Commit Graph

265 Commits

Author SHA1 Message Date
Jeremiah Hoyet
bbe3ceb025 Fixed issue where Gravatars with rating higher than G would cause a 404 error.
closes #4770
- Check for Gravatar now allows the highest rating for images
- Defaults to silhouette in the event a user deletes their Gravatar
- Allows highest rating for Gravatars (x), since Ghost should have no opinion on image ratings.
2015-01-08 19:34:28 -05:00
Jason Williams
5c6d45f258 Optimize model class methods
No Issue
- Reorder promise chains to defer database queries until they
  are needed.
- Execute database queries that are not dependent on each other in
  parallel instead of sequentially.
- Reduce the number of variables used to hold state across multiple
  promise blocks.
- Do not go async unless necessary.
2014-12-19 00:54:22 +00:00
Sebastian Gierlinger
40c78493a3 Password change MU
closes #4624
- added user_id to password reset request
- hide old password field
- updated changePassword method to check permissions
- updated changePassword method to work without oldPassword
- fixed bug for errors shown as [Object object]
2014-12-11 21:23:07 +01:00
Sebastian Gierlinger
319887c77b Merge pull request #4573 from ErisDS/limit-all-sitemaps
Add limit=all consistently to users, posts & tags
2014-12-04 09:45:33 +01:00
Hannah Wolfe
9b146e59bb Add limit=all consistently to users, posts & tags
refs #623, #4348

- this fixes sitemaps to list all posts, pages, tags and users
- makes the API behave consistently across all paginated resources
2014-12-03 18:46:26 +00:00
Sebastian Gierlinger
9b8141bb08 Merge pull request #4530 from ErisDS/issue-4498
API - no more m-2-m relation ids by default
2014-12-02 20:49:47 +01:00
Hannah Wolfe
4cb909542a API - no more m-2-m relation ids by default
closes #4498

- remove toJSON code which returns only IDs from objects
- don't auto-include tags & fields in post responses
- don't auto-include roles in user responses
- fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-12-02 19:24:44 +00:00
Hannah Wolfe
c06e649ab1 Merge pull request #4554 from sebgie/issue#3872
URL safe base64 encoding
2014-12-01 16:56:14 +00:00
Sebastian Gierlinger
9ddabffa10 URL safe base64 encoding
closes #3872
- updated base64 escaping to respect + and \
- updated base64 escaping to remove = during transport
- updated tests
2014-12-01 16:59:49 +01:00
Jacob Gable
2cfa18475a Generate sitemap files
Closes #623

- Add basic init and eventing scaffold
- Add sitemap-index.xml generation
- Broke out generators to individual files, added request handler
- Add page, author and tag xml files; add index mapping
- Add SiteMapManager unit tests
- Add Generators tests
- Cache invalidation headers for sitemap-*.xml
- Redirect sitemap.xml to index and rename to sitemap-index
- Handle page convert and publish/draft changes
- Add very basic functional test for route existence
- Add cache headers to sitemap routes
2014-11-30 10:49:45 -08:00
sanddudu
904727a927 Fix gravatarLookup method
Closes #4511
- Add missing "return"
- Fix error handling
2014-11-25 21:30:53 +08:00
Hugo Jobling
11a0f01e25 Make tokens URL safe
Base64 encoding causes some issues when the token is URL encoded
as the = symbol is not a valid URL character. We replace any =
symbols with a - as this is valid in a URL, but is guaranteed
not to appear in a base64 string. This fix ensures that Ghost
password resets work with mail providers such as Mailgun that
add their own tracking redirects

