Commit Graph

1292 Commits

Author SHA1 Message Date
Kevin Ansfield
4773939670 🔒 Improved validation of fetched urls and responses in oembed endpoint
no issue

- prevent oembed fetching from accessing IP addresses or localhost domains
- prevent oembed endpoint from passing through fetched responses as-is
  - reject any fetched data that does not validate against the oembed spec
  - strip any unknown properties from the oembed response before returning

Credits: Nick Mykhailyshyn
2020-03-09 10:42:25 +00:00
Nazar Gargol
895b3d98e7 Refactored members csv export for bettere readability
no issue
2020-03-06 13:55:11 +08:00
Fabien O'Carroll
58187175c3
Deleted all but active sessions on password change (#11639)
closes #10323 

* Fixed usage of hasMany for user->session
* Refactored changePassword to async function
* Deleted all user sessions when password changed
* Tested for session retained after password changed
* Added the session to the frame
* Skipped the current session when changing password
2020-03-05 12:22:32 +02:00
Nazar Gargol
8f789523e3 Fixed date formatting in members CSV export
no issue

- Made date formatting coherent with the one used in API and the exporter
- Using JSON.stringify() here because that's exactly how API is getting it's formattting done atm
2020-03-04 17:41:02 +08:00
Daniel Lockyer
a851cdfc7b Handled bad URLs in oembed bookmark API
fixes #11636

- malformed URLs passed to oembed API would cause `got` or `metascraper`
  to throw an error and this would result in a 500 error from Ghost
- this commit catches the errors and returns a reasonable response
2020-03-02 14:24:26 +00:00
Naz
b0ff1e7cac
Added member login resource to Admin API (#11607)
no issue

- Adds 'GET /members/:id/signin_urls' endpoint to Admin API allowing to fetch login URL for member. This URL allows to log in as a member which is useful in situations when you need to impersonate a member (for example to debug some issue they are having)
- Added member_signin_urls permission with migrations. Only the "Owner" user can read "signin_urls" resource. Admin and other users will be denied access
2020-02-27 11:48:02 +08:00
Nazar Gargol
b9db9fa15e Allowed editing member's email
no issue

- After investigating effects of allowing editing email there were no significant blockers found, so there is no reason not to allow editing this field
2020-02-21 16:00:13 +08:00
Nazar Gargol
b5183204e9 Added missing frame parameter in member mapper
no issue

- This is not causing any bugs but the frame should always be passed in into the mapper to avoid unintended bugs
2020-02-21 10:40:41 +08:00
Nazar Gargol
a1fef1fc7c Added created_at field to accepted fields for members CSV import
no issue

- This field is usefult when importing from external sources.
- The date format should be compatible with one used internally by Ghost which is RFC 2822 compliant format
2020-02-19 19:55:32 +08:00
Kevin Ansfield
19812f53f4
Added member.avatar_image for member gravatars in themes (#11584)
refs https://github.com/TryGhost/Team/issues/243

- uses `member.toJSON()` to add a computed `avatar_image` property
  - if the member has an email address and gravatar is not disabled then we generate a gravatar url using the `?d=blank` parameter to return a transparent image if the member's email has no gravatar
2020-02-19 10:08:12 +00:00
Nazar Gargol
6db07ce34d 🐛 Fixed member CSV import setting subscribed to true as default
no issue

- When importing through CSV we should remain the defaults of 'subscribed' fields (`true` at the moment), unless it is explicitly set to `false` or `FALSE` (the latter uppercase value often comes from scpredsheets)
2020-02-18 11:34:20 +08:00
Rishabh Garg
001db05075
Added labels for Members (#11538)
no issue

* Updated sendEmailWithMagicLink syntax

* Updated label name selection from theme

* Updated migration version for labels

* Added labels to export/import of members

* Added member labels sanitization for case-insensitive duplicates

* Fixed tests

* Fixed label serialization bug on import

* Bumped @tryghost/members-api to 0.15.0

* Fixed lint

* Cleanup
2020-02-14 15:03:10 +05:30
Rish
4eeed0d32a 🐛 Fixed "undefined" values in member csv export
no issue

We missed handling `undefined` values for fields during csv export for memebrs, which causes csv entries as `undefined` for fields that don't exist. It also added need for extra handling of `undefined` entries during csv import. This PR fixes the bug by properly handling empty/undefined values in export
2020-02-12 11:03:16 +05:30
Nazar Gargol
2c52282662 Added future cleanup note
no issue

- This method was created as a shortcut and the real issue of 'undefined' values being present in CSV should be fiexed instead
2020-02-11 18:17:46 +08:00
Nazar Gargol
5caf924013 Fixed member delete method to use correct options
closes #11589

- `findOne` method in destroy method was usinng wrong options object (unlinke read method id comes from frame.options not frame.data) thus this was causing 404 errors
2020-02-11 16:35:18 +08:00
Nazar Gargol
4a79a0e753 Corrected 404 handling 2020-02-10 12:41:39 +00:00
Nazar Gargol
52635f1aa8 Basic implementation of backup retreival from file 2020-02-10 12:41:39 +00:00
Nazar Gargol
49983e799c Changed backup service signature to be able to expand it
- Will need to add a new method allowing to read an export file, so the module signature has to become an object rather than a function
2020-02-10 12:41:39 +00:00
Nazar Gargol
afe11c2b06 Added basic backup implementation for users DELETE endpoint
- The filename is returned to be able to fetch the backup on demand
- Wasn't able to limit exported tables as exporter doesn't support such functionality
2020-02-10 12:41:39 +00:00
Nazar Gargol
42f4518a63 Improved error logging for member CSV import
no issue

- Error object can be an array in case of database constrain validation errors, for this reason need to distinguish between singular objects and an array. This handling resemles the one in common error-handler - https://github.com/TryGhost/Ghost/blob/3.5.0/core/server/web/shared/middlewares/error-handler.js#L31-L33
2020-02-10 16:25:56 +08:00
Nazar Gargol
019605e9e0 Added concurency limit for member creation when importing
no issue

- When importing large batches of members we should not allow for unlimited amount of parallel requests created as this might lead to connection pool problems and reaching API rate limits (for example Stripe API is limited to 100 req/s)
2020-02-10 16:03:08 +08:00
Nazar Gargol
e57f7219e5 Added error logging for errors occuring during CSV import
no issue

- CSV import uses direct API calls which skips through logging error. This additional code should catch and record any internal errors
2020-02-07 14:33:30 +08:00
Nazar Gargol
68a36dd799 Changed members CSV export to match import format
refs c295435b41

- The import format changed the `subscribed` to `subscribed_to_emails`. Export should have the same format as import for consistency
2020-02-05 15:34:55 +08:00
Naz Gargol
c295435b41
Added new fields to members CSV import (#11539)
no issue

- New fields that are accepted through members CSV import endpoint are:
  - `subscribed_to_emails` - corresponds to `subscribed` flag in API
  - `stripe_customer_id` - links existing Stripe customer to created member
  - `complimentary_plan` - flag controlling "Complimentary" plan subscription creation for imported member

- Noteworthy exception in field naming - `subscribed_to_emails` that corresponds to `subscribed` API flag present on members resources. It's a special case of CSV format, where users can be less technical it's more explicit to what the flag does (also the same naming is applied in the Admin UI)

- Failing to either link Stripe customer or assign "Complimentary" subscription to imported member behaves in a transaction-like manner - imported record is not created in the database. This is needed to be able to retry imports when it fails for reasons like connectivity failure with Stripe or Stripe miss-configuration.

- To avoid conflicts with linking same Stripe customer to multiple members there is a special handling for duplicate `stripe_customer_id` fields. Records with duplicates are removed from imported set.
2020-02-04 13:51:24 +08:00
Naz Gargol
25f11bbf1c
Added complimentary member subscription (#11537)
no issue

- We need a way to simulate "premium" membership without any payment from members' side. For this new "Complimentary" plan is introduced
- Allows `comped` flag as an input only on `PUT /members/:id` endpoint which sets  free subscriptions based on "complimentary" plan on the member
- Added `comped` flag to members endpoint responses
- Bumped members-api to 0.12.0. This version supports new set/cancel complimentary subscription methods
2020-01-28 11:25:00 +07:00
Nazar Gargol
e9e3f58792 Refactored member controller to use model layer
refs https://github.com/TryGhost/Members/pull/105

- As members module has become a core part it makes sense to follow the same principles as in all other controllers and use the model directly instead of calling external services.
- Bumped @tryghost/members-api to 0.11.1 . New stripe-specific methods used in controllers are available starting with this version
- Exposing these new methods is a little hacky because there are no relationships setup on members_* tables. Left notes for future improvements once relations are introduced.
- We don't allow for chaging member's emails at the moment. For this reason had to modify JSON schema a little. It doesn't support OO inheritence: "This shortcoming is perhaps one of the biggest surprises of the combining operations in JSON schema: it does not behave like inheritance in an object-oriented language. " (ref. https://json-schema.org/understanding-json-schema/reference/combining.html#allof)
2020-01-15 17:52:47 +07:00
Ian Sim
6247b52367 Allowed pages to accept HTML as a source (#11422)
refs https://github.com/TryGhost/Ghost/issues/10471

- Allow page resource endpoints to accept HTML source. This behavior is the same as the post's resource introduced with e9ecf70ff7372f395b8917340805148bc764e2ef
- The functionality was most likely missed when post split into posts & pages was happening.
- Added symmetric changes to API v2.
2020-01-08 17:44:34 +01:00
Naz Gargol
97ea664d4d
🐛 Fixed empty html/plaintext fields for narrow fields parameter (#11505)
refs https://forum.ghost.org/t/plaintext-value-is-empty-using-the-api/10537

- The `plaintext`/`html` fields were empty because `visibility` attribute was not present in response body on output serialization stage. `visibility` field is always needed for content gating to work as expected 
- Added `visibility` field in the input serialization layer as it wouldn't be possible to use content gating if added on model layer through `defaultColumnsToFetch`
- Added test cases covering a bug
2020-01-08 14:43:21 +01:00
Nazar Gargol
11d1acb475 🐛 Fixed plaintext field being added as empty property when member post is requested
no issue

- Tests in previous commit uncovered a bug with unwanted field attached to
the post response
2020-01-06 14:59:30 +01:00
Rishabh Garg
160ef2976a
🏗Added host config limits for member emails (#11439)
no issue

Introduces host limits config for allowing email limits with members.
2019-12-17 19:24:27 +05:30
Rishabh Garg
fa3686bcc3
Added new brand blog setting (#11408)
no issue

Adds new `brand: {primary_color: ''}` blog setting behind dev flag for setting user-defined brand color in themes and emails.
2019-12-17 16:15:31 +05:30
Nazar Gargol
e25e847f47 Removed email related fields from API v2 responses
refs  https://github.com/TryGhost/Ghost/issues/11461

- The email feature was introduced in API v3 and is not back compatible with API v2. These fields should not appear in any v2 responses.
- Added regression tests for API v2 so that cases like this are spotted
easier in the future.
2019-12-16 20:01:38 +07:00
Rish
2d9963fbd8 Allowed comment_id and uuid in post API input
refs https://github.com/TryGhost/Ghost/pull/11462

Allows `comment_id` and `uuid` to be passed in post `add`/`edit` API calls instead of failing requests with validation error, though both properties are stripped out in serializer as we don't allow editing them.
2019-12-16 18:22:48 +05:30
Naz Gargol
bcddeeadf1
Removed redundant member manipulation proxy methods (#11423)
no issue

- This includes the interface change for members-api constructor - now accepts the member's model instead of proxy methods. These methods have been moved ton @tryghost/members-api in favor of using the model directly (ref: https://github.com/TryGhost/Members/pull/105)
- Moved error handling from the service layer to controller
- Bumped @tryghost/member-api package to 0.10.0
2019-12-06 12:04:10 +07:00
Hannah Wolfe
419e12d90a Added support for secondary navigation (#11409)
no issue

- Secondary navigation means most nav concepts are supported, e.g. header & footer, or left & right
- The UI is added separately, this PR adds supporting concepts:
  - make sure the default value is an empty array
  - add support in the API (v3 only)
  - add handling in the navigation helper
2019-12-04 11:12:02 +07:00
Rish
b9dd0d2b94 Refactored email handling to be consistent for test and newsletter emails
no issue
2019-11-26 21:41:01 +05:30
Nazar Gargol
9ff5fecbaf Fixed knex connection pool errors when scheduling a posts
no issue

- A subquery in mege service that creates email record wasn't using 'options' object needed to track transactions
2019-11-26 17:44:42 +07:00
Rish
e6f74c63db Fixed post serialization for test emails
no issue
2019-11-26 11:59:41 +05:30
Nazar Gargol
075fb76a60 Moved toJSON calls to serializer
- toJSON transformations should happen on serializer level so controllers could be called directly with it's own options internally
2019-11-25 12:04:58 +07:00
Kevin Ansfield
6a057fad99
Added /emails/:id/retry/ endpoint for retrying failed emails (#11410)
We want to allow admin users to trigger a retry of failed emails without having to go through the unpublish/republish dance.

- fixed resource identifier in email permissions migration so email permissions are added correctly
- added new email permissions migration so that beta releases can be upgraded without rollback (will be a no-op for any non-beta upgrades)
- added `/emails/:id/retry/` canary Admin API endpoint
  - follows same URL pattern as theme activation
  - only triggers mega service retry endpoint if the email has a `'failed'` status
2019-11-22 14:20:32 +00:00
Naz Gargol
c2aec69af9
Added email retry logic for failed batches (#11402)
no issue

- When whole email batch fails we want to allow retrying sending a batch when post is republished
- Refactored naming for email event handling in mega
2019-11-18 21:28:54 +07:00
Kevin Ansfield
1c8b78818f Merge branch 'master' into mega 2019-11-18 11:09:46 +00:00
Rish
baccbb4942 Updated test email to throw error for failed requests
no issue
2019-11-18 13:24:28 +05:30
Kevin Ansfield
5fd2b7fed1 Added send_email_when_published query param to posts endpoint
no issue

- having a `send_email_when_published` property on the Post resource that only has an effect at certain times was confusing and was causing issues with clients that needed to know details of how that toggle worked
- makes `post.send_email_when_published` a fully read-only property in the API
- adds support for `?send_email_when_published=true` query param that can be passed in POST/PUT requests to the posts endpoint when scheduling or publishing a post - this is the only way to set `post.send_email_when_published` to `true`
- adds handling to ensure that `post.send_email_when_published` is always reset to `false` when reverting a post back to a draft _unless_ an email has already been sent
2019-11-14 17:29:03 +00:00
Rish
6d1de1b912 Fixed post not showing authors in email
no issue
2019-11-14 10:45:05 +05:30
Rish
eaf7289af3 Fixed bulk settings input serializer 2019-11-14 08:20:16 +05:30
Rish
d3229b6ade Wired mailgun provider API keys via config or settings
no issue
2019-11-13 22:29:31 +05:30
Rish
05e9f01f30 Added dynamic fields isEnabled/isConfig on bulk email settings
no issue

Adds 2 new dynamic calculated fields on bulk email settings -

`isEnabled` - If mailgun is configured either with config or admin settings
`isConfig` - If mail is configured via config directly
2019-11-13 22:29:31 +05:30
Naz Gargol
b48f1f4b2c
Updated defaults handling for email property in posts (#11355)
no issue

- Fixed default email property output when the empty value is returned
- This is needed for consistency with other endpoint properties like primary_tag which are null when there is no value assigned
- Updated acceptance tests to handle email property
- Schema had to be updated to not use reference so that the information about email can be independent of the post - can still exist if the post is deleted
2019-11-08 11:40:49 +07:00
Rish
d7d06653df Fixed email not returned in put object on post publish 2019-11-07 17:03:23 +07:00
Rishabh Garg
b1d436e2ee
Added input validation to strip email object on post (#11351)
no issue

Removes post email relation from edit/add requests as we don't want to edit email object directly as part of post
2019-11-07 16:11:37 +07:00
Kevin Ansfield
2421516aa6 Made email a default include on posts API in v3/canary 2019-11-07 12:47:07 +07:00
Nazar Gargol
640f7155fc Fixed linter 2019-11-07 11:47:15 +07:00
Nazar Gargol
eca129c18d Hooked mega service to listen to email.added event
- This was needed because we switched to synchronous request handling (to allow including email data with post.publish event)
2019-11-07 11:47:15 +07:00
Nazar Gargol
4e1caa8b08 Added email relation to post and allowed include for /posts endpoint 2019-11-07 11:47:15 +07:00
Rish
97e2af9a06 Added mailgun domain to members subscription settings
no issue

