closes#3401
- modifying slug-generator to be more generic
- adding slugging capabilities for /settings/users/:slug
- modified posts to use the updated slug-generator
- edit and add endpoints don't assume role
- edit and add endpoints cope with no role, role objects, and strings
- resend user invite was failing at one point due to no role being sent, but this shouldn't be required
- other random api cleanup
Closes#3242
- Add checks for valid fields in tags and posts
- Add unit test with empty tag export data file
- Add unit test with empty post export data file
Closes#3100
* Introduces `destroyByAuhor`, given a context and an id, it will check if context has permission to delete the user by the id, and then deletes all the content where `author_id` is id, and then deletes the user
* Does multiple checks to make sure user exists
* Added a fixture `posts:mu` that creates 4 users belonging to 4 roles, 50 posts that have authors evenly distributed, 5 tags and all 50 have one tag attached to it, evenly distributed.
Caveats / questions
* Started testing
closes#3426
- added transfer ownership endpoint
- added owner to roles.permissible
- manually removed owner from roles.browse
- removed hard coded author role
- fixed tests that were passing due to hard coded author role
- added testUtils.setup(‚roles‘)
Closes#3281
- Add the missing return to populateDefault
- Wrap defaultSetting in [] when passing to readSettingsResult
- Populate default value of dbHash in parseDefaultSettings
- Modify migrations.init to only load databaseVersion for export_spec test
- Fix spacing in test util file and null reference error in test
- Uncomment user tests (but add .skip) and remove settings from testUtils.setup()
no issue
- added `invited-pending` when resending invitation
- promise chain was missing a return statement
- email error was masked and front end showed success notification
issue #3409
- DRYs out the controllers/frontend a little by moving common functinoality
into its own function
- adds ability to use home.hbs template file if it exists
- adds unit tests for this functionality
closes#3274
- Ensure that validation errors are always handled by moving them into the
importer
- Ensure that db errors are handled consistently across sqlite and mysql
- Change the errors to be output in a table, with a short failure notification
- Add tests for 003 importing bad files
Closes#3414
- Adds a helper which shows a select string deopending on the number of items provided
```
{{plural pagination.total empty='No posts' singular='% post' plural='% posts'}}
```
If `pagination.total` == 0, output 'No Posts'
If `pagination.total` == 1, outputs `1 Post`
If `pagination.total` == 2 or more, outputs `2 Posts`
Credit to @sebgie for making this work.
closes#3082
- no more in-line HTML strings
- adding files for "welcome", "reset password", and "invite user" emails
- added mail.generateContent() to create HTML and plain-text email content
- refactored methods that trigger emails to send both HTML and plain-text emails
no issue
- acquiring a new access token using a refresh token sets the
expiration time of the refresh token to now + 24 hrs.
- moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to
`core/server/utils`
closes#3096, closes#3378, refs #3100
- user.permissible updated to reflect proper permissions
- small amount of API refactoring to handle extra cases
- extensive integration testing
refs #3083, #3096
In order to implement advanced permissions based on roles for specific
actions, we need to know
what role the current context user has and also what action we are
granting permissions for:
- Permissible gets passed the action type
- Effective permissions keeps the user role and eventually passes it to
permissible
- Fixed spelling
- Still needs tests
closes#3374
- If user object is returned but undefined, we'll display a
human-readable
error notification (user model)
- If user object is returned, but the user is inactive or invited (but
not
activated), we'll display a human-readable error notification
Closes#3083 Refs #3229
- Populates the dropdown list in the invite user menu with the
list of roles a user is permitted to create.
- Users API now checks the invite user request for allowed roles.
- Change API response from 200 to 201 on successful invitation.
- Change API response from 500 to 201 when the user was created but
the email was not sent. The client will show a warning notification
when it sees 'invite-pending' as the new user's status.
- Add support for "?status=all" to the /users endpoint.
- Refactor the route and controller for the /settings/users page so
that there's only one network API call to load users instead of two.
closes#3373
- added check if role is already assigned
- added check for unknown fields to fixDates/fixBools
- permissions are not implemented yet, so everyone is able to edit
owner ;-)
no issue
- Refactor all integration tests to specify and load ONLY the fixtures
they require to run, rather than initialising the whole kit-and-kaboodle
for every single test which takes FOREVER.
- Refactor the route tests to share a doAuth function, and also specify
additional fixtures required
- Move import and export unit tests, which are actually integration tests
(they touch the DB)
- Comment out most of the permissions unit tests for now as they need more
stubs/mocks so as to not touch the DB
Still todo:
- prevent default DB initialisation in route tests, and specify all
fixtures requires as per the integration tests
- fix up the unit/permissions_spec
migration from usage of config() to just an object of config.
no relevant issue
- Change 'loadConfig' task to 'ensureConfig' to more accurately reflect
what it is actually doing. Its sole purpose is to make sure a `config.js`
file exists, and as such the name now reflects that purpose.
