12afb3 Added model for stripe_customers_subscriptions
no-issue
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
0c32dfaa30 Added migrations for stripe tables
no-issue
2019-10-09 16:24:51 +07:00
Fabien O'Carroll
a4ff87a774 Added stripe subscriptions & updated customers table
no-issue
2019-10-09 16:24:51 +07:00
Naz Gargol
786eaac57e
Added permission restrictions to editing members flag (#11217)
no issue

- Added test cases to check edit permission on settings endpoints
- Added test to demonstrate owner-only being able to toggle members flag
- Permission check when editing settings `lab.members`
- Passed additional function to permissions to allow custom selection of unsafe attributes due to settings object structure.
- Fully implementing this check on controller level would be wrong architecturally and not that straight forward because we lack role data in "frame"
- Cleaned up test after moving default_content_visibility to it's own property
2019-10-09 10:26:54 +02:00
Fabien O'Carroll
1e731dcdd3 Removed token param on page load for members
no-issue

This adds a bit of protection from accidentally sharing the url, and
also makes the url look cleaner
2019-10-09 13:36:06 +07:00
Fabien O'Carroll
dd419be2fb Added guard for missing stripe tokens
no-issue

This ensures that even if a stripe config object is present, we still
ensure that stripe is configured without keys
2019-10-09 12:00:53 +07:00
Rishabh Garg
7dc2eb2a1e
Added new requirePaymentForSignup setting for members (#11214)
* Added new `requirePaymentForSignup` setting for members

no issue

- Adds new `requirePaymentForSignup` setting flag for members, `false` by default.

- Wired members API `allowSelfSignup` to `requirePayment` setting
2019-10-08 22:00:46 +05:30
Naz Gargol
daa77c5c00
Permission restrictions for post.visibility modifications (#11213)
no issue

- Limited posts visibility field permissions to Editor-Up + Admin Integrations
- We don't want contributors or other roles lower than Editor to be able to modify content gating attribute
2019-10-08 15:44:27 +02:00
Kevin Ansfield
6028fde666 Merge branch 'master' into v3 2019-10-08 13:58:08 +01:00
Rishabh Garg
d9a0c8732c Fixed error when saving unknown url in bookmark card (#11210)
no issue

- `payload.metadata` may not exist in a bookmark card because it's possible to save a mobiledoc document when the card is in it's "unable to parse url" state in the editor
- check for `payload.metadata` object before performing any url transformations to avoid invalid property access
2019-10-08 11:11:32 +01:00
Fabien O'Carroll
f1ef801b78 🐛 Fixed error when during migration to 2.32.0 on mysql (#11208)
closes #11207

MySQL doesn't allow unqiue keys with a length of more than 191 when using InnoDB with utfmb4. These changes will ensure any incorrect tables created are fixed and have the
correct length for customer_id

* Changed `customer_id` to non-unique column
* Nooped the 2.32 `members_stripe_customers` migration
* Added migration to recreate `members_stripe_customers` table
  * sqlite doesn't allow `ALTER TABLE` queries so this is the cleanest solution considering the table is not yet in use
2019-10-08 11:07:29 +01:00
Kevin Ansfield
32f3f9d2c3 🐛 Fixed "unsaved changes" modal displaying when post has been saved
refs https://github.com/TryGhost/Ghost/issues/10477

The unsaved changes modal is displaying even when the post has been saved if images have been uploaded because the server is transforming absolute image urls to relative during input of the `mobiledoc` field but not transforming them back to absolute during output. The editor then thinks it's out of sync and shows the warning when trying to leave.

- `@tryghost/url-utils` has been updated with new methods for transforming URLs in mobiledoc content
- moves absolute->relative transformation from the API input serializers into the Post model
- transforms URLs in more fields for a more comprehensive transformation and fewer issues when re-configuring a site's domain
  - previously there could be problems with internal links between posts not being transformed so you could change the url config to newdomain.com but links in post content would still be pointing to olddomain.com
- updates the API post output serializers to transform all modified fields
- drops the `?absolute_urls=true` param switch from the `canary` API post output serializer so that all URLs are output as absolute
  - we're transforming more urls to relative when saving so this is necessary to ensure the unsaved changes modal is not triggered
  - the query param isn't documented and will disappear in v3
2019-10-07 22:59:19 +01:00
Kevin Ansfield
fa4e68ba13 Added transformer methods to mobiledoc cards
no issue

- adds abolsute->relative and relative->absolute transformer methods to card definitions
- allows for each card to tailor it's transformation to the specific needs of it's payload so that the `mobiledoc` field can be transformed successfully during API serialization/deserialization
2019-10-07 22:59:19 +01:00
Fabien O'Carroll
5b33507bf8 Allowed overriding the default from address
no-issue

This will allow the members service to pass a custom from address
2019-10-06 21:03:56 +07:00
Fabien O'Carroll
a6086995a6 Refactored GhostMailer into a class
no-issue

This breaks down the send method into distinct components that are
easier to reason about
2019-10-06 21:03:56 +07:00
Fabien O'Carroll
a22d575a9e Removed from and getDomain methods from prototype
no-issue
2019-10-06 21:03:56 +07:00
Fabien O'Carroll
f4dbcb5f35 Changed imported modules assigned to const
no-issue

Updates to current standard
2019-10-06 21:03:56 +07:00
John O'Nolan
423b0d5412 Updated default from-address for system emails (#11202)
no-issue

Until now, we've used ghost@siteurl.com as the default from address for system emails, like user invitations and password resets. This was fine, because all system emails were going to people who would interact with "ghost" the app in some way, so the naming made sense.

Now we're introducing members, which will send emails on behalf of of the site owner, to their readers. If all goes to plan, they should be able to set a custom from address, however our default mail config will still be the fallback if no other value is available.

If you run "magazine.com" and you send someone a link to "login to magazine.com" then it's pretty weird for that email to come from "ghost@magazine.com" - so this PR changes the default value from ghost to noreply for an equally generic, but less opinionated default.
2019-10-06 19:02:10 +07:00
Fabien O'Carroll
b8e39af7ac Added stripe query param to checkout redirect urls
no-issue

The value will be set to one of 'success' or 'cancel' based on howthe
user exited the checkout flow.
2019-10-06 13:54:09 +07:00
Naz Gargol
a4462c5753
Added members CSV export to Admin API (#11198)
no issue
2019-10-03 20:36:22 +02:00
Naz Gargol
bb355ac9f2
Added members CSV import to Admin API (#11197)
no issue

- Improved error handling for member creation. We should be returning 422s instead of 500 when possible
- Wrapped `members.add` method with Bluebird promise. Wrapping is needed to be able to use `.reflect()` in CSV export method
- Added proper members CSV fixture
2019-10-03 19:59:19 +02:00
Kevin Ansfield
1fa70dea23
Whitelisted members endpoints for v2 and canary Admin APIs (#11196)
no issue

- http verbs needed to be whitelisted for the members endpoint to avoid `NotImplementedError`s when accessing
2019-10-03 17:28:20 +01:00
Naz Gargol
30326cbd2d
Added handling for PUT members endpoint (#11194)
no issue

- Adds the ability to edit `name` field for a specific member by using `PUT /members/:id` endpoint
2019-10-03 13:38:22 +02:00
Fabien O'Carroll
d4f71ade11 Added support for dynamic stripe checkout redirects
no-issue

You can now use `data-members-success` and `data-members-cancel` on any
element which also has a valid `data-members-plan` attribute to set the
cancel and success redirects for stripe checkout.

The value will be used similar to how a `href` attribute would be.

e.g.

On a page https://site.com/membership

An attribute of "/success" would redirect to https://site.com/success
An attribute of "success" would redirect to https://site.com/membership/success
An attribute of "https://site.com/whatever" would redirect to https://site.com/whatever
2019-10-03 17:36:33 +07:00
Naz Gargol
5228d9819b
Added members POST API (#11189)
no issue

- Added Regression full test coverage for members Admin API
- Added `POST /members` endpoint
- Added members schema definition + validation
- Added ability to pass through send_email/emal_type options to members API
2019-10-03 11:15:50 +02:00
Kevin Ansfield
839cf0289f Added tests for bookmark card
no issue
2019-10-02 17:47:37 +01:00
Nazar Gargol
fae0975c6e Removed check for isPaid flag
ref 6bbe7bb3d4

- This value is no longer being set on the client side and doesn't serve any purpose. The logic should rely on payment processors being configured instead
2019-10-02 11:22:29 +02:00
Naz Gargol
e214838039
Improve visibility's default handling (#11183)
no issue

- Moved default_content_visibility out of labs as we should be extra careful with what is exposed in the labs + it doesn't really belong there.
2019-10-02 11:08:10 +02:00
Fabien O'Carroll
a3f3a56589 Fixed DELETE method for members on admin
no-issue

members-api uses async functions internally which return non-bluebird
promises, so the `return` method wasn't availiable.
2019-10-02 15:44:14 +07:00
Fabien O'Carroll
2bdef15971 Passed basic updateMember function to members-api
no-issue

This adds support for updating member names
2019-10-02 15:26:40 +07:00
Fabien O'Carroll
db51add380 Passed logging correctly to members-api
no-issue

Since 0.7.2 of members-api setLogger has been removed and expects a
logger to be passed at creation
2019-10-02 14:03:00 +07:00
Fabien O'Carroll
500f8aac17 Passed partner_id in stripe appInfo
no-issue

This correctly configures stripe to use our partner integration
2019-10-01 17:55:59 +07:00
Fabien O'Carroll
655edcd5be Supported data-members-form=signup/signin/subscribe
no-issue

This allows the theme developer to drive the different flows based on
the data-members-form attribute. If the attribute is empty or blank, the
default "signin" will be sent.
2019-10-01 15:16:28 +07:00
Fabien O'Carroll
a0a406fe6a Updated members api to use type for url/email
no-issue

This adds basic templates for "signup"/"signin"/"subscribe" types for
the magic-link email template. It also adds the action query parameter
to the link so that clientside js can handle the different states.
2019-10-01 15:16:28 +07:00
Nazar Gargol
84b08e627d Removed #member tag logic from input/output serializers 2019-09-30 17:46:36 +02:00
Naz Gargol
36379b2806
Added content gating based on visibility flag (#11173)
no issue

- Checks content gating based on members current plan and visibility option set on the requested post/page
2019-09-30 17:40:03 +02:00
Naz Gargol
80f7e0b19e
Added default_content_visibility flag for content gating (#11163)
no issue

- Added 'labs' flag settings test
- Added test for default_content_visibility flag
- Default post's visibility takes into account values set in default_content_visibility setting
2019-09-26 15:40:24 +02:00
Naz Gargol
ff13821b27
Members post gating options (#11160)
no issue

- Removed uses of `visibility` column in frontend url service configs
- The value of `visibility` is always set to 'public' in posts at the moment and doesn't serve any specific purpose when used with these filters.
- Allowed new visibility attributes in post model
- `posts.visibility` column is being repurposed for the needs of member content gating
- Added test for visibility editing in Admin API
- Corrected test schema checks for Admin API post/page responses
2019-09-26 15:38:35 +02:00
Fabien O'Carroll
f1cd51b04b Added support for setting name in members-api
no-issue
2019-09-26 17:32:32 +07:00
Naz Gargol
a562f09c0d
🏗 Migrated subscribers data to members (#11152)
no issue 

- Populates members table with existing subscribers. Only takes into account columns we know already exist and need to be copied i.e `name`/`email`
2019-09-26 10:39:20 +02:00
Fabien O'Carroll
a62b014905 Renamed members_stripe_info to members_stripe_customers
no-issue

This is more specific and better if we start adding more stripe tables
2019-09-26 12:58:29 +07:00
Fabien O'Carroll
9b3d45d4c4 Corrected number for members name column migration
no-issue
2019-09-26 12:58:29 +07:00
Fabien O'Carroll
18285613c9 Ensured webhook handler uses members servicer getter
no-issue
2019-09-26 11:35:44 +07:00
Fabien O'Carroll
d81e1bf1c3 Allowed newer tokens to refresh member session
no-issue

This is so that an email sent after a payment is made will refresh the
session.
2019-09-26 11:35:44 +07:00
Fabien O'Carroll
a85328f0e5 Passed the set/get metadata methods to members-api
no-issue
2019-09-26 11:35:44 +07:00
Fabien O'Carroll
d4249a07c0 Wired up the members webhook handler endpoint
no-issue
2019-09-26 11:35:44 +07:00
Fabien O'Carroll
ab18905c76 Updated members api to use middleware exposed
no-issue
2019-09-26 11:35:44 +07:00
Fabien O'Carroll
11e246a93a Allowed checkout flow to be started without member
no-issue

This will allow non-logged in members to start the stripe checkout flow,
which will result in a webhook being sent
2019-09-26 11:35:44 +07:00
Fabien O'Carroll
a6fa0bc043 Updated member.plans to member.stripe.subscriptions
no-issue

This is to support the new format in which stripe information is
returned from the members-api module.
2019-09-26 11:35:44 +07:00
Fabien O'Carroll
97bf329ee2 Passed appInfo to members-api stripe instance
no-issue
2019-09-26 11:35:44 +07:00
Kevin Ansfield
d69440bd4f
Update dependency @tryghost/url-utils to 0.4.0 (#11156)
no issue

- updates usage of `htmlRelativeToAbsolute` to avoid unnecessary duplication of "home" url fetching (the UrlUtils instance already has that information)
2019-09-25 12:35:59 +01:00
Naz Gargol
d54be917d1
Added name column back to members table (#11151)
refs 294f3769cb

- We have a need for name field now :)
- This time `name` is nullable !
2019-09-25 10:44:50 +02:00
Fabien O'Carroll
c9b4fa4a09 Updated Member model to handle stripe_info property
no-issue

This maps the stripe_info property to the MemberStripeInfo model, so
that we can update the member model, and correctly add/edit rows in the
members-stripe-info table.
2019-09-25 10:05:30 +07:00
Fabien O'Carroll
e54adfd30d Added MemberStripeInfo model
no-issue

Simple model to allow us to do relations with the Member model
2019-09-25 10:05:30 +07:00
Fabien O'Carroll
fd1db4ffac Added migration for members-stripe-info table
no-issue
2019-09-25 10:05:30 +07:00
Fabien O'Carroll
6859e9a9a1 Added members-stripe-info table
no-issue

This will be used to store stripe specific information for members

customer_id has a max length of 255 https://stripe.com/docs/upgrades

member_id is not unique as we cannot ensure that a member doesn't have
more than one customer object associated with them. e.g. if they signup
twice, or if they cancel, and signup again, creating a new customer.

We probably won't handle this case to begin with, but we will keep the
data intact.
2019-09-25 10:05:30 +07:00
Fabien O'Carroll
e078cb5612 Removed unused password logic from Member model
no-issue
2019-09-25 10:05:30 +07:00
Kevin Ansfield
3eb11533bd Marked the client auth table drop migration as irreversible
no issue

- bumps `knex-migrator` so it supports irreversible migrations
- marks the `03-drop-client-auth` migration as irreversible because it destroys data that is not recoverable and is required for earlier versions of Ghost to function
2019-09-23 17:22:46 +01:00
Rishabh Garg
6d0f19ebfa
🏗 Migrated scheduler to work with v2 API (#11142)
* Updated scheduler to use v2 API by default

* Updated scheduling for post/page resource types

* Extended base method to take options param with token and jwt options

* Updated token expiration to 6 hours after publish/blog start time to allow retries
2019-09-23 21:42:53 +05:30
Naz Gargol
50546d8cba
🔥 Removed deprecated ghost_head and ghost_foot properties from /settings responses (#11144)
no issue 

- Removed ghost_head/ghost_foot propeties from Content API `GET /setting` response
- Removed ghost_head/ghost_foot from the output in Admin API
- Added validation when requesting ghost_head/ghost_food fields
- Updated deprecation comments
2019-09-23 12:59:00 +02:00
Hannah Wolfe
0107ac848a Improved x-request-id handling
- Currently, we create a request ID for internal use if one isn't set & this is used in logs
- If a custom request ID is set via X-Request-ID header, this gets logged, however, we don't return this with the response
- Means that a custom ID gets lost on the way back out, and makes tracing requests through a system trickier
- This change ensures that if X-Request-ID is set on the request, it is also set on the response so that requests can be properly traced
- It's easy to set this in e.g. nginx so that the feature becomes available - Ghost doens't need to do this
- Note: also split request id handling out into new middleware
2019-09-22 18:23:45 +01:00
Kevin Ansfield
5189f5e640 Removed begin/end html comments from output of most cards
no issue

- the begin/end comments are only really useful when wrapping free-form content cards such as html and markdown, the rest all have specific elements and classes that can be used in parsers
- made the comment wrappers optional in the `render()` function created by the `createCard()` factory
- opted into comment wrappers for the html and markdown cards
2019-09-20 14:31:42 +01:00
Nazar Gargol
cc8f9bcb98 Marked code property for removal in Ghost 4.0
refs https://github.com/TryGhost/gscan/issues/144
refs https://github.com/TryGhost/gscan/pull/259

- The property hasn't been marked correctly in Ghsot 2.0 so will be able to go away the earliest in Ghost 4.0
2019-09-19 12:15:17 +02:00
Kevin Ansfield
fb1b207db9 Fixed error rolling back the "remove empty strings" migration
no issue

- rollbacks have switched to using transactions but the migration code was copied from an old migration coded before that switch
- `down()` is no longer called with an object that contains a `connection` key, it has `transacting` instead
2019-09-18 16:08:18 +01:00
Naz Gargol
6f9026af6b
Limited legacy subscriber webhook payload to v2 only (#11139)
no issue

- In v3 we don't need to support any legacy webhook formats
- Added a comment about the removal of the format when v2 is dropped
2019-09-18 16:22:07 +02:00
Nazar Gargol
3b65081b5e 🔥 Removed deprecated markdown wrapper 2019-09-18 11:53:41 +02:00
Nazar Gargol
38a7a66fd1 Updated author/author_id cleanup notes
no issue

- Updated test utilities to clearly identify both fields are not used in API responses
- Updated comment to remember clearning authors/author_id before releasing Ghost 4.0
2019-09-17 17:26:23 +02:00
Naz Gargol
a2ebee3f4e
🔥 Removed 'staticPages' filter (#11135)
refs #5151
refs #10737

- Removed all uses/references to post's "staticPages" filter
- It was only a feature specific to API v0.1 which doesn't have to take space in the codebase anymore
2019-09-17 14:12:25 +02:00
Nazar Gargol
a30812cce1 Bumped default API for member to v3 2019-09-17 10:15:39 +02:00
Nazar Gargol
8e54cfd31f Bumped default API for url utils to v3 2019-09-17 09:43:31 +02:00
Fabien O'Carroll
24e730fa25 Updated members-ssr middleware to async functions
no-issue

Also updates to use Object.assign rather than req.member = value to get
around false positives from eslint:

  * https://github.com/eslint/eslint/issues/11899
2019-09-17 11:05:06 +08:00
Fabien O'Carroll
162ff4e0bf Removed POST signin functionality
no-issue

This is no longer needed as we can signin with a GET now
2019-09-17 11:05:06 +08:00
Fabien O'Carroll
73bc3ec388 Added a middleware to handle signin via a GET
no-issue

This also adds a basic check before handing of to the members-ssr
module, this should make logs a little less noisy and only log warnings
if a token was passed and that token was invalid/incorrect.
2019-09-17 11:05:06 +08:00
Fabien O'Carroll
0e60b5dea4 Updated members service usage of members-ssr@0.5.0
no-issue

members-ssr@0.5.0 changed the `membersApi` param with `getMembersApi`
2019-09-17 11:05:06 +08:00
Fabien O'Carroll
531e217b82 Protected members middleware with a labs check
no-issue

This would have been creating a lot of noisy logs for sites without
members enabled.
2019-09-17 11:05:06 +08:00
Fabien O'Carroll
a3940ef9db Simplified urlUtils require path
no-issue

This was previously going to a parent directory which was shared by both modules
2019-09-17 11:05:06 +08:00
Kevin Ansfield
5be275bd46
Added migration for re-generating html of all posts (#11133)
refs https://github.com/TryGhost/Ghost/issues/10445

- re-generates HTML for every post so that they are using the most recent Koenig renderer output
2019-09-16 17:44:00 +01:00
Kevin Ansfield
ea7a677e4a
Added migration to normalize all empty strings to NULL (#11132)
refs https://github.com/TryGhost/Ghost/issues/10388, original PR https://github.com/TryGhost/Ghost/pull/10428

- re-introduces the migration which normalizes all empty strings in the database to `NULL`
- this was previously reverted due to being too large of a migration for a minor but a major is a good time to do it
2019-09-16 17:43:48 +01:00
Naz Gargol
cb58115700
🔥 Moved user email removal to API serialization layer (#11110) 2019-09-16 15:42:14 +02:00
Kevin Ansfield
39db5bd177 Prefixed 3.0 migrations with 0 to preserve order
no issue

- `knex-migrator` will run migrations in the order that nodejs provides when running `fs.readDirSync` which in most cases is strict alphabetical
- 3.0 will shortly have more than 9 migrations which was resulting in the migration order being 1, 10, 2
- prefixing all single-digit migrations with `0` means that strict alphabetical ordering results in the expected order
2019-09-16 13:21:39 +01:00
Kevin Ansfield
06365b282f Fixed migrations folder name
no issue

- 3.0.0 was renamed to 3.0 for consistency
2019-09-16 11:54:03 +01:00
Kevin Ansfield
e57e19ec31
🏗 Migrated posts.page column to posts.type (#11111)
refs https://github.com/TryGhost/Ghost/issues/10922

- adds migrations to...
  1. add `post.type` column
  2. populate `post.type` column based on `post.page` value
  3. drop `post.page` column
- updates all code paths to work with `post.type` in place of `post.page`
- adds `nql-map-key-values` transformer for mapping `page`->`type` in `filter` params when using the v2 API
- modifies importer to handle `post.page`->`post.type` transformation when importing older export files
2019-09-16 11:51:54 +01:00
Rish
d2bd3975f9 Fixed migration order 2019-09-16 14:22:01 +05:30
Rish
0b34b508d8 Fixed migration order and folder naming 2019-09-16 14:19:13 +05:30
Rishabh Garg
8ec12d9eee
🏗 Extracted post metadata in new post_meta table (#11102)
NOTE: The post metadata table split is purely an internal optimization for v3 and doesn't require or expect any external actions including related API usage in v3

We keep running into issues adding new fields to the post table because there are too many fields making the post table "too wide". We have also hit MySQL limitations in how many bytes can be in a row (64kb) with post table.

In v3, we decided to split the 8 post fields (meta, twitter and og) used for meta data into a posts_meta table as these 8 fields are all "problem" `varchar` fields and make sense logically grouped together. The API layer is unaffected by the split as input/output serializers ensure the data flow works the same way as it was in v2. Only thing to note is json export in v3 will have slightly different structure with posts meta fields as separate.