-  Delete api key and domain setting if its in the config to hide it in admin
2019-11-07 11:28:42 +07:00
Rish
6357d0c79b Fixed custom subject in email preview 2019-11-06 18:32:11 +07:00
Rish
77daa77e04 Added status=all by default to preview api 2019-11-06 18:18:44 +07:00
Rish
4db260f17e Added authors to email preview template 2019-11-06 18:03:46 +07:00
Rish
90af59d15c Fixed test preview mail for draft posts 2019-11-06 17:02:42 +07:00
Nazar Gargol
ae14eb00f9 Implemented GET /emails/:id endpoint 2019-11-06 15:56:56 +07:00
Rish
45cd39c386 Fixed members settings cleanup for mailgun config 2019-11-06 15:21:46 +07:00
Rish
3e331fcf86 Fixed lint 2019-11-06 12:15:03 +07:00
Rish
cc514f1776 Fixed permission for test email API 2019-11-06 12:09:55 +07:00
Rish
3023619ac9 Allowed status data for email preview API
no issue
2019-11-06 11:57:46 +07:00
Daniel Lockyer
b91f3071be Deferred loading metascraper (#11337)
no issue

- reduces Ghost boot time from 1.47s to 1.33s on my machine.
2019-11-06 08:31:11 +07:00
Nazar Gargol
d47100168b Removed post only fields from pages
- As we introduced email_subject and send_email_when_published for post responses we don't want to return them for pages
2019-11-05 18:42:31 +07:00
Rish
78a9463243 Updated members setting serializer for mail config 2019-11-05 18:23:23 +07:00
Nazar Gargol
bb223f9f4d Allowed editing subscribed field for members 2019-11-05 18:03:19 +07:00
Rish
4a53184d7f Added send preview email API
no issue
2019-11-05 16:09:18 +07:00
Nazar Gargol
5d76ceef8b Added plaintext field to email preview response 2019-11-05 15:04:48 +07:00
Fabien O'Carroll
15ffae211d Refactored members content gating check
no-issue
2019-11-05 12:53:14 +07:00
Nazar Gargol
9daed773c9 Added email preview output serializer 2019-11-05 12:15:50 +07:00
Nazar Gargol
8a7bf353d4 Added email preview controller 2019-11-05 12:15:50 +07:00
Rishabh Garg
f2f9073edd
Added email subject post meta field (#11335)
no issue
2019-11-04 13:15:23 +07:00
Fabien O'Carroll
a30caa5c66 Added send_email_when_published to post input schema
no-issue

This is required to allow us to send the flag into the api
2019-11-04 12:03:24 +07:00
Naz Gargol
0c3b90283a
Renamed members to post-gating for better context (#11309)
no issue

- Using members.js naming for the file was a bad choice and lead to some false signals when doing a cleanup.  `post-gating` is more explicit and to the point of what the module is responsible for
2019-10-31 10:33:37 +01:00
Kevin Ansfield
1fd7014c45 Fixed member.deleted webhook having an empty payload
no issue

- the members output serializer was passing model objects through on `frame.response` but the webhooks serializer doesn't know how to deal with those
- adjusting the output serializer to use a mapper as per the other serializers means that POJOs are being passed through which allows the webhook serializer to correctly pick out the changed attributes
2019-10-31 15:19:45 +07:00
Rishabh Garg
d370a4e840
🐛 Fixed members export limiting to 15 members only (#11299)
refs https://github.com/TryGhost/Ghost/issues/11298

The members export admin API by default paginates the result and only returns upto 15 members. This allows passing `limit` param to the API and allows passing `limit=all` to fetch all members in result.
2019-10-29 10:20:32 +05:30
Nazar Gargol
5760395e92 Fixed reading_time calculation for non public posts
no issue

- The calculation of reading time has to happen before html field is sanitized for members plan.
2019-10-21 18:07:38 +07:00
Fabien O'Carroll
7c4f177fee Added missing page prop to v2 Content API posts
no-issue

We have to wrap this in a check to make sure that `page` property is
only returned if either:
A) No `fields` param is passed (send back all fields)
B) `fields` param is passed AND it includes the `page` field
2019-10-16 15:44:05 +07:00
Hannah Wolfe
fb072395ac Reduced API debug statements
- outputting so much information makes debug less useful
 - node debugger should be used for tracing values through the system,
     debug() is for more generally following logic and timing
 - removed debugs that output large objects
 - added consistent debugs for api methods
 - a couple of other tweaks for easier understanding of what's happening on a request
2019-10-15 15:07:38 +01:00
Fabien O'Carroll
d680f33f10 Removed unused members getter
no-issue

This would have errored when used
2019-10-14 15:50:24 +07:00
Kevin Ansfield
78e16ddd3f Merge branch 'master' into v3 2019-10-11 11:31:31 +01:00
Fabien O'Carroll
3eb4427888
Exposed visibility prop for posts on canary api (#11229)
no-issue

This is required by the theme layer to style member only posts
differently
2019-10-11 13:58:50 +07:00
Rish
4f0ca2914f Updated members schema validation for name
no issue

- Removed minimum length requirement for `name` as its possible to have empty name for a member
2019-10-10 17:26:56 +05:30
Fabien O'Carroll
38832d5c6b Added note to member json schema
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
f3a8119870 Added note column to csv import/export for members
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
58651caa32 Removed members endpoint from admin v2 api
no-issue
2019-10-10 17:51:46 +07:00
Fabien O'Carroll
dd214d71dc Decoupled add from importCSV queries
no-issue
2019-10-10 17:51:46 +07:00
Kevin Ansfield
7fc10106dc Merge branch 'master' into v3 2019-10-10 10:37:42 +01:00
Nazar Gargol
977fb5f650 Added reading_time property to post/page resources in Content API 2019-10-10 15:42:04 +07:00
Nazar Gargol
4a10ddc8fa Fixed unsafeAttributes fetching in Admin API v2
no issue

- This check was misside and only was implemented for canary.
2019-10-09 21:16:27 +02:00
Kevin Ansfield
587bd8accb Merge branch 'master' into v3 2019-10-09 15:04:09 +01:00
Naz Gargol
0225936292
Removed subscribers from the codebase (#11153)
refs https://github.com/TryGhost/Ghost/pull/11152

- Added subscribers table drop migration
- Removed subscribers from schema
- Removed subscribers controllers/routes/regression tests
- Removed subscriber related API code
- Removed subscribers from internal apps
- Removed subscriber importer
- Removed subscriber model
- Removed subscriber related permissions
- Removed webhook code related to subscribers
- When upgrading to v3 it is on the site admin to migrate all zapps or any other webhook clients to use members
- Removed subscriber-specific translation
- Removed subscriber lab flag
2019-10-09 11:47:04 +02:00
Naz Gargol
786eaac57e
Added permission restrictions to editing members flag (#11217)
no issue

- Added test cases to check edit permission on settings endpoints
- Added test to demonstrate owner-only being able to toggle members flag
- Permission check when editing settings `lab.members`
- Passed additional function to permissions to allow custom selection of unsafe attributes due to settings object structure.
- Fully implementing this check on controller level would be wrong architecturally and not that straight forward because we lack role data in "frame"
- Cleaned up test after moving default_content_visibility to it's own property
2019-10-09 10:26:54 +02:00
Naz Gargol
daa77c5c00
Permission restrictions for post.visibility modifications (#11213)
no issue

- Limited posts visibility field permissions to Editor-Up + Admin Integrations
- We don't want contributors or other roles lower than Editor to be able to modify content gating attribute
2019-10-08 15:44:27 +02:00
Kevin Ansfield
6028fde666 Merge branch 'master' into v3 2019-10-08 13:58:08 +01:00
Kevin Ansfield
32f3f9d2c3 🐛 Fixed "unsaved changes" modal displaying when post has been saved
refs https://github.com/TryGhost/Ghost/issues/10477

The unsaved changes modal is displaying even when the post has been saved if images have been uploaded because the server is transforming absolute image urls to relative during input of the `mobiledoc` field but not transforming them back to absolute during output. The editor then thinks it's out of sync and shows the warning when trying to leave.

- `@tryghost/url-utils` has been updated with new methods for transforming URLs in mobiledoc content
- moves absolute->relative transformation from the API input serializers into the Post model
- transforms URLs in more fields for a more comprehensive transformation and fewer issues when re-configuring a site's domain
  - previously there could be problems with internal links between posts not being transformed so you could change the url config to newdomain.com but links in post content would still be pointing to olddomain.com
- updates the API post output serializers to transform all modified fields
- drops the `?absolute_urls=true` param switch from the `canary` API post output serializer so that all URLs are output as absolute
  - we're transforming more urls to relative when saving so this is necessary to ensure the unsaved changes modal is not triggered
  - the query param isn't documented and will disappear in v3
2019-10-07 22:59:19 +01:00
Naz Gargol
a4462c5753
Added members CSV export to Admin API (#11198)
no issue
2019-10-03 20:36:22 +02:00
Naz Gargol
bb355ac9f2
Added members CSV import to Admin API (#11197)
no issue

- Improved error handling for member creation. We should be returning 422s instead of 500 when possible
- Wrapped `members.add` method with Bluebird promise. Wrapping is needed to be able to use `.reflect()` in CSV export method
- Added proper members CSV fixture
2019-10-03 19:59:19 +02:00
Naz Gargol
30326cbd2d
Added handling for PUT members endpoint (#11194)
no issue

- Adds the ability to edit `name` field for a specific member by using `PUT /members/:id` endpoint
2019-10-03 13:38:22 +02:00
Naz Gargol
5228d9819b
Added members POST API (#11189)
no issue

- Added Regression full test coverage for members Admin API
- Added `POST /members` endpoint
- Added members schema definition + validation
- Added ability to pass through send_email/emal_type options to members API
2019-10-03 11:15:50 +02:00
Fabien O'Carroll
a3f3a56589 Fixed DELETE method for members on admin
no-issue

members-api uses async functions internally which return non-bluebird
promises, so the `return` method wasn't availiable.
2019-10-02 15:44:14 +07:00
Nazar Gargol
84b08e627d Removed #member tag logic from input/output serializers 2019-09-30 17:46:36 +02:00
Naz Gargol
36379b2806
Added content gating based on visibility flag (#11173)
no issue

- Checks content gating based on members current plan and visibility option set on the requested post/page
2019-09-30 17:40:03 +02:00
Naz Gargol
ff13821b27
Members post gating options (#11160)
no issue

- Removed uses of `visibility` column in frontend url service configs
- The value of `visibility` is always set to 'public' in posts at the moment and doesn't serve any specific purpose when used with these filters.
- Allowed new visibility attributes in post model
- `posts.visibility` column is being repurposed for the needs of member content gating
- Added test for visibility editing in Admin API
- Corrected test schema checks for Admin API post/page responses
2019-09-26 15:38:35 +02:00
Fabien O'Carroll
a6fa0bc043 Updated member.plans to member.stripe.subscriptions
no-issue

This is to support the new format in which stripe information is
returned from the members-api module.
2019-09-26 11:35:44 +07:00
Kevin Ansfield
d69440bd4f
Update dependency @tryghost/url-utils to 0.4.0 (#11156)
no issue

- updates usage of `htmlRelativeToAbsolute` to avoid unnecessary duplication of "home" url fetching (the UrlUtils instance already has that information)
2019-09-25 12:35:59 +01:00
Rishabh Garg
6d0f19ebfa
🏗 Migrated scheduler to work with v2 API (#11142)
* Updated scheduler to use v2 API by default

* Updated scheduling for post/page resource types

* Extended base method to take options param with token and jwt options

* Updated token expiration to 6 hours after publish/blog start time to allow retries
2019-09-23 21:42:53 +05:30
Naz Gargol
50546d8cba
🔥 Removed deprecated ghost_head and ghost_foot properties from /settings responses (#11144)
no issue 

- Removed ghost_head/ghost_foot propeties from Content API `GET /setting` response
- Removed ghost_head/ghost_foot from the output in Admin API
- Added validation when requesting ghost_head/ghost_food fields
- Updated deprecation comments
2019-09-23 12:59:00 +02:00
Naz Gargol
cb58115700
🔥 Moved user email removal to API serialization layer (#11110) 2019-09-16 15:42:14 +02:00
Kevin Ansfield
e57e19ec31
🏗 Migrated posts.page column to posts.type (#11111)
refs https://github.com/TryGhost/Ghost/issues/10922

- adds migrations to...
  1. add `post.type` column
  2. populate `post.type` column based on `post.page` value
  3. drop `post.page` column
- updates all code paths to work with `post.type` in place of `post.page`
- adds `nql-map-key-values` transformer for mapping `page`->`type` in `filter` params when using the v2 API
- modifies importer to handle `post.page`->`post.type` transformation when importing older export files
2019-09-16 11:51:54 +01:00
Rishabh Garg
8ec12d9eee
🏗 Extracted post metadata in new post_meta table (#11102)
NOTE: The post metadata table split is purely an internal optimization for v3 and doesn't require or expect any external actions including related API usage in v3

We keep running into issues adding new fields to the post table because there are too many fields making the post table "too wide". We have also hit MySQL limitations in how many bytes can be in a row (64kb) with post table.

In v3, we decided to split the 8 post fields (meta, twitter and og) used for meta data into a posts_meta table as these 8 fields are all "problem" `varchar` fields and make sense logically grouped together. The API layer is unaffected by the split as input/output serializers ensure the data flow works the same way as it was in v2. Only thing to note is json export in v3 will have slightly different structure with posts meta fields as separate.

- Creates new post_meta schema/table with 8 fields (2 meta_* , 3 twitter_* and 3 og_*)
- Update relations between post and post_meta table
- Update input/output serializers to keep existing API behavior
- Avoids new entry in post_meta table for post where all meta fields are null
- Keeps the current fields API param behavior
- Handles migration of existing posts to new table structure
- Updates importer/exporter to work seamlessly with table changes
2019-09-16 14:15:55 +05:30
Naz Gargol
0306c397d0
🔥 Removed v0.1 leftover code in model layer (#11107)
no issue

- Removed redundant model code in users
- Removed v0.1 specific attribute removal on model layer for post
- Removed property deletions comments handled in serialization layer
- Removed unused token.added listener. users.last_seen is  populated on middleware layer when a new access token is created
- Removed unneeded test for setting last_seen in users
2019-09-12 17:39:16 +02:00
Kevin Ansfield
d645afb416 Removed all accesstokens and refreshtokens related code
no issue

- v0.1 is ☠️ so the access/refresh token based auth is no longer used
- removed all code related to the `accesstokens` and `refreshtokens` tables
- removed all `passport` related dependencies as it's no longer used
2019-09-12 15:45:27 +01:00
Nazar Gargol
721118680d Updated API versioning README.md
- As 0.1 is dropped there is no need to mention it anymore
2019-09-12 16:27:09 +02:00
Naz Gargol
5b59c7b542
🔥 Removed v0.1 controllers & routes (#11103)
no issue 

- Removed v0.1 controllers
- Removed 0.1 API unit tests
- Removed 0.1 API app and mount point
- Removed leftover use of v0.1 in entry-lookup test suite
- Removed frontend client API enpoints and related code (middleware)
- Fixed prev/next test suites to use v2 API
- Set default API version to explicit v2 in UrlUtils
- Removed v0.1 API regex from public files middleware
2019-09-11 19:10:10 +02:00
Naz Gargol
b8b0a5ea18
💡Migrated session controllers for compatibility with "frame" (#11101)
no issue

- Session controllers were using API v1 http method which bypassed "frame" introduced with API v2. 
- Changes here are just a long-awaited cleanup to allow completely remove v0.1 code
2019-09-11 11:28:55 +02:00
Kevin Ansfield
1752132051 Merge branch 'master' into v3 2019-09-10 09:50:15 +01:00
Fabien O'Carroll
edca4138ff Updated getMember to return null rather than throw
no-issue

This allows members code to remove try/catch statements without having
to pass the Ghost/bookshelf specific `require: false` option
2019-09-05 11:14:50 +08:00
Rishabh Garg
b875cc339d
🔥 Dropped unused ghost_auth_* user fields
no issue

- Drops `ghost_auth_access_token` and `ghost_auth_id` fields since not used anymore
- Adds migration for dropping these columns from users table
- Drops Auth strategy - `ghostStrategy` - since its not used anymore
2019-09-03 20:48:42 +05:30
Rishabh Garg
303046bc0a
💡Added v3 API endpoint (#11073)
no issue

- Adds new /v3/ endpoint which currently aliases canary code
2019-09-03 12:33:31 +05:30
Nazar Gargol
548ed8b851 🔥 Dropped default inclusion of primary_tag/primary_author fields in Content API
no issue

- Content API doesn't return primary_tag and primary_author fields by default if authors or tags were not requested
- These fields are still always included in Admin API as a result of having authors and tags loaded (like a sideeffect)
2019-09-02 15:06:12 +02:00
Rishabh Garg
44a5da22b9 🐛 Fixed wrong icon being pulled into bookmark cards for some sites (#11055)
no issue

Current metascraper rule for fetching page metadata in case of bookmark card gives preference to publisher logo over icon tags. This PR updates giving first preference to icon link tags followed by logo.
2019-08-27 19:32:26 +01:00
Rishabh Garg
c2aa62083c Added support for bookmark card (#11024)
requires https://github.com/TryGhost/Ghost-Admin/pull/1293

- updates `oembed` endpoint behaviour
  - if an oembed provider is not found then we use `metascraper` to populate a metadata object
  - when metadata is returned rather than an oembed response the payload will look like this:
    ```json
    {
        "url": "...",
        "type": "bookmark",
        "metadata": {
            "url": "...",
            "title": "...",
            "description": "...",
            "author": "...",
            "publisher": "...",
            "thumbnail": "...",
            "icon": "..."
        }
    }
    ```
- adds a `bookmark` card which generates output for the bookmark card:
  ```html
  <figure class="kg-card kg-bookmark-card">
    <a href="[URL]" class="kg-bookmark-container">
      <div class="kg-bookmark-content">
        <div class="kg-bookmark-title">[TITLE]</div>
        <div class="kg-bookmark-description">[DESCRIPTION]</div>
        <div class="kg-bookmark-metadata">
          <img src="[ICON]" class="kg-bookmark-icon">
          <span class="kg-bookmark-author">[AUTHOR]</span>
          <span class="kg-bookmark-publisher">[PUBLISHER]</span>
        </div>
      </div>
      <div class="kg-bookmark-thumbnail">
        <img src="[THUMBNAIL]">
      </div>
    </a>
  </figure>
  ```
  - if a particular bit of data does not exist then the associated html element will not be present
2019-08-27 15:01:02 +01:00
Kevin Ansfield
80fbfd7a85 Revert post.page->post.type handling
no issue
- the column addition/removal can be too slow for large sites
- will be added back in 3.0

---

Revert "Fixed canary api for page/type column"
This reverts commit a5a7e7e919.

