Closes#3291
- Adds redirects based on roles as defined in the case
- Adds new mixin `CurrentUserSettings`
- For authors, all settings pages redirect to `users/self`
- For editors, all settings pages other than specific users redirect to `users`. Any user that is not self or an author redirects to `users`
Refs #3424, Refs #3444
- API and test suite refactoring triggered a conflict with
the way update_check_spec.js was written. Using a running
copy of Ghost is no longer needed in those tests so it
was removed.
No Issue
- Move authentication related handlers to the Application route.
- Switch Sign Out from a button to a link. Use the signout route
to handle invalidating the session and redirecting instead of
an action from a button.
- Clear error messages on signin page when pressing log in button.
- Errors are now always shown on sign in screen and a success
notification is shown after sign out.
- Update functional tests.
Closes#3281
- Add the missing return to populateDefault
- Wrap defaultSetting in [] when passing to readSettingsResult
- Populate default value of dbHash in parseDefaultSettings
- Modify migrations.init to only load databaseVersion for export_spec test
- Fix spacing in test util file and null reference error in test
- Uncomment user tests (but add .skip) and remove settings from testUtils.setup()
no issue
- added `invited-pending` when resending invitation
- promise chain was missing a return statement
- email error was masked and front end showed success notification
issue #3409
- DRYs out the controllers/frontend a little by moving common functinoality
into its own function
- adds ability to use home.hbs template file if it exists
- adds unit tests for this functionality
closes#3274
- Ensure that validation errors are always handled by moving them into the
importer
- Ensure that db errors are handled consistently across sqlite and mysql
- Change the errors to be output in a table, with a short failure notification
- Add tests for 003 importing bad files
Closes#3414
- Adds a helper which shows a select string deopending on the number of items provided
```
{{plural pagination.total empty='No posts' singular='% post' plural='% posts'}}
```
If `pagination.total` == 0, output 'No Posts'
If `pagination.total` == 1, outputs `1 Post`
If `pagination.total` == 2 or more, outputs `2 Posts`
Credit to @sebgie for making this work.
closes#3082
- no more in-line HTML strings
- adding files for "welcome", "reset password", and "invite user" emails
- added mail.generateContent() to create HTML and plain-text email content
- refactored methods that trigger emails to send both HTML and plain-text emails
closes#3431
- change feed_test.js to call casperjs getHTML() instead of
getPageContent(), because the latter now strips markup
Alternative fix would be to use .page.frameContent directly
instead of using a casperjs wrapper.
Change runs cleanly on Travis (old casperjs tag) and locally
in the Ghost-Vagrant setup with both the old casperjs tag
and the current HEAD SHA (29bbd03f7cdc9fc1e70f0fe1400635dd7d3537ad)
no issue
- acquiring a new access token using a refresh token sets the
expiration time of the refresh token to now + 24 hrs.
- moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to
`core/server/utils`
closes#3096, closes#3378, refs #3100
- user.permissible updated to reflect proper permissions
- small amount of API refactoring to handle extra cases
- extensive integration testing
refs #3083, #3096
In order to implement advanced permissions based on roles for specific
actions, we need to know
what role the current context user has and also what action we are
granting permissions for:
- Permissible gets passed the action type
- Effective permissions keeps the user role and eventually passes it to
permissible
- Fixed spelling
- Still needs tests
closes#3177
- uses an iFrame to initiate the download to hide the access token
The access token is now hidden in the admin logic. If we would like to
completely hide the token it is possible to remove the access token and
use signed requests instead, but I think the effort isn’t worth the
benefit in this case.
Closes#3399
- Provide our own authenticate action handler which does not
clear the password input.
- Use the Signin route's deactivate hook to clear the password
property on the controller after the user has transitioned
away from the signin page.
No issue
- Created NewUserValidator class to DRY up validation of a models name, email, and password
- Changed SignUpValidator to be an instance of NewUserValidator
- Changed SetUpValidator to extend NewUserValidator
closes#3392
- removing data-binding attribute for "name" input box on signup screen
- removing data-binding attribute for "password" input box on signup screen
- making "email" the first input box and "name" the 2nd
- removing "autofocus" attribute for "email" input box on signup screen
closes#3374
- If user object is returned but undefined, we'll display a
human-readable
error notification (user model)
- If user object is returned, but the user is inactive or invited (but
not
activated), we'll display a human-readable error notification
Closes#3083 Refs #3229
- Populates the dropdown list in the invite user menu with the
list of roles a user is permitted to create.
- Users API now checks the invite user request for allowed roles.
- Change API response from 200 to 201 on successful invitation.
- Change API response from 500 to 201 when the user was created but
the email was not sent. The client will show a warning notification
when it sees 'invite-pending' as the new user's status.
- Add support for "?status=all" to the /users endpoint.