- Creates new post_meta schema/table with 8 fields (2 meta_* , 3 twitter_* and 3 og_*)
- Update relations between post and post_meta table
- Update input/output serializers to keep existing API behavior
- Avoids new entry in post_meta table for post where all meta fields are null
- Keeps the current fields API param behavior
- Handles migration of existing posts to new table structure
- Updates importer/exporter to work seamlessly with table changes
2019-09-16 14:15:55 +05:30
Kevin Ansfield
378ebe62b1 Merge branch 'master' into v3 2019-09-16 09:32:10 +01:00
Fabien O'Carroll
359d89d897 Logged out members signin link in development
no-issue

This makes it easier to test locally when mail config hasn't been setup
2019-09-16 09:33:45 +08:00
Nazar Gargol
af93e95fdd Reverted parent_id removal in tags in toJSON
no issue

- Partial rever of changes from https://github.com/TryGhost/Ghost/pull/11107/files#diff-792e00d413994563a1607b2be123da13L67-L68
- This code has effects how updated_at is behaving and broke "can\'t edit dates and authors of existing tag" test
- Based on bda76acba6 comment this removal should be moved into API layer but a more appropriate place then output serializer should be chosen (or original breaking test corrected)
2019-09-13 20:49:20 +02:00
Rish
caa121cae5 Fixed log usage for columnMigration command 2019-09-13 19:54:18 +05:30
Kevin Ansfield
1e905e1ef6
Added migrations to drop v0.1 auth tables (#11108)
no issue

- drops now-unused `accesstokens`, `refreshtokens`, `clients`, and `client_trusted_domains` tables
- no rollback because the db schema for the tables no longer exists
2019-09-13 13:36:20 +01:00
Nazar Gargol
f75a8f9aa9 Reworded confusing comment mentioning v0.1 2019-09-12 19:17:35 +02:00
Naz Gargol
0306c397d0
🔥 Removed v0.1 leftover code in model layer (#11107)
no issue

- Removed redundant model code in users
- Removed v0.1 specific attribute removal on model layer for post
- Removed property deletions comments handled in serialization layer
- Removed unused token.added listener. users.last_seen is  populated on middleware layer when a new access token is created
- Removed unneeded test for setting last_seen in users
2019-09-12 17:39:16 +02:00
Kevin Ansfield
d645afb416 Removed all accesstokens and refreshtokens related code
no issue

- v0.1 is ☠️ so the access/refresh token based auth is no longer used
- removed all code related to the `accesstokens` and `refreshtokens` tables
- removed all `passport` related dependencies as it's no longer used
2019-09-12 15:45:27 +01:00
Nazar Gargol
721118680d Updated API versioning README.md
- As 0.1 is dropped there is no need to mention it anymore
2019-09-12 16:27:09 +02:00
Kevin Ansfield
33fe21f888 Removed all clients and client_trusted_domains related code
no issue

- v0.1 is ☠️ so there's no longer any use of client auth
- removes all code related to `clients` and `client_trusted_domains`
- noops the "add backup client" migration in 1.7 because the referenced fixture no longer exists causing migrations and consequently all regression tests to fail
2019-09-12 15:09:49 +01:00
Nazar Gargol
c00c04df30 Removed unused translations 2019-09-12 14:49:56 +02:00
Kevin Ansfield
7e92b07233 🔒 Added admin:redirects config option for disabling admin redirects
no issue

- adds `config:redirects` config option that defaults to `true`
- when set to `false`
  - `/ghost/` will 404 on the front-end when a separate admin url is configured
  - all `{resource}/edit/` URLs on the front-end will 404
2019-09-12 12:40:12 +01:00
Naz Gargol
95ea5265d5
🔥 Removed v0.1 auth services (#11104) 2019-09-11 19:40:48 +02:00
Naz Gargol
5b59c7b542
🔥 Removed v0.1 controllers & routes (#11103)
no issue 

- Removed v0.1 controllers
- Removed 0.1 API unit tests
- Removed 0.1 API app and mount point
- Removed leftover use of v0.1 in entry-lookup test suite
- Removed frontend client API enpoints and related code (middleware)
- Fixed prev/next test suites to use v2 API
- Set default API version to explicit v2 in UrlUtils
- Removed v0.1 API regex from public files middleware
2019-09-11 19:10:10 +02:00
Nazar Gargol
ad070c7200 Fixed lint rule 2019-09-11 18:37:30 +02:00
Nazar Gargol
0f75a8d0bc ⚠️ Skiped Scheduler initialization logic and it's tests
no issue

- This commit is to be reverted once Scheduler migration is completed.
- Should not ever land in master!
2019-09-11 18:27:57 +02:00
Kevin Ansfield
666a9d371f 🔥 Removed all non-/ghost/ redirects to the admin
no issue

- we used to redirect paths such as `/logout/` and `/signin/` to the admin but they are no longer desired
  - with the introduction of members these URLs can be confused with front-end member related actions
  - we want to be able to optionally "turn off" redirects to the admin to help mask the admin url when it's configured to be separate to the front-end
2019-09-11 14:55:00 +01:00
Kevin Ansfield
5fc101136f Fixed urls in output when accessing front-end via https
no issue

- `vhost` as used in b46f9b1dc2 does not pass down the `trust proxy` setting to child apps so it's required to be called explicitly in each child app
- fixed URLs being output as http:// instead of https:// when the front-end is accessed with `x-forwarded-proto: 'https'`
2019-09-11 14:50:55 +01:00
Kevin Ansfield
717567995b Fixed 404 handling for {admin url}/content/* routes
no issue

- added our theme error handling middleware to {admin}/content/ so that cache headers are properly set for 404s
- only registered {admin}/content when a separate admin url is configured so that we're not overriding {site}/content
2019-09-11 14:18:31 +01:00
Naz Gargol
b8b0a5ea18
💡Migrated session controllers for compatibility with "frame" (#11101)
no issue

- Session controllers were using API v1 http method which bypassed "frame" introduced with API v2. 
- Changes here are just a long-awaited cleanup to allow completely remove v0.1 code
2019-09-11 11:28:55 +02:00
Naz Gargol
91984b54ca
🔥 Removed ghost-sdk client for v0.1 API (#11100)
no issue

- As v0.1 API is dropped there is no need to keep an API client around
- Removed references to ghost-sdk in regression test suite
- Removed routes to /public/ghost-sdk.js
- Removed reference to ghost-sdk in grunt build process
2019-09-10 17:15:53 +02:00
Kevin Ansfield
b46f9b1dc2 🔒 Fully separated front-end and admin app urls
no issue

- uses `vhost` in parent-app to properly split front-end and admin/api apps when a separate admin url is configured
2019-09-10 15:47:49 +01:00
Kevin Ansfield
58b9aea00d Added publicAdminApi middleware stack
refs https://github.com/TryGhost/Ghost/issues/11083

- the `/api/v2/admin/site/` endpoint is "public" and as such was not using the `authAdminApi` middleware stack so it did not act like other API endpoints with protocol or trailing-slash redirects
- adds `publicAdminApi` middleware array and uses it for the `/site/` endpoint in both v2 and canary API versions
2019-09-10 15:47:49 +01:00
Naz Gargol
a9050f68ea
🔥 Removed V1 code/references in frontend helpers/meta layers (#11080)
no issue

- Removed deprecated 'blog' reference from frontend data. The alias (site->blog) stays till next version (v4) as it's not leaving much of technical debt but would ease the migration process for anybody still using it. 
- The follow up to this is substitute of all references to `options.data.blog` with `options.data.site` in "frontend"
- Fixed test utils helper to use `site` instead of `blog`
- Removed 0.1 flag checks in {{get}} helper
- Removed user aliasing from {{get}} helper
- Removed unused translation for {{get}} helper
- Added a note to excerpt changes in metadata for future reference
- Removed page alias used in description helper. The mix of page context with post object in the metadata was only possible in v0.1
- Changed mock in ghost_head helper to use v2
- Removed unneeded test for body class helper
2019-09-10 11:37:04 +02:00
Fabien O'Carroll
00604bf522 Ensured events are not fired whilst being handled
no-issue

This _should_ stop double firing of API requests
2019-09-10 17:29:04 +08:00
Fabien O'Carroll
ebd42440a2 Added support for data-members-signout
no-issue

This will cause the session to be destroyed when clicking on element
with data-members-signout attr
2019-09-10 17:29:04 +08:00
Fabien O'Carroll
e59d56fe92 Improved error handling for members.js
no-issue

This now allows for an element with the data-members-error to be added
as the child of a data-members-form or data-members-plan and will be
populated with the error message when appropriate.
2019-09-10 17:29:04 +08:00
Fabien O'Carroll
9d9dae5da4 Ensure that dataset is read from correct element
no-issue

This fixes a problem where the click event is fired from a child of the element
2019-09-10 17:29:04 +08:00
Fabien O'Carroll
84dac3ddb3 Renamed button to el
no-issue
2019-09-10 17:29:04 +08:00
Fabien O'Carroll
1a92fb8619 Added loading class to data-members elements
no-issue

This is so that developers can confitionally render state based on if
the request is currently in progress
2019-09-10 17:29:04 +08:00
Kevin Ansfield
1752132051 Merge branch 'master' into v3 2019-09-10 09:50:15 +01:00
Kevin Ansfield
ba3c26ef5c
🐛 Fixed "View site" screen in admin on private sites with separate admin url (#11098)
closes https://github.com/TryGhost/Ghost/issues/11078

Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint was causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests, this means allowing all requests on `/private/` is not enough

Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
  - same-origin (browsers and non-browser agents will not send an `Origin` header)
  - origin is `localhost` or `127.0.0.1` with any protocol and port
  - origin matches the configured `url` hostname+port on any protocol
  - origin matches the configured `admin:url` hostname+port on any protocol
2019-09-09 17:42:55 +01:00
Kevin Ansfield
88659e5a52 Switched private login brute errors to correct error status code
no issue

- when too many login attempts were detected for the `/private/` form we were throwing 500 errors instead of the more appropriate 429 error that we use everywhere else for "too many request" type errors
2019-09-09 16:02:21 +01:00
Hannah Wolfe
708927335b Added error handling for weird handlebars syntax
refs #10496

- handlebars if and unless helpers throw weird, unhelpful syntax errors
- for now, catch these errors and do something helpful with them
2019-09-09 13:03:04 +01:00
Hannah Wolfe
9abffe4396 Added guard to asset helper for missing paths
refs #10496

- currently {{asset this/is/not/a.string}} would throw a 500 error
- this commit changes that to make it throw a sensible 400 + incorrect usage error
2019-09-09 13:02:45 +01:00
Fabien O'Carroll
b8fc0d2bd1
Cached member data in ghost-members-ssr-cache cookie (#11096)
no-issue

* Installed @tryghost/members-ssr@0.4.0
  This now supports caching of the data returned by the members-api

* Renamed cookies set by members-ssr
  As discussed with @ErisDS I have prefixed these cookies with `ghost`
2019-09-09 17:39:46 +08:00
Hannah Wolfe
a4464d0137 Return correct error codes from storage adapter
no issue

- malformed paths such as http://localhost:2368/content/images/2018/02/%c0%af were throwing 500 errors, instead of 500 errors
- this code catches the error and handles it correctly
2019-09-06 17:40:55 +01:00
Fabien O'Carroll
78505f86ef
Updated members.js & members.min.js (#11082)
no-issue

* Converted member.js to es5
* Updated member.min.js
2019-09-06 16:07:46 +08:00
Fabien O'Carroll
f63577fa4f
Implemented stripe checkout handling for members
no-issue

* Installed members-api@0.5.0 members-ssr@0.3.1
* Supported multiple members-forms
* Used members canary api
* Added GET handler to /members/ssr for id token
The identity token will be used to ensure that a payment is linked to the correct member
* Added stripe.js to ghost_head when members enabled
* Added basic support for linking to stripe checkout
* Removed listener to title and icon settings changes
* Added stripe subscription config
2019-09-06 15:14:21 +08:00
Fabien O'Carroll
49672a1e4d Updated members service to use magic-link signin
no-issue
2019-09-05 11:14:50 +08:00
Fabien O'Carroll
edca4138ff Updated getMember to return null rather than throw
no-issue

This allows members code to remove try/catch statements without having
to pass the Ghost/bookshelf specific `require: false` option
2019-09-05 11:14:50 +08:00
Fabien O'Carroll
294f3769cb Removed name and password columns from members table
no-issue

We have no need for these right now and it is easier to drops the
columns, rather than to modify the name column to nullable
2019-09-05 11:14:50 +08:00
Fabien O'Carroll
7382967613 Added createColumnMigration helper
no-issue
2019-09-05 11:14:50 +08:00
Rishabh Garg
b875cc339d
🔥 Dropped unused ghost_auth_* user fields
no issue

- Drops `ghost_auth_access_token` and `ghost_auth_id` fields since not used anymore
- Adds migration for dropping these columns from users table
- Drops Auth strategy - `ghostStrategy` - since its not used anymore
2019-09-03 20:48:42 +05:30
Rishabh Garg
303046bc0a
💡Added v3 API endpoint (#11073)
no issue

- Adds new /v3/ endpoint which currently aliases canary code
2019-09-03 12:33:31 +05:30
Kevin Ansfield
bc18aee3b4 Removed unused admin serviceworker endpoint
no issue

- Ghost-Admin serviceworker support was removed a long time ago but the URL handling was never removed
2019-09-02 16:58:06 +01:00
Nazar Gargol
548ed8b851 🔥 Dropped default inclusion of primary_tag/primary_author fields in Content API
no issue

- Content API doesn't return primary_tag and primary_author fields by default if authors or tags were not requested
- These fields are still always included in Admin API as a result of having authors and tags loaded (like a sideeffect)
2019-09-02 15:06:12 +02:00
Rishabh Garg
44a5da22b9 🐛 Fixed wrong icon being pulled into bookmark cards for some sites (#11055)
no issue

Current metascraper rule for fetching page metadata in case of bookmark card gives preference to publisher logo over icon tags. This PR updates giving first preference to icon link tags followed by logo.
2019-08-27 19:32:26 +01:00
Rishabh Garg
c2aa62083c Added support for bookmark card (#11024)
requires https://github.com/TryGhost/Ghost-Admin/pull/1293

- updates `oembed` endpoint behaviour
  - if an oembed provider is not found then we use `metascraper` to populate a metadata object
  - when metadata is returned rather than an oembed response the payload will look like this:
    ```json
    {
        "url": "...",
        "type": "bookmark",
        "metadata": {
            "url": "...",
            "title": "...",
            "description": "...",
            "author": "...",
            "publisher": "...",
            "thumbnail": "...",
            "icon": "..."
        }
    }
    ```
- adds a `bookmark` card which generates output for the bookmark card:
  ```html
  <figure class="kg-card kg-bookmark-card">
    <a href="[URL]" class="kg-bookmark-container">
      <div class="kg-bookmark-content">
        <div class="kg-bookmark-title">[TITLE]</div>
        <div class="kg-bookmark-description">[DESCRIPTION]</div>
        <div class="kg-bookmark-metadata">
          <img src="[ICON]" class="kg-bookmark-icon">
          <span class="kg-bookmark-author">[AUTHOR]</span>
          <span class="kg-bookmark-publisher">[PUBLISHER]</span>
        </div>
      </div>
      <div class="kg-bookmark-thumbnail">
        <img src="[THUMBNAIL]">
      </div>
    </a>
  </figure>
  ```
  - if a particular bit of data does not exist then the associated html element will not be present
2019-08-27 15:01:02 +01:00
Rishabh Garg
51b5197418
Revert "Removed defaultColumnsToFetch from models (#11010)" (#11045)
refs #11043

This reverts commit 45e971b63e due to above issue.
2019-08-21 23:56:35 +05:30
Kevin Ansfield
f038fbe0aa Fixed "Unable to update nested relation" errors when rolling back migrations
no issue

- we recently started wrapping rollbacks in transactions (https://github.com/TryGhost/knex-migrator/pull/161)
- in a number of migrations we were calling `model.destroy()` without passing through the options which includes the current transaction
- for models which are using `bookshelf-relations` this could result in an internal `SQLITE_BUSY: database is locked` error because it tries to run queries against tables that have been locked by previous queries in the transaction
- by passing through the options when calling `.destroy()` it allows the `bookshelf-relations` to re-use the same transction avoiding the database lock problems
2019-08-20 11:20:52 +01:00
Rishabh Garg
1b09ae9200
🐛 Fixed blog setup crashing for falsy email config (#11041)
refs #11040

In case of falsy `sendWelcomeEmail` config, the blog setup crashed as the setup method implicitly returned undefined instead of promise. This handles the fasly config correctly.

- Adds regression test for pro config blog setup
2019-08-20 15:43:43 +05:30
Kevin Ansfield
80fbfd7a85 Revert post.page->post.type handling
no issue
- the column addition/removal can be too slow for large sites
- will be added back in 3.0

---

Revert "Fixed canary api for page/type column"
This reverts commit a5a7e7e919.

Revert "Updated frontend canary url config for page/type"
This reverts commit 19100ec5e6.

Revert "Updated canary api to handle type column correctly (#11006)"
This reverts commit c3e8ba0523.

Revert "Ensured `page` filter works in routes.yaml"
This reverts commit 9037c19e50.

Revert "Replaced usage of mongo util with nql-map-key-values"
This reverts commit 8c5f1d0ef0.

Revert "Added shared nql-map-key-values module"
This reverts commit ef4fd4b8ef.

Revert "Ensured page prop is present on content api response"
This reverts commit cfa0a0862b.

Revert "Fixed failing regression tests"
This reverts commit 9c2bb3811f.

Revert "Updated xmlrpc and slack service to use type column"
This reverts commit 44a02c7d36.

Revert "Updated v0.1 posts api to work with type column"
This reverts commit 2c81d7c914.

Revert "Removed updates to v0.1 specific code"
This reverts commit 08d83c1f53.

Revert "Added missing context from ValidationError"
This reverts commit cd45ab4f54.

Revert "Renamed page->type in the page&posts serializers"
This reverts commit df99e724e3.

Revert "Added mongo helper to input serializers"
This reverts commit fb8eadb4a8.

Revert "Passed mongoTransformer through to NQL"
This reverts commit 0ae3f0fdfc.

Revert "Permitted mongoTransformer option for read methods"
This reverts commit a89376bf26.

Revert "Updated the count plugin to reference the type column"
This reverts commit a52f15d3d3.

Revert "Updated hashes for db integrity check"
This reverts commit bb6b337be3.

Revert "Remove page column and remaining references"
This reverts commit 9d7190d692.

Revert "Added type column to data generator"
This reverts commit e59806cb45.

Revert "Removed references to page column in rss tests"
This reverts commit 04d0f855de.

Revert "Removed page column references in validation tests"
This reverts commit f0afbc5cc0.

Revert "Updated the post model to use the `type` column"
This reverts commit 1189bc823a.

Revert "Updated url service to use type column"
This reverts commit 61612ba8fd.

Revert "Updated the v2 api to deal with type column"
This reverts commit 57afb2de2b.

Revert "Added type property to post model defaults"
This reverts commit dc3345b1c5.

Revert "Added type property to the default post fixtures"
This reverts commit 82d8c38033.

Revert "Added type column to posts table"
This reverts commit 9b85fc6a69.
2019-08-19 12:02:14 +01:00
Kevin Ansfield
3764e023fb No-op'd post.page->post.type migrations, added cleanup post.type->post.page migrations 2019-08-19 12:02:14 +01:00
Kevin Ansfield
25f91aa102
Fixed importer not handling post.page->post.type conversion (#11025)
no issue

- updates the attribute sanitiser of the posts importer to convert `post.page=true/false` to `post.type='page'/'post'
- gives precedence to `post.type` if an imported post somehow has both `post.page` and `post.type` attributes
2019-08-16 19:41:38 +01:00
Kevin Ansfield
61420ae67f
Updated @tryghost/url-utils to v0.3.0 (#11027)
refs https://github.com/TryGhost/Ghost/issues/10793

- fixes `urlUtils.htmlRelativeToAbsolute` mangling attribute quote styles and removing indentation
2019-08-16 00:26:24 +01:00
Fabien O'Carroll
523be3879f Standardised require call to use relative path
no-issue
2019-08-15 11:57:45 +08:00
Fabien O'Carroll
62f2c4a2bf Updated canary actions endpoint
closes #11015

This simplifies the actions endpoint and allows for filtering and
querying of all types of actions across separate resources and actors
2019-08-14 17:40:36 +08:00
Fabien O'Carroll
ab70a369fa Updated User model to support actions
closes #11013
2019-08-14 17:40:36 +08:00
Fabien O'Carroll
657d0fc067 Updated Tag model to support actions
closes #11014
2019-08-14 17:40:36 +08:00
Fabien O'Carroll
5d7ad0518a Remove dynamic generation of static resource_type
no-issue
2019-08-14 17:40:36 +08:00
Fabien O'Carroll
e3c3633183 Simplified model event handler attachment
no-issue

This is smaller and easier to read than the previous approach
2019-08-14 17:40:36 +08:00
Fabien O'Carroll
24c8da58e4 Fixed local package issue for npm users (#11019)
closes #11018
2019-08-14 13:19:01 +05:30
Fabien O'Carroll
45e971b63e
Removed defaultColumnsToFetch from models (#11010)
no-issue

* Removed redundant options from permittedOptions
  The column option is already permitted at the Base model level.

* Remove defaultColumnsToFetch from Base model

* Removed defaultColumnsToFetch from Post model
2019-08-14 09:58:12 +08:00
Fabien O'Carroll
a5a7e7e919 Fixed canary api for page/type column
no-issue

Canary didn't have all of the post/type changes copied across
2019-08-13 13:10:27 +08:00
Fabien O'Carroll
c3e8ba0523 Updated canary api to handle type column correctly (#11006)
refs #10922

* Updated canary api to handle type column correctly

* Updated unit tests

* Updated regression tests
2019-08-12 17:39:59 +05:30
Paulo Barbosa
730e307d18 🐛Fixed generic 500 for bad key param in content API (#10977)
refs #10948

- Throws 400 when using multiple key query-values instead of a 500 error
2019-08-12 12:56:09 +01:00
Fabien O'Carroll
8c5f1d0ef0 Replaced usage of mongo util with nql-map-key-values
no-issue

Removes the shared module in favour of an "external" one
2019-08-12 18:41:43 +08:00
Fabien O'Carroll
cfa0a0862b Ensured page prop is present on content api response
refs #10922
2019-08-12 18:41:43 +08:00
Fabien O'Carroll
9c2bb3811f Fixed failing regression tests
refs #10944

These tests were broken in the above PR
2019-08-12 18:41:43 +08:00
Kevin Ansfield
ff1ac49b0a
Excluded mobiledoc_revisions table from exports (#10993)
no issue

- the `mobiledoc_revisions` table can grow very large in certain circumstances which can result in Out-Of-Memory errors when performing backups, resulting in failed upgrades
- adds `mobiledoc_revisions` to the exporter excluded tables list as a temporary solution until we have safer export creation and/or improved revision handling
2019-08-12 11:33:16 +01:00
Kevin Ansfield
4f3391cd04
Updated @tryghost/url-utils to v0.2.0 (#11004)
no issue

- updates `@tryghost/url-utils` following an internal refactor of the package
- renames `makeAbsoluteUrls` to `htmlRelativeToAbsolute` to better reflect what the function is doing
- renames `getBlogUrl` to `getSiteUrl`
- updates UrlUtils test stubbing util to work with a class
- fixes use of invalid port numbers in tests (max port number is 65535, any higher is an invalid URL that will error with some parsers)
2019-08-12 09:31:42 +01:00
Nazar Gargol
3bd3570592 🐛 Fixed duplication error when importing posts without slugs
refs #8717

-  The posts without slugs should not be taken into account when detecting duplicates as slug field is not required when importing.
- Ideal solution would require generating slug before duplicate detection phase. This would cause duplicate detection to take 'title' into account which didn't happen before.
2019-08-12 09:20:31 +01:00
Rish
9ab754a0c7 Added canary endpoint to parent app
no issue

Mounts new canary api endpoint on parent app
2019-08-09 20:46:49 +05:30
Rish
13a77363de Updated uncapitalise check to work with canary
no issue

Previously uncapitalise check was based on fixed api endpoint format - v[NUMBER], this updates it to work with canary endpoint
2019-08-09 20:46:49 +05:30
Rish
6ce9a5fc0e Updated token verification to use dynamic audience check
no issue

Admin key token verification was using hardcoded audience check with v2 admin endpoint, this updates it to check against api version and api type of the request url
2019-08-09 20:46:49 +05:30
Rish
7b761a8751 💡 Added canary api endpoint
no issue

Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version
2019-08-09 20:46:49 +05:30
Fabien O'Carroll
acd1a7fd69 Fixed naming of backup cotent perm migration
no-issue

This file got accidentally renamed in 532fdb0806
2019-08-09 15:00:26 +08:00
Fabien O'Carroll
b6f2bc33b7 Moved page/type column migrations to correct version
refs #10922
2019-08-09 14:53:40 +08:00
Fabien O'Carroll
44a02c7d36 Updated xmlrpc and slack service to use type column
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
b45e955dea Ensured that the page column can be rolled back
refs #10922

When rolling back the removal of the page column, we must re-add it, but
the definition for it has been removed from the schema, so we must
hardcode the definition.
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
1096dc2085 Added ability to pass columnSpec to addTableColumn
refs #10922

This gives us the ability to add columns that have since been removed
from the schema, for example in a down migration.
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
2c81d7c914 Updated v0.1 posts api to work with type column
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
08d83c1f53 Removed updates to v0.1 specific code
refs #10922

v0.1 can just be left alone and not updated to use type - we can deal with that in a transform
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
cd45ab4f54 Added missing context from ValidationError
refs #10922

This is necessary to keep existing functionality in v0.1
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
df99e724e3 Renamed page->type in the page&posts serializers
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
fb8eadb4a8 Added mongo helper to input serializers
refs #10922

This helper assits in replaces keys and values as defined by the mapping object
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
0ae3f0fdfc Passed mongoTransformer through to NQL
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
a89376bf26 Permitted mongoTransformer option for read methods
refs #10922

This will allow us to pass through a customer transformer to replace
references to removed columns in the mongo query generated inside of NQL
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
51fb0815b4 Created migrations for page -> type column
refs #10822
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
a52f15d3d3 Updated the count plugin to reference the type column
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
9d7190d692 Remove page column and remaining references
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
1189bc823a Updated the post model to use the type column
refs #10922

This replaces references to the `page` column with the `type` column
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
57afb2de2b Updated the v2 api to deal with type column
refs #10922

This replaces references to the `page` column with references to the
`type` column.
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
dc3345b1c5 Added type property to post model defaults
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
82d8c38033 Added type property to the default post fixtures
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
9b85fc6a69 Added type column to posts table
refs #10922

This column is limited to the two values 'post' and 'page'
2019-08-09 14:39:01 +08:00
Nazar Gargol
bae19fbdb6 Allowed access to POST /db/backup endpoint
no-issue
2019-08-09 10:57:49 +08:00
Nazar Gargol
6779732cd0 Fixed regression tests for v2/admin/db
no-issue
2019-08-09 10:57:49 +08:00
Nazar Gargol
532fdb0806 Added migrations for scheduler integration, permission and role
refs #10060

- Modification of https://github.com/TryGhost/Ghost/pull/10974/files
- Added publish permission migrations for all roles having "post": "all" permission
2019-08-07 14:56:51 +02:00
Nazar Gargol
00f95e7328 Migrated schedules controller to v2
closes #10060

- Implemented scheduling for posts and pages
- Added cache invalidation when scheduling
- Refactored admin token eneration function to accept existing key as parameter in tests
- Added Ghost Scheduler Integration fixture
- Added fixture for permissions for post publish action
- Migrated getScheduled method to v2
- Did not add support for 'from' and 'to' parameters as they were not used by DefaultScheduler
- This method needs rethinking in a long run as it's an ugly hack and should rather become proper endpoint that returns JSON data instead of models
- Removed unused auth middleware from v2 routes
- Added internal scheduler role
- Implemetnted transactions in v2 frame
- This takes into account scenario mentioned in c93f03b87e
- Specifically:
>if two queries happening in a transaction we have to signalise
  knex/mysql that we select for an update
  otherwise the following case happens:
  you fetch posts for an update
  a user requests comes in and updates the post (e.g. sets title to "X")
  you update the fetched posts, title would get overriden to the old one
2019-08-07 14:51:36 +02:00
Fabien O'Carroll
42c9904a8f Added migrations for backupContent permission
no-issue
2019-08-07 17:57:26 +08:00
Fabien O'Carroll
f31e535041 Removed authenticateClient usage from v2 api
no-issue

We do not support this authentication mechanism for api v2
2019-08-07 17:57:26 +08:00
Fabien O'Carroll
910e15e643 Added backupContent permission fixture
no-issue

This permission was overlooked during the creation of the ghost-backup
integration.
2019-08-07 17:57:26 +08:00
Sumedh Nimkarde
167e1ead2e 🐛 Ignored node_modules dir when archiving (#10969)
fixes #10929
2019-08-06 16:17:41 +08:00
Fabien O'Carroll
373627223c
🐛 Ensured import does not override private setting (#10882)
closes #10788

This adds an extra filter to the preImport method of the settings
importer to removes settings with the key `is_private`

This message is specifically only for when an import has privacy mode ON
and the current site has privacy mode OFF.
2019-08-06 16:15:40 +08:00
Kevin Ansfield
d96be4907e
Fixed relative canonical_url values not being stored as root-relative (#10989)
no issue

- we try to store all urls as relative paths where possible in Ghost so that the `config.url` value can be changed
- all relative paths are stored as root-relative except for the `post.canonical_url` field which was storing subdirectory-relative paths
- adds a migration to put the subdirectory prefix onto any relative canonical_url paths
- updates the canonical_url input serialiser to keep the subdirectory rather than stripping it to match all other url fields
2019-08-05 13:56:28 +01:00
Hannah Wolfe
b48fdaf1be Added {{link_class}} helper
- moved dynamic class logic out of {{link}} helper into shared utils
- both {{link}} and {{link_class}} use these utils
2019-08-05 12:12:05 +01:00
Fabien O'Carroll
21427ad73f
Created DB Backup integration (#10974)
* Simplified db controller permissions options

The existing objects were confusing because they did the same thing as
setting permissions to true, but gave the impressions that something
special was happening/required.