closes #3872 (for real this time)
2014-11-20 11:38:43 +00:00
Victor Szeto
2e8e2ce367 Improve validation for user.website
closes #4444
- validate URL without protocol in server and client
- when saving url, add `http://` if the url doesn't have a protocol
2014-11-17 00:40:43 -05:00
Jason Williams
15fe121490 Fix gravatar request url.
Refs #4367
- 'http:' was accidentally left out when passing the gravatar
  URL into request, and request requires the full scheme to be present.
2014-11-16 04:33:33 +00:00
Jason Williams
a2e670cb0b Merge pull request #4320 from felixrieseberg/iss4235
Work with case-sensitive email addresses
2014-11-12 19:35:38 -06:00
Felix Rieseberg
af1d2201b0 Work with case-sensitive email addresses
Closes #4235
2014-11-12 17:18:53 -08:00
Jason Williams
8249d88cdd Timeout after two seconds on gravatar lookup.
Refs #4277
- Switch from the built-in http module to request and set
  a timeout of 2 seconds on gravatar lookup requests.
- Move request package from devDependencies to dependencies.
2014-10-30 20:01:11 +00:00
Felix Rieseberg
0025f3d6de Shorter user slugs (if possible)
Closes #4211
2014-10-01 23:27:21 +02:00
Harry Wolff
469aaa398c Add jscs task to grunt file and clean up files to adhere to jscs rules.
resolves #1920

- updates all files to conform to style settings.
2014-09-17 21:44:29 -04:00
Maurice Williams
3583515e44 adding config flags to control all items mentioned in PRIVACY.md
closes #3241
- in config.js, the `privacy` attribute holds all privacy-related flags
- `privacy.userTinfoil: true` disables everything (equivalent to setting all flags to false)
- added helper function to core/server/config/index.js to checking privacy flags
- added helper function to core/server/config/index.js to show warning about deprecated items
2014-09-13 12:04:01 -04:00
Jason Williams
07ad400ee0 Replace the when promise library with bluebird.
Closes #968
2014-08-23 17:15:40 +00:00
Harry Wolff
5ff2a31ce1 Move Models module to have an init method that sets up all models
resolves #2170

- creates a models.init() function that requires all other model files
and caches them.  This is opposed to the previous functionality where
when you require('./models') it would immediately require all other models.
Now it's done when you want.

- Updates all tests to reflect the new structure of the model module
2014-08-18 15:54:10 -04:00
Hannah Wolfe
5381db37cd Fix for bug where owner user has name owner
no issue

- in the case that the role is not being assigned, the code assumes it doesn't get a role..
2014-08-11 10:51:14 +01:00
Hannah Wolfe
8d46705dbb Disable user validation and errors on login
fixes #3658

- Catch any errors from user.save() events during login
- Prevent validation from happening at all when only updating status/last_login
- Fixes a problem I introduced with errors which are arrays in logError
2014-08-08 13:12:17 +01:00
Fabian Becker
9915fb1268 Fix revoke user invite and user.destroy
fixes #3630
- Extend user adapter in ember to load users with status: all
- Fix user.destroy by loading all users with status: all
2014-08-06 16:48:18 +00:00
Fabian Becker
a2d5105bcc Changing User.read API to default to active users.
refs #3542
- Properly handle forgotten screen (ember)
- Change Users API to only return active users on read
- Adjust tests
2014-08-06 00:30:48 +02:00
Felix Rieseberg
abf251212c Descriptive error if user by mail not found.
closes #3537
- Replaced generic NotFound error with descriptive NotFoundError.
2014-08-01 18:13:33 -07:00
Jason Williams
938b183707 Sanity check page parameter used in findPage
Closes #3510
- Make sure the page parameter is does not overflow the
  integer data type.
- Added tests.
2014-08-01 14:32:38 +00:00
Hannah Wolfe
756368721e Update importer for MU
closes #3285