- Refactor the route and controller for the /settings/users page so
that there's only one network API call to load users instead of two.
closes#3373
- added check if role is already assigned
- added check for unknown fields to fixDates/fixBools
- permissions are not implemented yet, so everyone is able to edit
owner ;-)
closes#3352
- adding a ```type``` attribute to buttons inside form in the settings section
- scanning the rest of the project to find any other buttons w/a missing attribute
no issue
- Refactor all integration tests to specify and load ONLY the fixtures
they require to run, rather than initialising the whole kit-and-kaboodle
for every single test which takes FOREVER.
- Refactor the route tests to share a doAuth function, and also specify
additional fixtures required
- Move import and export unit tests, which are actually integration tests
(they touch the DB)
- Comment out most of the permissions unit tests for now as they need more
stubs/mocks so as to not touch the DB
Still todo:
- prevent default DB initialisation in route tests, and specify all
fixtures requires as per the integration tests
- fix up the unit/permissions_spec
migration from usage of config() to just an object of config.
no relevant issue
- Change 'loadConfig' task to 'ensureConfig' to more accurately reflect
what it is actually doing. Its sole purpose is to make sure a `config.js`
file exists, and as such the name now reflects that purpose.
- Update config/index.js to export the ghostConfig object directly
so that it can be accessed from other modules
- Update all references of config(). to config.
This was a blind global find all and replace, treat it as such.
- Fixes to tests to support new config access method
- Allow each test to still work when invoked invidually
Closes#3161
- Add a config.js file for the client which is used to configure
Ember.Application during runtime. The correct version of config.js
is copied into place by grunt via the copy:(dev|prod) task from
either config-dev.js or config-prod.js.
- Serve minified and production versions of libraries where applicable
including handlebars-runtime and ember-prod.
- Bundle third party libraries into vendor.min.js.
- Bundle Ghost's Ember app and templates into ghost.min.js
- Remove all fixture data and code from the client.
Closes#3357
- API method User#edit now handles User objects that have either
an array of Role ids or objects.
- Fixed error handler notification on upload modal controller.
refs #3087
- added ability to edit user/roles relation
- user is not allowed assign roles to himself
- only one role per user is supported atm
- added tests
No Issue
- Loading posts from the API should not be necessary in PostsIndexRoute
because its parent resource (PostsRoute) pre-loads the store.
Changing the store.find to store.all gets rid of a duplicate
network request to load all posts.
closes#3222
- implementing server-side pagination for /users API
- passing /users?limit=none will return all users
- passing /users?status=invited will filter base on user status
- creating 3 mixins (route, controller and view) to keep pagination logic DRY
- updating route, controller and view for Posts to use new mixing
- implementing infinite scrolling for Users Management screen (using new mixins)
- Users Management screen displays all invited users, but paginates active users
Closes#3325
- Add Roles model and add hasMany roles to User model.
- Add EmbeddedRelationAdapter that will automatically include
hasMany relations in calls to the API.
- UserAdapter and PostAdapter now extend EmbeddedRelationAdapter
and all explicit includes from store.find() have been removed.
Closes#3196
* adds `/roles/` endpoint
* is given the current user as context
* wraps everything in a canthis.browse.role
* gets all the available roles (should "Owner" be filtered out?)
* optional parameter: `permission=assign`. Gets all roles authenticated user could assign
* if we're not signed in, gives a "please sign in" (standard) error
* if we're signed in, but user is not in the context, gives a "there was no user in the context" error
* if the user is an "Author", gives a "there are no available roles to assign" error
* implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available)
* added extra fixtures to `permissions.json`. Might need a migration.
Caveats:
* there are no tests
* for some reason the setup functional test was failing for me locally
No issue
- Removed tabs from tag.js (why didn't jshint catch this?)
- Removed superfluous `activate` in SettingsIndexRoute
- updated `UserModel` and `TagModel` to have `created_by, updated_by` be references to `user` objects.
- updated `UserModel` to use `moment-date` instead of `date`
closes#3309, refs #3229
- adds different message depending on status
- doesn't delete the new user if the problem was an email error
- filters the 2 lists based on all statuses
Ref #3084
This PR does NOT hide the dropdown as required to close 3084.
- `EditorNewRoute` creates post with the author set to the current user
- added `authors` ArrayPromiseProxy (whoa, what?) to PSM
- added `changeAuthor` function that sets author and saves model when the user selects a new author
closes#2600
- adds 2 new columns to tags, for the soon-to-land tag management UI
- fixes validation for the active bool in app_fields
- adds missing return to addColumn command
- cleanup in addTableColumn util
No Issue
- Do not run generateSlugPlaceholder if save has been initiated
and the title has already been set on the post. At that stage
a slug has already been generated and another API call is not
necessary.
fixes#3275, fixes#3290, ref #3086, ref #3084
- Ensure that we use the current logged in user and not just user 1 when
- removing hard coded user: 1 except where absolutely necessary
- passing context, rather than user to models
- base model has a new function to determine what id to use for created_by etc
Refs #3160
- gh-notifications component now takes an optional notify
parameter. If present it will be invoked as an action
when a notification is added or removed.
- Add a data-notification-count attribute to the main container
that tracks the number of "top" notification messages that
are currently being shown.