* Added DB Backup Integration Role

This will allow us to assign certain api_keys this role, in order to
automate db backups

* Allowed admin api_keys to have configurable roles

This will allow keys for the admin api to do customised things such as db export

* Added ghost-backup integration to fixtures

* Added migrations for DB Backup Integration and role
2019-08-02 17:28:02 +08:00
Rish
5f9f5ea0d5 Refactored oembed controller data validation
refs #10060

- Uses validation layer for checking url data on oembed requests
- Fixes typo in comment
2019-08-01 17:13:12 +05:30
Naz Gargol
27bf453792
Migrated authentication controller to v2 (#10950)
refs #10060

- Migrated authentication.resetPassword method to v2
- Migrated authentication.acceptInvitation method to v2
- Migrated authentication.setup method to v2
- Added missing test coverage for "setupUpdate" method
- Migrated authentication.updateSetup method to v2
- Migrated authentication.isInvitation method to v2
- Migrated authentication.isSetup method to v2
- Removed unused 'setup.completed' event as it wasn's used anywhere in the system and has been complicating the logic unnecessarily
- Without the event, it's possible to simplify sendNotification method to just use email address of the user
- Added email sending check to v0.1 test suite
- Refactored sendNotification method to just use email address as parameter
- Renamed sendNotification to sendWelcomeMail
- The only thing the method does now is sending welcome mail, so new naming seems natural :)
2019-08-01 13:18:24 +02:00
Nazar Gargol
db9eed6288 Switched to use v2 http module instead of ovelooked v1
- Small adjustments in controller that came along with the switch
2019-08-01 13:06:15 +02:00
Nazar Gargol
956da204f2 Expanded authentication test suite with cases for password reset flow
- Added missing endpoint coverage
- Minor fixes with formatting and validations uncovered by the test
- Added same test to v0.1 coverage
2019-07-30 22:48:59 +02:00
Nazar Gargol
3945e8a5ee Added missing doSettings call in updateSetup 2019-07-30 16:52:37 +02:00
Nazar Gargol
589b78d575 Added missing validator to updateSetup method
- This is the code corresponding to processArgs function in v1 authentication.updateSetup method
2019-07-30 16:37:32 +02:00
Nazar Gargol
c7a836b926 Renamed sendNotification to sendWelcomeMail
- The only thing the method does now is sending welcome mail, so new naming seems natural :)
2019-07-30 16:15:53 +02:00
Nazar Gargol
8503bdceb8 Refactored sendNotification method to just use email address as parameter 2019-07-30 16:13:53 +02:00
Nazar Gargol
dae69072f6 Removed unused 'setup.completed' event
- Without the event it's possible to simplify sendNotification method to just use email address of the user
2019-07-30 15:45:07 +02:00
Nazar Gargol
7b97c1ada1 Added missing notification email when setting up a site 2019-07-30 15:42:16 +02:00
Fabien O'Carroll
7cc90a3f62 Removed noise from members-ssr error logging
no-issue

Previously we were using the error logger, which is probably a bit
extreme for these errors. This also removes the stacktrace from the logs
so we don't enter fresh hell whilst developing/looking through logs.
2019-07-29 15:45:04 +08:00
Nazar Gargol
8b651bff9d Migrated authentication.updateSetup method to v2 2019-07-25 17:12:39 +02:00
Nazar Gargol
4441ee15a0 Migrated authentication.isSetup method to v2 2019-07-25 17:13:05 +02:00
Nazar Gargol
ddabd5e808 Migrated setup method 2019-07-25 17:12:39 +02:00
Nazar Gargol
a5990e555b Fixed lint error 2019-07-25 17:12:39 +02:00
Nazar Gargol
132e278a22 Migrated authentication.isInvitation method to v2 2019-07-25 17:12:47 +02:00
Nazar Gargol
f4b97d3bc8 Migrated authentication.acceptInvitation method to v2 2019-07-25 17:12:39 +02:00
Nazar Gargol
4da03a38b6 Corrected debug namespace 2019-07-25 17:12:39 +02:00
Nazar Gargol
8135d4d188 Added validation layer to password reset
- Adding a new method in all.js seems a little dirty, but that seems like the best place for now as similar method was added for changePassword method
2019-07-25 17:12:39 +02:00
Nazar Gargol
b3ed11719e Migrated authentication.resetPassword method to v2 2019-07-25 17:12:20 +02:00
Aileen Nowak
d11fd4210b Updated docs api links to be version-less 2019-07-25 15:17:23 +08:00
Kevin Ansfield
1aa7e368a2
🎨 Added url value to the Content API /settings/ endpoint (#10946)
closes https://github.com/TryGhost/Ghost/issues/10945

- adds the `url` property to the returned output manually because it's a config value rather than a settings value
2019-07-24 11:12:07 +01:00
Fabien O'Carroll
805f3c7250 Added logging for members-ssr errors
no-issue

This will help us debug issues with members-ssr functionality going forward
2019-07-24 18:11:48 +08:00
Kevin Ansfield
2b6830b747 Ensured Admin API cannot fetch internal integrations (#10501)
no issue

- Forced a filter on read and browse requests to the integrations endpoint to limit fetches to only "custom" and "builtin" integration types
- Expanded test coverage for "internal" integrations
2019-07-24 11:52:55 +02:00
Nazar Gargol
bf5824a7ba Fixed ability for the owner to change password of other users
closes #10927

-  Previous fix 2823c0b342
- It didn't work because the validation layer in "frame" doesn't take into account the value under `required` property of the controller, so to prevent validation on the field whole `required` key/value have to be removed
- Removed unused variables
- Extended regression suite to prevent similar problems in the future
2019-07-22 19:00:21 +02:00
Aileen Nowak
496f873ac4
Updated links to docs (#10941)
no issue
2019-07-22 18:17:50 +08:00
Fabien O'Carroll
97983baed6 🐛 Fixed CORS for errors from Admin API
refs #10932

Previously we were only applying the cors middleware to the options
preflight request, which meant that if the request errored, the cors
headers would not be applied, resulting in the client being unable to
read response data. This applies the cors middleware to _all_ requests
to the Admin API.
2019-07-22 12:57:41 +08:00
Fabien O'Carroll
2cb41dd8cd 🐛 Fixed CORS for errors from Content API
closes #10932

Previously we were only applying the cors middleware to the options
preflight request, which meant that if the request errored, the cors
headers would not be applied, resulting in the client being unable to
read response data. This applies the cors middleware to _all_ requests
to the Content API.
2019-07-22 12:57:41 +08:00
Fabien O'Carroll
5da8da1879
Deleted unused pg.js module (#10928)
no-issue

This module was first created (AFAICT) in c09c20ad8d (diff-20a31f345ca2643b2602224678bb8d5b) and
has since undergone some filename renames and eslint refactors - we don't support
PostgreSQL and have no immediate plans to do so.
2019-07-22 12:11:19 +08:00
Naz Gargol
c3a80f112a
Exposed site SEO data through Conent API & {{@site.*}} helper (#10925)
refs #10921

- Site SEO data will now be available as part of `GET /settings` response in Content API as well as part of {{@site.*}} helper
2019-07-19 10:40:47 +02:00
Naz Gargol
b89b57b6fb
Added global site SEO fields in Admin API (#10923)
refs #10921

- New SEO related fields will now be available as a part of Admin API /settings endpoint
- The ordering of fields is taken from post's schema
- Extended settings test suite with new SEO fields
- Adjusted settings model unit test
2019-07-18 16:24:34 +02:00
Fabien O'Carroll
078060abdc
Refactored members service logging and errors (#10919)
* Installed @tryghost/members-ssr@0.2.1

refs https://github.com/TryGhost/Members/issues/38

This updates allows for dynamic access of the membersApi, which will be
used in future when replacing the membersApi instance with a newly
configured one.

* Set the membersApiInstance logger to use common.logging

refs https://github.com/TryGhost/Members/issues/38

Passes the Ghost logger to the members api, so that we can keep an eye
on errors produced by the api.

* Refactored memberService use to always use getter

refs https://github.com/TryGhost/Members/issues/38

This will allow us to switch out the membersApi and the consumers of it
to have the updated reference by going through a getter.

* Installed @tryghost/members-api@0.3.0

refs https://github.com/TryGhost/Members/issues/38

Adds support for setting the logger

* Uninstalled stripe@7.0.0

refs https://github.com/TryGhost/Members/issues/38

The stripe module is now a dep of members-api, as it should be

* Updated members service to reconfigure settings

refs https://github.com/TryGhost/Members/issues/38

Previously we were unable to stop an invalidly configured members api
instance, now that we create a new instance, we can wait for the ready
or error event and only switch it out then.
2019-07-18 15:37:11 +08:00
Rish
01ea872af2 🐛 Fixed cache invalidation header on theme override
closes #10920

- Fixed incorrect property name to correctly set cache invalidation header on theme override
2019-07-17 18:41:25 +05:30
Naz Gargol
46706646e3
Refactored authentication controller v0.1 (#10893)
refs #10060

- Modules extractions done here are meant to make upcoming migration of authentication controller to v2 more manageable and reduce code repetition
- There were couple modules extracted for different areas that controller touches: passwordrest, accept (for invitation), setup 
- The aim was to keep changes to the minimum while making small readability improvements to new functions through async/await syntax
- The biggest barrier to make more encapsulated functions was the fact that we mutate options parameter on multiple levels in the controller. e.g mutations of options.data during validation on the password reset ties it up to the implementation of doReset function
2019-07-17 12:28:16 +02:00
Naz Gargol
9dcc17a017
🐛 Fixed import for tag without slugs that belongs to a post (#10917)
closes #10785

- The behavior for tags will now be similar to posts' one described in the docs
- "The only strictly required field when importing posts is the title. Ghost will automatically generate slugs and set every other field to the default or empty."
- The breaking change was introduced with: 68d8154d4f (diff-e712df50c0dc7cf33746eeff0564003cR97) (assumed there's always slug in the imported object which is not true)
- Added originalIdMap to the importer base class to track id
substitution so it can be used when dealing with relational resource
updates
- Removed explicit use of 'this.stripProperties(['id']);' in
beforeImport of base class because we need to assign and remove the id
property in the same place to track this change
- Only calling 'this.stripProperties(['id']);' in
settings/trusted_domain imports as the method won't be called otherwise
- Expanded regression tests with new supported import case
2019-07-16 12:01:44 +02:00
Peter Zimon
a482c547ae Update default 404 page
refs. https://github.com/TryGhost/Ghost/issues/10899
- removed broken ghost "illustration" from default frontend 404 page
- refined style of 404 page to be more theme agnostic
2019-07-15 14:47:01 +02:00
Vikas Potluri
2823c0b342 🐛 Allowed administrators to change other users' passwords (#10891)
closes #10427

- Administrators don't know other users' passwords, but they should be able to change other users' password
- Don't require oldPassword to be provided
2019-07-15 14:19:31 +08:00
Vikas Potluri
b431dc56cb 🐛 Fixed error message when get helper doesn't have API access (#10892)
closes #10875
2019-07-15 14:18:58 +08:00
Christoph Tavan
834a5a0521 Replaced v1 for v4 uuids (#10871)
* Swapped v1 with v4 UUID as requestId when logging

no issue

v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.

Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.

* Swapped v1 with v4 UUID when creating a temporary contentFolder

no issue

v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.

Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.

* Swapped v1 with v4 UUID when creating a temporary exportFolder

no issue

v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.

Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.
2019-07-15 14:01:02 +08:00
David Darnes
b293b25128
Update each to foreach loop 2019-07-12 10:08:45 +01:00
Rish
e26635620e 🐛 Fixed theme upload error when overriding existing
no issue

- Cache invalidation header was set wrongly in frontend theme service
- This moves cache invalidation out of theme service to themes controller by passing `themeOverriden` flag along with theme
2019-07-11 15:34:15 +05:30
Naz Gargol
f3ec2fb2f7
Cleaned up theme service (#10884)
refs #10790

- Following TODO in theme index file was waiting for 2 years, and today is the day to cross it out:
- "Reduced the amount of things we expose to the outside world"
- "Made this a nice clean sensible API we can all understand!" - by @ErisDS
- Cleaned exposed methods from themes module
- Removed unused storage getter
- Removed list method
- Removed validate method
- Renamed Storage to ThemeStorage
  - Named the file the same way the class defined inside of it is named
  - Naming was conflicting with coming rename of  `settings` -> `storage`
- Renamed theme settings to storage
2019-07-09 16:35:18 +02:00
Fabien O'Carroll
d9d8d91b6a
Fixed members auth pages flashing on open (#10889)
closes #10888

The real work for this was done in:
https://github.com/TryGhost/Members/pull/37

Installed @tryghost/members-auth-pages@1.1.0
Installed @tryghost/members-theme-bindings@0.2.3
2019-07-09 19:05:47 +08:00
Fabien O'Carroll
177411045a
Moved members static pages to members api URL (#10887)
* Installed @tryghost/members-api@0.2.0

refs #10886

This will allow us to mount one router rather than having a static and
api router.

* Added members v2 api directory

refs #10886

This brings the members api more inline with how the rest of the apis
work within Ghost.

* Mounted the members api app to the api route

closes #10886

This successfully mounts the api and the static pages to the
/api/v2/members/ URL.

* Installed @tryghost/members-auth-pages@1.0.0

refs #10886

This updates the auth pages to work correctly with the new mount point.

* Changed membersUrl in members.js to use members api

refs #10886

This keeps the membersUrl lined up with the path for the static
members pages.

* Removed old members static mount point

refs #10886

These are no longer used, nor desired.

* Remove superfluous code from members service

refs #10886

This remove the gateway getter which is no longer used, and the fallback
for members not enabled - which is handled within the members app.

* Updated ssoOrigin to use admin url

refs #10886

This ensures that sites running on a separate admin domain have the
correct ssoOrigin, which is used to ensure only the designated auth
pages are used to hit the authentication endpoints.

Since the auth pages are now hosted under the `/ghost` url, they will be
on the admin origin and not the site origin
2019-07-09 19:02:44 +08:00
Nazar Gargol
bc8f8979c1 Removed stray use of urlService.utils
refs #10773

- All instances of `urlService.utils` were previously migrated to use standalone SDK module `url-utils`
2019-07-08 17:53:29 +02:00
renovate[bot]
db53ac0721 Update Test & linting packages (major) (#10858)
no issue 

- Updated Test & linting packages
- Updated use of hasOwnProperty
- Using Object.prototype.hasOwnProperty instead (ref. eslint.org/docs/rules/no-prototype-builtins)
- Removed already defined built-in global variable Intl
- Applied `--fix` with lint command on `core/test` folder
- The rules were broken because some of them were made stricter for `eslint: recommended` ruleset (ref. https://eslint.org/docs/user-guide/migrating-to-6.0.0#eslint-recommended-changes)
- Removed redundant global variable declarations to pass linting
2019-07-05 13:40:43 +02:00
Fabien O'Carroll
90bb40ed80
Improved dynamic default options performance (#10816)
closes #10789

* Updated keypair generation to use a memoised fn

This allows us to embed the members dynamic defaults in the object at
definition, and will allow us to only create the keypair when we need
it, in future.

* Added getDefaultValue fn to default setting obj

This will allow us to generate the default values when they're needed
rather than at boot time.

* Ensured dynamic defaults only generated when used

This replaces all the dynamic default values with functions to return
the values, and then calls (if required) that function inside the
getDefaultValue method of the setting object.
2019-07-05 15:30:29 +08:00
renovate[bot]
1f32a1372f Update dependency got to v9 (#10861)
no issue 

- The underlying issue is the change in retry behavior in 'got' (a3e77de287)
- Now 500 responses trigger 2 default retries
- Renamed retries -> retry. As mentioned in https://github.com/sindresorhus/got/releases/v9.0.0
- Added response body error check
2019-07-04 10:36:51 +02:00
Fabien O'Carroll
683e37c764
Fixed generation of api urls for members service (#10869)
no-issue

Previously we used urlFor which wasn't setup to correctly support
members. This changes members service to use the admin URL directly
2019-07-04 12:05:56 +07:00
Naz Gargol
4529ab514c
Themes controllers code extraction (#10818)
refs #10790

- Extracted 'setFromZip' method into themes services
- Extracted 'activate' method
- Extracted 'destroy' method
- Extracted 'download' method
- The method name here tries to follow 'setFrom...` convention we've agreed upon. So, in this case, we have get() which returns JSON response and getZip() which returns a file
2019-07-01 16:56:23 +02:00
Hannah Wolfe
6f507b8608 Updated theme activation API to experimental
- allow both uploading and activating themes as experiemental API features
- previously only uploading was allowed, I believe purely due to an oversight
2019-07-01 10:14:03 +01:00
Jeffrey Fisher
6ca34a29fd 🐛 Allowed .ico files to be uploaded for icons. (#10820)
closes #10641

There is already an "icons" section in this json file, but it appears
that that is only used for v0.1 in which there was a "/uploads/icon"
route that passed in a "type" of "icons" to the validation middleware.
However, in v2, there is only a generic "/images/upload" route that is
used for both icons and images, which passes a "type" of "images"
so the .ico information needs to be added to the "images" section
of the json file.
2019-07-01 13:29:24 +07:00
Rish
15a3dacf26 Fixed invalid method usage in members authentication
no issue

- `getPublicConfig` in members authentication was not called correctly
2019-06-27 15:21:21 +05:30
Kevin Ansfield
3229de75f8 Revert "Replaced keypair with rsa-keypair module (#10758)"
This reverts commit 64735693be.

- `rsa-keypair` is a binary dependency that was failing to install for a lot of users, reverting for now so we can look at alternative options for speeding up boot time
2019-06-26 14:00:25 +01:00
Fabien O'Carroll
dd727a44df
Fixed issuer when site and api are diff domains (#10806)
no-issue

The issuer value is used through the members code base as the identifier
for the members api. The existing code did not take into account that
the domain/url for the site could be different than for the admin (and
the apis).
2019-06-26 16:02:08 +07:00
Naz Gargol
0bf1542bc6
Extracted settings service part manipulating routes.yaml (#10800)
refs #10790
refs #9528

- The settings service was designed to handle more settings then just routing, but till this day there wasn't anything else added. As routes.yaml is only being used by frontend router so conceptually it fits better to have this code in frontend, so that it doesn't have to reach out to server
- The code left in server settings is the one that interacts with the database `settings` table and only partially provides information to frontend. That part is known as 'settings cache' and will be accessed through API controllers.
2019-06-25 18:33:56 +02:00
Fabien O'Carroll
0e2ce29468 Moved members static mount point to /ghost/members
no-issue

This alleviates the CORS requests failing for members when the admin is
hosted on a different domain than the site
2019-06-25 15:13:52 +07:00
Fabien O'Carroll
bb1ee3c265 Updated members-theme-bindings & public/members.js
no-issue

This updates Ghost to inject the exact urls we want to use for both the
static members pages and the ssr endpoints we've configured for the
frontend. This allows us to changes these without having to update the
members repository, and gives a cleaner split between the two.
2019-06-25 15:13:52 +07:00
Nazar Gargol
22f56c95a8 Fixed redirects.json file validation
refs #10790

- Reference to method previously used to validate wasn't updated during refactoring done in be27db46eb
2019-06-24 10:56:30 +02:00
Naz Gargol
8ae5db9922
Extracted frontend code from settings API controllers (#10797)
* Moved settings#upload method out of settings controller

* Moved out code from download to serve method

* Moved API v0.1 settings upload/downalod routes.yaml methods to use setting handler service

* Reverted unintended change

* Moved RoutesHandler into settings module

- To keep in convention with settings described in - https://github.com/TryGhost/Ghost/issues/9528 , extracted routes handler into separate settings folder

* Frontend settings for API v0.1

* Renamed 'routes' to 'dynamic-routing'

* Renamved activate/serve methods as suggested in discussions

* Moved settings dynamicRouting to routing.settings
2019-06-21 16:52:07 +02:00
Naz Gargol
be27db46eb
Extracted frontend code from redirects API controllers (#10798)
refs #10790

- The code was moved out of controllers to reduce the number of coupling points between the API controllers and "frontend" services
- A nice side effect of this move is a decreased amount of code that will need to be maintained and reusability between existing controllers
- Calling just a few methods from frontend services on API level makes it easier to abstract fronted away from API
2019-06-21 16:50:16 +02:00
Nazar Gargol
c7522f896b Moved settings dynamicRouting to routing.settings 2019-06-21 16:34:17 +02:00
Nazar Gargol
a84c15689e Renamved activate/serve methods as suggested in discussions 2019-06-21 13:58:26 +02:00
Nazar Gargol
f3b4e2e39a Renamed 'routes' to 'dynamic-routing' 2019-06-21 13:12:23 +02:00
Daniel Lockyer
64735693be Replaced keypair with rsa-keypair module (#10758)
refs #10789 

Speed up Ghost boot time by replacing the JS-only RSA key generator
library with a native alternative.
2019-06-21 16:51:44 +07:00
Nazar Gargol
19d3c4bc5c Frontend settings for API v0.1 2019-06-20 17:20:44 +02:00
Nazar Gargol
61dc9e8c24 Moved RoutesHandler into settings module
- To keep in convention with settings described in - https://github.com/TryGhost/Ghost/issues/9528 , extracted routes handler into separate settings folder
2019-06-20 16:58:26 +02:00
Nazar Gargol
06a6dc835d Moved API v0.1 settings upload/downalod routes.yaml methods to use setting handler service 2019-06-20 13:34:22 +02:00
Nazar Gargol
8709f5cc55 Moved out code from download to serve method 2019-06-20 13:23:58 +02:00
Nazar Gargol
c3b14f82fd Moved settings#upload method out of settings controller 2019-06-20 13:19:22 +02:00
Nazar Gargol
58a077564f Fixed stray rename after frontend extraction
refs #10790

