Commit Graph

12959 Commits

Author SHA1 Message Date
Thibaut Patel
55a0c69451 Added the customThemes limits to all api versions
https://github.com/TryGhost/Team/issues/663
2021-05-21 09:56:22 +02:00
Renovate Bot
9010932466
Update dependency sanitize-html to v2.4.0 2021-05-20 16:28:50 +00:00
Fabien O'Carroll
f4017cc439 🐛 Fixed creating members linked to stripe customers
closes https://github.com/TryGhost/Ghost/issues/12942

The signature of the `linkStripeCustomer` method was updated and this
usage was missed.
2021-05-20 13:44:35 +01:00
Fabien O'Carroll
253eee627c Removed boot precondition checks from members-api
refs https://github.com/TryGhost/Team/issues/598
refs https://github.com/TryGhost/Ghost/commit/5cdf910e

Since we have moved the preconditon checks into this codebase, we no
longer need the members-api module to run them. This bump includes the
changes to remove the last of those checks.
2021-05-20 12:14:14 +01:00
Fabien O'Carroll
17a2083c05 Added precondition for Stripe Connect Admin API
refs https://github.com/TryGhost/Team/issues/598

Stripe Webhooks require SSL in production, and so we should not be
allowing connecting to Stripe in production mode unless the site is
running with SSL.
2021-05-20 12:08:45 +01:00
Fabien O'Carroll
b668d6fc9c Added members service init to boot sequence
refs https://github.com/TryGhost/Team/issues/598

This method contains precondition checks for booting Ghost, and should
be called as early as possible.
2021-05-20 12:08:45 +01:00
Fabien O'Carroll
5cdf910e63 Checked boot preconditions in members service init
refs https://github.com/TryGhost/Team/issues/598

We now have several pre-conditions related to members which determine
whether or not Ghost is allowed to start. Rather than burying this
within the members-api module, we have now surfaced them to an init
method which can be called during the boot sequence of Ghost. This will
allow us to exit early and explicitly.
2021-05-20 12:08:45 +01:00
Fabien O'Carroll
3f6544bebc Renamed index.js -> service.js for lint reasons
no-issue

Our linter now requires that files named index.js have less than 50
lines, so this renames the index.js file to service.js and reexports
service.js from index.js so that linting will pass.
2021-05-20 12:08:45 +01:00
Hannah Wolfe
05a16948a3
Moved testmode routes into a correctly named file
- testmode routing was in an index.js file, this breaks our coding standards
- these routes belong in routes file, same as all other routes
2021-05-20 11:42:27 +01:00
Renovate Bot
d98334eb89
Update dependency express-session to v1.17.2 2021-05-19 20:47:30 +00:00
Renovate Bot
fd394f0c3a
Update dependency @sentry/node to v6.4.1 2021-05-19 18:16:24 +00:00
Fabien O'Carroll
1d36afbc41 Updated dynamic whitelist from schema to static array
no-issue

This protects our tests against changes to the database schema, which
helps us decouple the API from the database, and make tests less
brittle. It also forces us to manually update the tests if we do make a
change to the API!
2021-05-19 18:49:18 +01:00
Fabien O'Carroll
5880edd722 Replaced members 'comped' status with 'paid'
refs https://github.com/TryGhost/Team/issues/693

Since we've got rid of the concept of Complimentary with the Custom
Prices work, we're removing the 'comped' status from members. This
involves a migration for existing members, a schema update for the
validation, and a bump to members-api to no longer use the 'comped'
status for new members.

We also update the aggregation of the MemberStatusEvent to consider the
'comped' status as 'paid', and that there are 0 'comped' status events
in the database.

We can consider a migration for this data in the future, either adding
new status events moving from 'comped' to 'paid', or by modifying
existing status events. However both of these are very difficulty to
write a down migration for, and might be best saved for a major version.