- Update config/index.js to export the ghostConfig object directly
so that it can be accessed from other modules
- Update all references of config(). to config.
This was a blind global find all and replace, treat it as such.
- Fixes to tests to support new config access method
- Allow each test to still work when invoked invidually
Closes#3161
- Add a config.js file for the client which is used to configure
Ember.Application during runtime. The correct version of config.js
is copied into place by grunt via the copy:(dev|prod) task from
either config-dev.js or config-prod.js.
- Serve minified and production versions of libraries where applicable
including handlebars-runtime and ember-prod.
- Bundle third party libraries into vendor.min.js.
- Bundle Ghost's Ember app and templates into ghost.min.js
- Remove all fixture data and code from the client.
Closes#3357
- API method User#edit now handles User objects that have either
an array of Role ids or objects.
- Fixed error handler notification on upload modal controller.
refs #3087
- added ability to edit user/roles relation
- user is not allowed assign roles to himself
- only one role per user is supported atm
- added tests
closes#3222
- implementing server-side pagination for /users API
- passing /users?limit=none will return all users
- passing /users?status=invited will filter base on user status
- creating 3 mixins (route, controller and view) to keep pagination logic DRY
- updating route, controller and view for Posts to use new mixing
- implementing infinite scrolling for Users Management screen (using new mixins)
- Users Management screen displays all invited users, but paginates active users
Closes#3196
* adds `/roles/` endpoint
* is given the current user as context
* wraps everything in a canthis.browse.role
* gets all the available roles (should "Owner" be filtered out?)
* optional parameter: `permission=assign`. Gets all roles authenticated user could assign
* if we're not signed in, gives a "please sign in" (standard) error
* if we're signed in, but user is not in the context, gives a "there was no user in the context" error
* if the user is an "Author", gives a "there are no available roles to assign" error
* implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available)
* added extra fixtures to `permissions.json`. Might need a migration.
Caveats:
* there are no tests
* for some reason the setup functional test was failing for me locally
closes#3309, refs #3229
- adds different message depending on status
- doesn't delete the new user if the problem was an email error
- filters the 2 lists based on all statuses
closes#2600
- adds 2 new columns to tags, for the soon-to-land tag management UI
- fixes validation for the active bool in app_fields
- adds missing return to addColumn command
- cleanup in addTableColumn util
fixes#3275, fixes#3290, ref #3086, ref #3084
- Ensure that we use the current logged in user and not just user 1 when
- removing hard coded user: 1 except where absolutely necessary
- passing context, rather than user to models
- base model has a new function to determine what id to use for created_by etc
closes#3128 (now really)
- added express variable disableLoginLimiter
- added disableLoginLimiter to all tests that use Ghost as module and
do authentication
- fixed isSetup not working for status other than active
- removed ‚Ensure a User is Registered‘ test as this is covered by the
new setup test
refs #3283, refs #2739, refs #3096
- Renames permissions which didn't follow bread
- Adds permissions for notifications, mail and tags
Still todo:
- wire up the new permissions where they are needed
- add permissions for roles
refs #2600
One day in the future it would be nice to have a CLI for Ghost
In the meantime, lets have an easy way to force migrations to run
This is for development, or dead end situations only
It will at least do a DB backup ;)
Closes#3145
- Prevent navigation to the setup screen if Ghost setup
has previously been completed.
- Fix templates that were incorrectly using foreach instead of each.
- Add validation for minimum password length.
- Fix up functional tests and split out tests for setup to a separate
instance of casper because setup requires a new database.
- Add a cleanDatabase task to grunt which resets the database to
new.
closes#3252
- added `/ghost/api/v0.1/uploads/` endpoint
- removed upload method from `controller/admin.js`
- moved removal of temporary files from storage to endpoint (needed to
account for failed uploads)
- changed and moved tests
- Oversight: I think that we use `.otherwise()` and `.catch()` a bit
too extensive and mask the real error objects. We probably need an
error handling strategy at some point in the future.
refs #2600
- fixed issue with defaults not being populated on upgrade
- added logging to all actions in the migration process to help debugging
in future
- did a little bit of refactoring
Closes#3271
- Change validations on both server and client to allow the
Website field to be empty or a valid URL.
- Add new schema validation helper isEmptyOrURL.
- Remove duplicate call to UserValidator in the save action
of the SettingsUser controller.