- The name should be themeService as everywhere else in the codebase
2019-06-19 17:58:07 +02:00
Naz Gargol
df7e64fafa
Extracted frontend folder (#10780)
refs #10790

- Moved /core/apps into core/frontend
- Moved /core/server/helpers to /core/frontend/helpers along with /core/server/services/themes
- Changed helper location in overrides
- Moved /core/server/services/routing to /core/frontend/services
- Moved /core/server/services/url to /core/frontend/services
- Moved /core/server/data/meta to /core/frontend/meta
- Moved /core/server/services/rss to /core/frontend/services
- Moved /core/server/data/xml to /core/frontend/services
2019-06-19 11:30:28 +02:00
Naz Gargol
abda6e6338
Migrated to use url-utils from Ghost-SDK (#10787)
closes #10773

- The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK
- Added url-utils stubbing utility for test suites
- Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
2019-06-18 15:13:55 +02:00
Hannah Wolfe
d1e3205569 Add url as context to oembed unknownProvider error
- This is so that we can use logs to see urls that turn up with this error
2019-06-13 12:57:02 +01:00
Kevin Ansfield
bbae006eb5
Speed up image-size utility functions (#10784)
no issue

- add `probe-image-size` dependency
- use `probe-image-size` to fetch partial image data over the network where possible
2019-06-11 16:25:15 +01:00
Nazar Gargol
a936362051 Removed logging for validation error in frontend routing
refs #10525

- The logging in this place only introduced confusion and provided no usefull information
2019-06-11 12:35:16 +02:00
Timothy Stapleton
f2e60806da 🐛 Fixed redirects to absolute URLs (#10777)
closes #10776

When the "to" property of the redirect includes a host (implying an external or fully qualified url) we skip replacing any paths and redirect straight to it, rather than modifying the URL with the sites sub-directory.
2019-06-10 12:48:37 +07:00
Rish
a4f119cb7f Moved visibility utility from static model fn to Ghost-SDK
refs #10618

- Visibility methods don't belong on model, but are generic utils
- Used directly from ghost helper's visibility methods, cleans up core
- Removes direct model dependency of theme helper
- Updated `foreach_spec` to correct test data as per schema - visibility property cannot be empty
2019-06-09 13:12:04 +05:30
Kevin Ansfield
ea37b78456
Added logging of slow {{#get}} helper uses (#10779)
no issue

- `{{#get}}` can slow down requests a lot if not used carefully, typically by using `limit="all"` or similar which can force a lot of data to be fetched and processed
- adds a warning log if we detect any `{{#get}}` helper call which takes longer than a certain threshold (default 200ms)
- allow log level and threshold to be configured via config to allow for different environments behaviours and requirements

New config options:
```
{
    "logging": {
        "slowHelper": {
            "level": "warn",
            "threshold": 200
        }
    }
}
```

Example output for `{{#get "tags" limit="all" order="name asc"}}` with a lot of tags:

```
[2019-06-07 10:35:52] WARN {{#get}} helper took 453ms to complete

{{#get}} helper took 453ms to complete

Error ID:
    062daed0-8910-11e9-8185-3b615ad8677d

Error Code:
    SLOW_GET_HELPER

Details:
    api:          v2.tagsPublic.browse
    apiOptions:
      order: name asc
      limit: all
    returnedRows: 1698
```
2019-06-07 14:54:55 +01:00
Nazar Gargol
f5544e7831 Migrated to use @tryghost/social-urls package
refs #10618

- /lib/social/urls was extracted into SDK to move more modules out of the core and reduce coupling of the theme layer
2019-06-06 17:10:13 +02:00
Naz Gargol
cb199b17b8
Decoupled asset hash calculation from package.json (#10774)
refs https://github.com/TryGhost/Ghost/issues/9414
refs c9b95b4bbd

- Removed package version from asset hash calculation
- Package version doesn't introduce any value when calculating a hash because Date.now() provides enough randomization on its own
2019-06-05 10:06:25 +02:00
Naz Gargol
acdcadc396
🔥 Dropped Node v6 support (#10771)
no issue
    
- Node v6 has come to EOL as of 2019-04-30 (ref. https://github.com/nodejs/Release#end-of-life-releases)
- Removed Node v6 specific tests and code
2019-06-03 14:20:23 +02:00
Kevin Ansfield
f88adb9180
Added x-frame-options header to /ghost/ route (#10760)
no issue
- by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking
- the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file

Credits: Muhammad Fawwad Obaida
2019-05-28 09:04:48 +01:00
Aileen Nowak
d086841f36
Updated link to Marketplace (#10754)
no issue

- Marketplace moved to https://ghost.org/marketplace
2019-05-22 16:55:28 +08:00
Fabien O'Carroll
53b884ec2b
Refactored json-schema to use one instance of ajv (#10746)
refs https://github.com/TryGhost/Team/issues/211

Previous code was creating a new ajv instance for each call, as well as
loading the schemas, which are cached. This was causing a memory leak as
ajv caches all schemas.

We've replaced it with one instance of ajv, and conditionally
loading/compiling the schemas if they haven't been seen before.
2019-05-15 13:28:10 +02:00
Fabien O'Carroll
c101fd90d7
Removed lib/members in favour of packages (#10739)
* Installed `@tryghost/members-{api,auth-pages}`

no-issue

* Used @tryghost/members-auth-pages in member service

no-issue

* Used @tryghost/members-api in members service

no-issue

* Deleted core/server/lib/members

no-issue

* Fixed parent app tests

no-issue

Requiring the members api (via the `gateway` getter) was throwing an
error, so we stub out the members service getters
2019-05-08 14:08:25 +02:00
Rish
a4f4a00cc4 Updated to use slugify method from SDK for safe string
refs #10618

- Updated lib safe string security method
2019-05-07 15:33:07 +05:30
Rish
65ee0f95c4 Updated reading time helper to use SDK
refs #10618

- Removed duplicate calculation for reading time by using SDK method
2019-05-07 15:33:07 +05:30
Aileen Nowak
b2ed906773 🎨 Allowed protocol overwrite for canonical URLs (#10729)
closes #10709

- Only transform a canonical URL that is identical with the Blog URL to a relative URL when the protocol matches as well
- Leave the canonical URL absolute for all other cases
- Use case for this is e. g. when users want to port over their Facebook comments/shares/likes after a move from `http` to `https`
2019-05-06 15:27:54 +02:00
kirrg001
a31ed7c71d Added comments for Ghost API
no issue

- jsdoc
- added more information & context
2019-05-06 14:49:25 +02:00
Aileen Nowak
79345f9030 🐛 Fixed Twittercard having wrong property when no feature image provided
closes #10706

- Fixed a bug where we weren't assigning `summary_large_image` as Twitter card property when no feature image is provided, but a dedicated Twitter image
- Updated test to reflect this case to be tested better
2019-05-06 12:51:43 +02:00
Nazar Gargol
b69f1e9e21 Added comment about future scheduler migration
refs #10060
2019-05-06 12:26:08 +02:00
Katharina Irrgang
2447335ab1 🐛 Fixed post scheduling on restart (#10726)
no issue

- case: restart Ghost and while having a scheduled post 
- caused by 4acc375fb6 (diff-4726ce3c4d18d41afad4b46cb0aa7dd3)
  - the bug exists since 2.12
  - Bookshelf added support (or better said fixed a bug) for accessing previous attributes
  - `object.updated('published_at')` always returned "undefined", because the self-implementation < 2.12 only remembered previous attributes after update (see https://github.com/TryGhost/Ghost/blob/2.11.0/core/server/models/base/index.js#L234)
  - but `object.previous('published_at')` returns the current value (object.get('published_at') === object.previous('published_at') -> and that's why rescheduling on bootstrap never worked
- might fix https://forum.ghost.org/t/scheduled-posts-never-publish/6873/10
- reduced timeouts on scheduling unit tests
2019-05-06 11:11:43 +02:00
Nazar Gargol
f21e713a83 Added temp file cleanup for invalid themes
refs #10174

- When theme check fails with validation error there was no cleanup of files left from zip extraction
2019-05-02 17:59:29 +02:00
Fabien O'Carroll
a77190a312 Removed 2.16 member permission migration
no-issue

It turned out that due to the mismatch between `"members"` and
`"member"`, that not a single row was added to the database via this
migration. Clearing the file for simplicity.
2019-05-02 17:31:38 +02:00
Fabien O'Carroll
c70f5a0567 Copied member permission migration from 2.16->2.22
no-issue

The original migration read data from the fixtures, and ensured the
relations were made. Now the fixtures have been corrected, we can use
the same migration for 2.22
2019-05-02 17:31:38 +02:00
Fabien O'Carroll
0a67a25dbc Fixed member permission/role relations in fixtures
no-issue

The previous relations were setup to match against "members", which is
plural, but the object_type on the permission is "member". This was
causing the permissions to not be added as a relation to the role.
2019-05-02 17:31:38 +02:00
kirrg001
8f76827464 Added comments for post scheduling
no issue

- jsdoc
- inline comments
2019-05-01 22:05:42 +02:00
Kevin Ansfield
990ecec873
Added caption support to code card renderer (#10719)
* Added caption support to code card renderer

refs https://github.com/TryGhost/Ghost-Admin/pull/1181

- when a caption for a code card is provided, render the contents inside a `<figure>` element with a `<figcaption class="kg-card kg-code-card">` to match other caption-enabled cards
2019-05-01 17:10:24 +02:00
Nazar Gargol
d0970ad309 Removed lts update check flag
no issue

- `lts` parameter support was discontinued as of today. Returned data completely relies on `ghost_version` sent with the update check request
2019-05-01 16:00:53 +02:00
Nazar Gargol
27dae4022c 🐛 Fixed meta schema for 'page' context in dynamic routing
refs #10082

- When specifying an existing page as an allias for collection, e.g: `data: page.it-is-a-page` it was failing to generate metadata
2019-04-30 18:20:20 +02:00
Nazar Gargol
f5c1ed8fcb 🐛 Fixed 404 in collection index page if using data.slug
closes #10542

- Fixed error that was causing collection index to not be rendered: relations connected to alliased resource were not fetched
2019-04-30 18:20:20 +02:00
Florian Schlittenbauer
8eb4d4c888 replace deprecated del() with delete() call 2019-04-29 09:09:55 +02:00
Zimo
a6d7c46f2c Updated members payment failed copy and style
no-issue
2019-04-25 15:54:30 +02:00
Fabien O'Carroll
bf90733ce1 Updated token generation to use plans on member
no-issue

This is to remove duplication of logic, that now lives solely in the
getMember method
2019-04-25 13:38:26 +02:00
Fabien O'Carroll
70343f7923 Updated getMember to return plans
no-issue

Plans are distinct from subscriptions, as in theory a subscription could
have many plans. These moves the construction of the plans array into
the getMember function so that every consumer has access to the same
data.
2019-04-25 13:38:26 +02:00
Rish
b207ea35ec Updated signup flow to handle invalid payments
no issue
2019-04-24 13:23:00 +02:00
Fabien O'Carroll
7574d9af68 Added members-theme-bindings library to public
no-issue

This file is copied across on install, making it easy to update via
package.json, tbh we could not commit it to the repo - but it makes
sense to be able to see it when browing the file explorer. Any bumps in
package.json will update the file, so that it is prompted to be
commited.
2019-04-24 12:46:00 +02:00
Fabien O'Carroll
18ba613e45 Added member.js file to initialise theme bindings 2019-04-24 12:46:00 +02:00
Fabien O'Carroll
8689493cf5 Updated ghost_head to include the members scripts
no-issue

This conditionally adds the members scripts based on the labs setting
for members, and the context of the rendering to NOT be for AMP
2019-04-24 12:46:00 +02:00
Fabien O'Carroll
d638d6e979 Added middleware for serving members.js from core
no-issue
2019-04-24 12:46:00 +02:00
Fabien O'Carroll
ed1a42f7f3 Exported raw middleware from serve-public-file
no-issue

The current public file middleware handles route matching itself, which
means it is applied to express via the use method. Due to use being a
"global" application of middleware, this means it is not possible to
apply a labs middleware before the public file serving middleware
without it affecting the entire route stack.

This commit exports a piece of raw middleware that can be used with the
get method of express, so that we can attach middleware beforehand.

This will be used to conditionally serve the members specific public
files, based on the labs flag for members.
2019-04-24 12:46:00 +02:00
Fabien O'Carroll
d7fadfeff7 Fixed bug with deleting members after config change 2019-04-24 12:46:00 +02:00
Fabien O'Carroll
235d6a0366 Refactored labs middleware to remove duplication
no-issue

Also exposes a generic interface now.
2019-04-24 12:46:00 +02:00
Nazar Gargol
cb322fc1be Improved error context usage
refs #10571

- Change was done to avoid usage of hardcoded value and provide more context. Additionally errorDetails are formatted in a readable way
2019-04-23 09:45:11 +02:00
Nazar Gargol
63337dd823 Changed context used in error to help
refs #10571

- The context should provide the context in which the error has happened instead current value was more suited to purposes of help
2019-04-23 09:31:24 +02:00
Nazar Gargol
cea598597b Restructured theme check logic
refs #10571

- Removes dependency on 'context' property being set in error when
checking a theme
- Refactoring was needed to be able to avoid passing checked theme as a
part of thrown error (logic was relying on error having this specific
data in context property). This created a problem where we controlled
the logic flow with data in error object.
- Introduced 2 different types of theme check handling, one behaves the
same way as before, the other gives more granulac control to the caller
to decide what to do with returned errors.
2019-04-22 22:34:12 +02:00
Vikas Potluri
d989d62c10 Migrated encode, facebook_url and foreach helpers to es6 (#10655)
refs #9589 

* updated encode helper to use newer code standards
* updated facebook_url helper to use newer code standards
* updated foreach helper to use newer code standards
2019-04-22 17:54:42 +02:00
ml4den
8732d40967 Fixed a typo for non-verb "setup" (#10680)
no-issue
2019-04-22 17:47:28 +02:00
Rishabh Garg
8191513a86 Updated members site config keys (#10702)
no issue
2019-04-22 17:23:58 +02:00
Nazar Gargol
2253b2d18c 🐛 Fixed redirect for pages causing 404
closes #10649

- `resourceType` in API v0.1 is only of 'post' type. Because in admin we now distinguish between 2 types of editable resources: 'posts' and 'page' the redirect has to be based on 'entry.page' flag
2019-04-22 15:08:09 +02:00
kirrg001
ab49d1eed6 Added comments for routing service
no issue

- jsdoc
- inline comments
2019-04-21 23:55:22 +02:00
kirrg001
e07c0ecdc4 Added comments for url service
no issue

- jsdoc
- inline comments
2019-04-21 00:14:40 +02:00
Nazar Gargol
e1dca54bf7 🎨 Made notifications dismissible per user
refs #10656

- To make sure more users see important updates or announcements
notification dismissal now works per user instead of globally
- Expanded acceptance test for notification deletion
- Expanded regression test covering multiuser dismissal of notification
- Added clarifying comment about destroyAll method use in API
2019-04-19 09:43:14 +02:00
Fabien O'Carroll
39ed3f9145
Updated members auth pages to use gateway-protocol (#10695)
no-issue

This swaps out a hand copied library with the published one on npm
2019-04-18 15:53:36 +02:00
Nazar Gargol
809e610842 Added notification access persmission for users of Editor role
closes #9546

- Updated permissions  fixture for Editor role
- Added migration for permissions for Editor users
- Updated tests
2019-04-18 13:02:23 +02:00
kirrg001
6dd65d7176 Corrected general comment in update check unit
no issue
2019-04-17 20:52:50 +02:00
kirrg001
22c2d0cbcb Added comments for update check service
no issue

- jsdoc
- inline comments
- clarified variable names
2019-04-17 20:03:26 +02:00
Zimo
5a0113f24c Added close event on member pages background click 2019-04-17 16:34:14 +02:00
Peter Zimon
fb8a127729
Members refine buttons (#10692)
* Members: disabled signup button during signup

* Members: disabled non-Stripe signup button during signup

* Members: added check to Log in button logged in state
2019-04-17 16:16:03 +02:00
Zimo
01fa787227 Updated mobile styles for members upgrade screen 2019-04-17 16:06:04 +02:00
Rish
db9c2d1eca Fixed lint issues
no issue
2019-04-17 18:26:32 +05:30
Nazar Gargol
c519ce55e3 Fixed failing integration test
refs #9875

- Moved the comment about filtering by version closer to version checks as it doesn't apply to whole `.filter(...)` block
2019-04-17 14:48:09 +02:00
Rishabh Garg
876e310aea
Updated check for members-ssr use at theme layer (#10693)
no issue

### Context

As part of updating the theme layer to use members-ssr [here](f9899cb8c4), we introduced a case where if `enableDeveloperExperiments` is not switched on, the whole theme loading will crash due to unavailability of `ssr` property on members service [here](https://github.com/TryGhost/Ghost/blob/master/core/server/services/members/index.js#L12). Since we switch on `enableDeveloperExperiments` by default on master now, the issue won't be reproducible locally until explicitly switched off. 

This PR includes a patch fix which adds dummy `ssr` object to members service `api` object and members middleware check on APIs to ensure no crash in case developer flags is not switched on. 

Longer term it will be definitely useful to upgrade the dummy `api` object to trigger on member labs than the developer flag.
2019-04-17 17:38:12 +05:30
Fabien O'Carroll
5cb8972e2c Fixed subscription issue with null coupons
no-issue

Coupons were being sent as null to the api, so we support non required fields
2019-04-17 13:41:27 +02:00
Rish
ab3b0d95a2 🐛 Fixed fetching RSS in case of posts with no content
refs #10679

- Handles `null` html values in calculation
2019-04-17 15:12:01 +05:30
Fabien O'Carroll
500ec826c3 Added default disabled state of false to FormInput
no-issue
2019-04-17 10:35:17 +02:00
Fabien O'Carroll
78165a9981 Removed unused onClick handler in StripeSubscribePage
no-issue
2019-04-17 10:35:17 +02:00
Fabien O'Carroll
4d9ddbf77a Added coupon support to StripeSubscribePage
no-issue

Only shows the (disabled) input when a coupon is available
2019-04-17 10:35:17 +02:00
Fabien O'Carroll
feee3dc58f Cleaned up render{Subscribe,Upgrade}Page
no-issue

- ensured promises are returned
- removed unused prop
2019-04-17 10:35:17 +02:00
Fabien O'Carroll
0970fa6a6d Added CouponInput component
no-issue

This can be used in the subscribe pages to pass coupon info through
2019-04-17 10:35:17 +02:00
Fabien O'Carroll
b28f3a02d9 Added support for disabled form elements
no-issue

This can be used for a coupon input in future
2019-04-17 10:35:17 +02:00
Fabien O'Carroll
88368d0d94 Updated members api and gateway to pass coupo
no-issue

This will allow the auth pages and members sdk to pass coupons through
to the api.
2019-04-17 10:35:17 +02:00
Fabien O'Carroll
cdc3971ed8 Passed coupon from metadata through to stripe
no-issue

This will allow us to send through coupons from the api layer and have
stripe handle the rest :)
2019-04-17 10:35:17 +02:00
Rish
b377549bc7 Added spinner on member signup pages
no issue
2019-04-16 23:22:15 +05:30
Rish
874fceb077 Updated member signin page to show logged in status
no issue
2019-04-16 22:42:16 +05:30
Nazar Gargol
1211c70eb3 🐛 Fixed Ghost out of date notification
closes #9875

- The solution here is a quick patch and should be cleaned up once https://github.com/TryGhost/Ghost/issues/10236 is implemented
2019-04-16 18:29:51 +02:00
Zimo
17bc79d57e Added fade in for signup complete page 2019-04-16 17:51:16 +02:00
Peter Zimon
94ac33bc97
Members refinements (#10689)
* Updated close animation speed for members pages
* Updated responsive styles for members mobile screens 
* Adding spinner CSS to members pages
* Adding members signup complete page
2019-04-16 17:36:37 +02:00
Fabien O'Carroll
9aa9b39a59 Fixed require path of members-ssr
no-issue
2019-04-16 17:19:46 +02:00
Fabien O'Carroll
f9899cb8c4
Updated theme layer to use members-ssr (#10676)
* Removed support for cookies in members auth middleware

no-issue

The members middleware will no longer be supporting cookies, the cookie
will be handled by a new middleware specific for serverside rendering,
more informations can be found here:

https://paper.dropbox.com/doc/Members-Auth-II-4WP4vF6coMqDYbSMIajo5

* Removed members auth middleware from site app

no-issue

The site app no longer needs the members auth middleware as it doesn't
support cookies, and will be replaced by ssr specific middleware.

https://paper.dropbox.com/doc/Members-Auth-II-4WP4vF6coMqDYbSMIajo5

* Added comment for session_secret setting

no-issue

We are going to have multiple concepts of sessions, so adding a comment
here to be specific that this is for the Ghost Admin client

* Added theme_session_secret setting dynamic default

no-issue

Sessions for the theme layer will be signed, so we generate a random hex
string to use as a signing key

* Added getPublicConfig method

* Replaced export of httpHandler with POJO apiInstance

no-issue

This is mainly to reduce the public api, so it's easier to document.

* Renamed memberUserObject -> members

no-issue

Simplifies the interface, and is more inline with what we would want to export as an api library.

* Removed use of require options inside members

no-issue

This was too tight of a coupling between Ghost and Members

* Simplified apiInstance definition

no-issue

* Added getMember method to members api

* Added MembersSSR instance to members service

* Wired up routes for members ssr

* Updated members auth middleware to use getPublicConfig

* Removed publicKey static export from members service

* Used real session secret

no-issue

* Added DELETE /members/ssr handler

no-issue

This allows users to log out of the theme layer

* Fixed missing code property

no-issue

Ignition uses the statusCode property to forward status codes to call sites

* Removed superfluous error middleware

no-issue

Before we used generic JWT middleware which would reject, now the
middleware catches it's own error and doesn't error, thus this
middleware is unecessary.

* Removed console.logs

no-issue

* Updated token expirty to hardcoded 20 minutes

no-issue

This returns to our previous state of using short lived tokens, both for
security and simplicity.

* Removed hardcoded default member settings

no-issue

This is no longer needed, as defaults are in default-settings.json

* Removed stripe from default payment processor

no-issue

* Exported `getSiteUrl` method from url utils

no-issue

This keeps inline with newer naming conventions

* Updated how audience access control works

no-issue

Rather than being passed a function, members api now receives an object
which describes which origins have access to which audiences, and how
long those tokens should be allowed to work for. It also allows syntax
for default tokens where audience === origin requesting it. This can be
set to undefined or null to disable this functionality.

{
    "http://site.com": {
        "http://site.com": {
            tokenLength: '5m'
        },
        "http://othersite.com": {
            tokenLength: '1h'
        }
    },
    "*": {
        tokenLength: '30m'
    }
}

* Updated members service to use access control feature

no-issue

This also cleans up a lot of unecessary variable definitions, and some
other minor cleanups.

* Added status code to auth pages html response

no-issue

This was missing, probably default but better to be explicit

* Updated gateway to have membersApiUrl from config

no-issue

Previously we were parsing the url, this was not very safe as we can
have Ghost hosted on a subdomain, and this would have failed.

* Added issuer to public config for members

no-issue

This can be used to request SSR tokens in the client

* Fixed path for gateway bundle

no-issue

* Updated settings model tests

no-issue

* Revert "Removed stripe from default payment processor"

This reverts commit 1d88d9b6d73a10091070bcc1b7f5779d071c7845.

* Revert "Removed hardcoded default member settings"

This reverts commit 9d899048ba7d4b272b9ac65a95a52af66b30914a.