- @tryghost/members-api@1.7.0 is the version that includes the required
  changes, however we have already bumped to 1.8.0 in Ghost
2021-05-19 18:49:18 +01:00
Fabien O'Carroll
278ad8eaea Updated comped flag for v3 Members Admin API
refs https://github.com/TryGhost/Team/issues/693

Since we no longer have the concept the "comped" we update the v3 API to
always have a `comped` flag of `false` - maintaining backwards
compatibility.
2021-05-19 18:49:18 +01:00
Fabien O'Carroll
57a176ff3d Removed comped flag from canary Members Admin API
refs https://github.com/TryGhost/Team/issues/693

Since we no longer have a concept of "comped" we're removing the flag
from the unstable canary api.
2021-05-19 18:49:18 +01:00
Rishabh
5cabc39124 Fixed products data in members api on changing comped status
refs a4c78dbf19

Updates member data on edit to include products data when comped status is changed, as by default we don't include products data when member goes from free to paid subscription due to comped being added.
2021-05-19 23:14:04 +05:30
Rishabh
a4c78dbf19 🐛 Fixed error on saving member with susbcriptions
closes https://github.com/TryGhost/Team/issues/699

With custom products, saving a member with subscriptions on member detail page in Admin throws errors on console, though the save is successful. This breaks the Admin as user needs to refresh the screen again to get rid of error. This change -

- updates the response on member save to return `price` object in subscription
- updates tests
2021-05-19 22:32:15 +05:30
Fabien O'Carroll
0e77b378a6 Migrated members_{monthly,yearly}_price_id settings
refs https://github.com/TryGhost/Team/issues/698

The migrations to populate these settings are handled by the members-api
module, as they depend on the stripe_prices table being populated. This
cannot be guarunteed at boot, so we're unable to do this as a standard
migration.
2021-05-19 15:37:20 +01:00
Thibaut Patel
2bcc934eb4 Disable CSRF on the oauth callback route
no issue

Keeping CSRF enabled there would prevent oauth from working as users are redirected from the provider domain to the /callback route, where they are logged-in
2021-05-18 20:44:21 +02:00
Rishabh
2e8db93ab6 Filtered selected prices in Portal settings
no refs

Filters active prices in Portal settings to only contain the selected prices by site owner in new monthly/yearly price id settings, ignoring all other prices for now.
2021-05-18 20:27:20 +05:30
Hannah Wolfe
d9367f5b20
Added debug to gscan checks for timings
- added a couple of extra debug calls to see how long gscan checks take in the boot process
2021-05-18 15:22:04 +01:00
Renovate Bot
ae98bf5a6d Update dependency mock-knex to v0.4.10 2021-05-18 11:05:31 +01:00
Rishabh
76adf920da Updated Portal to handle logged out API response
refs https://github.com/TryGhost/Team/issues/560
refs 196cdafe6b

The endpoint `/members/api/member/` used by Portal for fetching member details was updated to return 204 No Content instead of 401. This change updates Portal to handle updated API response for logged out member, along with couple of bug patches -

- 🐛 Fixed extra email sent for logged in members on upgrade
- 🐛 Fixed falsy value not used in preview
2021-05-18 15:01:33 +05:30
Rishabh
4627d1c26a Added settings for monthly/yearly price ids
no refs

Since backend now allows multiple prices but we want the prices to be currently limited to monthly/yearly on UI, we need new settings to store the current monthly/yearly price by the site owner. These settings determine the active prices shown in Admin / Portal for the site till we allow all custom products/prices again.
2021-05-18 13:34:31 +05:30
Thibaut Patel
e0db9a16f9 Fixed the version sent to Sentry
commit 9c498697c9
issue https://github.com/TryGhost/Team/issues/694

`process.env.npm_package_version` is only filled when Ghost is started via npm scripts, so it would have been empty when starting Ghost using `node index.js`
2021-05-17 13:32:56 +02:00
Fabien O'Carroll
3483bfa747 Updated @price data to not use archived prices
no-issue