- User.last_login and User.created_at are already Moment objects
so Moment#fromNow can be called on them directly.
refs #2600, refs #2379
Refactoring fixtures to make permission management a little easier
- Separate fixtures into JSON file and split permissions fixtures from other fixtures
- make fixture migrations more robust by fetching objects, not relying on
ids and checking before adding
- changed owner fixture slightly to remove any confusion between the 'Owner' role and 'Ghost Owner' user.
- moved 003 fixture versions out of config into logic, possibly not a good
idea
- refactored permissions fixtures and added permissions_roles fixtures to
make it easier to read / add
closes#2422
- updated to use new change password method
- have all save settings use notifications
- create assetUrl helper for creating asset paths with subdir's properly
prefixed
- move all url based helpers onto a url object in ghost-paths
Refs #2170
This removes the circular dependency problem from our models thanks to
https://github.com/tgriesser/bookshelf/issues/181
- add the registry plugin
- switch all models and collections to be registered
- switch relationships to be defined using a string, which calls from the registry
Issue #3160
- Use notifications API to display available update notification.
- Remove update_notification handlebars helper as now both the
check for an available update and the notification handling
is run from the server's admin controller index method.
- Bind the notification's location property to a css class
for styling.
- Refactor Ember notifications to better handle notification
objects. Move responsibility for css class generation onto
the notification component.
- Refactor gh-notifications component to take a location argument
that's used to assign a css class and filter notifications.
closes#3136
- moved setup to authentication API
- added `POST /ghost/api/v0.1/authentication/setup` to execute the
setup process
- added `GET /ghost/api/v0.1/authentication/setup` to check if blog is
already set up (needed for #3145)
- removed unused methods from api/users.js
closes#3074
- user generated by fixture is hijacked
- user is updated with name, email, password, slug and status
- creates new user if db is migrated but no user exists
- previously removed tests are back
This frees us up to enforce one single point of access, thus paving
the way towards allowing us to initialize the models at are request,
and not when it's require().
addresses #2170
closes#3073
- added fixture for owner role
- added fixture for initial user (new db)
- added conversion administrator -> owner (existing db)
- changed tests to take over owner user
- removed some functional tests until /setup works with owner user
Closes#3226
- Remove dependent property from the computed content property
that is used to build the active theme selector.
- Add validation to the Settings model so that it rejects
attempts to set an activeTheme that is not installed.
- added role to user obj (only returned from the user endpoint)
- added `/users/?include=roles` and
`/users/?include=roles,roles.permissions` query parameters
- added and updated tests
Closes#3199
-If datatype is dateTime convert to javascript Date object when
retrieved from the database.
-Add tests to make sure models and internal API are using Date
objects for dateTime fields.
-Add tests to make sure the HTTP API is returning ISO 8601
date strings for dateTime fields.
Closes#3122
-Fix validation so that all values are validated instead
of just values that evaluate to true.
-Ensure validation methods consistently return promises
and switch error handling from try/catch to promise.catch
to get rid of unhandled rejection warnings.
-Add 0 and 1 to list of acceptable values in boolean validation.
closes#3080
- added users.invite() to add user from email with random password
- added `GET /ghost/api/v0.1/users/` to invite users and resend
invitations
- removed one user limit
- added global utils for uid generation
- changed some „“ to ‚‘
closes#3057
- add Notification model
- update injected Notifications object to handle persistent notifications
- load server notifications on setup if logged in otherwise on successful sign-in
- changed all existing notifications.closeAll calls to closePassive
- fixed dismissable/dismissible spelling in server API & tests
- add notifications.closeNotification method so DELETE calls can be made for server-originating notifications
closes#3056
- Remove clientold
- Remove clientold tests
- Cleanup old admin helpers
- Remove old routes from admin and controllers from admin controller
- Comment out / remove old and broken tests
- Cleanup Gruntfile.js, bower.js, package.json etc
Still TODO:
- cleanup / add removed tests
- do we still need countable?
Closes#2843
* Implemnted the ember validator correctly for both reset request and actual reset (with the token)
* added reset validator
* changed the request route addresses to be `/authentication/passwordreset`
* changed the format of data to be `{ thing: [ {data } ] }`
Missing:
* notifications
* tests for these use cases
closes#2759closes#3027
- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based
Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125
**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
Closes#3071
-Refactor api.mail.sendTest to take a "to:" parameter.