* Installed @tryghost/members-ssr

* Fixed tests for settings model
2019-04-16 16:50:25 +02:00
Fabien O'Carroll
b3f66c6c91 Blacklisted private member settings for HTTP calls
no-issue

Previously it was possible to fetch the private key and session secret
for the members service, this is a security issue as we do not have
specific permissions for individual settings yet, and could have
possibly exposed secrets to admin integrations.
2019-04-16 14:39:01 +02:00
Tim Birkett
2b75d1f9df Exposed new logging config options (#10678)
no issue

- Exposes the new name and gelf logging options.
2019-04-16 16:34:15 +05:30
Chris McKulka
a6fc2f1514 🐛 Removed extraneous log message for missing en.json locale file (#10662)
no issue
- content is in english (en) by default so only show the missing translation file warning when a non-english locale is configured
2019-04-16 10:32:20 +01:00
Vikas Potluri
c58236e549 🐛 Disallowed locked/suspended users from being made owner via the API (#10647)
- closes #10555
- Added a check to the user modal that the new owner is active 
- Had to refactor Owner->Author unit test (also renamed it)
  - Based on the first 2 lines, owner->editor change is attempted (hence the rename)
  - Since both stubs return a 'modal' with owner role which means owner->owner change is actually attempted
  - Now that there's a user status check, added the `status` property to the user receiving owernship
2019-04-16 10:30:29 +01:00
Fabien O'Carroll
b50cff8753 Updated import to never use {active,instsalled}_apps
no-issue

This is so that new imports will not contain old default, or invalid
values.
2019-04-16 11:19:17 +02:00
Fabien O'Carroll
7461869f13 Updated import to only show warning when apps exist
no-issue

This is so that someone with empty defaults for installed_apps and
active_apps, or someone without the defaults at all, will not see the
warning message when importing.
2019-04-16 11:19:17 +02:00
Fabien O'Carroll
a947947ebd Removed support for apps from getContentPath
no-issue

There is no longer a need for this as external apps do not work.
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
37bcdb0a83 Removed filters module
no-issue

This is no longer used now, as it was for apps to extend Ghost
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
90c2dbcd6b Removed use of filters module
no-issue

As we're deprecating apps, filters are no longer used.

- Removed use of filters in helpers
- Removed use of filters from routing service
- Removed use of filters from rss service
- Removed use of filters in base model
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
54ac98037b Refactored proxy to not take name param
no-issue

This was only used as context to api methods, but those have been removed.
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
ca2dc1889a Removed unused filters object from apps proxy
no-issue

This is not used by any current apps, and apps are considered
deprecated.
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
65f16f77a7 Removed unused api object from apps proxy
no-issue

This is not used by any current apps, and apps are considered deprecated.
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
0d40952232 Removed apps from update-check
no-issue

This only read external apps, so can be removed now we don't support them
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
f74d459dad Removed active and installed apps default settings
no-issue
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
4a22fcf73a Removed unused translations for apps service
no-issue
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
29948da3bc Refactored app service init to load config
no-issue
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
d31395412b Removed sandbox from apps service
no-issue

The instansiation of a Module object was only used so that we could
override the require method inside external apps, now we have no support
for them, we are free to require the internal apps directly. This has no
functionality change.
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
4696d70de0 Refactored app proxy module to not use Constructor
no-issue

Rather than creating a whole instance, we can replace it with a helper
method - his is less memory intensive and a little easier to parse for
something this small.
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
ca8c5c4907 Removed app permissions module and updated loader
no-issue

The permissions module is no longer necessary as we only suppot internal
apps, which have all permissions. This allowed us to delete the module,
but required that we update the loader to remove references to it.
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
e4db1eed81 Removed support for external apps from Proxy
no-issue

This also removes the need for permissions, as internal apps have all permissions
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
4b74c11abb Removed installAppByName method
no-issue

Only external apps needed the install step, we can safely remove this now.
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
ad9d142174 Refactored Sandbox to be singleton
no-issue
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
fd9fc92dd5 Removed external app support in Sandbox
no-issue
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
fc1aa58dc0 Removed external app support from app service loader
no-issue
2019-04-16 11:05:33 +02:00
Fabien O'Carroll
d63d3f77eb Removed external app support from app service init
no-issue
2019-04-16 11:05:33 +02:00
Rishabh Garg
62f5bdac4c
Updated to use count words/images helpers from SDK (#10686)
refs #10618

- Added @tryghost/helpers dependency to use Ghost-SDK helpers
- Updated countWords, countImages helpers and removed local copy
2019-04-16 08:00:01 +05:30
Fabien O'Carroll
32a4798d76 Added skip of active/installed apps settings during import (#10681)
no issue
- the `{active,installed}_apps` settings related to a very old, minimally implemented, unreleased, and problematic approach to custom apps
- this is the first step towards full removal of the old "apps" concept

Credits: Kacper Szurek
2019-04-15 11:10:10 +01:00
Rish
9e6733ecab Updated subscription data in member request
no issue

- Added subscription amount to member subscription data
2019-04-13 10:44:43 +05:30
Rishabh Garg
c03ca79c66
Added Admin API for deleting members (#10673)
no issue

- Added new API to delete members
- Added methods to handle e2e member deletion
- Deleting member via Admin leads to
  - Removal of member from payment processor and cancelling all active subscriptions immediately
  - Removal of member information from DB
2019-04-13 10:38:56 +05:30
Rishabh Garg
35c4da710a
🐛 Fixed sitemap generation with correct date and images value (#10668)
closes #10640

- Updated sitemap resources data to include certain fields
- Fixes sitemap date and images value
- Updated date handling for sitemap nodes
2019-04-09 12:43:07 +05:30
Naz Gargol
87b37556c8
Improved error context usage (#10669)
refs #10571

- Reduced the amount of log output for collision errors
- Improved data passed into `errorDetails` during theme check
- After discovering https://github.com/TryGhost/Ghost/blob/9810834/core/server/services/themes/index.js#L56-L57 wasn't able to remove `checkedTheme` from `context`. Left a note to be refactored later
2019-04-09 13:00:56 +08:00
Kevin Ansfield
47692b1081 🐛 Fixed last paragraph not rendering on front-end when it's styled
no issue
- the conditional for removal of trailing blank paragraphs was not sufficient to handle paragraphs where the first child element was not a text node such as when the content of the last paragraph is italic
- switched to a method that fully walks the DOM of the last paragraph node to extract its equivalent `.textContent` value for use in the "last para is blank?" check
2019-04-08 16:25:20 +01:00
Fabien O'Carroll
cebcf27b6b 🐛 Fixed 500 template error occurring in place of a 404 for missing pages/assets (#10660)
no issue

- when the page is missing the context can be undefined, this defaults it to an empty array so that later `context.includes()` calls don't error
2019-04-04 14:41:56 +01:00
Fabien O'Carroll
35725f9537 Added members data to local template options
no-issue

- Splits updateTemplateData into three functions with clear naming
- Adds req.member to local template options, to be used as {{@member}}
2019-04-04 10:44:43 +02:00
Fabien O'Carroll
b38fb32c3f Refactored theme middleware module
no-issue

- Replaces var -> const
- Removed use of object to hold functions
2019-04-04 10:44:43 +02:00
Fabien O'Carroll
d0c1853797 Used getter instead of looking up internal property
no-issue

Since express-hbs@1.10 we have a method to get the template options,
which should be used rather than reading internal "private" properties
2019-04-04 10:44:43 +02:00
Vikas Potluri
bd77c1e2e0 Migrated body_class, content and date helpers to ES6 (#10644)
refs #9589 

* updated body_class helper to use newer code standards
* updated content helper to use newer code standards
* updated date helper to use newer code standards
2019-04-02 08:36:13 +02:00
Nazar Gargol
b9eaf27e56 🐛 Fixed admin error page on startup
closes #10616

- The check should be on empty object because that's the default state of expresses 'engines' property - 3ed5090ca9/lib/application.js (L59)
- The bug was introduced with 5e963935f9 (diff-04cc23b216e11161ab7267d69f13d004R142)
2019-04-01 15:06:00 +08:00
Nazar Gargol
0d89acd910 🐛 Fixed redirects to external URL
closes #10623

- The ability to redirect to external URLs was broken with 7e211a307c
- Added test coverage for external URL case
2019-04-01 12:33:29 +08:00
Vikas Potluri
960993b257 Migrated asset and author helpers to es6 (#10611)
refs #9589

* update asset helper to use newer code standards

* update authors helper to use newer code standards
2019-03-26 10:06:41 +05:30
kirrg001
1e6f4ba340 🐛 Fixed Admin API v2 wasn't returning preview url
no issue

- Admin API v2 returned /404/, see comment in code base:

/**
* CASE: admin api should serve preview urls
*
* @NOTE
* The url service has no clue of the draft/scheduled concept. It only generates urls for published resources.
* Adding a hardcoded fallback into the url service feels wrong IMO.
*
* Imagine the site won't be part of core and core does not serve urls anymore.
* Core needs to offer a preview API, which returns draft posts.
* That means the url is no longer /p/:uuid, it's e.g. GET /api/v2/content/preview/:uuid/.
* /p/ is a concept of the site, not of core.
*
* The site is not aware of existing drafts. It won't be able to get the uuid.
*
* Needs further discussion.
*/
2019-03-21 19:08:38 +01:00
Rish
394c8b7650 Removed hard-coded members lab flag for theme
no issue

- Removed hard-coded setting to switch on members flag in labs based on developer flag
2019-03-21 13:56:46 +05:30
Grant
51151e9e9e Removed obsolete comment about api keys not being supported (#10622)
no issue

I noticed an outdated comment in the codebase ([confirmed by Kevin](https://forum.ghost.org/t/code-comment-says-we-dont-support-admin-api-keys-yet-is-this-true/6344/4?u=grant)). This PR removes it.
2019-03-19 20:05:37 +01:00
Nazar Gargol
2517e9dc65 Added consistent handling to empty mobiledoc
closes #10612

- Added handling for 'blank' mobiledoc structure which should be converted to '""' instead of '<p></p>'
2019-03-18 20:06:53 +08:00
kirrg001
56deccb74d Added missing translation key: admin api kid
no issue

- found this by coincidence
2019-03-18 12:48:39 +01:00
Eol
9a21bea2c7 🐛 Fixed null displayed on empty post content (#10617)
refs #10612

- Added `null` value handling to {{content}} helper, which is same to how {{exerpt}} helper handles `null` values at the moment
2019-03-18 19:46:59 +08:00
Katharina Irrgang
a2f7160499
Enhanced 2.18 detection (#10610)
no issue

- discovered another case
2019-03-13 23:40:50 +01:00
Fabien O'Carroll
ca16b197a2
Checked null & undefined in settings migration (#10609)
no-issue

This is to make sure we catch all falsy cases of values.
2019-03-13 23:35:23 +01:00
Fabien O'Carroll
406e7c04d2
Improved error messages/handling for 2.18 migrations (#10608)
no-issue

We do not want to throw errors for edgecases, so we lot a message
telling the user to double check their settings.
2019-03-13 22:03:54 +01:00
Fabien O'Carroll
a8debd8980
🐛 Fixed private blogging getting disabled after 2.17 migration (#10606)
no-issue

The 2.17 migration included a bug which set the `is_private`, `amp` and `force_i18n` setting values to `'false'` when they should have been `'true'`

We've reverted these changes by reading the most recent backup file, and setting the value to `'true'` if the backup has it set to `'true'` AND the current db has it set to false.

We've also amended the broken migration, so that it does not cause this issue for future installs
2019-03-13 21:35:19 +01:00
Fabien O'Carroll
56b6c633f6
Updated backup file names to include timestamp (#10607)
no-issue

Currently if you run two migrations on the same day, the backup is overwritten. This change adds the `HH-mm-ss` to the file name, meaning that you get a unique backup for each migration.
2019-03-13 21:06:05 +01:00
Katharina Irrgang
f64af762ef 🐛 Fixed "Cannot read property 'feature_image' of undefined" (#10602)
no issue

- refs https://forum.ghost.org/t/default-hbs-cannot-read-property-feature-image-of-undefined/6194
-
2019-03-13 18:13:52 +08:00
Kevin Ansfield
507d8b32db
Fixed previews not reflecting changes to scheduled posts on Ghost(Pro) (#10601)
closes https://github.com/TryGhost/Ghost/issues/10600
- modifies conditions for when to send a cache invalidation header for preview URLs to include changes to scheduled posts
2019-03-12 18:35:54 +00:00
kirrg001
811ba83b19 🐛 Fixed {{body_class}} helper when using data: page.{slug} in routes
refs #10082

- throwed a 500 because this.page was not handled
- v2 differentiates between page and post
2019-03-12 12:34:16 +01:00
kirrg001
555dc2f180 🐛 Fixed {{meta_title}} output when using data: page.{slug} in routes
refs #10082

- meta_title output wrong meta title

Only solves meta_title outout for this use case:

```
routes:
  /:
    data: page.{slug}
    template: t
```
2019-03-12 12:34:16 +01:00
kirrg001
3b4edccf62 🐛 Fixed {{meta_description}} output when using data: page.{slug} in routes
refs #10599

- meta_description output wrong meta description

Only solves meta_description for this use case:

```
routes:
  /:
    data: page.{slug}
    template: t
```
2019-03-12 12:34:16 +01:00
kirrg001
fef0aa44d3 🐛 Fixed meta twitter_image output when using data: post.{slug} for routes
refs #10082

```
routes:
  /news/:
    data: post.news
```

The twitter_image was not available, because the context is [news, post] and the data is in `data.post`.
The context helper was incorrect. I think it is still not fully correct, but only focused on this use case.
The meta layer needs a full refactoring.
2019-03-12 12:13:47 +01:00
Naz Gargol
34fad7eaaf
Added Canonical URL support to posts&pages in Admin & Content API v2 (#10594)
refs #10593

- Added `canonical_url` field to post&pages resources in Admin & Content APIs
- Support for canonical URL on metadata layer (used in {{ghost_head}} helper)
- Made sure the new field is not accessible from API v0.1 
- Added handling same domain relative and absolute URLs
2019-03-12 17:51:29 +08:00
kirrg001
0c8373afb7 Removed 'null' parsing in settings model
refs #10582

- I don't think this is a good idea
- If a user passses "null", we should treat it as a string
- I am not aware of a use case why people have "null" in their database
- If people send "null" via the API, we should respect this and accept a string
2019-03-11 20:07:48 +01:00
kirrg001
0c583135ba Added TODO to settings input serializers
no issue

- we need these rules globally
2019-03-11 20:07:48 +01:00
kirrg001
255b55cab5 Added proper importer regression tests
refs #10582
2019-03-11 20:07:48 +01:00
kirrg001
145a9456a2 Updated settings validations
refs #10582

- the db input formatter ensures we always forward "true" or "false" for boolean fields
2019-03-11 20:07:48 +01:00
kirrg001
20ab9651dc Removed force_i18n in API v2 settings serializer
refs #10582

- deprecated
- won't serve
- won't save
2019-03-11 20:07:48 +01:00
kirrg001
bfccaa8d2e Added db formatter for settings model
refs #10582

- ensure we won't forward booleans to database
- type TEXT will transform booleans to "0"/"1!
2019-03-11 20:07:48 +01:00
kirrg001
037ac4d748 Added input serialization for settings API v2 to transform "0"/"1" booleans
refs #10582

- otherwise we will forward string booleans to model layer
- causes trouble if we trigger events
- causes trouble if we want to add conditions to the model e.g. setting.get('value') ?
2019-03-11 20:07:48 +01:00
kirrg001
f80a9429b9 Added migration to normalize booleans
refs #10582
2019-03-11 20:07:48 +01:00
kirrg001
fca05453fe 🐛 Fixed site requests showing 422 if path is not a valid slug
no issue

- e.g. /feed.xml/ was showing a 422
- any other none slug site requests showed a 422
- should be a 404
- context: site is talking to Content API
  - it can happen that the API returns a 422
  - the routing layer needs to handle this and always show a 404
- catched error in routing error handling
- need to see if there are more cases
2019-03-11 19:40:51 +01:00
Aileen Nowak
23215e7d74 Added event to integrations when created (#10588)
no issue

- There was no model event being sent yet when a new integration is being created
- Added this event type to our analytics listener
2019-03-11 15:28:17 +01:00
kirrg001
160d50a258 🐛 Fixed /edit url redirecting to wrong admin client url
no issue

- admin client has fixed showing a 500
- we now show a 404 if the url is wrong
- server side has corrected the editor url
2019-03-11 15:26:13 +01:00
Kevin Ansfield
0a846002f8 Renamed blog->site in error messages and welcome e-mail (#10586)
no issue

- general `blog` -> `site` wording switch
2019-03-11 15:25:21 +01:00
Fabien O'Carroll
a2aa66ca73
🐛 Fixed img-url to output relative url by default (#10596)
closes #10595

* Added breaking test for img-url helper

Input from the content API was absolute, adding this test to verify my fix

* Updated existing test to breaking test for img-url

Had made a dumb assumption when building images sizes, this updates the
test to fail so we can verify the fix

* Refactored img-url to return as early as possible

This makes it a little easier to parse what's going on, and it also
allows us to remove the check for existence of the image url in the
getImageSizes function

* Refactored img-url config parsing to clean up core logic

Superficial refactor to make future changes able to focus on what rather
than how.

* Refactored internal image detection into helper

We're gonna need to know if the image is internal or not, when we force
the path to relative, if we pull this out now, we have access in the top
level logic

* Removed duplicate checks for internal image

Cleaning up and moving "higher-level" logic into the main function of
the module

* Renamed attr -> requestedImageUrl

Superficial refactor, trying to be more explicit about identifiers

* 🐛 Fixed img-url to output relative url by default

Includes a check to isInternalImage as we never want to make external
images relative.

* Returned early if img-url recieves external url

After realising we never want to deal with external urls, we can
continue to return as early as possible, letting us remove checks and
simplify the more complex logic for internal images.

* Cleaned up the internal image logic

Defining the three functions in order helps to see what operations are
going to happen and in which order, we can then return the result of
each operation applied to the next operation.
2019-03-11 15:20:05 +01:00
David Sánchez
49cf18fe33 🐛 Changed subscribed page title from hardcoded to site title (#10589)
no issue

- The subscribed title was being hardcoded as "Ghost" instead of using the title of the site.
2019-03-11 14:07:37 +08:00
Nazar Gargol
9a831d1306 Fixed url for settings images saved in the db
closes #10590

- All images stored in the db should be relative urls and should only be served as absolute
2019-03-11 11:59:06 +08:00
Hannah Wolfe
d2b1e0d4b7 Attr pass-thru & full context in partial helpers
refs #5162

- allow pagination and navigation partial helpers to have attributes passed through to them
    - e.g. {{navigation header=true}} -> {{#if header}} will now work
    - allows styling navigation to be done differently for different sections of the page
- properly create a data frame, and pass through "this" context
    - means {{navigation header=true}} is the same as {{> navigation header=true navigation=@site.navigation}}
    - our partial helpers, have the same behaviour exactly as if the partial was called directly
- this is additive, and improves behaviour
2019-03-09 21:21:01 +00:00
Nazar Gargol
942324b60e 🐛 Fixed private blogging getting enabled after import
refs #10582

- Importer should do similar conversion introduced in 04c60b4ce1
2019-03-07 18:44:47 +08:00
Nazar Gargol
3124d23ccf 🐛 Fixed force_i18n import validation error
closes #10580

- The validation was failing because boolean values in settings can also be "0" and "1". 04c60b4ce1 explains the reason why these 2 new values are allowed
2019-03-07 16:42:11 +08:00
Naz Gargol
9810834f7b
Removed redundant errorDetail and context stringification in errors (#10572)
no issue

- Additional JSON.stringify call is redundant because it is already happening internally in Ignition (https://github.com/TryGhost/Ignition/blob/master/lib/logging/GhostLogger.js#L241)
- Left stringification in importer as is, because the use case there is also
putting errors into 'problems' array and seems like those values have to
be stringified
2019-03-07 12:58:44 +08:00
Katharina Irrgang
04c60b4ce1
🐛 Fixed private blogging getting enabled when saving any setting (#10576)
no issue

- Reported here: https://forum.ghost.org/t/in-version-2-16-3-found-bug/6065/3

---

Admin Client sends false or true booleans for `is_private` key.

The settings table has two columns "key" and "value". And "value" is always type TEXT.

If you pass value=false, the db will transform this value into "0".
`settingsCache.get('is_private')` is then always true, even though the value is meant to be false.

We should add a migration in v3 and normalize all setting values to ensure consistent database values. Furthermore, we should improve the handling around settings values in general.

For now, we protect parsing values from DB, which we anyway need to transform the values into the correct data type, because we always save strings. This will protect values being stored as "false" or "1" or whatever.
2019-03-06 12:56:26 +01:00
kirrg001
ac26436c10 🐛 Fixed v0.1 username/password authentication
no issue

- refs 39edb7646e
2019-03-06 10:48:21 +01:00
kirrg001
5b73e8238e 🐛 Fixed email address not being returned with admin api key authentication
no issue

- bug in model layer
- we have to drop these context checks when dropping v0.1
2019-03-06 10:48:21 +01:00
Dan Sloan
fba277ce1d 🐛 Fixed custom certificate usage for MySQL (#10573)
closes #10570

Added a conditional to only run makePathsAbsolute when database:client
is sqlite3, which keeps expected behaviour (make the
"database:connection:filename" path absolute when running SQLite) while
not breaking MySQL behaviour.
2019-03-06 10:28:10 +01:00
Kevin Ansfield
39edb7646e
Improved error message when attempting to use disabled v0.1 Public API (#10562)
no issue
- trying to use the v0.1 Public API when it was disabled led to a confusing error message, see https://forum.ghost.org/t/403-forbidden-error-on-postman-api-call/6017
- adds an explicit check for the Public API being enabled in the client authentication step and throws a useful error message if client auth is attempted when it's disabled
2019-03-05 10:41:07 +00:00
kirrg001
e79fc9a9be Fixed incorrect codeinjection_* assignment
no issue

- discovered while testing
2019-03-05 11:00:16 +01:00
Nazar Gargol
e109c54245 🐛 Fixed 500 error when wrong field data was passed
closes #10564

- Added similar filtering logic to models/base in `findOne` as in `findPage` to prevent fetching unexistent columns
2019-03-05 17:26:34 +08:00
Nazar Gargol
30c005f848 🐛 Fixed field filtering for /authors/:id endpoints
closes #10512

- Removed field filtering in blog owner fetching because it didn't work before (fields weren't reduced) and now broke generated sql queries (ambiguous id field)
2019-03-05 15:18:32 +08:00
Nazar Gargol
62c4ae119d 🐛 Fixed field filtering for /tags/:id endpoints
refs #10512

- Fixed ability to fetch specific fields when fetching tag resource by id
- Also only returning `url` field when specified in `fields` parameter
2019-03-05 13:17:38 +08:00
kirrg001
97cf337907 🐛 Fixed 404 when trying to update codeinjection_* settings in Admin API v2
refs #10560
2019-03-04 22:59:13 +01:00
kirrg001
449bae9a48 🐛 Fixed missing "value" property for settings Admin API v2
closes #10518

- we had a very generic logic to remove "unwanted" null values
  - copied from v0.1
  - originally added in 7d4107fec4
- this logic transformed: settings = [{key: 'key', value: null}] to [{key: 'key'}], which is wrong
- i've removed this generic logic completely, because i don't know which purpose it serves
- if there a specific case where we want to remove null values, we should either use the JSON schema or use a specific serializer for the target resource
- added tests to proof that settings API behaves as it should
- one test failed because we removed the isNull logic -> if you send published_at = null on a published post
  - the model layer has a piece of logic to force a date if you set published_at to null if the status is published
  - protected
2019-03-04 20:06:53 +01:00
Fabien O'Carroll
98b4940f70
🐛 Allowed data in collections to use specified key (#10559)
closes #10434

This adds the list of objects to the specified key,
finishing off the work started in the PR here:
https://github.com/TryGhost/Ghost/pull/10449
2019-03-04 17:53:58 +01:00
Kevin Ansfield
5a7356de5b 🐛 Fixed excerpt property being missing if plaintext is NULL or ""
closes https://github.com/TryGhost/Ghost/issues/10558
- added conditional to explicitly set `excerpt` to `null` in the API output serializer when a post has no `plaintext` or `custom_excerpt` value
2019-03-04 14:30:26 +00:00
Kevin Ansfield
2b34327544 🐛 Fixed plaintext field not being cleared when post body is removed
closes https://github.com/TryGhost/Ghost/issues/10557
- add conditional for plaintext changing rather than only being present for when to set a new plaintext value
2019-03-04 14:03:44 +00:00
Fabien O'Carroll
d7238e94c2
🐛 Supported "false" as absolute attribute value (#10556)
no-issue

* Added breaking test
* 🐛 Supported "false" as absolute attribute value

refs https://github.com/TryGhost/docs-api/pull/29
2019-03-04 11:23:42 +01:00
Vikas Potluri
42c472feff Removed superagent dependency (#10535)
no issue

- Migrated default scheduling adapter to use Got via the request proxy
- SchedulingDefault is the only module that was using superagent so removed it as a dependency
2019-03-04 15:59:38 +08:00
Nazar Gargol
01b03f7a1a 🐛 Fixed returning 'null' text for exerpt helper
refs #10554

- Fixes a flow described in https://github.com/TryGhost/Ghost/issues/10554#issuecomment-469127056
2019-03-04 14:39:20 +08:00
kirrg001
a180d4e103 Updated TODO's
no issue
2019-02-27 18:08:36 +01:00
kirrg001
f8d1e38290 🐛 Fixed empty amp page
closes #10547

- TODO: raise issue
2019-02-27 17:56:09 +01:00
kirrg001
f33dacaf64 🐛 Fixed {{url}} output when using {{#next_post}}/{{#prev_post}}
closes #10546

