Refs #3473
- Some tests are checking to make sure errors by using a
catch handler on the test. When assertions fail done()
is never called and results in a mocha timeout, which makes
it harder to see the cause of the failure.
closes#3522
- Previously, the logo had a href attribute which was manually kept
from executing on mobile. Slow mobile devices that didn’t fully load
the JS would therefore navigate “desktop style”
- The href attribute is now set after the event handler has been loaded, ensuring correct navigation behaviour.
closes#3544
- limit forgotten password requests to five requests per IP per hour
for different email addresses
- limit forgotten password requests to five requests per email address
- limit signin requests to ten failed requests per IP per hour
- removed special treatment for tests
closes#3529
- Created ‘delete user’ modal (similar to the ‘delete post’ modal) and
controller
- Modal will be opened if ‘Delete User’ is selected in the user
setting cog menu
Closes#3533, Closes#3547, Closes#3531
- invite-new-user always resets role to author now, allowing for multiple invites on one load
- Added confirm action when hitting return in INUModal's email input
- Don't pass users as the model to invite-new-user-modal
- Move invite-new-user reset to a `finally` clause
- invite-new-user always closes on a confirm
closes#3538, closes#3541
- The “autofocus” property isn’t considered by browsers if the element
is created after the page has been loaded. The Ember cookbook
recommends extending the input type with a manually triggered
autofocus, which I included here.
- This introduces the new helper “gh-focus-input”, an input field
gaining focus even when routing occurs.
fixes#3549fixes#3528
- instead of grabbing and setting the author after fetching the list of users, get the author info from the models "author" property and set it when that value returns. (3549)
- added filter to the PSM's "authors" attribute to only display active users (3528)
* Move publishedAtCompare to standalone function in closure scope
(allows better browser optimizations).
* Avoid getting the same field (published_at) more than once.
Closes#3511, Closes#3512, Closes#3526
- show* methods now close existing passive notifications by
default. They also now take an optional options object where
existing parameters such as "delayed" and "defaultErrorText"
can be passed in as well as the new "doNotClosePassive" flag.
- Removed all explicit calls to notifications.closePassive except
for the few places where it makes sense to call it separately.
Refs #3473
- Change tests to not assume that all inserted fixture data
will end up with the same millisecond-precision time for
results sorting. If a test is set up to check the contents
of a specific fixture extract it explictly from the results.
closes#3468
- added rate limit to deny more than 5 attempt every hour
- updated spam prevention to be configurable
- added config values spamTimeout, ratePeriod, rateAttempts
- added ratePeriod:1 to config.example.js to prevent functional tests
from hitting the rate limit
- commented spam test, I’ll fix it tomorrow
closes#3285
- remove apps stuff for now
- if there is a single user, behave the same as before, overriding
non-critical properties of the single owner user
- if there are multiple users, import them like normal resource
No Issue
- The method that generates a filename for the export during
a migration returns a promise, not the filename directly,
so the export file was being named [object Object].
Basic notifications are unnecessarily verbose and, in some instances, even cause line-wrapping to occur. This change shortens them to short, concsise statements to indicate what action has taken place.
* Add titleize utility function.
* Capitalizes first word.
* Capitalizes all words not contained in simple article/conjunction
list.
* Enable shortcuts for `uppercase`, `lowercase`, and `titlecase`.
* Fix header shortcuts
* Ensure that header shortcuts do not duplicate text.
* Make headers idempotent (pressing `ctrl+alt+1` then
`ctrl+alt+2` does not make `# # # blah`.
Closes#3029, Ref #3469
- Editor shortcuts are now built in a separate file, which uses `ctrlOrCmd` to correctly set OS specific shortcuts.
- Removed `newLine` and `selectWord` shortcuts
Closes#3466
- Transferring the owner role is now done via a separate
endpoint and not through Ember-Data. As a result the
user role data needs to be updated manually.
- Updated the owner endpoint to return a response body
containing the updated user objects.