Revert "Updated frontend canary url config for page/type"
This reverts commit 19100ec5e6.

Revert "Updated canary api to handle type column correctly (#11006)"
This reverts commit c3e8ba0523.

Revert "Ensured `page` filter works in routes.yaml"
This reverts commit 9037c19e50.

Revert "Replaced usage of mongo util with nql-map-key-values"
This reverts commit 8c5f1d0ef0.

Revert "Added shared nql-map-key-values module"
This reverts commit ef4fd4b8ef.

Revert "Ensured page prop is present on content api response"
This reverts commit cfa0a0862b.

Revert "Fixed failing regression tests"
This reverts commit 9c2bb3811f.

Revert "Updated xmlrpc and slack service to use type column"
This reverts commit 44a02c7d36.

Revert "Updated v0.1 posts api to work with type column"
This reverts commit 2c81d7c914.

Revert "Removed updates to v0.1 specific code"
This reverts commit 08d83c1f53.

Revert "Added missing context from ValidationError"
This reverts commit cd45ab4f54.

Revert "Renamed page->type in the page&posts serializers"
This reverts commit df99e724e3.

Revert "Added mongo helper to input serializers"
This reverts commit fb8eadb4a8.

Revert "Passed mongoTransformer through to NQL"
This reverts commit 0ae3f0fdfc.

Revert "Permitted mongoTransformer option for read methods"
This reverts commit a89376bf26.

Revert "Updated the count plugin to reference the type column"
This reverts commit a52f15d3d3.

Revert "Updated hashes for db integrity check"
This reverts commit bb6b337be3.

Revert "Remove page column and remaining references"
This reverts commit 9d7190d692.

Revert "Added type column to data generator"
This reverts commit e59806cb45.

Revert "Removed references to page column in rss tests"
This reverts commit 04d0f855de.

Revert "Removed page column references in validation tests"
This reverts commit f0afbc5cc0.

Revert "Updated the post model to use the `type` column"
This reverts commit 1189bc823a.

Revert "Updated url service to use type column"
This reverts commit 61612ba8fd.

Revert "Updated the v2 api to deal with type column"
This reverts commit 57afb2de2b.

Revert "Added type property to post model defaults"
This reverts commit dc3345b1c5.

Revert "Added type property to the default post fixtures"
This reverts commit 82d8c38033.

Revert "Added type column to posts table"
This reverts commit 9b85fc6a69.
2019-08-19 12:02:14 +01:00
Kevin Ansfield
61420ae67f
Updated @tryghost/url-utils to v0.3.0 (#11027)
refs https://github.com/TryGhost/Ghost/issues/10793

- fixes `urlUtils.htmlRelativeToAbsolute` mangling attribute quote styles and removing indentation
2019-08-16 00:26:24 +01:00
Fabien O'Carroll
62f2c4a2bf Updated canary actions endpoint
closes #11015

This simplifies the actions endpoint and allows for filtering and
querying of all types of actions across separate resources and actors
2019-08-14 17:40:36 +08:00
Fabien O'Carroll
24c8da58e4 Fixed local package issue for npm users (#11019)
closes #11018
2019-08-14 13:19:01 +05:30
Fabien O'Carroll
a5a7e7e919 Fixed canary api for page/type column
no-issue

Canary didn't have all of the post/type changes copied across
2019-08-13 13:10:27 +08:00
Fabien O'Carroll
c3e8ba0523 Updated canary api to handle type column correctly (#11006)
refs #10922

* Updated canary api to handle type column correctly

* Updated unit tests

* Updated regression tests
2019-08-12 17:39:59 +05:30
Fabien O'Carroll
8c5f1d0ef0 Replaced usage of mongo util with nql-map-key-values
no-issue

Removes the shared module in favour of an "external" one
2019-08-12 18:41:43 +08:00
Fabien O'Carroll
cfa0a0862b Ensured page prop is present on content api response
refs #10922
2019-08-12 18:41:43 +08:00
Kevin Ansfield
4f3391cd04
Updated @tryghost/url-utils to v0.2.0 (#11004)
no issue

- updates `@tryghost/url-utils` following an internal refactor of the package
- renames `makeAbsoluteUrls` to `htmlRelativeToAbsolute` to better reflect what the function is doing
- renames `getBlogUrl` to `getSiteUrl`
- updates UrlUtils test stubbing util to work with a class
- fixes use of invalid port numbers in tests (max port number is 65535, any higher is an invalid URL that will error with some parsers)
2019-08-12 09:31:42 +01:00
Rish
7b761a8751 💡 Added canary api endpoint
no issue

Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version
2019-08-09 20:46:49 +05:30
Fabien O'Carroll
2c81d7c914 Updated v0.1 posts api to work with type column
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
df99e724e3 Renamed page->type in the page&posts serializers
refs #10922
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
fb8eadb4a8 Added mongo helper to input serializers
refs #10922

This helper assits in replaces keys and values as defined by the mapping object
2019-08-09 14:39:01 +08:00
Fabien O'Carroll
57afb2de2b Updated the v2 api to deal with type column
refs #10922

This replaces references to the `page` column with references to the
`type` column.
2019-08-09 14:39:01 +08:00
Nazar Gargol
00f95e7328 Migrated schedules controller to v2
closes #10060

- Implemented scheduling for posts and pages
- Added cache invalidation when scheduling
- Refactored admin token eneration function to accept existing key as parameter in tests
- Added Ghost Scheduler Integration fixture
- Added fixture for permissions for post publish action
- Migrated getScheduled method to v2
- Did not add support for 'from' and 'to' parameters as they were not used by DefaultScheduler
- This method needs rethinking in a long run as it's an ugly hack and should rather become proper endpoint that returns JSON data instead of models
- Removed unused auth middleware from v2 routes
- Added internal scheduler role
- Implemetnted transactions in v2 frame
- This takes into account scenario mentioned in c93f03b87e
- Specifically:
>if two queries happening in a transaction we have to signalise
  knex/mysql that we select for an update
  otherwise the following case happens:
  you fetch posts for an update
  a user requests comes in and updates the post (e.g. sets title to "X")
  you update the fetched posts, title would get overriden to the old one
2019-08-07 14:51:36 +02:00
Kevin Ansfield
d96be4907e
Fixed relative canonical_url values not being stored as root-relative (#10989)
no issue

- we try to store all urls as relative paths where possible in Ghost so that the `config.url` value can be changed
- all relative paths are stored as root-relative except for the `post.canonical_url` field which was storing subdirectory-relative paths
- adds a migration to put the subdirectory prefix onto any relative canonical_url paths
- updates the canonical_url input serialiser to keep the subdirectory rather than stripping it to match all other url fields
2019-08-05 13:56:28 +01:00
Fabien O'Carroll
21427ad73f
Created DB Backup integration (#10974)
* Simplified db controller permissions options

The existing objects were confusing because they did the same thing as
setting permissions to true, but gave the impressions that something
special was happening/required.

* Added DB Backup Integration Role

This will allow us to assign certain api_keys this role, in order to
automate db backups

* Allowed admin api_keys to have configurable roles

This will allow keys for the admin api to do customised things such as db export

* Added ghost-backup integration to fixtures

* Added migrations for DB Backup Integration and role
2019-08-02 17:28:02 +08:00
Rish
5f9f5ea0d5 Refactored oembed controller data validation
refs #10060

- Uses validation layer for checking url data on oembed requests
- Fixes typo in comment
2019-08-01 17:13:12 +05:30
Nazar Gargol
db9eed6288 Switched to use v2 http module instead of ovelooked v1
- Small adjustments in controller that came along with the switch
2019-08-01 13:06:15 +02:00
Nazar Gargol
956da204f2 Expanded authentication test suite with cases for password reset flow
- Added missing endpoint coverage
- Minor fixes with formatting and validations uncovered by the test
- Added same test to v0.1 coverage
2019-07-30 22:48:59 +02:00
Nazar Gargol
3945e8a5ee Added missing doSettings call in updateSetup 2019-07-30 16:52:37 +02:00
Nazar Gargol
589b78d575 Added missing validator to updateSetup method
- This is the code corresponding to processArgs function in v1 authentication.updateSetup method
2019-07-30 16:37:32 +02:00
Nazar Gargol
c7a836b926 Renamed sendNotification to sendWelcomeMail
- The only thing the method does now is sending welcome mail, so new naming seems natural :)
2019-07-30 16:15:53 +02:00
Nazar Gargol
7b97c1ada1 Added missing notification email when setting up a site 2019-07-30 15:42:16 +02:00
Nazar Gargol
8b651bff9d Migrated authentication.updateSetup method to v2 2019-07-25 17:12:39 +02:00
Nazar Gargol
4441ee15a0 Migrated authentication.isSetup method to v2 2019-07-25 17:13:05 +02:00
Nazar Gargol
ddabd5e808 Migrated setup method 2019-07-25 17:12:39 +02:00
Nazar Gargol
a5990e555b Fixed lint error 2019-07-25 17:12:39 +02:00
Nazar Gargol
132e278a22 Migrated authentication.isInvitation method to v2 2019-07-25 17:12:47 +02:00
Nazar Gargol
f4b97d3bc8 Migrated authentication.acceptInvitation method to v2 2019-07-25 17:12:39 +02:00
Nazar Gargol
4da03a38b6 Corrected debug namespace 2019-07-25 17:12:39 +02:00
Nazar Gargol
8135d4d188 Added validation layer to password reset
- Adding a new method in all.js seems a little dirty, but that seems like the best place for now as similar method was added for changePassword method
2019-07-25 17:12:39 +02:00
Nazar Gargol
b3ed11719e Migrated authentication.resetPassword method to v2 2019-07-25 17:12:20 +02:00
Kevin Ansfield
1aa7e368a2
🎨 Added url value to the Content API /settings/ endpoint (#10946)
closes https://github.com/TryGhost/Ghost/issues/10945

- adds the `url` property to the returned output manually because it's a config value rather than a settings value
2019-07-24 11:12:07 +01:00
Kevin Ansfield
2b6830b747 Ensured Admin API cannot fetch internal integrations (#10501)
no issue

- Forced a filter on read and browse requests to the integrations endpoint to limit fetches to only "custom" and "builtin" integration types
- Expanded test coverage for "internal" integrations
2019-07-24 11:52:55 +02:00
Nazar Gargol
bf5824a7ba Fixed ability for the owner to change password of other users
closes #10927

-  Previous fix 2823c0b342
- It didn't work because the validation layer in "frame" doesn't take into account the value under `required` property of the controller, so to prevent validation on the field whole `required` key/value have to be removed
- Removed unused variables
- Extended regression suite to prevent similar problems in the future
2019-07-22 19:00:21 +02:00
Aileen Nowak
496f873ac4
Updated links to docs (#10941)
no issue
2019-07-22 18:17:50 +08:00
Fabien O'Carroll
078060abdc
Refactored members service logging and errors (#10919)
* Installed @tryghost/members-ssr@0.2.1

refs https://github.com/TryGhost/Members/issues/38

This updates allows for dynamic access of the membersApi, which will be
used in future when replacing the membersApi instance with a newly
configured one.

* Set the membersApiInstance logger to use common.logging

refs https://github.com/TryGhost/Members/issues/38

Passes the Ghost logger to the members api, so that we can keep an eye
on errors produced by the api.

* Refactored memberService use to always use getter

refs https://github.com/TryGhost/Members/issues/38

This will allow us to switch out the membersApi and the consumers of it
to have the updated reference by going through a getter.

* Installed @tryghost/members-api@0.3.0

refs https://github.com/TryGhost/Members/issues/38

Adds support for setting the logger

* Uninstalled stripe@7.0.0

refs https://github.com/TryGhost/Members/issues/38

The stripe module is now a dep of members-api, as it should be

* Updated members service to reconfigure settings

refs https://github.com/TryGhost/Members/issues/38

Previously we were unable to stop an invalidly configured members api
instance, now that we create a new instance, we can wait for the ready
or error event and only switch it out then.
2019-07-18 15:37:11 +08:00
Rish
01ea872af2 🐛 Fixed cache invalidation header on theme override
closes #10920

- Fixed incorrect property name to correctly set cache invalidation header on theme override
2019-07-17 18:41:25 +05:30
Naz Gargol
46706646e3
Refactored authentication controller v0.1 (#10893)
refs #10060

- Modules extractions done here are meant to make upcoming migration of authentication controller to v2 more manageable and reduce code repetition
- There were couple modules extracted for different areas that controller touches: passwordrest, accept (for invitation), setup 
- The aim was to keep changes to the minimum while making small readability improvements to new functions through async/await syntax
- The biggest barrier to make more encapsulated functions was the fact that we mutate options parameter on multiple levels in the controller. e.g mutations of options.data during validation on the password reset ties it up to the implementation of doReset function
2019-07-17 12:28:16 +02:00
Vikas Potluri
2823c0b342 🐛 Allowed administrators to change other users' passwords (#10891)
closes #10427

- Administrators don't know other users' passwords, but they should be able to change other users' password
- Don't require oldPassword to be provided
2019-07-15 14:19:31 +08:00
Rish
e26635620e 🐛 Fixed theme upload error when overriding existing
no issue

- Cache invalidation header was set wrongly in frontend theme service
- This moves cache invalidation out of theme service to themes controller by passing `themeOverriden` flag along with theme
2019-07-11 15:34:15 +05:30
Naz Gargol
f3ec2fb2f7
Cleaned up theme service (#10884)
refs #10790

- Following TODO in theme index file was waiting for 2 years, and today is the day to cross it out:
- "Reduced the amount of things we expose to the outside world"
- "Made this a nice clean sensible API we can all understand!" - by @ErisDS
- Cleaned exposed methods from themes module
- Removed unused storage getter
- Removed list method
- Removed validate method
- Renamed Storage to ThemeStorage
  - Named the file the same way the class defined inside of it is named
  - Naming was conflicting with coming rename of  `settings` -> `storage`
- Renamed theme settings to storage
2019-07-09 16:35:18 +02:00
Nazar Gargol
bc8f8979c1 Removed stray use of urlService.utils
refs #10773

- All instances of `urlService.utils` were previously migrated to use standalone SDK module `url-utils`
2019-07-08 17:53:29 +02:00
renovate[bot]
db53ac0721 Update Test & linting packages (major) (#10858)
no issue 

- Updated Test & linting packages
- Updated use of hasOwnProperty
- Using Object.prototype.hasOwnProperty instead (ref. eslint.org/docs/rules/no-prototype-builtins)
- Removed already defined built-in global variable Intl
- Applied `--fix` with lint command on `core/test` folder
- The rules were broken because some of them were made stricter for `eslint: recommended` ruleset (ref. https://eslint.org/docs/user-guide/migrating-to-6.0.0#eslint-recommended-changes)
- Removed redundant global variable declarations to pass linting
2019-07-05 13:40:43 +02:00
Naz Gargol
4529ab514c
Themes controllers code extraction (#10818)
refs #10790