- TODO: raise issue
2019-02-27 17:50:51 +01:00
Rish
d62feca270 Added members permission migrations
no issue

- Added new fixtures for member permissions for Admin
2019-02-26 15:43:36 +07:00
Rish
20a898a986 Refactored members auth flow with dynamic settings
no issue

- Updated members auth flow UI
- Updated members settings and routing to be dynamic
2019-02-26 15:43:36 +07:00
kirrg001
90aef4f6c9 Stripped "excerpt" and "plaintext" from API v2 schema
no issue

- exceprt -> virtual field
- plaintext -> generated field
2019-02-26 09:07:14 +01:00
kirrg001
5a52336791 Used correct posts controller name for Content API v2
no issue
2019-02-26 08:33:10 +01:00
kirrg001
38e93c19b5 Reverted & Solved apiType differently
no issue

- was unable to revert 9dd7aff9c6, because it contains members changes
- functional calls did not work correctly, because the content and admin ctrl differentiation happend in the web layer
- `isContentAPI` returned true for `api.v2.settings.edit(data, {context: {internal:true{})`
- content & admin API are using different controllers
- we can just tell which ctrl is content API and which is not
- the direction fits for the content & admin API split
2019-02-26 08:33:10 +01:00
kirrg001
46d7a5666e Renamed authors ctrl to authors-public
no issue

- consistency
2019-02-26 08:33:10 +01:00
kirrg001
7a2398b7f2 Fixed error handling for API frame
no issue

- throwing an object from a catch handler is not a good idea
- unexpected and broke functional call to API (always returned a 500, because API returned {err: err, method: ...}
2019-02-26 08:33:10 +01:00
Nazar Gargol
3baf52fba9 Added 'property' field to errors returned from API
refs #10438
2019-02-26 13:41:13 +07:00
Hannah Wolfe
bd904cd8e1
Tags endpoint is experimental
- hasn't been tested yet, soooooooon
2019-02-26 12:52:58 +07:00
Rish
392bb412d2 Fixed broken static routes with members serverside rendering
no issue

refs cc1f62438d
2019-02-26 12:19:31 +07:00
Rish
b010c1be7e Fixed broken routes with members serverside rendering
no issue

refs cc1f62438d
2019-02-26 11:59:50 +07:00
Fabien O'Carroll
4e6a6a24ac Updated Admin API key auth to require kid in header (#10538)
* Required kid be a header claim as according to spec

https://tools.ietf.org/html/rfc7515#section-4.1.4 (JWT is an extension of JWS)

* Updated error message for missing kid

* Fixed admin-api key unit tests

* Fixed regression and acceptance tests
2019-02-26 11:03:47 +07:00
kirrg001
71951eabea Fixed webhook resource name for page events
no issue

- posts & pages live in the same table, need to use the event name
2019-02-25 23:51:23 +01:00
kirrg001
6c50dadb90 Fixed serialized webhook payload for deleted resources
no issue

- serializer did not kick in correctly
2019-02-25 23:35:52 +01:00
kirrg001
370f3bbcc0 Removed single author serializer from v2
no issue
2019-02-25 23:35:09 +01:00
kirrg001
2fd5964089 Fixed emitEvent in base model
no issue

- the options were not correctly remembered
2019-02-25 22:53:47 +01:00
Fabien O'Carroll
cc1f62438d
Added support for serverside rendering of members content (#10522)
no-issue

- Added member auth middleware to siteApp
- Passed member as context in routing service
- set Cache-Control: private for member requests
- fucked up some tests
- Added member as global template variable
- Updated tokens to have expiry of subscription_period_end
2019-02-25 17:03:27 +01:00
kirrg001
d6872de0b2 Added "useGravatar" to config endpoint in Admin API v2
no issue
2019-02-25 15:39:47 +01:00
kirrg001
a1023f0b11 Renamed theme upload file field name
no issue

- consistent with /images/upload/ endpoint
2019-02-25 13:26:03 +01:00
kirrg001
3278e8df22 Returned prefix for site & config response
no issue

- otherwise it's super inconsistent to our other responses
- we always expose the resource type first
2019-02-25 13:24:19 +01:00
kirrg001
bd7da54ce3 Changed config endpoint for Admin API v2
no issue

- re-designed config endpoint
- timezones.json should live in Ghost-SDK long-term
2019-02-25 13:24:19 +01:00
kirrg001
f9974a91a9 Added public /site endpoint to Admin API v2
no issue
2019-02-25 13:24:19 +01:00
kirrg001
b5155e280e Returned tags & authors by default for Admin API v2
no issue

- tags, authors, authors.roles by default
2019-02-25 13:22:50 +01:00
kirrg001
28a222703b Added computed "excerpt" field to Admin API v2
no issue
2019-02-25 13:22:50 +01:00
kirrg001
e65a82833c Changed default format from html to mobiledoc for Admin API v2
no issue

- Ghost-Admin needs mobiledoc only
- Ghost-Android needs mobiledoc only
- any other client can fetch other formats using the query param
2019-02-25 13:22:50 +01:00
Nazar Gargol
f558b58c89 Combined /images* endpoints into /images/upload
- refs #10438

- /images/upload now accepts all the image uploads and distinguishes their purpuse using new `purpose` form data field
2019-02-25 19:15:16 +07:00
Kevin Ansfield
4f9e687f62 Updated mobiledoc renderer to insert begin/end HTML comments around cards
no issue

We're creating tooling to convert HTML to Ghost flavoured mobiledoc, however we have cards that allow arbitrary content without a wrapper element which means that we're unable to do a 1:1 mapping of mobiledoc->html->mobiledoc. To work around this problem we now output HTML comments before/after the output of each card so that our converter can extract card content correctly when parsing HTML.

- added `createCard` method which wraps a card's `render()` method to add begin/end comments and updated all cards to use it
- only takes affect for newly added or re-saved posts/pages
2019-02-25 18:05:01 +07:00
kirrg001
23d54803e6 Triggered webhooks with all content formats
no issue

- it make sense to include as much as possible
- webhook consumers don't need to re-fetch resources if they need a specific format
2019-02-25 09:46:50 +01:00
kirrg001
f3f3b62d19 Removed console.log
no issue
2019-02-25 09:43:32 +01:00
kirrg001
3459f38c09 Fixed webhook payload
no issue

- async code was not handled
2019-02-25 09:38:08 +01:00
kirrg001
23fed961e5 Removed requirement to provide authors for admin api keys
no issue

- we just fallback to owner user
- reason: consistent with how the importer works, easier to work with the API
2019-02-25 09:16:32 +01:00
Nazar Gargol
50ea7f0eff Added user friendly error messages to Admin API
refs #10438

- Adds new fields to errors returned from API:  help, code, and id
- Makes `message` more descriptive towards non technical users
2019-02-25 10:40:35 +07:00
Kevin Ansfield
792c2608c5 Added kg-card-hascaption class to image/gallery/embed cards with captions
refs https://github.com/TryGhost/Ghost/issues/10445
- adds class to card renderers
- class will only be present on new or re-saved posts
2019-02-25 10:15:14 +07:00
kirrg001
0665c72dda Removed primary_tag & primary_author if null from Admin API v2
refs #10438

- "null" means the resource does not exist (it was sett to "null"), which is not true
- we won't serve primary_tag and primary_author by default
- TODO: add the same change to the Content API v2 (raise issue)
2019-02-24 13:31:43 +01:00
kirrg001
377d7e4271 Removed serving primary_tag when members is enabled
no issue

- Content API v2 served primary_tag by default if members flag is enabled
- reference: b2201d4179
- it's safe to remove, because members is behind the dev flag
2019-02-24 11:54:04 +01:00
Nazar Gargol
9d4b0c09a8 Renamed uploads to images
refs #10438

- As the support of /uploads endpoint has been dropped in Admin API, all related files have to correspond to new naming
2019-02-24 11:18:45 +07:00
Nazar Gargol
73bb626cae Removed unused GhostErrors
refs #10438
2019-02-24 10:52:03 +07:00
kirrg001
48bd7a094c Stripped virtual fields from Admin API v2: primary_tagg & primary_author
refs #10438

- you cannot add or update these fields
- these are virtual fields
2019-02-23 22:58:57 +01:00
kirrg001
aa96334379 Removed default debug log from base model when emittingg events
no issue

- we should only log the event if the model was changed
2019-02-23 22:31:56 +01:00
kirrg001
4fb783d4a3 Stripped virtual field from Admin API v2: "url"
refs #10438
2019-02-23 22:31:23 +01:00
kirrg001
0430dc374f Expanded webhooks debug
no issue
2019-02-23 22:03:49 +01:00
kirrg001
58153ad47d Fixed "html" being marked as changed if mobiledoc or html was not changed
no issue

- if you html is NULL e.g. you create a draft post, we always set "html" to ""
- this get's marked as changed
- !this.get('html') was added for the 2.0 migration, because some posts had custom mobiledoc, but no html value
2019-02-23 22:02:42 +01:00
kirrg001
641b67e784 Fixed x_by being detected as changed if owner updates resources
refs #9299

- `contextUser` returns a number and if the previous x_by is "1", then bookshelf marks it as changed ("1" !== 1)
- this is a left over from 0.x, because we still owner as id 1
- as soon as we fix 9299, we don't have to worry about this anymore, because we will fetch the owner id if we need it
2019-02-23 22:00:24 +01:00
Fabien O'Carroll
4a1a245e9b
Updated audience validation for admin api tokens (#10519)
no-issue
2019-02-23 12:51:21 +01:00
kirrg001
487a32832a Reverted access to "actions" for integrations
refs #9865

- see dbd3832967
- we are not aware of any use cases so far
- reverting
2019-02-23 09:37:18 +01:00
Fabien O'Carroll
a02a43e6fa
Improved Members security and performance (#10511)
no-issue

* Corrected function names for rpc methods

* Updated gateway to store tokens locally

* Fixed lint

* Added hardcoded 30 minute expiry for member tokens

* Added default contentApiAccess config;

* Updated validateAudience method

This is required for security, we need to restrict which domains can access
tokens meant for the content api
2019-02-23 04:47:42 +01:00
Katharina Irrgang
a361a8d7c0
Added support for short format when attaching authors/tags in Admin API v2 (#10505)
closes #10504

- both formats are supported
2019-02-22 13:01:04 +01:00
Nazar Gargol
55289d04c8 Changed response structure for /images
refs #10438

- To make response structure future proof and conform to the rest of API responses /images* now returns an object with url property instead of plain url string
2019-02-22 18:17:44 +07:00
Nazar Gargol
187636193b Removed /uploads* endpoints
refs #10438
2019-02-22 18:17:44 +07:00
Katharina Irrgang
dfd350bd69
Cleaned up Admin API v2 posts/pages input serializer (#10516)
no issue

- make use of filter instead of status=all or data.page
- nql was designed to filter data on database layer
- do not break v0.1
- we just got rid of the "status" query param, you should use the filter instead
- get rid of the ugly condition to remove page field if "fields" param was used
- allow filtering on model layer for "findOne"
  - do not allow filtering for "findOne" on API layer for now
  - the API controller defines what is allowed
  - the model layer can allow more by default
  - we can re-use the powerful filter logic without adding hacks
2019-02-22 12:07:34 +01:00
Fabien O'Carroll
a1219e8f65
Added upgrade page to members auth (#10513)
no-issue
2019-02-22 07:30:00 +01:00
Katharina Irrgang
0a70226128 Separated pages & posts in Admin API v2 (#10494)
refs #10438, refs #10106

* Renamed existing pages ctrl
* Splitted posts & pages for Admin API v2
* Added pages JSON input schema for Admin API v2
* Removed single author for Content & Admin API v2
  - single author is not documented
  - single author usage is deprecated in v0.1
  - single author usage is removed in API v2
* Splitted posts & postsPublic controller for v2
* Removed requirement to send `status=all` from Admin API v2
* Removed `status` option from pages Content API v2
* Removed `status` options from Users Admin API v2
2019-02-22 10:17:14 +07:00
kirrg001
cf8622ea99 Removed "status" query option from Authors Content API v2
no issue

- this is either documented, not does it work
- the Content API returns authors independing on the status
- filtering by status should not work, because otherwise you could guess the status of a user
- we do not expose the status (!)
2019-02-21 12:24:16 +01:00
kirrg001
0dd3aad2d0 Required updated_at for Admin API v2 when updating a post/page
refs #10438

- the `updated_at` functions as version control value
- it is required for collision detection
- we might redesign this feature at some point
2019-02-21 08:39:17 +01:00
Nazar Gargol
f394eaa7b8 Added optional support for HTML source
closes TryGhost/Ghost-SDK/issues/51

- Due to JSDOM not supporting Node v6 the support for HTML conversion is now optional
2019-02-21 13:27:47 +07:00
Kevin Ansfield
288a38036b Improved error messages for failed authorization 2019-02-21 13:19:57 +07:00
kirrg001
3b2ede88e0 Handled duplicated authors
no issue

- discovered while testing
- the matching helper can fallback twice to owner user in theory
2019-02-18 19:30:11 +01:00
kirrg001
2ab0c8e222 🐛 Fixed filtering by primary_tag or primary_author in routes.yaml
closes #10482

- the mapping was missing
2019-02-18 19:13:22 +01:00
Nazar Gargol
9020293e61 Added posibility to accept html as an input source for post
closes #10471

- Allows accepting HTML input for /posts endpoint when `?source=html` is
present in query parameter along with `html` in request payload
2019-02-15 18:58:46 +00:00
Zimo
17e29a3185 Applying basic styles to members popups
no issue
2019-02-15 18:17:38 +01:00
Kevin Ansfield
8e9ade6357
Added migration to insert builtin Zapier integration (#10500)
no issue

A new Zapier app will be released that uses the v2 Admin API which means it will require an ApiKey that is linked to an Integration.

- adds a `type` column to the `integrations` table with the following types allowed:
  - `custom` (default) used by custom integrations added by users
  - `builtin` used by built-in integrations that have their own UI and won't show up in the "Custom Integrations" list
  - `internal` used by "internal" integrations such as the scheduler
- adds a `zapier` "builtin" integration to the fixtures
2019-02-15 14:48:21 +00:00
Nazar Gargol
18921747bb Added check for empty name for tags
refs #10438

- Also corrected and expanded test cases for tag validation
2019-02-15 13:19:06 +00:00
Nazar Gargol
921f9d394f Removed posts.tags.parent sanitation
refs #10438

- As we strip parent and parent_id fields in /tags endpoint, similarly stripping it for posts related tags
2019-02-15 12:19:49 +00:00
Nazar Gargol
c58e03a359 Added stricter validation for post.authors
refs #10438

- By stripping relational fields, it allows to remove redundant code in post input serializer
2019-02-15 12:19:49 +00:00
Nazar Gargol
e305d5e9cb Skiped 'all' validations for posts/tags endpoints
refs #10438

- Skipped validations that are now handled on JSON Schema level and would make sure error messages are consistent for these endpoints
2019-02-15 12:19:49 +00:00
Katharina Irrgang
40f359a238 🐛 Fixed night mode when using API v2 (#10499)
no issue
2019-02-15 12:15:37 +00:00
Rish
b84881e842 Updated members modal UI structure
no issue
2019-02-15 14:15:17 +05:30
Nazar Gargol
76c6f96aed Changed error type for missing file in /uploads
refs #10438
2019-02-14 20:52:51 +00:00
Fabien O'Carroll
9dd7aff9c6
Updated Content API to use members plans to determine permission (#10483)
no-issue


* Refactored hideMembersOnlyContent to 3 "stages"
* Exported paymentConfigured flag from members service
* Updated Content-API to check members service for paymentConfigured
* Updated members content output serializer to remove content if plan required and no plan
* Updated isContentAPI method
* Moved api util test
2019-02-14 18:17:02 +01:00
Rishabh Garg
896769ee8f
Updated signup page for members (#10493)
no issue

* Added new subscribe page with stripe integration
2019-02-14 22:29:41 +05:30
Nazar Gargol
5f7c2b4d87 Improved error messaging returned from JSON Schema validations
refs #10438
2019-02-14 10:52:42 +00:00
Nazar Gargol
fa42a71181 🐛 Fixed validation error when adding tag from PSM
refs #10438

- Relaxed validation rules for tag.slug property to allow 'null' values
2019-02-14 10:04:02 +00:00
Katharina Irrgang
c2b3520652
Removed id restriction for posts relations in Admin API v2 (#10489)
refs #10438

- we now try to match by slug or id or email
- fallback to owner
- you cannot create a user via post endpoint
- Ghost uses the invite flow to add users
- get rid of `id` restriction on API level
2019-02-13 20:38:25 +01:00
Fabien O'Carroll
6bdeeaba10
Added apiType property to frame for {Content,Admin} API (#10487)
no-issue

This sets the `apiType` property of the `frame` to 'content' and 'admin'
for the Content & Admin API respectively.
2019-02-13 16:59:10 +01:00
Katharina Irrgang
90c421a8a8 Removed client credentials from Admin API v2 (#10485)
refs #10438
- v2 does not use client credentials anymore
- exception: scheduler & backup clients
2019-02-13 13:51:51 +00:00
Naz Gargol
ae437a89dd
Updated posts JSON Schema with 'strip' properties (#10488)
refs #10438
refs #9100

- Added 'strip' attributes to properties that need to be ignored
- Relaxed 'uri' format to 'uri-reference'
- Made input array for posts more restrictive
2019-02-13 13:34:45 +00:00
Naz Gargol
40cc6e6548
Added JSON Schema validations for /tags (#10486)
Added JSON Schema validations for /tags endpoints

refs #10438
refs #9100

- Added JSON Schemas for POST/PUT /tags endpoints
- Added 'strip' keyword definition schema allowing to strip data and not throw errors on further validation stages
2019-02-13 12:26:32 +00:00
kirrg001
f8b62a063b Removed more unused fields from Admin API v2 response
refs #10438

- these fields are not used
- no need to expose them in v2
- we will either remove them in the next major or use them for new features (will see)
2019-02-13 11:42:08 +01:00
Fabien O'Carroll
a3e7a7b3ea
Updated product hashseed to be hardcoded (#10484)
no-issue
2019-02-13 11:19:43 +01:00
Fabien O'Carroll
5472aa61ac
Added config endpoint to Member API (#10467)
no-issue

* Added getPublicConfig method to stripe payment processor
* Added getPublicConfig method to subscriptions service
* Added initial config endpoint for members api
* Added getConfig method to members gateway
2019-02-13 10:12:15 +01:00
kirrg001
36547a9c3a Removed ghost_auth_id from Admin API v2 response
refs #10438

- unused field
- no need to expose this field
2019-02-12 23:36:42 +01:00
kirrg001
db148e653f Removed tag.parent from Admin API v2 response
refs #10438

- this is an unused field
- no need to expose this field
- if we start working on nested tags, this field might become interesting/used
2019-02-12 19:26:31 +01:00
Nazar Gargol
20300cf002 🐛 Fixed error when inserting unexistent related tag
refs #10438

- Additional check for present 'name' property before generating a
'slug'. Setting slug should not succeed and throw validation error in later
stages.
2019-02-12 17:50:51 +00:00
Nazar Gargol
d0d299285c Fixed tests for post input serialization
refs #10472

- Moved config related variable into function scope, so it can be reset by unit tests
- e47d1e275f broke the build and is being fixed by this commit
2019-02-12 12:04:18 +00:00
Nazar Gargol
e47d1e275f Fixed image URL to be stored as relative in mobiledoc
refs #10477
closes #10472

- Adds transformation for any asset absolute URL's into relative used in mobiledoc
2019-02-11 19:20:16 +00:00
Fabien O'Carroll
8e75267bbb
🐛 Allowed data to be read from root of specified key for static pages (#10449)
refs #10434
2019-02-11 12:43:01 +01:00
Nazar Gargol
d299e8676f Fixed JSON Schema validation error message format
refs #10438
2019-02-08 12:17:39 +00:00
Nazar Gargol
28986b3b77 Fixed post.tags validation schema
refs #10438

- Change oneOf to anyOf to allow any of the required fields
2019-02-08 11:29:42 +00:00
Nazar Gargol
96cdde80b9 Fixed validation error when creating new tag from PSM
refs #10438

- Expanded required fields for related tags to have either one of 'id', 'slug' or a 'name' field
2019-02-08 11:02:18 +00:00
Naz Gargol
19643c75dd
Added JSON Schema validation for /posts endpoint (#10468)
refs #10438

- Added  validation helper based on JSON schema
- Added schema validation for POST/PUT in /posts endpoints
- Refactored existing authors validation test suite
- Extended test coverage with a minimally required structure of post.add validator
2019-02-08 10:40:58 +00:00
kirrg001
e1436e2985 Required "event" & "target_url" for webhook creation
refs #10461
2019-02-07 23:21:59 +01:00
kirrg001
f8a286869a Allowed POST & DELETE webhooks endpoints for integrations
refs #9865

- was not sure about allowing to edit webhooks
2019-02-07 23:14:27 +01:00
kirrg001
b83232bf0c Added more webhooks & changed payload
refs #10461

- do not break the existing webhooks by keeping both payload formats for subscribers events
- refactored webhooks service to run models through target API version
- added new events described in the target issue reference
- this refactoring & enhancement is undocumented, further breaking changes will happen because we are actively working on: https://github.com/TryGhost/Ghost/issues/10438
2019-02-07 23:14:27 +01:00
kirrg001
a83aa6e184 Added ability to receive toJSON format of previous attributes
refs #9248

- e.g. model.toJSON({previous: true})
- includes previous relations
2019-02-07 23:14:27 +01:00
kirrg001
50da5d9bab Corrected debug in base model
no issue
2019-02-07 22:08:52 +01:00
kirrg001
7810140f15 Avoided site.changed event if nothing has changed
refs #10461
2019-02-07 22:08:36 +01:00
kirrg001
82c5fc7f5a Ensured API can ask model.wasChanged
refs #10461

- the model layer (only post & user) fetches the model after update
- i assume it was added to ensure a response with all fields
- quick fixing it for now to ensure API layer can access ".wasChanged" to be able to decide if a request modified a resource or not

@NOTE: Bookshelf does not physically update a resource if nothing has changed.
2019-02-07 22:07:13 +01:00
kirrg001
4fca28e643 Made use of model.wasChanged
refs #10461
2019-02-07 22:06:13 +01:00
kirrg001
a157c147af Added model.wasChanged helper
refs #10461

- helpful if you need to ask if the model was changed
- Bookshelf does not support this feature yet
- https://github.com/bookshelf/bookshelf/issues/1943
2019-02-07 22:05:07 +01:00
kirrg001
2eb1f2a507 Avoided inserting actions if nothing has changed
refs #10431

- I thought i have added this protection, but got removed via the simplification in cca3317a11
2019-02-07 20:49:35 +01:00
kirrg001
b25da62cca Ensured defaults when creating resources
no issue

- the model & api layer suffered from missing fields when creating resources
- usually there is only a handful of fields which are required to insert a resource
- the other fields are nullable and/or get defaults assigned
- the API only returned the configured default fields and the fields you have sent to the API
  - this resulted in a response with missing fields
- if you have listend on "created" event, the same happend
  - you received a model with missing fields
- we now set the undefined fields to null on purpose to ensure a full model for both cases

@NOTE:
There is no endpoint to serve webhooks (not for v0.1, not for v2).
Exposing the secret is required if an integration fetches it's api keys and it's webhooks.
The secret is currently un-used and not implemented.
2019-02-07 20:20:10 +01:00
John O'Nolan
ae5ed03488
Update admin redirects
Refs https://github.com/TryGhost/Ghost/pull/10079
2019-02-07 17:59:35 +07:00
kirrg001
1e90126760 Remembered changed fields on destroy
refs #9248
2019-02-07 11:35:00 +01:00
kirrg001
865366c7c8 Ensured consistency for event handlers in the model layer
no issue

- the event chain works like this:
  - if a model registers an event, it get's triggered, because it's stronger than the base model
- but you have to call the base model to agree on a contract, because base model implements generic logic in event handlers
- this was inconsistently used
2019-02-07 11:02:35 +01:00
Fabien O'Carroll
46bf5270df
Added initial subscription support with stripe to Members API (#10460)
These changes introduce a new "service" to the members api, which handles getting and creating subscriptions.

This is wired up to get subscription information when creating tokens, and attaching information to the token, so that the Content API can allow/deny access. 

Behind the subscription service we have a Stripe "payment processor", this holds the logic for creating subscriptions etc... in Stripe.