-Inject recipient address into the mail api's sendTest method
from the route handler.
fixes#3072
- Change router to handle /ember/setup/
- Adjust doSignup to also handle setup
- Adjust tests and add new where necessary
- Add setup controller, setup validation, setup route
- Adjust casper emberSetup to handle new setup
fixes#3031
- Adds an initializer for passing config to the frontend, it's not pretty but it works
- Forwards the apps route and hides the apps menu item if apps:true is not present in config.js
closes#2822
- added destroy user method
- added remove user permission
- added API end point for get reset token
- added API end point for reset password
- added API end point for change password
Closes#2061
- Lazy load the defaultSettings value in Settings model
- Populate individual defaults before read/edit
- Populate all defaults before first browse call
- Remove populateDefaults calls from init code
closes#2354
refs #1641
- added addUnique()
- added dropUnique()
- added addColumn() -> needed for #2330
- dropColumn() is missing due to lack of knex support
- further cleanup of the migrations module
Closes#2927
-refactor exporter to export tables that exist in the
database instead of keying off of schema.js
-move some shared database utility functions into their
own module
no related issue
- Updates package.json packages, adding express middleware packages
that have been broken into their own modules
- Updates controllers/frontend.js to use the new Layer object that Express 4.0
has. Requires some monkey-patching as the Layer object isn't explicitly
surfaced, however it should be safe to do.
- Moved the setup of routes into middleware/index.js because they need to
be added as a middleware function before the 404 and 500 handlers. This is
no longer possible with the old app.use(app.router) as that has been removed.
- Cleaned up middleware/index.js to make it compatible with Express 4.0.
- Simplified the way themes are activated and enabled when they are activated.
The new handling is simpler, yet should still cover all the use cases that
previously existed.
- The entire flow of activating a theme through middleware should be a little
more centralized, letting it be easier to read and maintain.
- Moved every routes/*.js file to use an individual express.Router() instance.
Fixes#2836.
* Mailer now only handles sending email and initializing settings. Instead of adding new notifications there, it just sets flags on its own object.
* Mailer now checks for the presence of "to". If there is none, it fails. You should really pass a full mail object complete with "to", "subject" and "html", otherwise it's partial content.
* Therefore Mail API doesn't check for the existence of the "to", and doesn't get the email from settings and substitute that
* index.js now has a method that adds the notifications. I figured adding those THERE is probably better than individually in every module. It is, as the comments say, can be made extensible
No issue
-remove any existing listeners on the SIGINT event during
the ghost bootstrap process. handles an issue during testing
where node was warning about too many listeners.
Closes#2849
-wire up delete post action in ember admin
-refactor ember modal dialog
-override RESTAdapter.deleteRecord to workaround Ember expecting
an empty response body on DELETEs
Closes#2866
-update slug API to handle users and apps in addition to
posts and tags
-update existing tests
-add new functional tests for slug endpoint on http api
Closes#847
- Added logic to export database to the `core\server\data\` folder prior
to beginning a migration.
- Factored out versioning logic from migration to prevent circular
references
Ref #2699
- Introduce ember data dependency
- Add loadInitializers and refactor most initializers into one combined
- Add Post ember data model
- Refactor generateSlug to use title of post and ghostPaths
- Refactor post controller to not reference model.property everywhere
- Use RESTAdapter for posts, users and tags
- Setup author and tag relations in Post model
- Fix broken API calls by adding CSRF header
- Add initiaizer for csrf value
- Use actual User model for current user initializer
- Add action for setting featured post, test with actual api call
- Fix the sending of UUID's up to the server
- Refactor current-user to use ember-data store
- If a user is preloaded in the application, use pushPayload to put it
in the store
- Do a lookup on the store to get an actual User model for injection
- Fix posts/post controllerName in route/new.js
- Alter signup process to push user into ember data store
Closes#2601
- Removed slug generation from the post API
- Added new, self-contained slug API
- Fixed slug permissions in the fixtures files
- Added a HTTP route for the new API method
- Added integrational tests
Closes#2798
-fetch full model for active post in Backbone content preview view
-remove unnecessary type check in Models.Post.saving
-add functional tests for all post settings menu actions in editor screen
-add functional tests for all post actions in content preview
screen for posts with and without tags
Closes#2410
- Add signup action that posts to signup endpoint
- Fix nav bar showing on signup page
- Fix image link when a user hasn't set their image yet
- Redirect to the ember/signin page if requesting an ember page
Ran into this will calling the helper from a theme, tried to get the absolute url, but just providing {{url absolute}} wasn't enough. After explicitly adding `=true` it worked.
Ref #2413
- Remove fixture and use actual API
- Store and send down actual logged in user data
- Refactor isLoggedIn to use computed property on application
- After signin, update user data in dependency container
- Add CSRF to all routes and controllers via initializer
- Update authenticated route to check for user.isLoggedIn
- Add notifications for signin error
- Add notifications.showAPIError helper
- Add plumbing for refreshless signup to doSignUp in admin controller
closes#2610, refs #2697
- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
to perform reads, updates and deletes where possible - settings / themes
may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