- Extracted 'setFromZip' method into themes services
- Extracted 'activate' method
- Extracted 'destroy' method
- Extracted 'download' method
- The method name here tries to follow 'setFrom...` convention we've agreed upon. So, in this case, we have get() which returns JSON response and getZip() which returns a file
2019-07-01 16:56:23 +02:00
Naz Gargol
8ae5db9922
Extracted frontend code from settings API controllers (#10797)
* Moved settings#upload method out of settings controller

* Moved out code from download to serve method

* Moved API v0.1 settings upload/downalod routes.yaml methods to use setting handler service

* Reverted unintended change

* Moved RoutesHandler into settings module

- To keep in convention with settings described in - https://github.com/TryGhost/Ghost/issues/9528 , extracted routes handler into separate settings folder

* Frontend settings for API v0.1

* Renamed 'routes' to 'dynamic-routing'

* Renamved activate/serve methods as suggested in discussions

* Moved settings dynamicRouting to routing.settings
2019-06-21 16:52:07 +02:00
Naz Gargol
be27db46eb
Extracted frontend code from redirects API controllers (#10798)
refs #10790

- The code was moved out of controllers to reduce the number of coupling points between the API controllers and "frontend" services
- A nice side effect of this move is a decreased amount of code that will need to be maintained and reusability between existing controllers
- Calling just a few methods from frontend services on API level makes it easier to abstract fronted away from API
2019-06-21 16:50:16 +02:00
Nazar Gargol
c7522f896b Moved settings dynamicRouting to routing.settings 2019-06-21 16:34:17 +02:00
Nazar Gargol
a84c15689e Renamved activate/serve methods as suggested in discussions 2019-06-21 13:58:26 +02:00
Nazar Gargol
f3b4e2e39a Renamed 'routes' to 'dynamic-routing' 2019-06-21 13:12:23 +02:00
Nazar Gargol
19d3c4bc5c Frontend settings for API v0.1 2019-06-20 17:20:44 +02:00
Nazar Gargol
61dc9e8c24 Moved RoutesHandler into settings module
- To keep in convention with settings described in - https://github.com/TryGhost/Ghost/issues/9528 , extracted routes handler into separate settings folder
2019-06-20 16:58:26 +02:00
Nazar Gargol
06a6dc835d Moved API v0.1 settings upload/downalod routes.yaml methods to use setting handler service 2019-06-20 13:34:22 +02:00
Nazar Gargol
8709f5cc55 Moved out code from download to serve method 2019-06-20 13:23:58 +02:00
Nazar Gargol
c3b14f82fd Moved settings#upload method out of settings controller 2019-06-20 13:19:22 +02:00
Nazar Gargol
58a077564f Fixed stray rename after frontend extraction
refs #10790

- The name should be themeService as everywhere else in the codebase
2019-06-19 17:58:07 +02:00
Naz Gargol
df7e64fafa
Extracted frontend folder (#10780)
refs #10790

- Moved /core/apps into core/frontend
- Moved /core/server/helpers to /core/frontend/helpers along with /core/server/services/themes
- Changed helper location in overrides
- Moved /core/server/services/routing to /core/frontend/services
- Moved /core/server/services/url to /core/frontend/services
- Moved /core/server/data/meta to /core/frontend/meta
- Moved /core/server/services/rss to /core/frontend/services
- Moved /core/server/data/xml to /core/frontend/services
2019-06-19 11:30:28 +02:00
Naz Gargol
abda6e6338
Migrated to use url-utils from Ghost-SDK (#10787)
closes #10773

- The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK
- Added url-utils stubbing utility for test suites
- Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
2019-06-18 15:13:55 +02:00
Hannah Wolfe
d1e3205569 Add url as context to oembed unknownProvider error
- This is so that we can use logs to see urls that turn up with this error
2019-06-13 12:57:02 +01:00
Fabien O'Carroll
53b884ec2b
Refactored json-schema to use one instance of ajv (#10746)
refs https://github.com/TryGhost/Team/issues/211

Previous code was creating a new ajv instance for each call, as well as
loading the schemas, which are cached. This was causing a memory leak as
ajv caches all schemas.

We've replaced it with one instance of ajv, and conditionally
loading/compiling the schemas if they haven't been seen before.
2019-05-15 13:28:10 +02:00
Aileen Nowak
b2ed906773 🎨 Allowed protocol overwrite for canonical URLs (#10729)
closes #10709

- Only transform a canonical URL that is identical with the Blog URL to a relative URL when the protocol matches as well
- Leave the canonical URL absolute for all other cases
- Use case for this is e. g. when users want to port over their Facebook comments/shares/likes after a move from `http` to `https`
2019-05-06 15:27:54 +02:00
kirrg001
a31ed7c71d Added comments for Ghost API
no issue

- jsdoc
- added more information & context
2019-05-06 14:49:25 +02:00
Nazar Gargol
cb322fc1be Improved error context usage
refs #10571

- Change was done to avoid usage of hardcoded value and provide more context. Additionally errorDetails are formatted in a readable way
2019-04-23 09:45:11 +02:00
Nazar Gargol
cea598597b Restructured theme check logic
refs #10571

- Removes dependency on 'context' property being set in error when
checking a theme
- Refactoring was needed to be able to avoid passing checked theme as a
part of thrown error (logic was relying on error having this specific
data in context property). This created a problem where we controlled
the logic flow with data in error object.
- Introduced 2 different types of theme check handling, one behaves the
same way as before, the other gives more granulac control to the caller
to decide what to do with returned errors.
2019-04-22 22:34:12 +02:00
Nazar Gargol
e1dca54bf7 🎨 Made notifications dismissible per user
refs #10656

- To make sure more users see important updates or announcements
notification dismissal now works per user instead of globally
- Expanded acceptance test for notification deletion
- Expanded regression test covering multiuser dismissal of notification
- Added clarifying comment about destroyAll method use in API
2019-04-19 09:43:14 +02:00
kirrg001
22c2d0cbcb Added comments for update check service
no issue

- jsdoc
- inline comments
- clarified variable names
2019-04-17 20:03:26 +02:00
Nazar Gargol
c519ce55e3 Fixed failing integration test
refs #9875

- Moved the comment about filtering by version closer to version checks as it doesn't apply to whole `.filter(...)` block
2019-04-17 14:48:09 +02:00
Nazar Gargol
1211c70eb3 🐛 Fixed Ghost out of date notification
closes #9875

- The solution here is a quick patch and should be cleaned up once https://github.com/TryGhost/Ghost/issues/10236 is implemented
2019-04-16 18:29:51 +02:00
Fabien O'Carroll
f9899cb8c4
Updated theme layer to use members-ssr (#10676)
* Removed support for cookies in members auth middleware

no-issue

The members middleware will no longer be supporting cookies, the cookie
will be handled by a new middleware specific for serverside rendering,
more informations can be found here:

https://paper.dropbox.com/doc/Members-Auth-II-4WP4vF6coMqDYbSMIajo5

* Removed members auth middleware from site app

no-issue

The site app no longer needs the members auth middleware as it doesn't
support cookies, and will be replaced by ssr specific middleware.

https://paper.dropbox.com/doc/Members-Auth-II-4WP4vF6coMqDYbSMIajo5

* Added comment for session_secret setting

no-issue

We are going to have multiple concepts of sessions, so adding a comment
here to be specific that this is for the Ghost Admin client

* Added theme_session_secret setting dynamic default

no-issue

Sessions for the theme layer will be signed, so we generate a random hex
string to use as a signing key

* Added getPublicConfig method

* Replaced export of httpHandler with POJO apiInstance

no-issue

This is mainly to reduce the public api, so it's easier to document.

* Renamed memberUserObject -> members

no-issue

Simplifies the interface, and is more inline with what we would want to export as an api library.

* Removed use of require options inside members

no-issue

This was too tight of a coupling between Ghost and Members

* Simplified apiInstance definition

no-issue

* Added getMember method to members api

* Added MembersSSR instance to members service

* Wired up routes for members ssr

* Updated members auth middleware to use getPublicConfig

* Removed publicKey static export from members service

* Used real session secret

no-issue

* Added DELETE /members/ssr handler

no-issue

This allows users to log out of the theme layer

* Fixed missing code property

no-issue

Ignition uses the statusCode property to forward status codes to call sites

* Removed superfluous error middleware

no-issue

Before we used generic JWT middleware which would reject, now the
middleware catches it's own error and doesn't error, thus this
middleware is unecessary.

* Removed console.logs

no-issue

* Updated token expirty to hardcoded 20 minutes

no-issue

This returns to our previous state of using short lived tokens, both for
security and simplicity.

* Removed hardcoded default member settings

no-issue

This is no longer needed, as defaults are in default-settings.json

* Removed stripe from default payment processor

no-issue

* Exported `getSiteUrl` method from url utils

no-issue

This keeps inline with newer naming conventions

* Updated how audience access control works

no-issue

Rather than being passed a function, members api now receives an object
which describes which origins have access to which audiences, and how
long those tokens should be allowed to work for. It also allows syntax
for default tokens where audience === origin requesting it. This can be
set to undefined or null to disable this functionality.

{
    "http://site.com": {
        "http://site.com": {
            tokenLength: '5m'
        },
        "http://othersite.com": {
            tokenLength: '1h'
        }
    },
    "*": {
        tokenLength: '30m'
    }
}

* Updated members service to use access control feature

no-issue

This also cleans up a lot of unecessary variable definitions, and some
other minor cleanups.

* Added status code to auth pages html response

no-issue

This was missing, probably default but better to be explicit

* Updated gateway to have membersApiUrl from config

no-issue

Previously we were parsing the url, this was not very safe as we can
have Ghost hosted on a subdomain, and this would have failed.

* Added issuer to public config for members

no-issue

This can be used to request SSR tokens in the client

* Fixed path for gateway bundle

no-issue

* Updated settings model tests

no-issue

* Revert "Removed stripe from default payment processor"

This reverts commit 1d88d9b6d73a10091070bcc1b7f5779d071c7845.

* Revert "Removed hardcoded default member settings"

This reverts commit 9d899048ba7d4b272b9ac65a95a52af66b30914a.

* Installed @tryghost/members-ssr

* Fixed tests for settings model
2019-04-16 16:50:25 +02:00
Fabien O'Carroll
b3f66c6c91 Blacklisted private member settings for HTTP calls
no-issue

Previously it was possible to fetch the private key and session secret
for the members service, this is a security issue as we do not have
specific permissions for individual settings yet, and could have
possibly exposed secrets to admin integrations.
2019-04-16 14:39:01 +02:00
Rishabh Garg
c03ca79c66
Added Admin API for deleting members (#10673)
no issue

- Added new API to delete members
- Added methods to handle e2e member deletion
- Deleting member via Admin leads to
  - Removal of member from payment processor and cancelling all active subscriptions immediately
  - Removal of member information from DB
2019-04-13 10:38:56 +05:30
kirrg001
1e6f4ba340 🐛 Fixed Admin API v2 wasn't returning preview url
no issue

- Admin API v2 returned /404/, see comment in code base:

/**
* CASE: admin api should serve preview urls
*
* @NOTE
* The url service has no clue of the draft/scheduled concept. It only generates urls for published resources.
* Adding a hardcoded fallback into the url service feels wrong IMO.
*
* Imagine the site won't be part of core and core does not serve urls anymore.
* Core needs to offer a preview API, which returns draft posts.
* That means the url is no longer /p/:uuid, it's e.g. GET /api/v2/content/preview/:uuid/.
* /p/ is a concept of the site, not of core.
*
* The site is not aware of existing drafts. It won't be able to get the uuid.
*
* Needs further discussion.
*/
2019-03-21 19:08:38 +01:00
Kevin Ansfield
507d8b32db
Fixed previews not reflecting changes to scheduled posts on Ghost(Pro) (#10601)
closes https://github.com/TryGhost/Ghost/issues/10600
- modifies conditions for when to send a cache invalidation header for preview URLs to include changes to scheduled posts
2019-03-12 18:35:54 +00:00
Naz Gargol
34fad7eaaf
Added Canonical URL support to posts&pages in Admin & Content API v2 (#10594)
refs #10593

- Added `canonical_url` field to post&pages resources in Admin & Content APIs
- Support for canonical URL on metadata layer (used in {{ghost_head}} helper)
- Made sure the new field is not accessible from API v0.1 
- Added handling same domain relative and absolute URLs
2019-03-12 17:51:29 +08:00
kirrg001
0c583135ba Added TODO to settings input serializers
no issue

- we need these rules globally
2019-03-11 20:07:48 +01:00
kirrg001
20ab9651dc Removed force_i18n in API v2 settings serializer
refs #10582

- deprecated
- won't serve
- won't save
2019-03-11 20:07:48 +01:00
kirrg001
037ac4d748 Added input serialization for settings API v2 to transform "0"/"1" booleans
refs #10582

- otherwise we will forward string booleans to model layer
- causes trouble if we trigger events
- causes trouble if we want to add conditions to the model e.g. setting.get('value') ?
2019-03-11 20:07:48 +01:00
Nazar Gargol
9a831d1306 Fixed url for settings images saved in the db
closes #10590

- All images stored in the db should be relative urls and should only be served as absolute
2019-03-11 11:59:06 +08:00
Katharina Irrgang
04c60b4ce1
🐛 Fixed private blogging getting enabled when saving any setting (#10576)
no issue

- Reported here: https://forum.ghost.org/t/in-version-2-16-3-found-bug/6065/3

---

Admin Client sends false or true booleans for `is_private` key.

The settings table has two columns "key" and "value". And "value" is always type TEXT.

If you pass value=false, the db will transform this value into "0".
`settingsCache.get('is_private')` is then always true, even though the value is meant to be false.

We should add a migration in v3 and normalize all setting values to ensure consistent database values. Furthermore, we should improve the handling around settings values in general.

For now, we protect parsing values from DB, which we anyway need to transform the values into the correct data type, because we always save strings. This will protect values being stored as "false" or "1" or whatever.
2019-03-06 12:56:26 +01:00
kirrg001
e79fc9a9be Fixed incorrect codeinjection_* assignment
no issue

- discovered while testing
2019-03-05 11:00:16 +01:00
Nazar Gargol
30c005f848 🐛 Fixed field filtering for /authors/:id endpoints
closes #10512

- Removed field filtering in blog owner fetching because it didn't work before (fields weren't reduced) and now broke generated sql queries (ambiguous id field)
2019-03-05 15:18:32 +08:00
Nazar Gargol
62c4ae119d 🐛 Fixed field filtering for /tags/:id endpoints
refs #10512

- Fixed ability to fetch specific fields when fetching tag resource by id
- Also only returning `url` field when specified in `fields` parameter
2019-03-05 13:17:38 +08:00
kirrg001
97cf337907 🐛 Fixed 404 when trying to update codeinjection_* settings in Admin API v2
refs #10560
2019-03-04 22:59:13 +01:00
kirrg001
449bae9a48 🐛 Fixed missing "value" property for settings Admin API v2
closes #10518

- we had a very generic logic to remove "unwanted" null values
  - copied from v0.1
  - originally added in 7d4107fec4
- this logic transformed: settings = [{key: 'key', value: null}] to [{key: 'key'}], which is wrong
- i've removed this generic logic completely, because i don't know which purpose it serves
- if there a specific case where we want to remove null values, we should either use the JSON schema or use a specific serializer for the target resource
- added tests to proof that settings API behaves as it should
- one test failed because we removed the isNull logic -> if you send published_at = null on a published post
  - the model layer has a piece of logic to force a date if you set published_at to null if the status is published
  - protected
2019-03-04 20:06:53 +01:00
Kevin Ansfield
5a7356de5b 🐛 Fixed excerpt property being missing if plaintext is NULL or ""
closes https://github.com/TryGhost/Ghost/issues/10558
- added conditional to explicitly set `excerpt` to `null` in the API output serializer when a post has no `plaintext` or `custom_excerpt` value
2019-03-04 14:30:26 +00:00
Rish
20a898a986 Refactored members auth flow with dynamic settings
no issue

- Updated members auth flow UI
- Updated members settings and routing to be dynamic
2019-02-26 15:43:36 +07:00
kirrg001
90aef4f6c9 Stripped "excerpt" and "plaintext" from API v2 schema
no issue

- exceprt -> virtual field
- plaintext -> generated field
2019-02-26 09:07:14 +01:00
kirrg001
38e93c19b5 Reverted & Solved apiType differently
no issue

- was unable to revert 9dd7aff9c6, because it contains members changes
- functional calls did not work correctly, because the content and admin ctrl differentiation happend in the web layer
- `isContentAPI` returned true for `api.v2.settings.edit(data, {context: {internal:true{})`
- content & admin API are using different controllers
- we can just tell which ctrl is content API and which is not
- the direction fits for the content & admin API split
2019-02-26 08:33:10 +01:00
kirrg001
46d7a5666e Renamed authors ctrl to authors-public
no issue