The logic for getting items out of stripe uses a hash of the relevant data as the id to search for, this allows us to forgo keeping stripe data in a db, so that this feature can get out quicker.
2019-02-07 10:41:39 +01:00
Fabien O'Carroll
5f66026647
Refactored auth pages for future flows (#10458)
no-issue

* Used camelCase for gateway method calls
* Added some components for building blocks of forms
* Added input specific components
* Added Form component
    This handles collecting the data to submit and sharing state between forms
* Added Pages component to handle urls
* Added the pages for the popup
* Added MembersProvider component
    This is designed to give its children access to gateway methods
* Added Modal component
    This wraps the pages and handles dispatching form submissions to the members gateway
* Refactored index.js to use new components/pages
* Fixed default page from Signup -> Signin
2019-02-07 10:39:55 +01:00
kirrg001
cca3317a11 Simplfied action trigger in base model
refs #10431

- the model layer triggers a couple of events on resource update
  e.g. post to page -> post.deleted, post.added
- the resource_type must be always "post", because "page" is not an official model (Bookshelf won't be able to resolve the resource anymore)
- the action streams looks very confusion if you see deleted and added actions when toggling the post to a static page
- therefor the easiest approach for now is to only store actions for: added, edited, deleted
- and we will add the context information asap
  - e.g. you will see that status was changed from "draft" to "published"
- we can also introduce extra published actions if we want
- relying on the internal event system right now makes things just more complicated and we want to keep it simple
2019-02-06 22:21:06 +01:00
kirrg001
dbd3832967 Allowed browse actions for integrations
refs #9865
2019-02-06 21:36:09 +01:00
kirrg001
5f4cf42c14 Fixed tests
no issue
2019-02-06 21:36:09 +01:00
kirrg001
a8e0a173c2 Redefined context.integration
no issue

- we only have access to the ID at the moment
- we really don't want to end up in the same situation as with "context.user"
2019-02-06 21:36:09 +01:00
kirrg001
68bdcfc753 Fixed model._changed for creating resources
no issue

- discovered while testing
- the events are still triggered though for posts because .authors are added on creation
2019-02-06 21:36:09 +01:00
kirrg001
2fd4cbb93b Added v2 actions endpoint
refs #10431

- added v2 endpoint with browse permissions
- context.integration was never accessible in the model layer
  - why? https://github.com/TryGhost/Ghost/issues/10099
2019-02-06 21:36:09 +01:00
kirrg001
8bb2c7d3d5 Added model implementation for actions
refs #10431

- added actions model
- added logic in event emiiter to insert actions if supported
2019-02-06 21:36:09 +01:00
kirrg001
fde31b31ba Added permissions for actions including migration
refs #10431

- migration script to add permissions for actions
- restricted to owner & admin & integration role for now
- we will add permissions for other rules too, but we need add more granular restrictions
  - e.g. contributors can only read actions for posts which he created
2019-02-06 18:59:09 +01:00
kirrg001
c127b406fc Added actions table including migration
refs 10431

- add actions table
- add migration
2019-02-06 18:59:09 +01:00
Kevin Ansfield
c9d6ffa5ab Allowed GET /configuration/about/ for Admin API v2 with API Key auth
refs https://github.com/TryGhost/Ghost/issues/9865
- needed for Zapier
2019-02-06 14:00:29 +00:00
ShumailAhmed123
24e96dcabf Updated default-routes.yaml syntax to single template (#10459)
closes #10456
2019-02-06 14:34:57 +01:00
Aileen Nowak
93b936d2fb Added back "theme.uploaded" analytics event (#10450)
no issue

- With the changes in 79ca6c575c we removed old unused events
- The theme upload event is still used and needed to be put back
- Added the event emit right after the successful upload of the theme
- Renamed analytics events for more consistency
- We need to add the same event emitter to the v0.1 API as it's not deprecated
- emits a `theme.uploaded` event after the theme was successfully uploaded and saved
2019-02-05 17:38:40 +01:00
Hannah Wolfe
426c122ed1 Updated messaging around {{get}} helper access
closes #10447

- Get helper message talks about the old API, but upgrading is the best way to solve the problem
- Had to create a way to add a custom message to a labs enabled helper to achieve this
2019-02-04 17:58:35 +00:00
Hannah Wolfe
5365094dfc 🐛 Provided get helper filters access to globals
closes #10448

- using @site.lang to read posts is a valid use case for the get helper filters
- get helper filters have special treatment of anything wrapped in {{}}, in the form of resolvePaths
- resolvePaths uses some custom logic + jsonpath to find the right bit of data to inject
- this function had no handling for globals starting with `@`, and also didn't have access to them
2019-02-04 15:26:45 +00:00
kirrg001
8b3336c84d Added condition to not trigger events if nothing has changed
refs #9248

- we no longer trigger events if the db was not changed
2019-02-03 13:02:31 +01:00
kirrg001
3289dc7619 Introduced model._changed
refs #9248

- Bookshelf gives access to ".changed" before the update
  - Discussion: https://github.com/bookshelf/bookshelf/issues/1943
- We also need to know what has changed after the update to be able to decide if we should trigger events
- Furthermore: Bookshelf cannot handle relation updates, it always marks relations as changed even though they did not change
- Bumped bookshelf-relations to be able to
  - know if relations were updated
  - ensure we unset relations on bookshelf's ".changed"
2019-02-03 13:02:26 +01:00
kirrg001
d44d93a19d Correct event debug logs in base model
no issue
2019-02-01 19:48:27 +01:00
Nazar Gargol
3274138ff3 Added a note on secret transformation before token verification
refs #9865

- Added some clarificatoin around why secret used for token verification has to be transformed binary decoded from hex
2019-02-01 14:04:25 +00:00
kirrg001
11c910ec8c Avoided to store empty plaintext if html does not contain any text
no issue
2019-01-31 23:14:12 +01:00
kirrg001
01419ef8b3 Added base model debug log for events
no issue
2019-01-31 23:02:48 +01:00
kirrg001
a45f76c574 Allowed subscribers for admin api v2 with api key authentication
refs #9865

- needed for Zapier
2019-01-31 22:09:14 +01:00
kirrg001
93092c8f20 Removed author from Admin API v2 output
refs #10438

- single author is deprecated and get's completely dropped in v3
2019-01-31 16:27:56 +01:00
kirrg001
7f7b477ce9 Fixed error message being unclear when admin api keys create posts without authors
refs #10438

- integrations != users
- Ghost's assumption is: if you create a post, the primary author becomes the logged in user
- we have to require authors for integrations
- short fix and needs some more thoughts later
2019-01-31 16:27:56 +01:00
Nazar Gargol
a463a56971 Changed path returned for uploads to absolute
refs #10438

- This change affects all /uploads/* and /images/* endpoints in Admin API
2019-01-31 15:02:33 +00:00
kirrg001
24a2208625 Fixed 500 when sending wrong mobiledoc structure
refs #10438
2019-01-31 13:33:05 +01:00
kirrg001
23f705d556 Added /images/ endpoints to Admin API v2
refs #10438

- make /images/ available
- we want to document this endpoint notiation, because it is more specific and fits better, because you can only upload images
- either we drop /uploads/ by the end of the project cycle or we keep both for now
- the Admin API v2 is currently undocumented and allows breaking changes in theory
2019-01-31 13:22:49 +01:00
kirrg001
0a4645ab09 Fixed key_authentication_spec.js
no issue

- pretty-urls only redirects GET requests currently
2019-01-31 12:24:09 +01:00
Nazar Gargol
59036577af Enabled Admin API key authentication
refs #9865
2019-01-30 19:17:25 +00:00
kirrg001
eafbaaeba5 Added v2 theme controller
refs #10060
2019-01-30 19:45:02 +01:00
kirrg001
7d05cbba1d Added notImplemented middleware for integrations
refs #9865
2019-01-30 14:15:12 +01:00
Rishabh Garg
8fd4b3f09f
Added new admin API for members (#10435)
no issue

- Added read and browse admin API for members
2019-01-30 17:06:09 +05:30
notanengineercom
5bd509c873 🐛 Fixed removal of temp files left behind by importer
refs #10174

- Improved importer cleanUp method usage, so the cleanup is called in cases when there is an error during an import stage
- Simplified files to clean up tracking as removal of files is now partially handled in uploader middleware
2019-01-30 09:24:29 +00:00
notanengineercom
631716053a 🐛 Fixed files staying in temp directory after upload is done
closes #10174

- Introduced upload middleware that cleans up temporary files stored by mutler after the request is finished
- Removed redundant fs.remove calls as this work is now handled in newly introduced middleware
2019-01-30 09:24:29 +00:00
kirrg001
d20bdfd9c1 Moved more allowed options for findPage to base model
no issue

- no need to define these options in each model
2019-01-29 23:29:06 +01:00
kirrg001
87bb3052a8 Moved allowed filter option to base model
no issue

- no need to define the filter option in each model
2019-01-29 22:57:11 +01:00
Fabien O'Carroll
e9c3040786 💡Reverted "empty-string to NULL" db migration (#10430)
no-issue
- revert the migration because migrations that (potentially) touch every row should be kept to major releases where possible
  - the migration was safe to run and won't cause any problems for anyone who has already upgraded
- reversion keeps the migration file but changes the contents to a no-op so that `migrations` table state is the same for all users whether they migrated with the full migration or the no-op version
2019-01-29 14:41:04 +00:00
Fabien O'Carroll
9fd9ad3fbb 🐛 Returned 0 for word/image count when html is null
refs #10429
2019-01-29 13:35:00 +01:00
Nazar Gargol
bc90b8ec27 🐛 Fixed plaintext attribute error when it is empty
refs #10388

- Issue was caused by migration of empty strings to null 0edacf3fc1
2019-01-29 12:12:10 +00:00
Rish
85fdb9a4f2 Fixed console getting cleared on dev start
closes https://github.com/TryGhost/Ghost/issues/10409

- Removed `clearConsole` on preact cli
2019-01-29 11:02:43 +05:30
Fabien O'Carroll
0edacf3fc1
🐛 Added migration to update empty strings to null (#10428)
closes #10388

This migration finds all tables with nullable columns, it then loops through the tables and their nullable columns, updating each column to a null when its current value is an empty string.
2019-01-28 19:00:29 +01:00
Rishabh Garg
3200ede8b1
🐛 Fixed crash on startup when no active theme (#10426)
closes #10416

- Updated to use default theme engine values when no active theme is found
2019-01-28 22:36:47 +05:30
Tim Birkett
2e21618290 Set Ghost user-agent header for got requests (#10424)
no-issue

Currently the `user-agent` header is the for outgoing webhook calls is the `got` default: `User-Agent: got/8.3.2 (https://github.com/sindresorhus/got)`.

This is pretty unfriendly to the receiver of the webhook who may wish to perform analytics on calling systems, implement security features based on calling system or take action based on different versions of a client.

This PR sets the header to: `User-Agent: Ghost/2.12.0 (https://github.com/TryGhost/Ghost)` which is much more descriptive.
2019-01-28 17:01:34 +01:00
Fabien O'Carroll
95880dddeb
🐛 Updated base model to store null instead of empty string (#10425)
refs #10388 

This updates the base model to retrieve column information, and explicitly set every property whose column is `nullable` and content is the empty string (`""`) to `null`
2019-01-28 16:58:28 +01:00
kirrg001
d8ac582426 🐛 Fixed 404 for locked or suspended users
closes #10410
2019-01-28 10:14:07 +01:00
Nazar Gargol
6318b65cab Changed context.api_key_id to an object containing key type information
refs #9865

- Changed id passed for api_key to an object to be able to differenciate between admin and content api requests
- Added integration id to frame context
- Small refactoring of frame context initialization
2019-01-24 17:22:58 +00:00
Naz Gargol
a0712d23e8
Shortened admin key length (#10418)
refs #10156

- Updated ApiKey model to use shorter secrets for admin keys
2019-01-24 13:46:33 +00:00
Nazar Gargol
5fbad09a56 Modified Admin API key output format
refs #9865

- Changed key format to {id}:{secret} so API consumer only has to worry about copying a single value during setup
- Updated key expiration time in getValidAdminToken test helper to match server side expiration check
2019-01-23 17:18:50 +00:00
Nazar Gargol
776e23696d Added audience check in Admin API key authentication
refs #9865

- Extracted tests related to Admin API key authenticatoin into separate
acceptance test suite
2019-01-23 15:01:22 +00:00
Fabien O'Carroll
3af0110bcc
Refactored members for management api (#10408)
no-issue
2019-01-22 15:29:44 +01:00
Rish
e972483f6c Fixed error handling for members reset password
no-issue

- Both input and form error was shown on submitting reset-password form
- Does not submit form anymore in case of validation errors
2019-01-22 11:46:48 +05:30
Katharina Irrgang
4acc375fb6
Bumped knex & bookshelf dependencies (#10404)
refs #9389, refs #9248

- https://github.com/bookshelf/bookshelf/releases/tag/0.14.0
- Bookshelf has fixed it's previous attr handling, see https://github.com/bookshelf/bookshelf/pull/1848
- SQlite3 double slashes was merged into knex and released 👻tgriesser/knex@c746dea
2019-01-21 21:53:11 +01:00
Katharina Irrgang
d0687da3a3
Bumped major test dependencies (#10403)
refs #9389

- eslint@5.12.1, eslint-plugin-ghost@0.1.0, grunt-contrib-clean@2.0.0, grunt-contrib-uglify@4.0.0, grunt-eslint@21.0.0, grunt-mocha-cli@4.0.0, grunt-shell@3.0.1, mocha@5.2
.0, nock@10.0.6, rewire@4.0.1

All of them dropped Node v4. I was not able to find any other big breaking changes, which affect us right now.
2019-01-21 18:28:44 +01:00
Nazar Gargol
c3e22b6ab9 🐛 Fixed forced page filter not being respected in Content API
closes https://github.com/TryGhost/Ghost/issues/10395, https://github.com/TryGhost/Ghost/issues/10390

- The grouping was introduced due to a flasy conjunction of last filter in 'or' group with enforced page filter, due to this the rest of filters in the 'or' group were bypassed
- Additional grouping added here increases the possiblity of https://github.com/NexesJS/NQL-Lang/issues/7 bug happening
2019-01-21 13:26:45 +00:00
Katharina Irrgang
3df763009e
Added quick fix to handle integration upserts for x_by columns (#10295)
refs #10286

- this is just a hotfix for v0.1
- we keep the x_by fields for now and deprecate them
- as soon as an integration updates/inserts a resource, we just store the owner ID
- we currently work on a new concept for v2
- v2 no longer exposes or uses x_by, see https://github.com/TryGhost/Ghost/pull/10294
- we need to iterate on this change, because we currently use the naming `context.api_key_id` in the auth/API layer
2019-01-21 12:41:45 +01:00
Dexter Leng
da71b61bcf 🐛Deleted associated roles_users rows when user is destroyed (#10243)
closes #8843
2019-01-21 12:36:13 +01:00
Katharina Irrgang
a927aecc3f
🐛 Fixed prev_next helper when using Content API v2 (#10397)
closes #10389
2019-01-21 11:48:18 +01:00
Fabien O'Carroll
6f87f2af93 Fixed img_url to work with protocol relative urls
closes #10391

- We use "relative protocol" urls for gravatar images, which were
  incorrectly getting treated as relative path urls.

- Refactored getBlogUrl calls into const
2019-01-21 11:41:23 +01:00
kirrg001
1126997244 Added easy way to enable admin api key authentication
refs #9865

- small refactoring to make both session and admin api key handling similar
- admin api key authentication is still disabled, but easy to enable
- added proof test how to authenticate using admin api keys
2019-01-18 18:57:58 +01:00
kirrg001
4f7783939d Fixed lint
no issue
2019-01-18 18:03:15 +01:00
kirrg001
e90148e7c3 Switched to use new implementation of authorizeAdminApi
refs #9865

- see code comments
2019-01-18 17:54:08 +01:00
kirrg001
f82bb07534 Added empty lines and reduces line length in auth authorize
no issue

- improves readability
2019-01-18 17:54:08 +01:00
kirrg001
3f758c6a0a Protected against empty admin api key
refs #9865
2019-01-18 17:54:04 +01:00
kirrg001
1b5b95e198 Renamed authenticateAdminApiKey to authenticate for admin api key auth
refs #9865

- the outer authentication layer wants a consistent interface of each authentication package
  - admin.authenticate
  - session.authenticate

- furthermore, there is no need to put the full feature into the exposed function name
2019-01-18 17:30:07 +01:00
kirrg001
462865981e Updated admin api key authentication to expect api key id in payload
refs #9865

- see https://github.com/TryGhost/Ghost/blob/2.11.1/core/server/lib/members/index.js#L52
- consistency
2019-01-18 17:22:19 +01:00
Fabien O'Carroll
1c56221d80 Added API Key auth middleware to v2 Admin API (#10006)
refs #9865

- Added `auth.authenticate.authenticateAdminApiKey` middleware
  - accepts signed JWT in an `Authorization: Ghost [token]` header
  - sets `req.api_key` if the token is valid
- Updated `authenticatePrivate` middleware stack for v2 admin routes
2019-01-18 12:45:06 +00:00
Fabien O'Carroll
809a167a55 Updated permissible methods for hasApiKeyPermissions (#9970)
refs #9865

This updates all current permissible methods to use the new function
signature which includes the hasApiKeyPermissions parameter. It also
makes sure that the hasApiKeyPermissions argument is taken into account
whenever checking before returning a resolved promise.

To be continued. This is just a tiny part of the big picture. None of these changes are fully committed to stay as they are.
2019-01-18 13:39:53 +01:00
kirrg001
2c7c72cd9f Fixed travis
no issue

- caused by fc73cd71bb
- breaks the content API access
2019-01-18 13:05:39 +01:00
Fabien O'Carroll
fc73cd71bb Updated permissions service to handle api keys (#9967)
refs #9865

- Enabled the permissions module to lookup permissions based on an api_key id.
- Updated the "can this" part of the permissions service to load permissions for any api key in the context, and correctly use that to determine whether an action is permissible. It also updates the permissible interface that models can implement to pass in the hasApiKeyPermissions param.
2019-01-18 11:17:11 +00:00
Fabien O'Carroll
42a1313bff
Removed members internal app (#10379)
no-issue

* Mounted members static router directly to parentApp

* Removed members internal app
2019-01-17 12:03:40 +01:00
Hannah Wolfe
909f9012ed
Updated docs links to best equivalents (#10386)
* Updated docs links to best equivalents
   - Our documentation has been overhauled, this updates the all the old links sprinkled through Ghost
* Update integrity hash
2019-01-17 06:57:37 +00:00
Greg Hart
418e958c69 🐛Fixed custom redirects to forward hashes correctly (#10319)
closes #10290
2019-01-15 23:26:18 +01:00
Hannah Wolfe
a1f0169edf 🐛 Fixed 500 error for content with no collection
no issue

- Fixes a case where a post that doesn't belong to a collection throws a 500 Resource Not Found Error
- This should be a 404 Resource Not Found error
- 500 suggests something went very wrong and is our fault,
-  but this is a user error where the collections or posts are misconfigured, and some content doesn't have a home
2019-01-15 22:00:46 +00:00
Hannah Wolfe
846a94728f
🐛 Fixed uncaught exceptions from image fetches
closes #10383

- Upgrades got to 8.3.2, which contains better error handling and resolves the issue with uncaught exceptions
- Note: Got 9.x stream doesn't support Node v6
- Requires us to hardcode http:// for xmlrpc because there is a breaking change where got now defaults to https instead of http
2019-01-15 20:35:46 +00:00
Hannah Wolfe
d58ecda9a9 🐛 Fixed responsive images for .icos
closes #10301

- we allow .ico files for icons, but we cannot resize these specialist files at present
2019-01-15 17:41:25 +00:00
Rishabh Garg
9d9690987a
🐛 Updated v2 content API output to return null instead of “” for empty fields (#10378)
refs #10345

- We are standardising on returning null from the Content API for any empty values
- Updated `post`, `tag` and `author` APIs
2019-01-15 17:58:51 +05:30
Naz Gargol
1a4497fc9a
🐛 Fixed default resource ordering in Content API (#10371)
refs https://github.com/TryGhost/Ghost/issues/10354

- Added ordering on input serialization layer for posts, pages, tags, and authors
- At the moment ordering is dependent on DB engine which will be resolved with https://github.com/TryGhost/Ghost/issues/6104
2019-01-15 12:21:04 +00:00
Katharina Irrgang
3924acd152
🗑Deprecated ghost_head & ghost_foot in favour of codeinjection_* for Settings API v2 (#10380)
closes #10373

- ghost_head & ghost_foot are deprecated from now on
- we want to remove them in v3
- this short fix is dirty (!)
- we return codeinjection_* for admin & content api
- this is a consistentency change e.g. posts return `post.codeinjection_*`
- need to raise a decoupling refactoring issue for the code comments
2019-01-15 13:03:17 +01:00
Fabien O'Carroll
cf1e4aa593
💡 Disabled v0.1 Public API by default (#10372)
refs #10364
2019-01-15 11:09:34 +01:00
kirrg001
95b5fb1c81 Fixed relative image paths for settings v2 admin api
refs #10363
2019-01-14 21:01:12 +01:00
Katharina Irrgang
56db4ddd75
🐛 Fixed API v2 Settings browse returns relative image path (#10370)
closes #10363
2019-01-14 20:36:41 +01:00
Katharina Irrgang
732f97a074
De-aliased api versions in codebase (#10375)
closes #10357
2019-01-14 19:49:55 +01:00
Naz Gargol
48d6e7298a
Refactored content-disposition header handling in API v2 (#10374)
closes https://github.com/TryGhost/Ghost/issues/10331

- Left only a filename part to be handled by controller configuration, the rest was extracted to more generic headers layer
2019-01-14 18:05:16 +00:00
Fabien O'Carroll
9837df0b6f
Added brute protection to content api (#10362)
* Revert "Removed brute force middleware form content api (#10353)"

This reverts commit 63c8c310fb.

* Updated content api spam prevention to use memory store

* Used TooManyRequestsError instead of InternalServer
2019-01-14 14:11:48 +01:00
Rishabh Garg
a7ba90dfa1
🐛 Fixed filtering of page attribute when fields query param is used (#10352)
closes #10351

- Updated filtering logic for `page` in output serialisers of post/page in v2
2019-01-11 22:26:34 +05:30
Naz Gargol
aa49f77504
🐛 Fixed url not being immediately available after post publish (#10361)
🐛  Fixed URL not being immediately available after post publish

closes https://github.com/TryGhost/Ghost/issues/10360

- This change makes sure posts and pages URLs are populated in
synchronous manner
- Further cleanup and restructuring of this hacky solution is planned to
be done in https://github.com/TryGhost/Ghost/issues/10360
2019-01-11 10:30:36 +00:00
Fabien O'Carroll
63c8c310fb
Removed brute force middleware form content api (#10353)
* Removed brute force middleware form content api

no-issue

This is just temporary

* Skipped brute test for content api
2019-01-09 11:38:03 +01:00
Fabien O'Carroll
76bb40b7c0
Added clause in validation for include to not error (#10350)
* Added clause in validation for include to not error

refs #10337

Here we forgo erroring when an invalid property for include is sent, and
instead remove the invalid properties.

* Fixed authors test

* Fixed validators tests
2019-01-08 12:29:15 +01:00
Kevin Ansfield
3a923c597f Remove API readme file
no issue
- it has no useful information and the content is out of date
- API docs live at https://docs.ghost.org/api/
2019-01-08 10:05:05 +00:00
Hannah Wolfe
954ca8c48f Removed unused visiiblity fields from Content API
refs #10337

- Trying to make the API output as clean as possible,
- We can add these back later if we start using them
2019-01-08 10:00:27 +00:00
Fabien O'Carroll
935b0f6d49 🎨 Use unoptimised image when possible for dynamic images (#10314)
closes #10283 

Updated middleware for dynamic image sizes to attempt to read the unoptimized image first, taking into account the `-n` suffix for duplicate image names, by using a regex.
2019-01-08 10:00:15 +00:00
Naz Gargol
df1ba8aee1
Added ability to notify and update url service about changes in related resources (#10336)
refs https://github.com/TryGhost/Ghost/issues/10124

- This PR introduced additional db calls in URL service due to the need for a model recalculation (we can't rely on the objects that come with events)
2019-01-08 09:48:53 +00:00
Hannah Wolfe
da17b2c82b Settings API should return null instead of ""
refs #10345

- We are standardising on returning null from the Content API for any empty values
2019-01-07 15:02:24 +00:00
Fabien O'Carroll
d5bf6dc1c8
Updated comment for globalBlock spam prevention (#10342)
no-issue

Just made it more clear it's not global across the entire api.
2019-01-07 20:21:26 +07:00
Fabien O'Carroll
5cecf0cd61
Added brute protection to content api (#10343)
* Added spam config for content api key

no-issue

* Created contentApiKey spam prevention method

* Added contentApiKey brute middleware

no-issue

This middleware attaches a listener for when the request has completed,
if the request ends with a successful response code, we reset any spam
prevention data for that ip.