- remove apps stuff for now
- if there is a single user, behave the same as before, overriding
  non-critical properties of the single owner user
- if there are multiple users, import them like normal resource
2014-07-31 23:14:57 +01:00
Hannah Wolfe
194d45fac6 Merge pull request #3480 from jaswilli/issue-3466
Update user roles in store after owner transfer
2014-07-31 15:39:48 +01:00
Hannah Wolfe
1c3cb1bb6a Merge pull request #3472 from morficus/issue-3401
custom slugging capabilities for individual user pages
2014-07-31 15:36:11 +01:00
Jason Williams
baf9138b27 Update user roles in store after owner transfer
Closes #3466
- Transferring the owner role is now done via a separate
  endpoint and not through Ember-Data.  As a result the
  user role data needs to be updated manually.
- Updated the owner endpoint to return a response body
  containing the updated user objects.
- Updated tests.
2014-07-31 13:41:10 +00:00
Maurice Williams
489cd08d97 custom slugging capabilities for individual user pages
closes #3401
- modifying slug-generator to be more generic
- adding slugging capabilities for /settings/users/:slug
- modified posts to use the updated slug-generator
2014-07-31 08:14:22 -04:00
Hannah Wolfe
eecbdc1693 User edit & add endpoints cleanup
- edit and add endpoints don't assume role
- edit and add endpoints cope with no role, role objects, and strings
- resend user invite was failing at one point due to no role being sent, but this shouldn't be required
- other random api cleanup
2014-07-31 12:37:48 +01:00
Gabor Javorszky
8487dada0b Implement user and related content deletion
Closes #3100

* Introduces `destroyByAuhor`, given a context and an id, it will check if context has permission to delete the user by the id, and then deletes all the content where `author_id` is id, and then deletes the user
* Does multiple checks to make sure user exists
* Added a fixture `posts:mu` that creates 4 users belonging to 4 roles, 50 posts that have authors evenly distributed, 5 tags and all 50 have one tag attached to it, evenly distributed.

Caveats / questions

* Started testing
2014-07-31 03:48:59 +01:00
Hannah Wolfe
5dc457b417 Merge pull request #3443 from halfdan/30850-users-api
Users API advanced browsing
2014-07-30 22:47:55 +01:00
Hannah Wolfe
5d3788ffe6 Merge pull request #3457 from sebgie/issue#3426
Transfer ownership end point
2014-07-30 22:26:42 +01:00
Fabian Becker
d4fdb07d9c Users API advanced browsing
closes #3085
- active and invited include multiple statuses when fetching
- adjusted data generator
2014-07-30 16:59:27 +00:00
Sebastian Gierlinger
ded6aa6ac0 Transfer ownership end point
closes #3426
- added transfer ownership endpoint
- added owner to roles.permissible
- manually removed owner from roles.browse
- removed hard coded author role
- fixed tests that were passing due to hard coded author role
- added testUtils.setup(‚roles‘)
2014-07-30 17:40:30 +02:00
Hannah Wolfe
57a5444335 User API ability to filter users by role
refs #3446

- This only covers the API changes needed for #3446
2014-07-30 15:02:25 +01:00
Maurice Williams
e15fb9ed57 Error when inviting users
fixes #3433
- passing only the role ID when creating a user
- uncommenting test cases
2014-07-29 00:06:40 -04:00
Hannah Wolfe
987e9277dc User edit, add & destroy perms restricted by role
closes #3096, closes #3378, refs #3100

- user.permissible updated to reflect proper permissions
- small amount of API refactoring to handle extra cases
- extensive integration testing
2014-07-28 08:32:04 +01:00
Hannah Wolfe
4e3b21b7da Permissions Improvements
refs #3083, #3096