- Updated tests.
closes#3401
- modifying slug-generator to be more generic
- adding slugging capabilities for /settings/users/:slug
- modified posts to use the updated slug-generator
- edit and add endpoints don't assume role
- edit and add endpoints cope with no role, role objects, and strings
- resend user invite was failing at one point due to no role being sent, but this shouldn't be required
- other random api cleanup
closes#3400
- The user view has been extended to have properties indicating whether
the user has rights to make the displayed user an owner or delete
him/her
- Handlebar conditionals decide whether or not to display the cog
* Ensures that posts listing only shows posts that the current user
authored, if they only have the Author role.
* Do not transition into the posts.post route if the current user is
not the author (but has the Author role). This is needed because
the API server will always return the post (regardless of the current
user).
Closes#3015
- Added stepThroughPosts method to PostsRouter, takes a integer, goes that far, wraps around the array.
- PostsPostRoute notifies the PostsController of which model it currently has, to help stepThroughPosts know who's selected
Closes#3242
- Add checks for valid fields in tags and posts
- Add unit test with empty tag export data file
- Add unit test with empty post export data file
Closes#3100
* Introduces `destroyByAuhor`, given a context and an id, it will check if context has permission to delete the user by the id, and then deletes all the content where `author_id` is id, and then deletes the user
* Does multiple checks to make sure user exists
* Added a fixture `posts:mu` that creates 4 users belonging to 4 roles, 50 posts that have authors evenly distributed, 5 tags and all 50 have one tag attached to it, evenly distributed.
Caveats / questions
* Started testing
Closes#3402, Closes#3428
-------------------
### Components
- Added GhostSelectComponent to handle async select creation (h/t @rwjblue)
- Added GhostRolesSelector (extends GhostSelect) for displaying user role options
- Created StoreInjector for surgically inserting the store into things that normally wouldn't have them.
### Users Settings
- InviteNewUserModal now uses GhostRolesSelector & defaults to Author
- The role dropdown for user settings has permissions set per 3402
### User Model
- Added `role` property as an interface to getting and setting `roles`
- Refactored anything that set `roles` to set `role`
- isAdmin, isAuthor, isOwner and isEditor are all keyed off of `role` now
### Tests
- Added functional tests for Settings.Users
- updated settings.users and settings.users.user screens
- fix spacing on screens
### Server Fixtures
- Fixed owner fixture's roles
When a using the forgottenRoute if you enter an incorrectly formatted
email address you would see the error message 'Invalid Email', however
if you entered an email address that was correctly formatted but missing
the error message would be 'Invalid email address'.
This fixes the discrepancy.
closes#3426
- added transfer ownership endpoint
- added owner to roles.permissible
- manually removed owner from roles.browse
- removed hard coded author role
- fixed tests that were passing due to hard coded author role
- added testUtils.setup(‚roles‘)
Closes#3291
- Adds redirects based on roles as defined in the case
- Adds new mixin `CurrentUserSettings`
- For authors, all settings pages redirect to `users/self`
- For editors, all settings pages other than specific users redirect to `users`. Any user that is not self or an author redirects to `users`
Refs #3424, Refs #3444
- API and test suite refactoring triggered a conflict with
the way update_check_spec.js was written. Using a running
copy of Ghost is no longer needed in those tests so it
was removed.
No Issue
- Move authentication related handlers to the Application route.
- Switch Sign Out from a button to a link. Use the signout route
to handle invalidating the session and redirecting instead of
an action from a button.
- Clear error messages on signin page when pressing log in button.
- Errors are now always shown on sign in screen and a success
notification is shown after sign out.
- Update functional tests.