Closes#3279
- Switch from this.session.get('user') to this.store.find('user') and
some further limiting until a custom user adapter is created
- Switch the deactivate logic to rollback the used model
- Pass the user as the model in the link-to in user list template
closes#3128 (now really)
- added express variable disableLoginLimiter
- added disableLoginLimiter to all tests that use Ghost as module and
do authentication
- fixed isSetup not working for status other than active
- removed ‚Ensure a User is Registered‘ test as this is covered by the
new setup test
Reverting the placeholder that was introduced in #2734 to fix#1623. We should handle this intelligently by automatically interpretting the input and using validation if we can't. The user should not have to know or care about what http is.
Regardless off any of the above, we should not be introducing user-facing text like this without proper consideration. A placeholder of "http://ghost.org" is far more confusing than no placeholder at all. It also looks like a cheap promotional tactic on our part.
refs #3283, refs #2739, refs #3096
- Renames permissions which didn't follow bread
- Adds permissions for notifications, mail and tags
Still todo:
- wire up the new permissions where they are needed
- add permissions for roles
refs #2600
One day in the future it would be nice to have a CLI for Ghost
In the meantime, lets have an easy way to force migrations to run
This is for development, or dead end situations only
It will at least do a DB backup ;)
Closes#3145
- Prevent navigation to the setup screen if Ghost setup
has previously been completed.
- Fix templates that were incorrectly using foreach instead of each.
- Add validation for minimum password length.
- Fix up functional tests and split out tests for setup to a separate
instance of casper because setup requires a new database.
- Add a cleanDatabase task to grunt which resets the database to
new.
Refs #3161
- Move two inline template snippets from the post tags input
component into the .hbs template file so they can be
pre-compiled. Needed when shipping only the handlebars runtime
in production mode.
Closes#3105, Closes#3175
- Removed notification on successful post's `page` status change
- Removed notification on successful post `featured` status change
- Added `closePassive()` notifications on error in the post-settings-menu
- Persistent notifications will close whether their `DELETE` request was
successful or not.
#### Misc
- Added `name` attribute to `post-setting-menu.hbs` inputs to facilitate testing
- Removed `return <Promise>` from action in `PostSettingsMenuController`. Actions should only return `true`
- Toggling `post.featured` won't fire NProgress.
closes#3252
- added `/ghost/api/v0.1/uploads/` endpoint
- removed upload method from `controller/admin.js`
- moved removal of temporary files from storage to endpoint (needed to
account for failed uploads)
- changed and moved tests
- Oversight: I think that we use `.otherwise()` and `.catch()` a bit
too extensive and mask the real error objects. We probably need an
error handling strategy at some point in the future.
Closes#3254, closes#3138, closes#3245
### Settings Routing and View refactoring
- Refactored `SettingsView` to handle transitions between mobile and desktop layouts
- `SettingsRoute` will only transition to `settings.general` if the screen is large enough to show both the menu and the content
- Added `SettingsIndexView` to handle showing the settings menu on mobile screens
- Added `SettingsContentBaseView` to be inherited by any settings view that is not index.
- Updated Settings templates appropriately to work with new views
- Removed extraneous `active` class from `settings-content`
- Changed settings menu to use `gh-activating-list-item`
- Retooled settings tests
### Mobile Utils
- Renamed file to `mobile.js`, since it's inside of `utils/`
- Added `mobileQuery` MediaQueryList to help detect layout changes
- Removed unused `hasTouchScreen`, `device.js` should be used instead.
- Removed unused `smallScreen` function
- Moved FastClickInit to codemirror-mobile
refs #2600
- fixed issue with defaults not being populated on upgrade
- added logging to all actions in the migration process to help debugging
in future
- did a little bit of refactoring
Closes#3271
- Change validations on both server and client to allow the
Website field to be empty or a valid URL.
- Add new schema validation helper isEmptyOrURL.
- Remove duplicate call to UserValidator in the save action
of the SettingsUser controller.
- User.last_login and User.created_at are already Moment objects
so Moment#fromNow can be called on them directly.
refs #2600, refs #2379
Refactoring fixtures to make permission management a little easier
- Separate fixtures into JSON file and split permissions fixtures from other fixtures
- make fixture migrations more robust by fetching objects, not relying on
ids and checking before adding
- changed owner fixture slightly to remove any confusion between the 'Owner' role and 'Ghost Owner' user.
- moved 003 fixture versions out of config into logic, possibly not a good
idea
- refactored permissions fixtures and added permissions_roles fixtures to
make it easier to read / add
closes#2422
- updated to use new change password method
- have all save settings use notifications
- create assetUrl helper for creating asset paths with subdir's properly
prefixed
- move all url based helpers onto a url object in ghost-paths
Closes#3037
- Created `NProgressSaveMixin`, which extends the `save` method of a model
to fire NProgress.
- Extended `UserModel`, `PostModel`, and `SettingModel` with the new
mixin.
- NProgress can be disabled by passing an options hash to the save function with the `{disableNProgress:true}`
- Now that the ValidationEngine isn't the only thing playing with options inside of `model#save`, refactored it to pass the options down the super chain.