In order to implement advanced permissions based on roles for specific
actions, we need to know
what role the current context user has and also what action we are
granting permissions for:
- Permissible gets passed the action type
- Effective permissions keeps the user role and eventually passes it to
  permissible
- Fixed spelling
- Still needs tests
2014-07-28 06:29:59 +01:00
Felix Rieseberg
0b39df777b Signin: Proper notification if user not found
closes #3374
- If user object is returned but undefined, we'll display a
human-readable
error notification (user model)
- If user object is returned, but the user is inactive or invited (but
not
activated), we'll display a human-readable error notification
2014-07-24 11:34:52 -04:00
Jason Williams
8a2d50b871 Improve handling of users and roles in admin
Closes #3083 Refs #3229
- Populates the dropdown list in the invite user menu with the
  list of roles a user is permitted to create.
- Users API now checks the invite user request for allowed roles.
- Change API response from 200 to 201 on successful invitation.
- Change API response from 500 to 201 when the user was created but
  the email was not sent.  The client will show a warning notification
  when it sees 'invite-pending' as the new user's status.
- Add support for "?status=all" to the /users endpoint.
- Refactor the route and controller for the /settings/users page so
  that there's only one network API call to load users instead of two.
2014-07-24 14:20:47 +00:00
Sebastian Gierlinger
fa054a8eba Fix incorrect error
closes #3373
- added check if role is already assigned
- added check for unknown fields to fixDates/fixBools
- permissions are not implemented yet, so everyone is able to edit
owner ;-)
2014-07-24 10:17:10 +02:00
Jason Williams
739b57e05b Update Users API to handle role objects or ids
Closes #3357
- API method User#edit now handles User objects that have either
  an array of Role ids or objects.
- Fixed error handler notification on upload modal controller.
2014-07-22 05:48:16 +00:00
Sebastian Gierlinger
28b03ec87e Add edit roles
refs #3087
- added ability to edit user/roles relation
- user is not allowed assign roles to himself
- only one role per user is supported atm
- added tests
2014-07-21 22:50:43 +02:00
Maurice Williams
a8ca517c54 Pagination for Users Management screen
closes #3222
- implementing server-side pagination for /users API
- passing /users?limit=none will return all users
- passing /users?status=invited will filter base on user status
- creating 3 mixins (route, controller and view) to keep pagination logic DRY
- updating route, controller and view for Posts to use new mixing
- implementing infinite scrolling for Users Management screen (using new mixins)
- Users Management screen displays all invited users, but paginates active users
2014-07-21 14:03:26 -04:00
John O'Nolan
d10771b711 Larger default gravatar images 2014-07-20 18:50:07 +02:00
Hannah Wolfe
6e48275160 Extending context concept to models
fixes #3275, fixes #3290, ref #3086, ref #3084

- Ensure that we use the current logged in user and not just user 1 when
- removing hard coded user: 1 except where absolutely necessary
- passing context, rather than user to models
- base model has a new function to determine what id to use for created_by etc
2014-07-18 15:32:56 +01:00
Sebastian Gierlinger
42f461cb6d Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-17 14:22:07 +02:00
Hannah Wolfe
5c1a7a7349 Revert "Restore spam prevention" 2014-07-17 12:11:23 +01:00
Sebastian Gierlinger
e4e027d17b Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-16 10:00:49 +02:00
Hannah Wolfe
b03ecd9ebc Use bookshelf's model registry plugin
Refs #2170

This removes the circular dependency problem from our models thanks to
https://github.com/tgriesser/bookshelf/issues/181
- add the registry plugin
- switch all models and collections to be registered
- switch relationships to be defined using a string, which calls from the registry
2014-07-13 18:18:25 +01:00
Sebastian Gierlinger
8c2258dc4c Move setup to API
closes #3136
- moved setup to authentication API
- added `POST /ghost/api/v0.1/authentication/setup` to execute the
setup process
- added `GET /ghost/api/v0.1/authentication/setup` to check if blog is
already set up (needed for #3145)
- removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
Sebastian Gierlinger
215badc663 Setup hijacks owner user
closes #3074
- user generated by fixture is hijacked
- user is updated with name, email, password, slug and status
- creates new user if db is migrated but no user exists
- previously removed tests are back
2014-07-10 19:29:51 +02:00
Sebastian Gierlinger
5e4fae6f11 Add owner fixture
closes #3073
- added fixture for owner role
- added fixture for initial user (new db)
- added conversion administrator -> owner (existing db)
- changed tests to take over owner user
- removed some functional tests until /setup works with owner user
2014-07-10 12:00:51 +02:00
Sebastian Gierlinger
035fb04d34 closes #3197
- added role to user obj (only returned from the user endpoint)
- added `/users/?include=roles` and
`/users/?include=roles,roles.permissions` query parameters
- added and updated tests
2014-07-08 18:00:59 +02:00
Sebastian Gierlinger
84cfd529ed Allow user to accept invitation
closes #3081
- added route `/ghost/api/v0.1/authentication/invitation`
- added accept invitation
- added signup with token
- removed check() from users api
- fixed promise in resetPassword()
2014-07-03 17:06:07 +02:00
Sebastian Gierlinger
79a80b67ac Invite user API
closes #3080
- added users.invite() to add user from email with random password
- added `GET /ghost/api/v0.1/users/` to invite users and resend
invitations
- removed one user limit
- added global utils for uid generation
- changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
Sebastian Gierlinger
c8e8da4780 oAuth
closes #2759
closes #3027

- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based

Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125

**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
2014-06-30 14:58:10 +02:00
Sebastian Gierlinger
1db0431e4d User API changes
closes #2822
- added destroy user method
- added remove user permission
- added API end point for get reset token
- added API end point for reset password
- added API end point for change password
2014-06-20 11:15:01 +02:00
Jason Williams
9a9593536d Update when.js dependency to version 3.2.3 2014-06-16 04:11:22 +00:00
Hannah Wolfe
c02ebb0dcf Refactor API arguments
closes #2610, refs #2697

- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
  everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
  to perform reads, updates and deletes where possible - settings / themes
  may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
2014-05-15 10:41:05 +01:00
Jacob Gable
0dc6dc29a7 Add apps permissable checks in posts and users
Closes #2738

- Re-introduce the TargetModel.permissable interface check in the
regular permission flow path
- Pass loadedPermissions, hasUserPermission and hasAppPermission to
permissable interface to reduce logic necessary
- Refactor recursive call to pass original arguments but with actual
model
- Refactor canThis(this.user) use in api/posts.js to just canThis(this)
2014-05-14 09:22:25 -05:00
Sebastian Gierlinger
fd0f5a5028 Add distinct error classes
closes #2690
- added new error classes
- moved errorhandling.js to /errors/index.js
- changed API errors to use new classes
- updated tests
2014-05-09 12:11:29 +02:00
David Arvelo
87cda81c84 Sanitize models' attributes/options before passing to bookshelf/knex
closes #2653
- enforce strict whitelists for model methods
- create a class method that reports a model method's valid options
- create a class method that filters a model's valid attributes from data
- create a class method that filters valid options from a model method's options hash
2014-05-06 23:02:49 -04:00
Sebastian Gierlinger
b98709b3ce Refactor omit of password
- remove password in toJSON() instead of filtering every occurrence of
user
- changed faulty error type ‚NotFound‘ to ‚NoPermission‘
2014-05-06 12:14:58 +02:00
Hannah Wolfe
31fc84cefb Consistency in model method naming
- The API has the BREAD naming for methods
- The model now has findAll, findOne, findPage (where needed), edit, add and destroy, meaning it is similar but with a bit more flexibility
- browse, read, update, create, and delete, which were effectively just aliases, have all been removed.
- added jsDoc for the model methods
2014-05-06 00:36:42 +01:00
Hannah Wolfe
f2071eedb2 Move user API to primary document format
closes #2593

- added new format to user API methods
- changed all places where the user api was used
- updated tests and added more coverage
- little bit of cleanup in utils/api
2014-05-02 20:50:44 +01:00
Hannah Wolfe
3eb284e4b5 Update & grunt-groc and fix docs errors
issue #2622