Closes#3281
- Add the missing return to populateDefault
- Wrap defaultSetting in [] when passing to readSettingsResult
- Populate default value of dbHash in parseDefaultSettings
- Modify migrations.init to only load databaseVersion for export_spec test
- Fix spacing in test util file and null reference error in test
- Uncomment user tests (but add .skip) and remove settings from testUtils.setup()
no issue
- added `invited-pending` when resending invitation
- promise chain was missing a return statement
- email error was masked and front end showed success notification
issue #3409
- DRYs out the controllers/frontend a little by moving common functinoality
into its own function
- adds ability to use home.hbs template file if it exists
- adds unit tests for this functionality
closes#3274
- Ensure that validation errors are always handled by moving them into the
importer
- Ensure that db errors are handled consistently across sqlite and mysql
- Change the errors to be output in a table, with a short failure notification
- Add tests for 003 importing bad files
Closes#3414
- Adds a helper which shows a select string deopending on the number of items provided
```
{{plural pagination.total empty='No posts' singular='% post' plural='% posts'}}
```
If `pagination.total` == 0, output 'No Posts'
If `pagination.total` == 1, outputs `1 Post`
If `pagination.total` == 2 or more, outputs `2 Posts`
Credit to @sebgie for making this work.
closes#3082
- no more in-line HTML strings
- adding files for "welcome", "reset password", and "invite user" emails
- added mail.generateContent() to create HTML and plain-text email content
- refactored methods that trigger emails to send both HTML and plain-text emails
closes#3431
- change feed_test.js to call casperjs getHTML() instead of
getPageContent(), because the latter now strips markup
Alternative fix would be to use .page.frameContent directly
instead of using a casperjs wrapper.
Change runs cleanly on Travis (old casperjs tag) and locally
in the Ghost-Vagrant setup with both the old casperjs tag
and the current HEAD SHA (29bbd03f7cdc9fc1e70f0fe1400635dd7d3537ad)
no issue
- acquiring a new access token using a refresh token sets the
expiration time of the refresh token to now + 24 hrs.
- moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to
`core/server/utils`
closes#3096, closes#3378, refs #3100
- user.permissible updated to reflect proper permissions
- small amount of API refactoring to handle extra cases
- extensive integration testing
refs #3083, #3096
In order to implement advanced permissions based on roles for specific
actions, we need to know
what role the current context user has and also what action we are
granting permissions for:
- Permissible gets passed the action type
- Effective permissions keeps the user role and eventually passes it to
permissible
- Fixed spelling
- Still needs tests
closes#3177
- uses an iFrame to initiate the download to hide the access token
The access token is now hidden in the admin logic. If we would like to
completely hide the token it is possible to remove the access token and
use signed requests instead, but I think the effort isn’t worth the
benefit in this case.
Closes#3399
- Provide our own authenticate action handler which does not
clear the password input.
- Use the Signin route's deactivate hook to clear the password
property on the controller after the user has transitioned
away from the signin page.
No issue
- Created NewUserValidator class to DRY up validation of a models name, email, and password
- Changed SignUpValidator to be an instance of NewUserValidator
- Changed SetUpValidator to extend NewUserValidator
closes#3392
- removing data-binding attribute for "name" input box on signup screen
- removing data-binding attribute for "password" input box on signup screen
- making "email" the first input box and "name" the 2nd
- removing "autofocus" attribute for "email" input box on signup screen
closes#3374
- If user object is returned but undefined, we'll display a
human-readable
error notification (user model)
- If user object is returned, but the user is inactive or invited (but
not
activated), we'll display a human-readable error notification
Closes#3083 Refs #3229
- Populates the dropdown list in the invite user menu with the
list of roles a user is permitted to create.
- Users API now checks the invite user request for allowed roles.
- Change API response from 200 to 201 on successful invitation.
- Change API response from 500 to 201 when the user was created but
the email was not sent. The client will show a warning notification
when it sees 'invite-pending' as the new user's status.
- Add support for "?status=all" to the /users endpoint.
- Refactor the route and controller for the /settings/users page so
that there's only one network API call to load users instead of two.
closes#3373
- added check if role is already assigned
- added check for unknown fields to fixDates/fixBools
- permissions are not implemented yet, so everyone is able to edit
owner ;-)
closes#3352
- adding a ```type``` attribute to buttons inside form in the settings section
- scanning the rest of the project to find any other buttons w/a missing attribute