- consistency
2019-02-26 08:33:10 +01:00
kirrg001
7a2398b7f2 Fixed error handling for API frame
no issue

- throwing an object from a catch handler is not a good idea
- unexpected and broke functional call to API (always returned a 500, because API returned {err: err, method: ...}
2019-02-26 08:33:10 +01:00
Nazar Gargol
3baf52fba9 Added 'property' field to errors returned from API
refs #10438
2019-02-26 13:41:13 +07:00
kirrg001
370f3bbcc0 Removed single author serializer from v2
no issue
2019-02-25 23:35:09 +01:00
kirrg001
d6872de0b2 Added "useGravatar" to config endpoint in Admin API v2
no issue
2019-02-25 15:39:47 +01:00
kirrg001
3278e8df22 Returned prefix for site & config response
no issue

- otherwise it's super inconsistent to our other responses
- we always expose the resource type first
2019-02-25 13:24:19 +01:00
kirrg001
bd7da54ce3 Changed config endpoint for Admin API v2
no issue

- re-designed config endpoint
- timezones.json should live in Ghost-SDK long-term
2019-02-25 13:24:19 +01:00
kirrg001
f9974a91a9 Added public /site endpoint to Admin API v2
no issue
2019-02-25 13:24:19 +01:00
kirrg001
b5155e280e Returned tags & authors by default for Admin API v2
no issue

- tags, authors, authors.roles by default
2019-02-25 13:22:50 +01:00
kirrg001
28a222703b Added computed "excerpt" field to Admin API v2
no issue
2019-02-25 13:22:50 +01:00
kirrg001
e65a82833c Changed default format from html to mobiledoc for Admin API v2
no issue

- Ghost-Admin needs mobiledoc only
- Ghost-Android needs mobiledoc only
- any other client can fetch other formats using the query param
2019-02-25 13:22:50 +01:00
Nazar Gargol
f558b58c89 Combined /images* endpoints into /images/upload
- refs #10438

- /images/upload now accepts all the image uploads and distinguishes their purpuse using new `purpose` form data field
2019-02-25 19:15:16 +07:00
kirrg001
23fed961e5 Removed requirement to provide authors for admin api keys
no issue

- we just fallback to owner user
- reason: consistent with how the importer works, easier to work with the API
2019-02-25 09:16:32 +01:00
Nazar Gargol
50ea7f0eff Added user friendly error messages to Admin API
refs #10438

- Adds new fields to errors returned from API:  help, code, and id
- Makes `message` more descriptive towards non technical users
2019-02-25 10:40:35 +07:00
kirrg001
0665c72dda Removed primary_tag & primary_author if null from Admin API v2
refs #10438

- "null" means the resource does not exist (it was sett to "null"), which is not true
- we won't serve primary_tag and primary_author by default
- TODO: add the same change to the Content API v2 (raise issue)
2019-02-24 13:31:43 +01:00
kirrg001
377d7e4271 Removed serving primary_tag when members is enabled
no issue

- Content API v2 served primary_tag by default if members flag is enabled
- reference: b2201d4179
- it's safe to remove, because members is behind the dev flag
2019-02-24 11:54:04 +01:00
Nazar Gargol
9d4b0c09a8 Renamed uploads to images
refs #10438

- As the support of /uploads endpoint has been dropped in Admin API, all related files have to correspond to new naming
2019-02-24 11:18:45 +07:00
kirrg001
48bd7a094c Stripped virtual fields from Admin API v2: primary_tagg & primary_author
refs #10438

- you cannot add or update these fields
- these are virtual fields
2019-02-23 22:58:57 +01:00
kirrg001
4fb783d4a3 Stripped virtual field from Admin API v2: "url"
refs #10438
2019-02-23 22:31:23 +01:00
Katharina Irrgang
a361a8d7c0
Added support for short format when attaching authors/tags in Admin API v2 (#10505)
closes #10504

- both formats are supported
2019-02-22 13:01:04 +01:00
Nazar Gargol
55289d04c8 Changed response structure for /images
refs #10438

- To make response structure future proof and conform to the rest of API responses /images* now returns an object with url property instead of plain url string
2019-02-22 18:17:44 +07:00
Katharina Irrgang
dfd350bd69
Cleaned up Admin API v2 posts/pages input serializer (#10516)
no issue

- make use of filter instead of status=all or data.page
- nql was designed to filter data on database layer
- do not break v0.1
- we just got rid of the "status" query param, you should use the filter instead
- get rid of the ugly condition to remove page field if "fields" param was used
- allow filtering on model layer for "findOne"
  - do not allow filtering for "findOne" on API layer for now
  - the API controller defines what is allowed
  - the model layer can allow more by default
  - we can re-use the powerful filter logic without adding hacks
2019-02-22 12:07:34 +01:00
Katharina Irrgang
0a70226128 Separated pages & posts in Admin API v2 (#10494)
refs #10438, refs #10106

* Renamed existing pages ctrl
* Splitted posts & pages for Admin API v2
* Added pages JSON input schema for Admin API v2
* Removed single author for Content & Admin API v2
  - single author is not documented
  - single author usage is deprecated in v0.1
  - single author usage is removed in API v2
* Splitted posts & postsPublic controller for v2
* Removed requirement to send `status=all` from Admin API v2
* Removed `status` option from pages Content API v2
* Removed `status` options from Users Admin API v2
2019-02-22 10:17:14 +07:00
kirrg001
cf8622ea99 Removed "status" query option from Authors Content API v2
no issue

- this is either documented, not does it work
- the Content API returns authors independing on the status
- filtering by status should not work, because otherwise you could guess the status of a user
- we do not expose the status (!)
2019-02-21 12:24:16 +01:00
kirrg001
0dd3aad2d0 Required updated_at for Admin API v2 when updating a post/page
refs #10438

- the `updated_at` functions as version control value
- it is required for collision detection
- we might redesign this feature at some point
2019-02-21 08:39:17 +01:00
Nazar Gargol
9020293e61 Added posibility to accept html as an input source for post
closes #10471

- Allows accepting HTML input for /posts endpoint when `?source=html` is
present in query parameter along with `html` in request payload
2019-02-15 18:58:46 +00:00
Nazar Gargol
18921747bb Added check for empty name for tags
refs #10438

- Also corrected and expanded test cases for tag validation
2019-02-15 13:19:06 +00:00
Nazar Gargol
921f9d394f Removed posts.tags.parent sanitation
refs #10438

- As we strip parent and parent_id fields in /tags endpoint, similarly stripping it for posts related tags
2019-02-15 12:19:49 +00:00
Nazar Gargol
c58e03a359 Added stricter validation for post.authors
refs #10438

- By stripping relational fields, it allows to remove redundant code in post input serializer
2019-02-15 12:19:49 +00:00
Nazar Gargol
e305d5e9cb Skiped 'all' validations for posts/tags endpoints
refs #10438

- Skipped validations that are now handled on JSON Schema level and would make sure error messages are consistent for these endpoints
2019-02-15 12:19:49 +00:00
Katharina Irrgang
40f359a238 🐛 Fixed night mode when using API v2 (#10499)
no issue
2019-02-15 12:15:37 +00:00
Fabien O'Carroll
9dd7aff9c6
Updated Content API to use members plans to determine permission (#10483)
no-issue


* Refactored hideMembersOnlyContent to 3 "stages"
* Exported paymentConfigured flag from members service
* Updated Content-API to check members service for paymentConfigured
* Updated members content output serializer to remove content if plan required and no plan
* Updated isContentAPI method
* Moved api util test
2019-02-14 18:17:02 +01:00
Nazar Gargol
5f7c2b4d87 Improved error messaging returned from JSON Schema validations
refs #10438
2019-02-14 10:52:42 +00:00
Nazar Gargol
fa42a71181 🐛 Fixed validation error when adding tag from PSM
refs #10438

- Relaxed validation rules for tag.slug property to allow 'null' values
2019-02-14 10:04:02 +00:00
Katharina Irrgang
c2b3520652
Removed id restriction for posts relations in Admin API v2 (#10489)
refs #10438

- we now try to match by slug or id or email
- fallback to owner
- you cannot create a user via post endpoint
- Ghost uses the invite flow to add users
- get rid of `id` restriction on API level
2019-02-13 20:38:25 +01:00
Fabien O'Carroll
6bdeeaba10
Added apiType property to frame for {Content,Admin} API (#10487)
no-issue

This sets the `apiType` property of the `frame` to 'content' and 'admin'
for the Content & Admin API respectively.
2019-02-13 16:59:10 +01:00
Katharina Irrgang
90c421a8a8 Removed client credentials from Admin API v2 (#10485)
refs #10438
- v2 does not use client credentials anymore
- exception: scheduler & backup clients
2019-02-13 13:51:51 +00:00
Naz Gargol
ae437a89dd
Updated posts JSON Schema with 'strip' properties (#10488)
refs #10438
refs #9100

- Added 'strip' attributes to properties that need to be ignored
- Relaxed 'uri' format to 'uri-reference'
- Made input array for posts more restrictive
2019-02-13 13:34:45 +00:00
Naz Gargol
40cc6e6548
Added JSON Schema validations for /tags (#10486)
Added JSON Schema validations for /tags endpoints

refs #10438
refs #9100

- Added JSON Schemas for POST/PUT /tags endpoints
- Added 'strip' keyword definition schema allowing to strip data and not throw errors on further validation stages
2019-02-13 12:26:32 +00:00
kirrg001
f8b62a063b Removed more unused fields from Admin API v2 response
refs #10438

- these fields are not used
- no need to expose them in v2
- we will either remove them in the next major or use them for new features (will see)
2019-02-13 11:42:08 +01:00
kirrg001
36547a9c3a Removed ghost_auth_id from Admin API v2 response
refs #10438

- unused field
- no need to expose this field
2019-02-12 23:36:42 +01:00
kirrg001
db148e653f Removed tag.parent from Admin API v2 response
refs #10438

- this is an unused field
- no need to expose this field
- if we start working on nested tags, this field might become interesting/used
2019-02-12 19:26:31 +01:00
Nazar Gargol
d0d299285c Fixed tests for post input serialization
refs #10472

- Moved config related variable into function scope, so it can be reset by unit tests
- e47d1e275f broke the build and is being fixed by this commit
2019-02-12 12:04:18 +00:00
Nazar Gargol
e47d1e275f Fixed image URL to be stored as relative in mobiledoc
refs #10477
closes #10472

- Adds transformation for any asset absolute URL's into relative used in mobiledoc
2019-02-11 19:20:16 +00:00
Nazar Gargol
d299e8676f Fixed JSON Schema validation error message format
refs #10438
2019-02-08 12:17:39 +00:00
Nazar Gargol
28986b3b77 Fixed post.tags validation schema
refs #10438

- Change oneOf to anyOf to allow any of the required fields
2019-02-08 11:29:42 +00:00
Nazar Gargol
96cdde80b9 Fixed validation error when creating new tag from PSM
refs #10438

- Expanded required fields for related tags to have either one of 'id', 'slug' or a 'name' field
2019-02-08 11:02:18 +00:00
Naz Gargol
19643c75dd
Added JSON Schema validation for /posts endpoint (#10468)
refs #10438

- Added  validation helper based on JSON schema
- Added schema validation for POST/PUT in /posts endpoints
- Refactored existing authors validation test suite
- Extended test coverage with a minimally required structure of post.add validator
2019-02-08 10:40:58 +00:00
kirrg001
e1436e2985 Required "event" & "target_url" for webhook creation
refs #10461
2019-02-07 23:21:59 +01:00
kirrg001
b83232bf0c Added more webhooks & changed payload
refs #10461

- do not break the existing webhooks by keeping both payload formats for subscribers events
- refactored webhooks service to run models through target API version
- added new events described in the target issue reference
- this refactoring & enhancement is undocumented, further breaking changes will happen because we are actively working on: https://github.com/TryGhost/Ghost/issues/10438
2019-02-07 23:14:27 +01:00
kirrg001
7810140f15 Avoided site.changed event if nothing has changed
refs #10461
2019-02-07 22:08:36 +01:00
kirrg001
a8e0a173c2 Redefined context.integration
no issue

- we only have access to the ID at the moment
- we really don't want to end up in the same situation as with "context.user"
2019-02-06 21:36:09 +01:00
kirrg001
2fd4cbb93b Added v2 actions endpoint
refs #10431

- added v2 endpoint with browse permissions
- context.integration was never accessible in the model layer
  - why? https://github.com/TryGhost/Ghost/issues/10099
2019-02-06 21:36:09 +01:00
Aileen Nowak
93b936d2fb Added back "theme.uploaded" analytics event (#10450)
no issue

- With the changes in 79ca6c575c we removed old unused events
- The theme upload event is still used and needed to be put back
- Added the event emit right after the successful upload of the theme
- Renamed analytics events for more consistency
- We need to add the same event emitter to the v0.1 API as it's not deprecated
- emits a `theme.uploaded` event after the theme was successfully uploaded and saved
2019-02-05 17:38:40 +01:00
kirrg001
93092c8f20 Removed author from Admin API v2 output
refs #10438

- single author is deprecated and get's completely dropped in v3
2019-01-31 16:27:56 +01:00
kirrg001
7f7b477ce9 Fixed error message being unclear when admin api keys create posts without authors
refs #10438

- integrations != users
- Ghost's assumption is: if you create a post, the primary author becomes the logged in user
- we have to require authors for integrations
- short fix and needs some more thoughts later
2019-01-31 16:27:56 +01:00
Nazar Gargol
a463a56971 Changed path returned for uploads to absolute
refs #10438

- This change affects all /uploads/* and /images/* endpoints in Admin API
2019-01-31 15:02:33 +00:00
kirrg001
eafbaaeba5 Added v2 theme controller
refs #10060
2019-01-30 19:45:02 +01:00
Rishabh Garg
8fd4b3f09f
Added new admin API for members (#10435)
no issue

- Added read and browse admin API for members
2019-01-30 17:06:09 +05:30
notanengineercom
631716053a 🐛 Fixed files staying in temp directory after upload is done
closes #10174

- Introduced upload middleware that cleans up temporary files stored by mutler after the request is finished
- Removed redundant fs.remove calls as this work is now handled in newly introduced middleware
2019-01-30 09:24:29 +00:00
Nazar Gargol
bc90b8ec27 🐛 Fixed plaintext attribute error when it is empty
refs #10388

- Issue was caused by migration of empty strings to null 0edacf3fc1
2019-01-29 12:12:10 +00:00
Nazar Gargol
6318b65cab Changed context.api_key_id to an object containing key type information
refs #9865

- Changed id passed for api_key to an object to be able to differenciate between admin and content api requests
- Added integration id to frame context
- Small refactoring of frame context initialization
2019-01-24 17:22:58 +00:00
Nazar Gargol
5fbad09a56 Modified Admin API key output format
refs #9865

- Changed key format to {id}:{secret} so API consumer only has to worry about copying a single value during setup
- Updated key expiration time in getValidAdminToken test helper to match server side expiration check
2019-01-23 17:18:50 +00:00
Katharina Irrgang
4acc375fb6
Bumped knex & bookshelf dependencies (#10404)
refs #9389, refs #9248

- https://github.com/bookshelf/bookshelf/releases/tag/0.14.0
- Bookshelf has fixed it's previous attr handling, see https://github.com/bookshelf/bookshelf/pull/1848
- SQlite3 double slashes was merged into knex and released 👻tgriesser/knex@c746dea
2019-01-21 21:53:11 +01:00
Nazar Gargol
c3e22b6ab9 🐛 Fixed forced page filter not being respected in Content API
closes https://github.com/TryGhost/Ghost/issues/10395, https://github.com/TryGhost/Ghost/issues/10390

- The grouping was introduced due to a flasy conjunction of last filter in 'or' group with enforced page filter, due to this the rest of filters in the 'or' group were bypassed
- Additional grouping added here increases the possiblity of https://github.com/NexesJS/NQL-Lang/issues/7 bug happening
2019-01-21 13:26:45 +00:00
Hannah Wolfe
909f9012ed
Updated docs links to best equivalents (#10386)
* Updated docs links to best equivalents
   - Our documentation has been overhauled, this updates the all the old links sprinkled through Ghost
* Update integrity hash
2019-01-17 06:57:37 +00:00
Rishabh Garg
9d9690987a
🐛 Updated v2 content API output to return null instead of “” for empty fields (#10378)
refs #10345

- We are standardising on returning null from the Content API for any empty values
- Updated `post`, `tag` and `author` APIs
2019-01-15 17:58:51 +05:30
Naz Gargol
1a4497fc9a
🐛 Fixed default resource ordering in Content API (#10371)
refs https://github.com/TryGhost/Ghost/issues/10354

- Added ordering on input serialization layer for posts, pages, tags, and authors
- At the moment ordering is dependent on DB engine which will be resolved with https://github.com/TryGhost/Ghost/issues/6104
2019-01-15 12:21:04 +00:00
Katharina Irrgang
3924acd152
🗑Deprecated ghost_head & ghost_foot in favour of codeinjection_* for Settings API v2 (#10380)
closes #10373

- ghost_head & ghost_foot are deprecated from now on
- we want to remove them in v3
- this short fix is dirty (!)
- we return codeinjection_* for admin & content api
- this is a consistentency change e.g. posts return `post.codeinjection_*`
- need to raise a decoupling refactoring issue for the code comments
2019-01-15 13:03:17 +01:00
kirrg001
95b5fb1c81 Fixed relative image paths for settings v2 admin api
refs #10363
2019-01-14 21:01:12 +01:00
Katharina Irrgang
56db4ddd75
🐛 Fixed API v2 Settings browse returns relative image path (#10370)
closes #10363
2019-01-14 20:36:41 +01:00
Katharina Irrgang
732f97a074
De-aliased api versions in codebase (#10375)
closes #10357
2019-01-14 19:49:55 +01:00
Naz Gargol
48d6e7298a
Refactored content-disposition header handling in API v2 (#10374)
closes https://github.com/TryGhost/Ghost/issues/10331

- Left only a filename part to be handled by controller configuration, the rest was extracted to more generic headers layer
2019-01-14 18:05:16 +00:00
Rishabh Garg
a7ba90dfa1
🐛 Fixed filtering of page attribute when fields query param is used (#10352)
closes #10351

- Updated filtering logic for `page` in output serialisers of post/page in v2
2019-01-11 22:26:34 +05:30
Fabien O'Carroll
76bb40b7c0
Added clause in validation for include to not error (#10350)
* Added clause in validation for include to not error

refs #10337

Here we forgo erroring when an invalid property for include is sent, and
instead remove the invalid properties.