Since we now allow archiving prices, we should filter them out from
being considered the monthly or yearly plan, as they are unable to be
subscribed to.
2021-05-17 11:02:27 +01:00
Fabien O'Carroll
22a211f1de Fixed @price data when Stripe is not configured
no-issue

Themes which use the `@price` data will have a 400 error if they are not
setup prices. This adds default price data so that the theme will not
error.
2021-05-17 11:02:27 +01:00
Thibaut Patel
9c498697c9 Removed a require of core/server from core/shared
issue https://github.com/TryGhost/Team/issues/694

Solves an eslint warning
2021-05-17 11:42:19 +02:00
Renovate Bot
2af3d760a2
Update dependency @sentry/node to v6.4.0 2021-05-17 08:09:59 +00:00
renovate[bot]
3b5ce73026
Update dependency @tryghost/session-service to v0.1.22 (#12965)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-05-14 18:35:36 +02:00
Kevin Ansfield
84724537be 🐛 Fixed feature images in emails appearing very wide in Outlook
closes https://github.com/TryGhost/Team/issues/675

Outlook will display images at their native resolution if no `width` attribute is supplied. Content images were fixed a while ago but feature images would still render very wide and cause horizontal scroll and text size/alignment issues.

- modify `post.feature_image` and add a `post.feature_image_width` property before passing it through to the email template
  - for Unsplash images we assume all images are larger than 600px so we change the URL to reference a 1200px image and set the image width to 600 (to keep images on retina displays crisp)
  - for other images we probe the image to fetch the original dimensions and give set an image width of 600 if needed, if it's a locally-hosted image we update the URL to point at a max 1200px version
- updated email template to output a `width` attribute on the feature image `<img>` tag if it's set
2021-05-14 11:57:37 +01:00
Kevin Ansfield
7070572e4f Moved getLocalSize() from mobiledoc to image-size lib
no issue

- `getLocalSize()` is useful outside of the mobiledoc populate-image-sizes function
- expanded `ImageSize` class with new methods
  - `getOriginalImageSizeFromStoragePath()` - takes the "original" image extraction and test from `getLocalSize()` and makes it more generally available
  - `getImageSizeFromStorageUrl()` - takes the path extraction from `getLocalSize()` to make image sizes from local urls more generally available
  - `getOriginalImageSizeFromStorageUrl()` - URL version of the new `getOriginalImageSizeFromStoragePath()` method
2021-05-14 11:57:37 +01:00
Thibaut Patel
14cae4b154 Added notes to oauth code for future improvements
no issue
2021-05-14 12:10:27 +02:00
Naz
02ea81fdda Removed dead code
refs d698a2b431

- This code is not needed since the switch to "allowlist" approach
2021-05-13 16:20:28 +04:00
Naz
d698a2b431 Finished refactor of content utils in acceptance suite
refs 06dd9bac59

- This is a continuation of the work started in the refed commit. In short: allowlisting response checks wherever possible
- The file is now "schema" depencency free. Should serve as an example for other test "utils" modules.
2021-05-13 16:19:33 +04:00
Naz
255b4da7a2 Removed unused test utils modules
no issue

- This is dead code!
2021-05-13 15:41:27 +04:00
Naz
d98f76b18c Refactored test utils "post" properties
refs 06dd9bac59
refs https://github.com/TryGhost/Team/issues/687

- This is a continuation of the work started in the refed commit. In short: allowlisting response checks wherever possible
2021-05-13 15:41:27 +04:00
Rishabh
c6eafeb89b Updated tests for member endpoint
refs https://github.com/TryGhost/Team/issues/560
refs 196cdafe6b

Last commit updated the response status for member endpoint  - `/members/api/member` - from 401 to 204. This change updates the test to handle new response code.
2021-05-13 15:35:14 +05:30
Rishabh
196cdafe6b 💡 Removed 401 error for logged-out member on Portal
closes https://github.com/TryGhost/Team/issues/560
closes https://github.com/TryGhost/Ghost/issues/12870

The endpoint `/members/api/member/` is used by Portal for fetching member details on site load to setup different flows. The response from this endpoint for logged out member has now changed from 401 Unauthorized to 204 No Content.