- Updated grunt-groc to 0.4.5
- Fixed the few places which made the docs fail to generate
- There is still a mix of styles
2014-04-21 19:04:20 +01:00
Sebastian Gierlinger
e47e9c62d0 Add permissions to API
closes #2264
- added permissions check to db, users and posts
- added register method to users
- added doesUserExist method to users
- added user from session to internal calls
- changed permissible to overwrite canThis
- removed action map and action type from permissable method
2014-04-16 18:22:22 +02:00
Sebastian Gierlinger
61e94a6e8b Use current user in models
closes #2058
- fixed apiContext as suggested in the issue
- added user to options object for models
- added api.users.register() for public registration
- changed models to use options.user for created_by, updated_by,
author_id and published_by
- added override to session model to avoid created_by and updated_by
values
- added user (id: 1) to tests
- added user (id: 1) for registration
- added user (id: 1) for import, fixtures and default settings
- added user (id: 1) for user update
- added user (id: 1) for settings update (dbHash, installedApps, update
check)
- updated bookshelf to version 0.6.8
2014-04-16 18:20:09 +02:00
Jacob Gable
9369dd3bf7 Add app permission checking to canThis
- Pass permissions loading to buildObjectTypeHandlers to eliminate
shared state
- Load both app and user permissions to check
- Check app permissions if present
- Create apps table and App model
- Move effectiveUserPermissions to permissions/effective
- Change permissable interface to take context; user and app.
- Add unit tests for app canThis checks and effective permissions
2014-04-16 18:06:39 +02:00
Matt Enlow
f8d90f1cc6 Added populate last login time
closes #2515
- sets last_login when user is saved if user status changed to active
- added integration test in user Basic Operations
2014-03-27 12:29:43 -06:00
Hannah Wolfe
438cbab68e Ensure generateSlug gets transaction for tags
fixes #2460

- add transacting to tag saving
- add same to users while we're here
2014-03-25 11:14:17 +00:00
Jonathan Johnson
e4bb6d08cc Update validator to 3.4.0
Closes #1379

- Convert to new api usage for both server-side and client-side
- Provide way require a negative response for boolean methods in
  default-settings.json
- Add field validation functional tests
  - Settings (General)
    - Title length validation
    - Description length validation
    - postsPerPage, numeric, min, max
  - Settings (User)
    - Bio Length validation
    - Location length validation
    - Url validation
  - Login
    - Email validation
  - Editor
    - Title required validation
2014-03-04 13:54:24 -07:00
Fabian Becker
1a9e91f120 Replace JSLint with JSHint.
closes #2277
- Added ES6 linting to core/client/
- Fix typeof array comparison
2014-03-04 15:47:39 +00:00
Sebastian Gierlinger
ac7f4f05c4 Add validation from schema.js
closes #1401
- added data/validation/index.js
- added generic validation for length
- added generic validation for nullable
- added validations object to schema.js for custom validation
- removed pyramid of doom from api/db.js
2014-02-19 18:32:23 +01:00
Sebastian Gierlinger
ea6c601b01 Improvements for models
#closes #1655
- removed models as parameter for bookshelf-session
- changed to read permittedAttributes from schema.js
- changed updateTags to be executed at saved event
- added validate to execute after saving event
- added test for published_at = null (see #2015)
- fixed typo in general.hbs
2014-02-19 14:57:26 +01:00
John-David Dalton
6eab7b3f92 Replace underscore with lodash. 2014-02-06 14:08:34 +00:00
Sebastian Gierlinger
d28bf3de4c Improve password reset token
no issue
- added check that a combination of email + expires is rejected after
10 attempts
- changed comparison to time independent method

Thanks to @chiiph for reporting this issue!
2014-01-30 13:00:30 +00:00
Hannah Wolfe
6098b83152 Adding case-insensitive User.getByEmail method
fixes #1498

- emails are no longer converted to lowercase, local mailbox can validly
  be mixed case
- getByEmail uses JS to compare emails to ensure we can support unicode
- tests that users can be retrieved by their email address with case
  insensitivity
2014-01-15 10:39:40 +00:00
Harry Wolff
a1f64d2f1f Extending halfdan’s work for UX settings improvements
#1351

- prevent a new post (not saved on server) from
updating its slug/date to the server