* Fixed authors test

* Fixed validators tests
2019-01-08 12:29:15 +01:00
Hannah Wolfe
954ca8c48f Removed unused visiiblity fields from Content API
refs #10337

- Trying to make the API output as clean as possible,
- We can add these back later if we start using them
2019-01-08 10:00:27 +00:00
Naz Gargol
4177548a84
Migrated redirects controller to API v2 (#10053)
refs #9866

- Migrated redirect routes to use new redirect controller
2019-01-07 11:32:53 +00:00
kirrg001
5548bbb2c1 Removed post.status from Content API v2 response
refs #10335

- only used for the preview feature, which does not remove the status field
2019-01-05 12:11:27 +01:00
kirrg001
a8dc29e794 Reverted page and status not being returned from Content API v2
refs https://github.com/TryGhost/Ghost/issues/10335

- temporary till Monday!!
2019-01-04 20:18:11 +01:00
Katharina Irrgang
30a0b1794a
Added calculated excerpt field to Content API v2 (#10326)
closes #10062

- return `post.excerpt` for Content API v2
- do not use `downsize`, because we might want to get rid of it if we drop v0.1 (downsize does not create good excerpts)
- simple substring of the plaintext field
2019-01-04 19:00:45 +01:00
Hannah Wolfe
5d977f23d4 Added Settings endpoint to V2 Content API
refs #10318

- This settings endpoint returns the commonly used, public information from our settings.
- The values are whitelisted each with a custom name for returning from the endpoint
2019-01-04 12:17:32 +00:00
Hannah Wolfe
80f9765a35 Removed deprecated settings
refs #10318

- cheap and dirty way of removing settings we don't use
- rewritten the settingsFilter function as that was unnecessarily complex
- aslo fixed the require of default-settings in the importer
2019-01-04 12:17:32 +00:00
Hannah Wolfe
ef98c65040
Clean v2 Content API (#10329)
* Removed unused fields from v2 Content API

- We want to ship the v2 Content API as clean and lean as we can
- Many fields in the DB aren't actually used, we shouldn't return these values
- Other values aren't useful outside of Admin clients, and shouldn't be returned either

Fields removed:
- tags: created_at, updated_at, parent
- authors: locale, accessibility, tour
- posts: locale, author status, page
2019-01-04 11:21:21 +00:00
Naz Gargol
d3f3b3dc20
Added plugin based author and public tag models in API v2 (#10284)
refs #10124

- Author model returns only users that have published non-page posts
- Added a public controller for tags (should be extracted to separate Content API controller https://github.com/TryGhost/Ghost/issues/10106)
- Made resource configuration dynamic based on current theme engine
- This needs a follow-up PR with fixes to the problems described in the PR
2019-01-03 20:30:35 +01:00
kirrg001
75037bcb28 Added some deprecation notes for x_by fields
closes #10286

- we will come up with a new activity stream/actions concept soon
2019-01-03 17:14:52 +01:00
kirrg001
789a3c0715 Removed x_by fields from API v2 response
refs #10286

- v2 no longer exposes x_by fields (published_by, updated_by, created_by)
- we will add a brand new concept called activity stream/actions soon
2019-01-03 16:38:52 +01:00
Nazar Gargol
6797da599b Added functional test for import endpoint in API v2
no issue

- This change is a follow up to this bugfix https://github.com/TryGhost/Ghost/pull/10299
- Added default export JSON to keep the state of db test suite intact
- Small typo fixe that noticed while debugging
2019-01-02 14:10:25 +01:00
Kevin Kuang
4a5a5acba7 🐛 Fixed broken content import in Admin API v2 (#10299)
no issue
2018-12-20 11:01:48 +01:00
Aileen Nowak
506d013f25
Ability to not send welcome email (#10293)
no issue

- We need to be able to not send the welcome email if needed
- Intruduces a new possible config setting `sendWelcomeEmail` which is set to `true` by default
2018-12-17 15:02:47 +01:00
Naz Gargol
aa8e75914d
Migrated db controller to API v2 (#10051)
refs #9866

- Migrated db import/export routes to use new db controller
2018-12-17 14:45:09 +01:00
Katharina Irrgang
5d2ab19881
Removed invitedBy from admin API: invitation endpoint (#10291)
refs #10286

- we want to deprecate all `x_by` fields
- we would like to get rid of all usages to be able to easily remove the fields in the future
- `invitedBy` is not used in the admin client
2018-12-17 14:16:39 +01:00
Naz Gargol
aca887a35d
Added async file header handling for API v2 (#10292)
refs #9866
2018-12-17 12:47:19 +01:00
Katharina Irrgang
9d7c3bd726
🐛 Fixed all known filter limitations (#10159)
refs #10105, closes #10108, closes https://github.com/TryGhost/Ghost/issues/9950, refs https://github.com/TryGhost/Ghost/issues/9923, refs https://github.com/TryGhost/Ghost/issues/9916, refs https://github.com/TryGhost/Ghost/issues/9574, refs https://github.com/TryGhost/Ghost/issues/6345, refs https://github.com/TryGhost/Ghost/issues/6309, refs https://github.com/TryGhost/Ghost/issues/6158, refs https://github.com/TryGhost/GQL/issues/16

- removed GQL dependency
- replaced GQL with our brand new NQL implementation
- fixed all known filter limitations
- GQL suffered from some underlying filter bugs, which NQL tried to fix
- the bugs were mostly in how we query the database for relation filtering
- the underlying problem was caused by a too simple implementation of querying the relations
- mongo-knex has implemented a more robust and complex filtering mechanism for relations
- replaced logic in our bookshelf filter plugin
- we pass the custom, default and override filters from Ghost to NQL, which then are getting parsed and merged into a mongo JSON object. The mongo JSON is getting attached by mongo-knex.

NQL: https://github.com/NexesJS/NQL
mongo-knex: https://github.com/NexesJS/mongo-knex
2018-12-11 11:53:40 +01:00
kirrg001
7af2802e14 Added validation for null|undefined values for required keys
closes #10071
2018-12-10 16:33:39 +01:00
kirrg001
ccd9541f75 Replaced hardcoded translation in shared input validator
no issue

- re-use existing keys
2018-12-10 16:33:39 +01:00
kirrg001
812e533554 Corrected incorrect syntax for required propierties
no issue
2018-12-10 16:33:39 +01:00
kirrg001
11f0f1c314 Fixed incorrect validation message for required values
no issue

- the message always showed: `Validation (FieldIsRequired) failed for key`
2018-12-10 16:33:39 +01:00
Nazar Gargol
da7fdfeae6 Extracted trimAndLowerCase utility to shared utility module
refs #9866
2018-12-10 13:56:42 +01:00
Rishabh Garg
bf295a96a8
Added configuration controller to v2 API (#10056)
refs #10060
2018-12-04 09:27:36 +05:30
Katharina Irrgang
e48c28b98f 🐛 Protected Ghost blog against invalid uploaded routes.yaml (#10100)
* 🐛  Protected Ghost blog against invalid uploaded routes.yaml

no issue

- e.g. you upload `filter:tag=this is a wrong filter value`
- ask the url service if it has finished it's work to ensure the upload was successful
- wait 5 seconds till Ghost will bring back the last uploaded valid version

* fixed test
2018-11-26 16:28:22 +07:00
Fabien O'Carroll
95ba6a55ec
Checked options.include when filtering tags (#10163)
no-issue
2018-11-14 17:54:15 +07:00
Rishabh Garg
b2201d4179 Removed formats from private posts in content api (#10154)
closes #10118

All behind a members labs switch for now

* Added filter for member only content

* Updated frame context

* Cleaned up members content check

* Cleanup

* Cleanup

* Ensured members filtering works without include=tags

* Protected against missing query

* Fixed usage of include vs withRelated

* Moved includeTags logic for members behind members flag to use tags

* Cleanup

* Update input serializer dependency

Co-Authored-By: rishabhgrg <zrishabhgarg@gmail.com>

* Added some explanations
2018-11-14 14:32:14 +07:00
Fabien O'Carroll
7323258415 🚧 Added req.member to the v2 api context object
closes #10112
2018-11-08 13:32:41 +07:00
Katharina Irrgang
ff6bf5f318 Renamed /users to /authors for Content API V2 (#10096)
refs #10061

- Made /authors endpoint available in Content API V2
2018-11-07 15:29:37 +01:00
Rishabh Garg
3b8621e19c Added slack controller to v2 API (#10086)
refs #10060

- Added slack controller to v2 admin API
- Added new API test for slack API controller
2018-11-06 23:20:43 +01:00
Naz Gargol
ec03b3cfc5
Content API v2 date formatting (#10095)
closes #10065 

- Added UTC offset to dates returned by Content API
- Added test checking new format is compatible with Admin API
- Refactored output serializer mapping logic
2018-11-06 16:12:12 +01:00
Rishabh Garg
7b38986316 Removed mobiledoc format from Content API V2 response (#10098)
closes #10097

- removed formats `mobiledoc` option directly in post input serializer for v2 Content API
2018-11-06 14:39:16 +01:00
Rishabh Garg
3345618731
Added helper to check for content API (#10104)
no issue

* Added helper to check if API called is content API
2018-11-06 17:36:22 +05:30
kirrg001
22911b5812 Fixed frame context being empty
no issue
2018-11-06 14:44:06 +05:30
Katharina Irrgang
1b9c61eed1
Returned relative paths in html for Content API V2 by default (#10091)
refs #10083

- you can send `?absolute_urls=true` and Ghost will also transform the paths in the content (this is optional/conditional)
2018-11-05 18:07:45 +01:00
Rishabh Garg
94b3735c6e Added oembed controller to v2 api (#10057)
refs #9866

- Added oembed controller to v2 API
2018-11-02 09:32:26 +01:00
kirrg001
8d12c8908f 🐛 Fixed missing filename when exporting subscribers csv
closes #10075

- the filename was missing
2018-10-27 18:39:39 +02:00
kirrg001
5f7401051c 🐛 Fixed pagination for subscribers
closes #10074

- the `page` option was missing
2018-10-27 18:27:35 +02:00
root@andrea:~#
3f91a9e8a2 Corrected 'Content-Length' header by using Buffer.byteLength (#10055)
Closes #10041
1. Why is this change neccesary?
String.prototype.length returns the number of code units in the string (number
of characters) while Buffer.byteLength returns the actual byte length of a
string.

2. How does it address the issue?
Places that use String.prototype.length to calculate Content-Length
were switched to Buffer.byteLength instead.
2018-10-25 09:18:36 +07:00
Fabien O'Carroll
7fafa1e152 Fixed mail api usage of the notifcations api
closes #10047

Requiring in the api module correctly wraps the notification api and
exposes it as a function.
2018-10-24 13:18:51 +05:30
Kevin Ansfield
71f0c08a34
Added edit webhook route to v2 Admin API (#10033)
no issue
- webhooks UI requires the ability to edit webhooks
- added `edit` permission for `webhook`
- added `edit` method to v2 webhook controller
- added `PUT /webhooks/:id` route to v2 Admin API routes
2018-10-19 18:35:55 +01:00
kirrg001
99a2f3ba3a Fixed read pages with user access
refs #9866

- we still serve pages via /posts with user access
- we only differentiate this behaviour for the content api
2018-10-19 10:54:05 +02:00
kirrg001
759c25d03e Fixed read posts/pages for v2
refs #9866

- read does not support `filter`
2018-10-19 10:40:47 +02:00
Rishabh Garg
8ad951d7f3
Added new site.changed event and webhook trigger service (#10019)
refs #9942

* Added new middleware to trigger events

* Refactored webhooks service
- added new trigger service, moved listen service to its own file
- started listening to new site.changed event
- cleaned up trigger service to work with new webhook fields
- cleaned up tests
- removed redundant trigger method in v0.1 controller
2018-10-19 00:01:30 +05:30
kirrg001
e302be2749 Changed preview controller to support v0.1 and v2
refs #9866

- invent preview api, but only used internally
  - the idea of a preview api is definitiely reaslistic and came up in the past a couple of times
- by that we don't have to differentiate between pages or posts controller
- still support v0.1
- preview controller is not registered for http, only internal handling
2018-10-18 19:41:07 +02:00
kirrg001
cbf2817e39 Added missing read pages endpoint
refs #9866

- the endpoints were missing
- the site app needs pages.read for v2
2018-10-18 19:41:07 +02:00
Fabien O'Carroll
17feb14e4a Added HTTP BREAD for integrations resource (#9985)
refs #9865

* Added generic messaging for resource not found
* Ensured integration model uses transaction for writes
* Created POST /integrations endpoint
* Created GET /integrations/:id endpoint
* Created GET /integrations endpoint
* Created PUT /integrations/:id endpoint
* Created DELETE /integrations/:id endpoint
2018-10-18 14:03:56 +01:00
Rishabh Garg
915d5612a1 🐛 Fixed relative image URLs becoming absolute URLs on save (#10025)
closes #10024

- Updated input serializers for posts/tags/users to handle absolute urls conversion

-------
1. Ghost stores relative images urls
2. API V2 returns images with absolute urls
3. Ghost-Admin sends absolute urls back on any save e.g. update user

**Current behavior**: This will override the relative image path in db to absolute, which in turn won't get updated in future if domain or protocol changes for e.g.
**Fix**: On save/update, input serializers converts any absolute image url paths back to relative if the base URL from image fields matches the configured URL
2018-10-18 12:18:47 +01:00
Fabien O'Carroll
e865d2218c 🐛 Fixed pagination/duplicate posts and users appearing in admin area (#10031)
closes #10029

- allowed page option for users, posts, & tags browse 
  - The page query param was not forwarding to the query, meaning that when the admin client requested the next page of users or posts, it would receive the first page again.
2018-10-18 10:05:51 +01:00
Fabien O'Carroll
ae71f2deca Added spam prevention for v2 sessions (#10030)
no-issue

- Added spam prevention to POST /session
  - This blocks repeated requests the the /session endpoint preventing brute
force password attacks
- Updated session controller to reset brute middleware
  - This updates the session controller to reset the brute force protection
on a successful login. This is required so that a user is not locked out
forever :o!!
2018-10-18 09:58:29 +01:00
Nazar Gargol
fd958addb6 Migrated update check to use api v2
refs #9866

- Switched update checker to api v2
- Updated and cleaned up the corresponding test suite
- Updated the frame pipeline to respect context passed in with Frame instance
- Exposed 'active' verison from api index module
2018-10-18 00:13:31 +02:00
Fabien O'Carroll
4f1866a263
Allowed for repeated query parameters for arrays (#10021)
no-issue

There are a few libraries, including node core that when given an array
for a query parameter will encode it as repeated query params. e.g.

```
{someParam: ['a', 'b']}
// becomes
'?someParam=a&someParam=b'
```

This adds a check for the value to stop us 500ing on repeated keys and
to add easier interop with http clients
2018-10-17 13:43:32 +07:00
kirrg001
14a1bdbcf6 Removed invite before adding in v2
refs #9866

- the logic in v2 was missing
- it exists in v0.1
2018-10-16 17:26:24 +02:00
kirrg001
a65702df1d Extended api/index.js to export all available api versions
refs #9866
2018-10-16 16:03:32 +02:00
Nazar Gargol
d582c06eee Optimized usage of urls in API v2
refs #9866

- Extracted url decoration logic to utility in output serializers in posts, pages, users, and tags
- Added test cases for url usage by child object (tags of posts)
2018-10-16 13:02:04 +02:00
Fabien O'Carroll
2fbc5aa257
Added apiImpl.data to apiOptions for serialisation (#10016)
no-issue

This is to give serializers access to the expected data properties so
that can be used for filtering.
2018-10-16 16:51:50 +07:00
Rishabh Garg
51dde1e38c
Refactored config to handle direct calls for specific version (#10012)
refs #9866

- Refactored overrides config to include direct version configs(v0.1, v2), supported versions map to direct version
- Refactored `getApiPath` to handle direct versions as well as mappings of supported version
2018-10-16 15:20:51 +05:30
Nazar Gargol
9fd9186557
🐛 Fixed 'url' attribute miscalculation when when requested as the only part of fields filter (#9969)
closes #9962

- Fixed the bug with url being set to /404 when id was not present on the model
- Added a functional test to cover this bug
- Refactored url decorating methods to be more clear about the nature of passed parameters
2018-10-15 14:47:56 +02:00
Fabien O'Carroll
3db102a776
Added API Key auth middleware to v2 content API (#10005)
* Added API Key auth middleware to v2 content API

refs #9865

- add `auth.authenticate.authenticateContentApiKey` middleware
  - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key
- add `requiresAuthorizedUserOrApiKey` authorization middleware
  - passes if either `req.user` or `req.api_key` exists
- update `authenticatePublic` middleware stack for v2 content routes

* Fixed functional content api tests

no-issue

This fixes the functional content api tests so they use the content api
auth.

