no issue
- added our theme error handling middleware to {admin}/content/ so that cache headers are properly set for 404s
- only registered {admin}/content when a separate admin url is configured so that we're not overriding {site}/content
no issue
- Session controllers were using API v1 http method which bypassed "frame" introduced with API v2.
- Changes here are just a long-awaited cleanup to allow completely remove v0.1 code
- Theme fixtures don't have "ghost-api" which still fallbacks to v0.1 and have to have it hardcoded for now. When v0.1 removal is complete and v2 becomes the default this can be reverted
no issue
- As v0.1 API is dropped there is no need to keep an API client around
- Removed references to ghost-sdk in regression test suite
- Removed routes to /public/ghost-sdk.js
- Removed reference to ghost-sdk in grunt build process
refs https://github.com/TryGhost/Ghost/issues/11083
- the `/api/v2/admin/site/` endpoint is "public" and as such was not using the `authAdminApi` middleware stack so it did not act like other API endpoints with protocol or trailing-slash redirects
- adds `publicAdminApi` middleware array and uses it for the `/site/` endpoint in both v2 and canary API versions
no issue
- Removed v1 'author' leftover in include statement for preview controller
- Removed v1 'author' leftover in include statement for preview controller
- Removed v1 'author' leftover in include statement in entry lookup routing helper
- Migrated related test to use v2 API controller
- Removed v0.1 routing confif
- Removed v0.1 url config
- Fixed tests that had to do with url's in resources after removing v0.1 resources from URL cache
- Removed v1 'author' leftover in include statement in static routing helper
- Modified the test to use v2 API
- Removed v1 specific condition with 'page' in context helper
- Fixed dynamic routing spec after theme switch to v2. All tested users have to have at least one published post to be shown as an author
- Fixed URL Service spec to use theme engine v2
no issue
- Removed deprecated 'blog' reference from frontend data. The alias (site->blog) stays till next version (v4) as it's not leaving much of technical debt but would ease the migration process for anybody still using it.
- The follow up to this is substitute of all references to `options.data.blog` with `options.data.site` in "frontend"
- Fixed test utils helper to use `site` instead of `blog`
- Removed 0.1 flag checks in {{get}} helper
- Removed user aliasing from {{get}} helper
- Removed unused translation for {{get}} helper
- Added a note to excerpt changes in metadata for future reference
- Removed page alias used in description helper. The mix of page context with post object in the metadata was only possible in v0.1
- Changed mock in ghost_head helper to use v2
- Removed unneeded test for body class helper
closes https://github.com/TryGhost/Ghost/issues/11078
Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint was causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests, this means allowing all requests on `/private/` is not enough
Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
- same-origin (browsers and non-browser agents will not send an `Origin` header)
- origin is `localhost` or `127.0.0.1` with any protocol and port
- origin matches the configured `url` hostname+port on any protocol
- origin matches the configured `admin:url` hostname+port on any protocol
no issue
- when too many login attempts were detected for the `/private/` form we were throwing 500 errors instead of the more appropriate 429 error that we use everywhere else for "too many request" type errors
no issue
- @tryghost/url-utils was bumped to 0.3.1 which fixed admin redirects returning relative rather than absolute URLs
- updates tests that were expecting relative URLs rather than absolute URLs
refs #10496
- currently {{asset this/is/not/a.string}} would throw a 500 error
- this commit changes that to make it throw a sensible 400 + incorrect usage error
no-issue
* Installed @tryghost/members-ssr@0.4.0
This now supports caching of the data returned by the members-api
* Renamed cookies set by members-ssr
As discussed with @ErisDS I have prefixed these cookies with `ghost`
no-issue
When installing new packages yarn sorts them alphabetically, this meant
that installing/updating packages would have extra changes which would
be noisy either to developers or the git history.
fixes#10990
- Changed the static router to throw a 400 error for a missing template file, rather than falling back to using the default.hbs file
- Falling back is weird and hard to understand, but throwing an error makes it clear that the user has to provide the matching template
- The new error reads 'Missing template [filename].hbs for route "[route]".'
Assume you have a route.yaml file something like:
```
routes:
/: home
```
- In Ghost v2, if you don't have a home.hbs template, Ghost falls back to using the default.hbs file if it's available
- Most themes have a default.hbs, however this file is a layout file, depended on by other templates, not a template file itself
- In production mode, using the default.hbs as a template causes weird, intermittent layout issues depending on which order pages are loaded
- This is due to this issue: https://github.com/barc/express-hbs/issues/161
- In Ghost v3, we will throw a 400 error for missing template files instead of having a fallback
- In the example above, navigating to '/' would throw the error 'Missing template home.hbs for route "/".'
no-issue
* Installed members-api@0.5.0 members-ssr@0.3.1
* Supported multiple members-forms
* Used members canary api
* Added GET handler to /members/ssr for id token
The identity token will be used to ensure that a payment is linked to the correct member
* Added stripe.js to ghost_head when members enabled
* Added basic support for linking to stripe checkout
* Removed listener to title and icon settings changes
* Added stripe subscription config
no issue
- Drops `ghost_auth_access_token` and `ghost_auth_id` fields since not used anymore
- Adds migration for dropping these columns from users table
- Drops Auth strategy - `ghostStrategy` - since its not used anymore
no issue
- Content API doesn't return primary_tag and primary_author fields by default if authors or tags were not requested
- These fields are still always included in Admin API as a result of having authors and tags loaded (like a sideeffect)