- fix jshint

- add back creation of a posts slug upon a post creation

- update for rebasing

- hide ability to ‘delete this post’ from post settings
menu when a post hasn’t yet been saved to the server
2014-01-06 21:33:24 -05:00
Hannah Wolfe
3f9b0fa618 Disable xss santization
issue #1378
fixes #1328

- xss santization does some odd things. This isn't needed until we have multi-user support, and we are investigating better solutions.
2014-01-06 20:17:20 +00:00
Hannah Wolfe
4bac1e3672 Fix gravatar retrieval
fixes #1778

- use http for initial request, store url with no schema
2014-01-01 18:10:55 +00:00
Sebastian Gierlinger
05ca5edeeb Remove fixed scheme from gravatar url
no issue
- removed scheme from gravatar url

Reason:
Gravatar supports ssl and the fixed scheme will cause ‚insecure
content‘ warnings.
2013-12-17 17:21:00 +01:00
Gabor Javorszky
c515e20ea3 Adds login limiter
Closes #499
* On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked`
* On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords.
* login attempts tell user how many attempts she has remaining in notification box
* successful login will reset status to `active`
* resetting password with forgotten password emailed token resets status to `active`
* complete with a test suite
2013-11-29 01:24:25 +00:00
Jacob Gable
34e453039b Improved Password Reset Tool
Closes #1471

- add api and User model methods for generating and validating tokens
- add routes and handlers for reset password pages
- add client styles and views for reset password form
- some basic integration tests for User model methods
2013-11-22 10:46:19 -06:00
Fabian Becker
89201a5c84 Lowercase email address.
fixes #1498
2013-11-18 00:34:51 +00:00
Declan cook
cbe8c15dc8 Add users Gravatar on signup
When a user registers try to find their gravatar.
2013-11-11 23:45:47 +00:00
Sebastian Gierlinger
bb17e1c0e9 Add API tests
closes #1189
- added tests
- added request module
- added status codes to API calls
- fixed return values of API calls
- fixed that drafts caused an error when being deleted
- fixed X-Invalidate-Cache headers
- moved testUtils.js to utils/index.js
2013-11-03 18:13:19 +01:00
Ben Gladwell
69d3a1460d Remove unparam:true from jslint config in Gruntfile.js
issue #1365
- added /*jslint unparam:true*/ to functions where absolutely necessary
- added /*jslint unparam:true*/ to functions in which keeping parameter
  list added clarity to the underlying api, even when those parameters
  are not currently used
- removed unused parameters in a few places
2013-10-31 14:02:34 -04:00
Fabian Becker
1af17725fc Replace nodejs-bcrypt with bcryptjs
* https://github.com/shaneGirish/bcrypt-nodejs
* https://github.com/dcodeIO/bcrypt.js
2013-10-23 15:43:45 +00:00
b1nd
8f74eb0b83 Added server validation for location field 2013-10-22 23:00:12 +01:00
Tim Griesser
13639ad8d1 Updating to bookshelf 0.5.7 & knex 0.4.11 2013-10-17 18:23:36 +01:00
Hannah Wolfe
95f9fce3be Swapping escape to sanitze
issue #938

- rather than using escape, use node-validatiors santize function which is designed for preventing xss vectors
- added listener for changes to both editor and settings page
- added more sanitization to the user model
- consistently use triple-braces when outputting blog post titles
2013-10-09 19:13:16 +01:00
Tim Griesser
c9235ccb0b Escaping several fields to prevent XSS
issue #938
- escapes post's title field
- escapes settings title, description, email
- escapes user's name field
- includes test for post title
2013-10-09 19:13:13 +01:00
John O'Nolan
d1957958e3 Cleanup indentation and quotes
Aligns all requirements vertically for easier reading + adds single quote standard consistently throughout Ghost, except in long strings.
2013-09-26 15:06:31 +01:00
Hannah Wolfe
32d1076d35 Correct validation message for short passwords
closes #833
2013-09-19 08:41:04 +01:00
Hannah Wolfe
d587a845d4 Set migrations to use new 000 schema
issue #632