* Fixed context check and removed skip

* Updated cors middleware for content api

* Removed client_id from frame.context

no-issue

The v2 api doesn't have a notion of clients as we do not use oauth for it

* Fixed tests for posts input serializer
2018-10-15 16:23:34 +07:00
Nazar Gargol
76f4a4bb03
Enforced non-page posts only to be returned by /posts endpoint from Content API (#10002)
refs #9866

- Added logic ensuring page filter is always set to false in posts endpoint for Content API
- Added functional tests to pages and posts
- Added absolute_url logic in pages controller
2018-10-13 00:48:49 +02:00
Katharina Irrgang
4aaff31890
Added users ctrl to v2 (#10001)
refs #9866
2018-10-12 23:27:30 +02:00
Katharina Irrgang
1ee4d53bfe
Added tags ctrl to v2 (#10000)
refs #9866
2018-10-12 23:10:43 +02:00
Nazar Gargol
310526b6c5 Added upload controller to v1 (#9997)
refs #9866
2018-10-12 22:41:39 +02:00
Nazar Gargol
cfea6375ab Added subscribers controller to v2
refs #9866
2018-10-12 22:27:37 +02:00
kirrg001
0338ba56c0 Added removal of null values in v2
refs #9866

- also moved id mismatch to global validator
- this is not specific to posts
2018-10-12 21:46:16 +02:00
kirrg001
adc5b18fb7 Added invites ctrl to v2
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
1472035137 Added mail ctrl to v2
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
9f2d68a027 Added notifications ctrl to v2
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
b899a6fec8 Added settings ctrl to v2
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
8b54cfea81 Supported status code as function
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
850e3139ee Added api permissions before hook support
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
4dcf256371 Added ability to define permission identifier
refs #9866

- by default it used `options.id`, which tells the permission layer the target id
- but some controllers want to use a different identifier
- e.g. settings -> settings.key
- e.g. password changes -> password[0].user_id
2018-10-12 20:02:08 +02:00
kirrg001
a153400164 Added posts controller to v2
refs #9866
2018-10-12 19:21:43 +02:00
kirrg001
27714075b5 Added handling for empty query options
refs #9866

- it's fine if you pass e.g. `?formats=`
- same behaviour as v0.1
2018-10-12 19:21:43 +02:00
kirrg001
5d3b026cd9 Fixed missing return statement in shared validators
refs #9866

- if the fn returns a Promise, it won't be returned
2018-10-12 18:34:57 +02:00
kirrg001
551f14d9ec Moved toJSON call to api v0.1 controller for ownership transfer
refs #9866
2018-10-12 18:12:16 +02:00
Rish
0a834d4223 Added webhooks controller to API v2
refs #9866

- Added new webhooks controller to v2 API
- Added webhooks tests to v2 API
2018-10-12 18:42:23 +05:30
Rishabh Garg
5683204371
Added v2 controller for slugs (#9978)
- Added slugs controller to v2 API
- Added slugs tests to v2 API
- Updated generic validation error message in shared validator to return validation error with sub-message
2018-10-12 17:55:20 +05:30
Fabien O'Carroll
caccda1aab
Implemented global validation on defined fields (#9992)
no-issue

This is to allow global validation to run on fields that have some user
validation defined.
2018-10-12 15:16:12 +07:00
kirrg001
7a73dfd9bc Extended all shared validator
refs #9866

- there was a missing step in the shared validator
- we have to differentiate between data validation for browse/read and data validation for add/edit
- furthermore, the data validation for add/edit was missing and was not copied over from v0.1 (check structure of incoming body)
- adds the ability to require properties from req.body.docName[0]
2018-10-12 09:40:34 +02:00
Nazar Gargol
86e9c35c3c Allowed passing an array directly instead of requiring object with values key for validation options
noissue
2018-10-10 16:48:22 +02:00
Nazar Gargol
eb0bc3068c Migrated roles controller to API v2
refs #9866

- Added new controller to v2 API
- Added roles tests to v2 API
2018-10-10 16:48:22 +02:00
Fabien O'Carroll
1b9aa2546f
Updated frame.context to use req.api_key_id (#9965)
* Added api_key_id to frame.context

refs #9865

This is to allow controllers to check permissions using api_key_id data.

* Removed client and client_id from frame.context

refs #9865

This is unused as we only support oauth on v0.1 API.
2018-10-09 18:28:38 +07:00
kirrg001
3e397275d1 Added protection against an empty notification response
no issue

- discovered in https://github.com/TryGhost/Ghost/pull/9940
- pulled the change out and push straight to master
2018-10-06 21:01:42 +02:00
kirrg001
2e3876b477 Moved user controller permission handling to user permissible fn
refs #9866

- prep for v2
- you can better unit test the permissible function
- this avoids copying over the permission handling to v2 controller
- it was possible to move this logic into the model layer, because we now support `unsafeAttrs`
2018-10-06 02:25:46 +02:00
kirrg001
301b18b0ed Moved custom invite permission to permissible fn
no issue

- now that we have a concept of `unsafeAttrs`, we can move the custom permissions to the invite model

Why doing now?

A) We won't copy this controller code to v2.
B) Makes it easier to unit test this behaviour
2018-10-05 15:38:14 +02:00
Katharina Irrgang
959912eca3
Added tiny framework to support multiple API versions (#9933)
refs #9326, refs #9866

**ATTENTION: This is the first iteration. Bugs are expected.**

Main Goals: 

- add support for multiple API versions.
- do not touch v0.1 implementation
- do not break v0.1

## Problems with the existing v0.1 implementation

1. It tried to be generic and helpful, but it was a mixture of generic and explicit logic living in basically two files: utils.js and index.js.

2. Supporting multiple api versions means, you want to have as less as possible code per API version. With v0.1 it is impossible to reduce the API controller implementation. 

----

This commit adds three things:

1. The tiny framework with well-defined API stages.
2. An example implementation of serving static pages via /pages for the content v2 API.
3. Unit tests to prove that the API framework works in general.

## API Stages

- validation
- input serialization
- permissions
- query
- output serialization

Each request should go through these stages. It is possible to disable stages, but it's not recommended.

The code for each stage will either live in a shared folder or in the API version itself. It depends how API specific the validation or serialization is. Depends on the use case.

We should add a specific API validator or serializer if the use case is API format specific.
We should put everything else to shared.

The goal is to add as much as possible into the shared API layer to reduce the logic per API version.

---

Serializers and validators can be added:

- for each request
- for specific controllers
- for specific actions

---

There is room for improvements/extensions:

1. Remove http header configuration from the API controller, because the API controller should not know about http - decouple.

2. Put permissions helpers into shared. I've just extracted and capsulated the permissions helpers into a single file for now. It had no priority. The focus was on the framework itself.

etc.

---

You can find more information about it in the API README.md (api/README.md)

- e.g. find more information about the structure
- e.g. example controllers

The docs are not perfect. We will improve the docs in the next two weeks.

---

Upcoming tasks:

- prepare test env to test multiple API versions
- copy over the controllers from v0.1 to v2
- adapt the v2 express app to use the v2 controllers
2018-10-05 00:50:45 +02:00
Fabien O'Carroll
b185892b7b
Created session controller (#9911)
refs #9865

Note that this controller is the singular, that's because we plan to
make a session resource controller to be used with /sessions, wheras
this is on /session
2018-10-03 20:45:42 +07:00
Nazar Gargol
82b7aea641
Refactor URL generation from models (#9917)
Moved URL attributes logic from the model into API layer 

refs #9866

- Moved URL related attribute calculation for posts, users, and tags into API layer
- Added test coverage for url attributes in tags/authors/primary_tags/primary_authors
2018-10-03 15:44:30 +02:00
Katharina Irrgang
efc5219afa Added empty api v2 + shared folder and README.md (#9920)
refs #9866
2018-09-28 00:03:21 +05:30
Rishabh Garg
6163d1f128 Updated overrides config for api versions with v0.1 to deprecated (#9921)
refs #9866

- v0.1 == deprecated
- v2 == active
2018-09-27 19:34:12 +02:00
Katharina Irrgang
b43ab65d8a
Moved api controllers into api/v0.1 (#9918)
refs #9866

- preparation for v2
- moved api/ to api/v0.1
- do export v0.1 straight from the api folder, we don't want to touch this right now
- that means currently if you require the api folder, we return v0.1 by default
- there were some direct requires of api files in the test env
  - some of them use rewire
  - for now, we just correct the require path to require api/v0.1/
  - we touch the test env next week

**Docs about V2 design are coming soon!**
2018-09-27 16:06:57 +02:00
Nazar Gargol
4c5bff0f49 Removed toJSON serialization in findPage method (#9899)
refs #9866

- Removed `toJSON` call in `findPage`
- Added JSON serialization on API layer
- Reason: model and api layer were coupled - all other model actions just returned the raw data and no specific format
- Corrected test suites to serialize fetched models to JSON
- Removed `absolute_urls` attribute from validOptions findPage methods as it's no longer needed in the data layer
- Changed 'include' test as this option is now tolerated and returns data
2018-09-26 14:11:22 +02:00
Fabien O'Carroll
6c35de7d95 Updated api.http handling of controller returned fns (#9907)
refs #9865

This is to ensure that if a controller returns a function, it will
always get called regardless of method.

Also cleaned up top level const usage
2018-09-26 08:13:41 +02:00
Rishabh Garg
9624c88f3e Refactored url utility to generate multiple API version URLs (#9897)
refs #9866

- added api version config to overrides, which makes it possible to have a centralized api versioning configuration
- the next PR will use this config in the web folder
- make api url generation in url service flexible and dynamic
- remove hardcoded API_PATH
- updated all places which used `urlFor('api'..)` -> we now ask for explicit api version
2018-09-24 21:49:20 +02:00
kirrg001
bc4b637e30 Refactored direct usages of api controllers
refs #9866

- if we start with v2 controllers, the code base should not require specific api controllers
- because e.g. `require('../api/posts')` will no longer exist
- if you require the api folder, you will get the latest available version by default e.g. `require('../api').posts`
- this branch does not touch the test env (!)
2018-09-21 15:18:22 +02:00
Katharina Irrgang
727ff183f4 Normalised how we require models
refs #9866

- if I want to do a project search and looks for model usages e.g. `models.`, then I won't find these usages
- normalise how we require models -> consistency
2018-09-21 15:16:19 +02:00
Katharina Irrgang
213474835b Refactored how we require shared middlewares from web/ (#9893)
refs #9866

- use package notation
- get rid of x requires for middlewares
- improved readability
- do not refactor web/api/v0.1
2018-09-21 16:17:11 +05:30
Rishabh Garg
fcd275f6c0 Refactored web/middleware and web/utils to web/shared (#9892)
refs #9866

- Moved web/middleware to web/shared/middlewares
- Moved util file to web/shared/utils
2018-09-20 20:04:34 +02:00
Rishabh Garg
0549c9f7d4 ES6 migration: server/api/ (#9876)
refs #9589
2018-09-18 15:59:56 +02:00
Sumedh Nimkarde
efd1587ee9 Switched to eslint-plugin-ghost (#9835)
refs #9834

- @TODO: the test env eslint needs to use the plugin, not part of this PR
2018-09-17 20:49:30 +02:00
Mandeep Singh Gulati
03af23cddf ES6 migration: server/api (#9761)
refs #9589

- not all of the api files were updated
2018-09-10 14:30:48 +02:00
Fabien O'Carroll
c9b8ddde4b 🎨Added absolute_url flag to public api (#9833)
closes #9832

The API _should_ be returning absolute URLs for everything, 3rd party applications require absolute urls to read and display ghost data correctly. Currently they have to concat the blog url and the resource url, which is very uncomfortable.

Changing the public api like this would be considered a breaking change however so we've opted to put it behind a query parameter named `absolute_urls`.
2018-08-31 11:02:39 +01:00
Nazar Gargol
0faf89b5ab Added ability to resize and compress images on upload (#9837)
refs #4453

* On by default

* Added config to disable resizing

* Added basic image optimization processing

* Added dep: sharp (optional dep)

* Added resize middleware

* Take care of rotation based on EXIF information

* Removed all meta data from optimised image

* Added handling if sharp could not get installed

* Do not read ext twice - optimisation

* Do not call sharp if config is disabled

* Do not remove the original image which was uploaded (store 2 images)

* Support of `req.files` for internal logic

* Disabled cache to enable file removal on Windows
2018-08-30 17:30:36 +01:00
Fabien O'Carroll
8ccf27340b Oembed meta tag fallback for unknown providers (#9827)
closes #9786

- Make GET request when url has no provider match
  - The HEAD request was made in order to send less data over the wire when
checking for redirects for urls that do not have an oembed provider
match. We are now going to look for provider metatags withing the
response of the request - rather than making a HEAD followed by a GET if
no redirect is found, this condenses that to a single request.