Ghost API was previously returning 401 Unauthorized error for logged-out member as this seemed to be technically correct response for unauthorized access to membership features. This resulted in a lot of confusion for end users where visible 401 errors on console were perceived as errors in the script as well as caught by loggers as erroneous traffic. Also for an end user, in the context of visiting a website - the user themselves is not trying to gain access to anything so this becomes cause for more confusion.

After internal discussion, the endpoint - [SITE_URL]/members/api/member- now returns 204 No Content instead of 401 for logged out member, denoting server was able to process the request but did not find any associated member. This should avoid any unwanted error logging on Portal load on a site, as well as make Portal functioning more transparent for a site.
2021-05-13 15:26:07 +05:30
Renovate Bot
421d457430 Update dependency @tryghost/helpers to v1.1.45 2021-05-13 10:07:59 +01:00
Naz
eb7e4bb815 🐛 Fixed frontmatter-related validation error
refs https://github.com/TryGhost/Team/issues/687

- The frontmatter field has leaked into the API layer unintentionally when it was introduced into the DB schema during 4.0 release.
- The fix add the field to "trim" list in all API. A proper validation and handling will be add per API as usecase for the field becomes clear
2021-05-13 12:14:05 +04:00
Naz
06dd9bac59 Refactored post resource Admin API test utils
refs https://github.com/TryGhost/Team/issues/687

- The approach of generating validation properties using `/server/data/schema` package's tables object is prone to leaking unwanted database fields into API responses
- This refactor takes a tiny step into direction of relying on "allowlist" approach for properties in the API response resources.
- Apart from solving the described property leak problem it also moves toward decoupling tests from `/core/server` dependencies!
2021-05-12 18:15:54 +04:00
Naz
ec01c4f004 Fixed typos 2021-05-12 17:06:10 +04:00
Naz
1e20f2cb76 🐛 Fixed webhook initialization when over limit
refs https://github.com/TryGhost/Team/issues/599

- Webhook listener was still kicking in when the limit for  "customIntegrations" was in place. This is due to parallel initialization that was done previously and sometimes limit service initialized before webhooks but sometimes it didn't!
- Moving it to be initialized before any othe service ensures the race conditon doesnt happen anymore
2021-05-11 18:11:51 +04:00
Daniel Lockyer
9c2388e8aa
v4.5.0 2021-05-11 13:34:32 +01:00
Daniel Lockyer
a528769f57
Updated Ghost-Admin to v4.5.0 2021-05-11 13:34:32 +01:00
Daniel Lockyer
78600636b2
Updated Casper to v4.0.5 2021-05-11 13:34:28 +01:00
Fabien O'Carroll
41acc37865 Made complimentary_plan & stripe_customer_id exclusive
no-issue

When importing Members it is possible to have both the
complimentary_plan and the stripe_customer_id columns set, this can
result in unusual outcomes, for example when importing a customer with a
zero-amount subscription, they would end up with two "comped"
subscriptions, and there would be two "comped" prices in the database.

As we are deprecating the use of "comped" in favour of creating a
subscription with a specific price, we're updating the import to prefer
`stripe_customer_id` column, only using the `complimentary_plan` column
when it is the only of the two columns passed.
2021-05-11 12:33:28 +01:00
Fabien O'Carroll
ed0f90a82d Fixed errors when importing comped Members
no-issue

The logic for finding the zero-value price to be used was broken, and
this patch to members-api fixes it
2021-05-11 12:13:48 +01:00
Renovate Bot
83d4a19757 Update dependency @tryghost/url-utils to v1.1.4 2021-05-11 12:09:16 +01:00