- removed old schemas
- updated base model to reflect all of the consistent behaviours and properties across the models
- updated all models to match the new schema

TODO

- no fixtures are currently loaded except settings
- need to rename properties across the codebase
2013-09-14 20:01:46 +01:00
Hannah Wolfe
01f6551bf2 Small model update for tags and users
- tags are now created with uuid & timestamps
- user role is no longer a model, just a join done with attach
2013-09-13 15:06:17 +01:00
Hannah Wolfe
bbbfed9921 Temporary aliasing on the User model
issue #389

- Output only aliases (saving data with these keys won't work) gives us the right names in the theme API
2013-09-09 15:25:20 +01:00
Hannah Wolfe
36874badd5 Merge pull request #587 from javorszky/iss288
Email sending with Sendgrid plus password reset
2013-09-02 15:44:48 -07:00
Hannah Wolfe
1ff9550e1f User property aliases
issue #389

 - Temporary aliases for user model, schema will be changed soon, in the meantime we want themes to be built using the right properties
2013-09-02 20:58:49 +01:00
Gabor Javorszky
5999d01b7d Repaired email sending, implement password reset
Closes #288
* I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`)
* Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
2013-09-01 00:20:12 +02:00
Hannah Wolfe
c70dfde7e3 Agressive stripping of the model attributes
- fixes #517
- prevents this from occuring again in future with other relations
- validation function & stripping done for all models
- casper test for flow, plus validation & logged out tests
2013-08-25 18:12:27 +01:00
Hannah Wolfe
41e36cca7e Validation consistency
- introduced validation method in the post and user model
- moved signup validation onto model
- consistent use of validation & error messaging in the admin UI
- helper methods in base view moved to a utils object
2013-08-25 18:10:12 +01:00
Gabor Javorszky
be7ed2dfdc Added validation for signup and login screens
Closes #374
* Included node-validator as a package
* Implemented server side validation (the client side js is a mess, need a LOT of work)
* Validates email address both on signup and login screens, gives error message on malformed email addresses
* Requires at least 8 chars of password
* Tells user if password is too short
* Tells user if no such user on login
* Tells user if wrong password on login
* Tells user if server responds with a 404 (goes away, dies, etc)
* Added middleware between req and login / signup for validation
2013-08-20 09:42:42 +01:00
Jacob Gable
bbe5105048 Edit Post Permissions 2013-08-18 12:28:05 -05:00
Gabor Javorszky
f6d164b5d8 Current user added
Closes #340. Closes #375
* Replaced session with id of current user
* Added method to ghostlocals to always send profile picture and full name to templates (template checks if falsy)
* Modified user saving (`forge().set(new).save()` died on me, `forge().save(new)` didn't)
* If user has profile picture, that will be used
* If user has name, that will be used
* Password changing doesn't care about your email. Uses cookies. Tasty!
* User pane uses current user id. Had to set path to me, otherwise goes to `browse` instead of `read`.
* Added logic to user api to check for `id === 'me'`, and then use the cookie value
* User data saves are now correct
* There is no logout error
2013-08-17 22:02:46 +01:00
Hannah Wolfe
2f11f053ab Minor code cleanup, docs and other bits & pieces 2013-08-06 22:24:40 +01:00
Gabor Javorszky
071f9769c6 Users can change password
Closes #282
* Added a new route
* Added new methods
* Triple security!
* Passwords are actually changed
* Also added a change password button, because 'save' has too much baggage.

On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords.

Caveats:
* didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh?
* Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 00:49:06 +01:00
Hannah Wolfe
30b4eb07f7 App restructure - closes #245
- This is a first pass at getting a more logical structure. The focus is on moving from admin/frontend to client/server.
- The location of the databases is highly important, this isn't expected to change again
In the future
- client/assets should probably become public/
- more stuff should be shared (helpers etc)
- cleanup some confusion around tpl and views
2013-07-11 20:23:34 +01:00