* Added contentApiKey brute middleware to the content api

* Multipled maxWait by 24, to 24 hours
2019-01-07 20:03:46 +07:00
Naz Gargol
4177548a84
Migrated redirects controller to API v2 (#10053)
refs #9866

- Migrated redirect routes to use new redirect controller
2019-01-07 11:32:53 +00:00
kirrg001
7e944506e9 Fixed listeners not being removed for test env
no issue

- i saw lot's of event listener warnings
2019-01-05 12:41:26 +01:00
kirrg001
5548bbb2c1 Removed post.status from Content API v2 response
refs #10335

- only used for the preview feature, which does not remove the status field
2019-01-05 12:11:27 +01:00
Katharina Irrgang
6b758bda79
Refactored routing config for multiple api versions (#10333)
refs #10124

- one clean v0.1 and v2 config file for routing!
- solves one underlying bug reported in #10124
- the alias handling was just a hotfix to support v2 for the site
- but it was hard to read, ugly
- now we have two clean configs
- we'll see how useful it is
- need to do proper manual testing on Monday
2019-01-04 21:59:39 +01:00
kirrg001
62a669ac01 Fixed lint
no issue

- 😃 ✌🏻
2019-01-04 21:04:29 +01:00
kirrg001
ec29cfa1da Fixed and extended debug logs in entry-lookup helper
no issue
2019-01-04 20:45:23 +01:00
kirrg001
5e9710cf60 Removed un-used "internal" property in TaxonomyRouter
no issue

- discovered while implementing https://github.com/TryGhost/Ghost/pull/10333
2019-01-04 20:32:54 +01:00
kirrg001
a69a2d814c Added @TODO to theme middleware
no issue
2019-01-04 20:30:17 +01:00
kirrg001
a8dc29e794 Reverted page and status not being returned from Content API v2
refs https://github.com/TryGhost/Ghost/issues/10335

- temporary till Monday!!
2019-01-04 20:18:11 +01:00
Katharina Irrgang
30a0b1794a
Added calculated excerpt field to Content API v2 (#10326)
closes #10062

- return `post.excerpt` for Content API v2
- do not use `downsize`, because we might want to get rid of it if we drop v0.1 (downsize does not create good excerpts)
- simple substring of the plaintext field
2019-01-04 19:00:45 +01:00
Katharina Irrgang
6448c7bdc8
Fixed site using API v2 (#10332)
no issue

- See explanation: ef98c65040 (r31840536)
- that should not break anything, because resource consumption is based on resource type
- the alias pattern was only invented to make v2 work, it was a little dirty. i wanted to refactor that out anyway
2019-01-04 18:24:00 +01:00
Fabien O'Carroll
b6152684a8
Shortened content api key lengths (#10322)
* Lowered the min length for api keys to 26

* Updated ApiKey model to use shorter secrets for content keys
2019-01-04 19:39:54 +07:00
Hannah Wolfe
dd1cf5ffc7 Aliased {{@blog}} as {{@site}} in the theme API
- we're going to remove @blog in Ghost 3.0 in favour of @site
- @site is the theme-layer equivalent of the Content API settings endpoint
2019-01-04 12:17:32 +00:00
Hannah Wolfe
652e818cae Used settingsCache.getPublic() in theme middleware
- Use the new getPublic function which does the same thing as this code
- This removes the inclusion of the amp property, but this is undocumented and should not be there anyway!
- This also adds the ghost_head and ghost_foot property, which are public settings
2019-01-04 12:17:32 +00:00
Hannah Wolfe
5d977f23d4 Added Settings endpoint to V2 Content API
refs #10318

- This settings endpoint returns the commonly used, public information from our settings.
- The values are whitelisted each with a custom name for returning from the endpoint
2019-01-04 12:17:32 +00:00
Hannah Wolfe
80f9765a35 Removed deprecated settings
refs #10318

- cheap and dirty way of removing settings we don't use
- rewritten the settingsFilter function as that was unnecessarily complex
- aslo fixed the require of default-settings in the importer
2019-01-04 12:17:32 +00:00
Hannah Wolfe
ef98c65040
Clean v2 Content API (#10329)
* Removed unused fields from v2 Content API

- We want to ship the v2 Content API as clean and lean as we can
- Many fields in the DB aren't actually used, we shouldn't return these values
- Other values aren't useful outside of Admin clients, and shouldn't be returned either

Fields removed:
- tags: created_at, updated_at, parent
- authors: locale, accessibility, tour
- posts: locale, author status, page
2019-01-04 11:21:21 +00:00
Naz Gargol
d3f3b3dc20
Added plugin based author and public tag models in API v2 (#10284)
refs #10124

- Author model returns only users that have published non-page posts
- Added a public controller for tags (should be extracted to separate Content API controller https://github.com/TryGhost/Ghost/issues/10106)
- Made resource configuration dynamic based on current theme engine
- This needs a follow-up PR with fixes to the problems described in the PR
2019-01-03 20:30:35 +01:00
kirrg001
75037bcb28 Added some deprecation notes for x_by fields
closes #10286

- we will come up with a new activity stream/actions concept soon
2019-01-03 17:14:52 +01:00
kirrg001
789a3c0715 Removed x_by fields from API v2 response
refs #10286

- v2 no longer exposes x_by fields (published_by, updated_by, created_by)
- we will add a brand new concept called activity stream/actions soon
2019-01-03 16:38:52 +01:00
Fabien O'Carroll
0f32209e65
🐛 Fixed responsive images for gifs & svgs (#10315)
closes #10301

* Redirected to original image for gifs & svgs

* Created canTransformFileExtension method

* Updated image middlewares to use canTransformFileExtension
2019-01-03 16:28:37 +07:00
Nazar Gargol
6797da599b Added functional test for import endpoint in API v2
no issue

- This change is a follow up to this bugfix https://github.com/TryGhost/Ghost/pull/10299
- Added default export JSON to keep the state of db test suite intact
- Small typo fixe that noticed while debugging
2019-01-02 14:10:25 +01:00
Kevin Kuang
4a5a5acba7 🐛 Fixed broken content import in Admin API v2 (#10299)
no issue
2018-12-20 11:01:48 +01:00
Aileen Nowak
506d013f25
Ability to not send welcome email (#10293)
no issue

- We need to be able to not send the welcome email if needed
- Intruduces a new possible config setting `sendWelcomeEmail` which is set to `true` by default
2018-12-17 15:02:47 +01:00
Naz Gargol
aa8e75914d
Migrated db controller to API v2 (#10051)
refs #9866

- Migrated db import/export routes to use new db controller
2018-12-17 14:45:09 +01:00
Katharina Irrgang
5d2ab19881
Removed invitedBy from admin API: invitation endpoint (#10291)
refs #10286

- we want to deprecate all `x_by` fields
- we would like to get rid of all usages to be able to easily remove the fields in the future
- `invitedBy` is not used in the admin client
2018-12-17 14:16:39 +01:00
Katharina Irrgang
799857b77a 🐛 Fixed URL is not a constructor for Node v6 (#10289)
closes #10287
2018-12-17 17:23:45 +05:30
Naz Gargol
aca887a35d
Added async file header handling for API v2 (#10292)
refs #9866
2018-12-17 12:47:19 +01:00
Greg Hart
261a8234e9 Added Slack username option. (#10285)
refs #9735.
2018-12-14 18:57:32 +07:00
汪磊
2645ff05a0 🐛 Removed duplicate shortcut icon link (#10254)
no issue

{{amp_ghost_head}} already provides this
2018-12-14 16:59:06 +07:00
汪磊
7419566756 🐛Fixed multiple authors for amp (#10253)
no issue

- refs: gscan `GS001-DEPR-AUTHBL`
- the amp page always printed a single author only
2018-12-14 10:19:51 +01:00
Peter Zimon
42e013cfae
Members auth ui refinements (#10279)
* Update mobile modal animations
* Member popup input error and placeholder refinements
* Adding close animation to members auth popups
* Improve members auth dialog
* Refine members reset password design
2018-12-14 09:57:08 +01:00
Fabien O'Carroll
7dd2b04343 Removed ssoOriginCheck from signout endpoint (#10277)
no-issue

the ssoOriginCheck exists to ensure that we only allow signin/signup to
be called from the specified auth page, this is a very minor security
feature in that it forces signins to go via the page you've designated.
signout however does not need this protection as the call to signout
completely bypasses any UI (this is the same for the call to /token)
2018-12-14 12:26:31 +05:30
Fabien O'Carroll
2d92793b3f
Cleaned up image manipulator (#10282)
no-issue

* Added InternalServerError to resizeImage

* Added a redirect to original image if sharp is missing

* Improved naming - safeMethod -> method

* Updated process method to follow same sharp check pattern

* Refactor safety wrapper into makeSafe function

* Moved generic manipulation error to makeSafe function

* Refactored unsafeProcess to use unsafeResizeImage

* Removed CRAZY catch
2018-12-14 11:54:52 +07:00
Fabien O'Carroll
7099dd45a5
Supported dynamic image resizing for LocalFileStorage(#10184)
refs #10181 

* Added initial handleImageSizes middleware

* Implemented saveRaw method on local file storage

* Wired up handleImageSizes middleware

* Implemented delete for LocalFileStorage

* Removed delete method from theme Storage class

* Deleted sizes directory when theme is activated

* Ensured that smaller images are not enlarged

* Renamed sizes -> size

* Exited middleware as early as possible

* Called getStorage as late as possible

* Updated image sizes middleware to handle dimension paths

* Revert "Deleted sizes directory when theme is activated"

This reverts commit 9204dfcc73a6a79d597dbf23651817bcbfc59991.

* Revert "Removed delete method from theme Storage class"

This reverts commit b45fdb405a05faeaf4bd87e977c4ac64ff96b057.

* Revert "Implemented delete for LocalFileStorage"

This reverts commit a587cd6bae45b68a293b2d5cfd9b7705a29e7bfa.

* Fixed typo

Co-Authored-By: allouis <fabien@allou.is>

* Redirected to original image if no image_sizes config

* Refactored redirection because rule of three

* Updated comments

* Added rubbish tests

* Added @TODO comment for handleImageSizes tests

* Added safeResizeImage method to image manipulator

* Used image manipulator lib in image_size middleware
2018-12-13 20:25:24 +07:00
Todd Justin York
2860ddeb3b Switched to using safe string for navigation slug (#10267)
closes 10258

- we should use consistent tooling for generating slugs across the whole of Ghost
2018-12-13 12:30:56 +00:00
Fabien O'Carroll
c2275ed131
Added size attribute support to img_url helper (#10182)
refs #10181 

Adds support to request a size in the img_url helper using syntax like:
    <img src="{{img_url profile_image size="small"}}"/>

Requires the image_sizes config to be defined in the themes package.json
2018-12-13 19:14:08 +07:00
Dexter Leng
8c3d29edb2 🐛 Striped invisible unicode characters from slugs (#10252)
refs #9826

- Striped invisible characters from slug based on regexp pulled directly from XRegExp library, similarly to the approach taken in 9eef2616e4 (diff-50bf43eef863952813617ae9997538d0R4)
2018-12-13 13:06:59 +01:00
Hannah Wolfe
7cce71d997
🐛 Fixed get helper when API v0.1 is disabled (#10270)
closes #10266

- the Public API labs flag refers to the v0.1 API only
- if it is disabled, the v0.1 API should be disabled
- if the theme is using v2 API, then the get helper should be available regardless
2018-12-12 15:38:35 +00:00
Fabien O'Carroll
5cb053412f
Updated member lib/auth service to use origin of site url (#10271)
no-issue
2018-12-11 19:45:03 +07:00
Katharina Irrgang
9d7c3bd726
🐛 Fixed all known filter limitations (#10159)
refs #10105, closes #10108, closes https://github.com/TryGhost/Ghost/issues/9950, refs https://github.com/TryGhost/Ghost/issues/9923, refs https://github.com/TryGhost/Ghost/issues/9916, refs https://github.com/TryGhost/Ghost/issues/9574, refs https://github.com/TryGhost/Ghost/issues/6345, refs https://github.com/TryGhost/Ghost/issues/6309, refs https://github.com/TryGhost/Ghost/issues/6158, refs https://github.com/TryGhost/GQL/issues/16

- removed GQL dependency
- replaced GQL with our brand new NQL implementation
- fixed all known filter limitations
- GQL suffered from some underlying filter bugs, which NQL tried to fix
- the bugs were mostly in how we query the database for relation filtering
- the underlying problem was caused by a too simple implementation of querying the relations
- mongo-knex has implemented a more robust and complex filtering mechanism for relations
- replaced logic in our bookshelf filter plugin
- we pass the custom, default and override filters from Ghost to NQL, which then are getting parsed and merged into a mongo JSON object. The mongo JSON is getting attached by mongo-knex.

NQL: https://github.com/NexesJS/NQL
mongo-knex: https://github.com/NexesJS/mongo-knex
2018-12-11 11:53:40 +01:00
Fabien O'Carroll
48923ac327
Wired members service up to api and app (#10262)
* Updated auth service members middleware

refs #10213

* Wired up members api router to the ghost api endpoints

refs #10213

* Created members app for the static pages

refs #10213

* Wired up the members app

refs #10213
2018-12-11 15:18:07 +07:00
Fabien O'Carroll
0b58f4cf62
Added members service to create instance of members lib (#10261)
refs #10213 

* Added members service to create instance of members lib
2018-12-11 14:57:01 +07:00
Fabien O'Carroll
a5ea34900b
Added members lib module (#10260)
* Added members library inc. gateway

refs #10213

* Added the auth pages and build steps for them

refs #10213

* Cleaned up logs

* Updated gruntfile to run yarn for member auth

* Design refinements on members popups

* UI refinements

* Updated backend call to trigger only if frontend validation passes

* Design refinements for error messages

* Added error message for email failure

* Updated request-password-reset to not attempt to send headers twice

* Updated preact publicPath to relative path

* Build auth pages on init
2018-12-11 13:47:44 +07:00
Fabien O'Carroll
0bf5dd212a Added members related db changes and models
refs #10213
2018-12-11 11:53:55 +07:00
Fabien O'Carroll
dcfaecfe92
🐛 Added CORS support to the v2 Content API (#10257)
no-issue

When trying to use /api/v2/content from a different domain, the requests
were failing with CORS errors. This doesn't use the shared cors middleware,
because it should be open to all hosts, and not locked down via our
whitelist or trusted domains.
2018-12-11 11:44:12 +07:00
kirrg001
7af2802e14 Added validation for null|undefined values for required keys
closes #10071
2018-12-10 16:33:39 +01:00
kirrg001
ccd9541f75 Replaced hardcoded translation in shared input validator
no issue

- re-use existing keys
2018-12-10 16:33:39 +01:00
kirrg001
812e533554 Corrected incorrect syntax for required propierties
no issue
2018-12-10 16:33:39 +01:00
kirrg001
11f0f1c314 Fixed incorrect validation message for required values
no issue

- the message always showed: `Validation (FieldIsRequired) failed for key`
2018-12-10 16:33:39 +01:00
Nazar Gargol
da7fdfeae6 Extracted trimAndLowerCase utility to shared utility module
refs #9866
2018-12-10 13:56:42 +01:00
Naz Gargol
5cc441e720
🐛 Fixed contributors being able to delete draft posts as co-author (#10239)
closes #10238

- The user of contributor role should not be allowed editing a post while not being a primary author
2018-12-04 13:31:02 +01:00
Rishabh Garg
bf295a96a8
Added configuration controller to v2 API (#10056)
refs #10060
2018-12-04 09:27:36 +05:30
Rish
033ddf1b43 🐛 Fixed site changed webhook not triggered for scheduled posts
closes #10226

- Middleware emits site-changed event used to trigger webhook, was configured to v2 admin api only.
- Change allows all versions of api to emit event in case of cache invalidation
2018-12-04 09:39:41 +07:00
Sumedh Nimkarde
8b816af1c2 🐛 Fixed invalid imported subscribers count (#10229)
closes #9987

- Fixed the count of invalid records when importing single column csv of subscribers
2018-12-03 20:45:55 +01:00
Katharina Irrgang
fc21b25895
🐛Fixed auto redirect for extra data queries on post and page resources (#9828)
closes #9791

- we only made use of the redirect middleware, who detects if a redirect should happen, for taxonomies (tags, authors)
- `data: page.team` will now redirect too
- `data: post.team` will now redirect too
- you can disable the redirect using the long form
2018-12-03 20:31:48 +01:00
cotko
65a66ac007 Included relations if static resource is post | page (#10148)
refs #10082

- this is a requirement if a static route represents a single resource

e.g. `data: page.team`

- the page resource will no longer live on it's original static url
- instead, it now lives somewhere else
- that means the whole site needs to act the same than the original static url
  - the resource does not contain any relations
  - we don't forward the correct context (page, post, user?)
- we override the `include` property for now
  - need to wait for more use cases or bug reports for this controller
- more changes will follow asap
2018-12-03 19:26:21 +01:00
Fabien O'Carroll
ed77192457 Renamed API -> Api for v2 auth logic (#10142)
closes #10120
2018-12-03 18:08:57 +01:00
Dilan Guneratne
6bc658be9b 🐛Removed user reference warning from importer report if post is a draft (#10169)
refs #9584

- The Importer checks if a user reference is null. But if the post is a draft and published_by is null, we should ignore the user reference detection.
- This change will avoid showing an incorrect user reference warning in the importer report for draft posts.
2018-12-03 17:48:03 +01:00
Kacper Duras
7c1840f025 🐛 Fixed edit permission of the common article by multiple authors (#10214)
closes #10212
2018-12-03 17:44:23 +01:00
anaplian
c539d39875 🐛 Fixed missing 404 for unknown API routes (#10070)
closes #10020

* Append trailing slash to version path
2018-11-26 16:35:38 +07:00
Katharina Irrgang
e48c28b98f 🐛 Protected Ghost blog against invalid uploaded routes.yaml (#10100)
* 🐛  Protected Ghost blog against invalid uploaded routes.yaml

no issue

- e.g. you upload `filter:tag=this is a wrong filter value`
- ask the url service if it has finished it's work to ensure the upload was successful
- wait 5 seconds till Ghost will bring back the last uploaded valid version

* fixed test
2018-11-26 16:28:22 +07:00
Rishabh Garg
e2e5353ea9
Updated error message log and lastTriggeredError for webhook requests (#10147)
closes #10145

- Updated lastTriggeredError message in case of failure
- Removed GhostError in case of request failure and added proper warning
2018-11-20 12:13:35 +05:30
Fabien O'Carroll
db34297a74
Added string size comment to schema.js (#10179)
no-issue
2018-11-19 17:29:31 +07:00
Katharina Irrgang
090a936e16
Moved raw order for author filtering to correct place (#10166) (#10171)
refs #10105

- ordering !== filtering
2018-11-15 16:17:51 +01:00
Katharina Irrgang
e89a27f3ab
Replaced options.where GQL statements with filter notation (#10160)
refs #10105

- `options.where` is an older deprecated logic
- before the filter language was invented, Ghost generates statements for knex
- if we want to replace GQL with NQL, we can't generate these statements
- they are not understood from NQL, because NQL uses mongo JSON
- go through usages and rewrite the statements
- invent `extraFilters` for now
- we need to keep the support for `status` or `staticPages` for now (API requirement)
- IMO both shortcuts in the extra filters should be removed in the future

This commit is required for https://github.com/TryGhost/Ghost/pull/10159!
2018-11-15 15:53:24 +01:00
Katharina Irrgang
2e81852b22
Moved raw order for tag filtering to correct place (#10166)
refs #10105

- ordering !== filtering
2018-11-15 15:27:31 +01:00
Fabien O'Carroll
95ba6a55ec
Checked options.include when filtering tags (#10163)
no-issue
2018-11-14 17:54:15 +07:00
Rishabh Garg
b2201d4179 Removed formats from private posts in content api (#10154)
closes #10118

All behind a members labs switch for now

* Added filter for member only content

* Updated frame context

* Cleaned up members content check

* Cleanup

* Cleanup

* Ensured members filtering works without include=tags

* Protected against missing query

* Fixed usage of include vs withRelated

* Moved includeTags logic for members behind members flag to use tags

* Cleanup

* Update input serializer dependency

Co-Authored-By: rishabhgrg <zrishabhgarg@gmail.com>

* Added some explanations
2018-11-14 14:32:14 +07:00
Nazar Gargol
28a686a936 🐛 Fixed image optimisation for input image being smaller than optimized one
closes #10144

- When the input image is well optimized and has smaller byte size than the processed one it's still being used
- Bumped sharp version to have access to `size` property
2018-11-13 13:19:31 +01:00
Fabien O'Carroll
8046f4d437
🐛 Fix last seen for users (#10141)
* Added updateLastSeen method to user model

refs #10138

* Refactor codebase to use user.updateLastSeen

refs #10138

This is to ensure all updates go via the same method, meaning any
specific logic can be handled in one place, it also helps with grepping
the codebase to find where this occurs

* Created updateUserLastSeen middleware for v2 admin

refs #10138

This is intended to be used with the v2 admin api and _possibly_ the
content api, to give us an accruate report on thelast time a user access
a ghost instance.

* Wired updateUserLastSeen up to v2 Admin API

closes #10138

* Fixed broken test for v2 admin api

no-issue

This test was broken because it was incorrectly testing for a method to
be called exactly once - this was irrelevant to the functionality being
tested for.

* Updated user check method to set status to active

no-issue

* Debounced the updateUserLastSeen middlware an hour

no-issue

* Resolved some PR comments
2018-11-13 18:27:10 +07:00
Rishabh Garg
75f243a3a2
Added migration for webhook permissions_roles fixtures (#10153)
closes #10152

- Added new migration for webhook permissions_roles relations
2018-11-13 14:35:37 +05:30
cotko
002a135962 🐛Fixed order being ignored in routes.yaml file (#10146)
no issue
2018-11-12 20:24:12 +01:00
Sumedh Nimkarde
f3e9218ee3 🎨 Modified slack webhook payload, added info about published post (#9850)
closes #8936

- Modified the slack webhook payload to provide more info about a published post
2018-11-12 13:04:50 +01:00
Rishabh Garg
f2b44322a3
Enabled members lab setting for developer experiment flag (#10132)
closes #10114
 
* Members lab enabled to be always true behind developer experiments flag

* Members lab set to true for themes behind developer experiments flag

Note: This change uses hard-coded labs value for members based on enableDeveloperExperiments flag, ideal implementation for later is to pick those value from settings.
2018-11-09 17:12:21 +05:30
Fabien O'Carroll
f660b6a77b
Wired up Members auth to the Content API auth (#10129)
closes #10113
2018-11-08 16:57:42 +07:00
Fabien O'Carroll
93781a0e78 🚧 Authorized Content API requests with req.member
closes #10111

The members labs setting is required to be set for req.member to be
considered valid authorization
2018-11-08 13:34:29 +07:00
Fabien O'Carroll
2e922808e8 ♻ Updated naming for Content API specific middleware
no-issue

This is because the Content API will eventually be accessed not just
from Content API keys. The addition of a Content API specific
authorization middleware is because:
1. content api should not authorize based on req.user
2. content api will need separate authorization than admin api
2018-11-08 13:34:29 +07:00
Fabien O'Carroll
7323258415 🚧 Added req.member to the v2 api context object
closes #10112
2018-11-08 13:32:41 +07:00
Fabien O'Carroll
2a6e9aac55 🚧 Created members auth middleware
closes #10110
2018-11-08 13:32:09 +07:00
John O'Nolan
9f7295853f Changed casper.ghost.org to static.ghost.org references (#10109)
no issue

Assets moved from gh-pages to https://github.com/tryghost/static and hostname changed, redirects already in place. Can be tested on https://demo.ghost.io (image should all work fine, try visiting one directly to verify redirect works)
2018-11-07 15:50:38 +01:00
Katharina Irrgang
ff6bf5f318 Renamed /users to /authors for Content API V2 (#10096)
refs #10061

- Made /authors endpoint available in Content API V2
2018-11-07 15:29:37 +01:00
Rishabh Garg
3b8621e19c Added slack controller to v2 API (#10086)
refs #10060

- Added slack controller to v2 admin API
- Added new API test for slack API controller
2018-11-06 23:20:43 +01:00
Naz Gargol
ec03b3cfc5
Content API v2 date formatting (#10095)
closes #10065 

- Added UTC offset to dates returned by Content API
- Added test checking new format is compatible with Admin API
- Refactored output serializer mapping logic
2018-11-06 16:12:12 +01:00
Rishabh Garg
7b38986316 Removed mobiledoc format from Content API V2 response (#10098)
closes #10097

- removed formats `mobiledoc` option directly in post input serializer for v2 Content API
2018-11-06 14:39:16 +01:00
kirrg001
46c806358b Extended resource lookup in {{get}} helper
refs #10061

- prep task to add authors for content API
2018-11-06 14:08:13 +01:00
Rishabh Garg
3345618731
Added helper to check for content API (#10104)
no issue

* Added helper to check if API called is content API
2018-11-06 17:36:22 +05:30
kirrg001
22911b5812 Fixed frame context being empty
no issue
2018-11-06 14:44:06 +05:30