- Try to get OEmbed data from tag if no provider
  - Here we parse the HTML response of the resource and look for a link tag
that will give us the oembed resource url which we can use to fetch the
embed html
2018-08-27 15:02:03 +01:00
kirrg001
bbde22a687 Fixed tests
no issue

- replace test themes
  - otherwise they are all invalid with the new GScan version
- fix general tests because of Ghost 2.0 logic
2018-08-16 12:13:24 +02:00
kirrg001
8bb7088ba0 🔥 Removed permalink setting
refs #9742

- removed usage of single permalink setting
  - with dynamic routing this configuration does no longer makes sense
  - because you can configure your permalinks in the routes.yaml
  - furthermore you can have multiple collections with multiple permalinks
- removed @blog.permalinks
- do not export permalink setting
- do not import permalink setting
- permalink setting UI will be removed soon
- get rid of {globals.permalink} completely
- remove yaml in-built migration
- do not expose settings.permalinks via the private API
- do not allow to edit this setting
- keep phyiscal value in case a blog needs to rollback from v2 to v1
- sorted out when the routers should be created
  - ensure routes.yaml file doesn't get validated before Ghost is fully ready to start
2018-08-16 12:13:24 +02:00
kirrg001
52a9eebabf Changed comments and deprecation notes
refs #9742
2018-08-16 12:13:24 +02:00
kirrg001
c40454f23c Added ability to upload/reload routes.yaml
refs #9744

- added two new endpoints to upload/download routes.yaml
- reload site express app on successful/valid upload
- reload url service on sucessfuly upload
- force clear cache of pages
- ensure we keep a backup of the routes.yaml file
- this feature was mostly tested manually
- @TODO: i have to write unit tests - will do later
- @TODO: do a memory test to ensure we haven't introduced any memory leaks with this feature
2018-08-16 12:13:24 +02:00
kirrg001
7b9c6af9d7 Updated docs links
refs #9742

- 2.0 will become the latest version on our readme pages
2018-08-16 12:13:24 +02:00
kirrg001
529bec8089 Renamed core/server/data/export to core/server/data/exporter
no issue

- i'vejust renamed the folder
- it makes more sense
  - data/importer
  - data/exporter
2018-08-16 12:13:24 +02:00
Kevin Ansfield
cfd9ff3993 🎨 Koenig - Added support for shortened URLs in embed card (#9781)
refs https://github.com/TryGhost/Ghost/issues/9724

- perform a HEAD request on a url if we don't find a matching provider, following any redirects until we hit success response before looking up providers for the resulting url
2018-08-12 15:57:19 +02:00
kirrg001
1ce504bb2d Fixed exporting extra tables for endpoint db/backup
refs #8719

- initial commit: 40c8eacd44
- we have forgotten that there is another endpoint which triggers an export (the backup endpoint)
- this endpoint needs to accept the new `include` query param as well (was missing)
2018-08-10 15:31:54 +02:00
kirrg001
75cc60c20a Added option to import clients and trusted domains
refs #9742, refs #8719

- make it possible to import more tables (optional)
  - available tables: clients, trusted domains
- by default we won't import these tables, you have to tell Ghost using `include` (same syntax on export)
- we won't announce this ability for now (stays hidden)
2018-08-03 14:12:06 +02:00
kirrg001
40c8eacd44 Added option to export extra tables
refs #9742, refs #8719

- you can now use `include` to export extra tables e.g. `include=clients`
- admin client won't make use of this option yet, maybe later and optional
- we won't announce this new ability for now (stays hidden)
2018-08-03 14:11:45 +02:00
Mandeep Singh Gulati
104a4a5c92 ES6 migration: server/api (#9756)
refs #9589
2018-07-30 12:28:05 +02:00
Mandeep Singh Gulati
75bcfba71b ES6 migration: server/api (#9733)
refs #9589
2018-07-23 14:38:40 +02:00
Antony Garand
742eed99bd Fixed typo in server/api/utils (#9714)
no issue

- removed the extra `*` from the jsdoc of the handlePermissions function
2018-07-10 12:20:43 +02:00
Kevin Ansfield
865acecaef
🐛 Koenig - Support schema-less URLs in embed card (#9725)
refs https://github.com/TryGhost/Ghost/issues/9724
- adjust the "base url" regex in the oembed endpoint to strip schemaless scheme `//` as well as `https?://`
2018-07-09 10:32:39 +01:00
Kevin Ansfield
ca20f3a6b0 Added /oembed API endpoint
refs https://github.com/TryGhost/Ghost/issues/9623
- add `oembed-parser` module for checking provider availability for a url and fetching data from the provider
  - require it in the `overrides.js` file before the general Promise override so that the `promise-wrt` sub-dependency doesn't attempt to extend the Bluebird promise implementation
- add `/oembed` authenticated endpoint
  - takes `?url=` query parameter to match against known providers
  - adds safeguard against oembed-parser's providers list not recognising http+https and www+non-www
  - responds with `ValidationError` if no provider is found
  - responds with oembed response from matched provider's oembed endpoint if match is found
2018-06-12 16:18:01 +01:00
Katharina Irrgang
b392d1925a
Dynamic Routing Beta (#9596)
refs #9601

### Dynamic Routing

This is the beta version of dynamic routing. 

- we had a initial implementation of "channels" available in the codebase
- we have removed and moved this implementation 
- there is now a centralised place for dynamic routing - server/services/routing
- each routing component is represented by a router type e.g. collections, routes, static pages, taxonomies, rss, preview of posts
- keep as much as possible logic of routing helpers, middlewares and controllers
- ensure test coverage
- connect all the things together
  - yaml file + validation
  - routing + routers
  - url service
  - sitemaps
  - url access
- deeper implementation of yaml validations
  - e.g. hard require slashes
- ensure routing hierarchy/order
  - e.g. you enable the subscriber app
  - you have a custom static page, which lives under the same slug /subscribe
  - static pages are stronger than apps
  - e.g. the first collection owns the post it has filtered
  - a post cannot live in two collections
- ensure apps are still working and hook into the routers layer (or better said: and register in the routing service)
- put as much as possible comments to the code base for better understanding
- ensure a clean debug log
- ensure we can unmount routes
  - e.g. you have a collection permalink of /:slug/ represented by {globals.permalink}
  - and you change the permalink in the admin to dated permalink
  - the express route get's refreshed from /:slug/ to /:year/:month/:day/:slug/
  - unmount without server restart, yey
- ensure we are backwards compatible
  - e.g. render home.hbs for collection index if collection route is /
  - ensure you can access your configured permalink from the settings table with {globals.permalink}

### Render 503 if url service did not finish

- return 503 if the url service has not finished generating the resource urls

### Rewrite sitemaps

- we have rewritten the sitemaps "service", because the url generator does no longer happen on runtime
- we generate all urls on bootstrap
- the sitemaps service will consume created resource and router urls
- these urls will be shown on the xml pages
- we listen on url events
- we listen on router events
- we no longer have to fetch the resources, which is nice
  - the urlservice pre-fetches resources and emits their urls
- the urlservice is the only component who knows which urls are valid
- i made some ES6 adaptions
- we keep the caching logic -> only regenerate xml if there is a change
- updated tests
- checked test coverage (100%)

### Re-work usage of Url utility

- replace all usages of `urlService.utils.urlFor` by `urlService.getByResourceId`
  - only for resources e.g. post, author, tag
- this is important, because with dynamic routing we no longer create static urls based on the settings permalink on runtime
- adapt url utility
- adapt tests
2018-06-05 19:02:20 +02:00
kirrg001
af5717762d Fixed incorrect return value for publicAPI from the configuration endpoint
no issue

- discovered while coding
- the value was always false, because we've tried to read the value from the config object
- the value lives in the database and is accessible via the labs service
2018-05-31 15:14:59 +02:00
kirrg001
5f5f0021db 🔥 Drop Node v4 Support
no issue

- support ends today
- see https://github.com/nodejs/Release
- removed `use strict`
2018-05-01 14:06:18 +02:00
kirrg001
e43bdad818 Fixed broken i18n keys
refs #9519

- discovered by https://github.com/TryGhost/Ghost/issues/9519#issuecomment-374891164
2018-04-18 15:05:20 +02:00
Aileen Nowak
23f59c341c Replaced routeKeywords in config with hard coded keywords (#9561)
no issue
- removed the `routeKeywords` property from the config and used hard coded keywords.
- removed `routeKeywords` from public configuration API endpoint, as it's no longer used in the Admin.
2018-04-17 10:36:05 +01:00
kirrg001
25cd7c7756 Simplify destroy post API endpoint implementation
no issue

- no need to fetch the post before
- the model implementation does that already
2018-04-06 15:49:25 +02:00
kirrg001
c8f2dd11ba Fixed post.unpublished when deleting all content
no issue

- if you delete all content, we expect two events
  - `post.deleted` and `post.unpublished`
- `post.unpublished` was never triggered, because the api implementation made use of `collection.invoke(`destroy`)`
- what happened?
  - you fetch all posts (columns:id)
  - you destroy the post (only id column is available)
  - the model events are triggered
  - but you have no access to a default set of data
  - the result is that the event handler can't even tell if this is a post or a page
- added a proper test to ensure which events are triggered
2018-04-06 15:49:25 +02:00
kirrg001
bda76acba6 Extended the API object validation
refs #9548

- do not forward `tag.parent` to the model layer
  - the model layer should only know `tag.parent_id`
  - and the API should only expose `tag.parent` (this is an API feature)
  - currently Ghost has a mixture of using `toJSON` and the API validation layer for this
  - we just continue with this for now (no time to fix this)
- disallow sending nested-nested relations
  - unsupported
  - see comment for more information
  - this can cause problems with calling `hasChanged` on relations
- add unit tests
2018-04-05 18:51:58 +02:00
Katharina Irrgang
40d0a745df Multiple authors (#9426)
no issue

This PR adds the server side logic for multiple authors. This adds the ability to add multiple authors per post. We keep and support single authors (maybe till the next major - this is still in discussion)

### key notes

- `authors` are not fetched by default, only if we need them
- the migration script iterates over all posts and figures out if an author_id is valid and exists (in master we can add invalid author_id's) and then adds the relation (falls back to owner if invalid)
- ~~i had to push a fork of bookshelf to npm because we currently can't bump bookshelf + the two bugs i discovered are anyway not yet merged (https://github.com/kirrg001/bookshelf/commits/master)~~ replaced by new bookshelf release
- the implementation of single & multiple authors lives in a single place (introduction of a new concept: model relation)
- if you destroy an author, we keep the behaviour for now -> remove all posts where the primary author id matches. furthermore, remove all relations in posts_authors (e.g. secondary author)
- we make re-use of the `excludeAttrs` concept which was invented in the contributors PR (to protect editing authors as author/contributor role) -> i've added a clear todo that we need a logic to make a diff of the target relation -> both for tags and authors
- `authors` helper available (same as `tags` helper)
- `primary_author` computed field available
- `primary_author` functionality available (same as `primary_tag` e.g. permalinks, prev/next helper etc)
2018-03-27 15:16:15 +01:00
kirrg001
e01b61dcf4 Proper error handling for permissible implementations
no issue

- currently if you would like to edit a resource (e.g. post) and you pass an invalid model id, the following happens
  - permission check calls `Post.permissible`
  - the Post could not find the post, but ignored it and returned `userPermissions:true`
  - then the model layer is queried again and figured out that the post does not exist
- A: there is no need to query the model twice
- B: we needed proper error handling for post and role model
2018-02-21 16:59:48 +01:00
Katharina Irrgang
c6a95c6478
Sorted out the mixed usages of include and withRelated (#9425)
no issue

- this commit cleans up the usages of `include` and `withRelated`.

### API layer (`include`)
- as request parameter e.g. `?include=roles,tags`
- as theme API parameter e.g. `{{get .... include="author"}}`
- as internal API access e.g. `api.posts.browse({include: 'author,tags'})`
- the `include` notation is more readable than `withRelated`
- and it allows us to use a different easier format (comma separated list)
- the API utility transforms these more readable properties into model style (or into Ghost style)

### Model access (`withRelated`)
- e.g. `models.Post.findPage({withRelated: ['tags']})`
- driven by bookshelf

---

Commits explained.

* Reorder the usage of `convertOptions`

- 1. validation
- 2. options convertion
- 3. permissions
- the reason is simple, the permission layer access the model layer
  - we have to prepare the options before talking to the model layer
- added `convertOptions` where it was missed (not required, but for consistency reasons)

* Use `withRelated` when accessing the model layer and use `include` when accessing the API layer

* Change `convertOptions` API utiliy

- API Usage
  - ghost.api(..., {include: 'tags,authors'})
  - `include` should only be used when calling the API (either via request or via manual usage)
  - `include` is only for readability and easier format
- Ghost (Model Layer Usage)
  - models.Post.findOne(..., {withRelated: ['tags', 'authors']})
  - should only use `withRelated`
  - model layer cannot read 'tags,authors`
  - model layer has no idea what `include` means, speaks a different language
  - `withRelated` is bookshelf
  - internal usage

* include-count plugin: use `withRelated` instead of `include`

- imagine you outsource this plugin to git and publish it to npm
- `include` is an unknown option in bookshelf

* Updated `permittedOptions` in base model

- `include` is no longer a known option

* Remove all occurances of `include` in the model layer

* Extend `filterOptions` base function

- this function should be called as first action
- we clone the unfiltered options
- check if you are using `include` (this is a protection which could help us in the beginning)
- check for permitted and (later on default `withRelated`) options
- the usage is coming in next commit

* Ensure we call `filterOptions` as first action

- use `ghostBookshelf.Model.filterOptions` as first action
- consistent naming pattern for incoming options: `unfilteredOptions`
- re-added allowed options for `toJSON`
- one unsolved architecture problem:
  - if you override a function e.g. `edit`
  - then you should call `filterOptions` as first action
  - the base implementation of e.g. `edit` will call it again
  - future improvement

* Removed `findOne` from Invite model

- no longer needed, the base implementation is the same
2018-02-15 10:53:53 +01:00
Austin Burdine
777247cbc7 Contributor Role (#9315)
closes #9314 

* added fixtures for contributor role
* update post api tests to prevent contributor publishing post
* update permissible function in role/user model
* fix additional author code in invites
* update contributor role migration for knex-migrator v3
* fix paths in contrib migration
* ensure contributors can't edit or delete published posts, fix routing tests [ci skip]
* update db fixtures hash
* strip tags from post if contributor
* cleanup post permissible function
* excludedAttrs to ignore tag updates for now (might be removed later)
* ensure contributors can't edit another's post
* migration script for 1.21
2018-02-07 10:46:22 +01:00
Katharina Irrgang
a274d61a8c Removed html usage in error messages (#9444)
no issue

- all of the error message keys were unused
- the only html anchor i found was for mail, but this doesn't change anything, because the admin does only show the message and not the context at the moment
2018-02-07 09:35:48 +01:00
Kevin Ansfield
69d5fac61e
Resurrect the old alpha Koenig editor (#9277)
requires https://github.com/TryGhost/Ghost-Admin/pull/916
- add "enableDeveloperExperiments" config flag
- allow any HTML payload through in the HTML mobiledoc card
  - same approach as taken in the markdown card, running the markup through SimpleDOM isn't necessary and is prone to breaking because of it's limited parsing and error handling abilities

To use Koenig modify your `config.development.json` file and add the following flag to the top-level object:

```
"enableDeveloperExperiments": true
```

If you restart the dev server you will then see a new section on the Labs screen with a Koenig Editor checkbox to enable/disable the editor.

⚠️ The editor is in a _very_ broken state, it's there for developer testing and on-going development. _Do not_ try to use this on any production data!
2018-01-18 15:43:22 +00:00
kirrg001
357ea3dffd 🐛 Fixed showing old release notifications in the about page
no issue

- reported in slack (https://ghost.slack.com/files/U8QV8DXQB/F8TSBQ532/image.png)
- do not expose old release notification
  - e.g. you are on 1.20.0
  - you receive a notification for 1.20.1 to update
  - you update to 1.20.1
- ensure we protect exposing the release notification (compare against blog version)
- protect against wrong formats
- @TODO: the notifications could store a `version` property
  - by that we could use `notification.version` and don't have to match the version in the message
2018-01-18 12:19:55 +01:00
Katharina Irrgang
e480c7c50d 🐛 Reload translations if active theme get's overridden (#9392)
no issue

- discovered while testing
  - activate theme
  - download theme
  - modify theme
  - upload theme
  - override? yes
  - translation files are not reloaded, because the database is up-to-date
- remove un-used events in theme api layer
- trigger event from theme service
2018-01-12 09:19:28 +00:00
David Wolfe
b69b9780a9 Backup endpoint improvements (#9365)
closes #9297

- backup endpoint returns JSON
- allows setting of export filename
- DRY up code
- the endpoint is not documented, no breaking change
2018-01-11 16:03:21 +01:00
Katharina Irrgang
5b77f052d9
Update Notification improvements (#9123)
closes #5071

- Remove hardcoded notification in admin controller
  - NOTE: update check notifications are no longer blocking the admin rendering
  - this is one of the most import changes
  - we remove the hardcoded release message
  - we also remove adding a notification manually in here, because this will work differently from now on
    -> you receive a notification (release or custom) in the update check module and this module adds the notification as is to our database

- Change default core settings keys
  - remove displayUpdateNotification
    -> this was used to store the release version number send from the UCS
    -> based on this value, Ghost creates a notification container with self defined values
    -> not needed anymore

- rename seenNotifications to notifications
  -> the new notifications key will hold both
     1. the notification from the USC
     2. the information about if a notification was seen or not
  - this key hold only one release notification
  - and n custom notifications

- Update Check Module: Request to the USC depends on the privacy configuration
  - useUpdateCheck: true -> does a checkin in the USC (exposes data)
  - useUpdateCheck: false -> does only a GET query to the USC (does not expose any data)
  - make the request handling dynamic, so it depends on the flag
  - add an extra logic to be able to define a custom USC endpoint (helpful for testing)
  - add an extra logic to be able to force the request to the service (helpful for testing)

- Update check module: re-work condition when a check should happen
  - only if the env is not correct
  - remove deprecated config.updateCheck
  - remove isPrivacyDisabled check (handled differently now, explained in last commit)

- Update check module: remove `showUpdateNotification` and readability
  - showUpdateNotification was used in the admin controller to fetch the latest release version number from the db
  - no need to check against semver in general, the USC takes care of that (no need to double check)
  - improve readability of `nextUpdateCheck` condition

- Update check module: refactor `updateCheckResponse`
  - remove db call to displayUpdateNotification, not used anymore
  - support receiving multiple custom notifications
  - support custom notification groups
  - the default group is `all` - this will always be consumed
  - groups can be extended via config e.g. `notificationGroups: ['migration']`

- Update check module: refactor createCustomNotification helper
  - get rid of taking over notification duplication handling (this is not the task of the update check module)
  - ensure we have good fallback values for non present attributes in a notification
  - get rid of semver check (happens in the USC) - could be reconsidered later if LTS is gone

- Refactor notification API
  - reason: get rid of in process notification store
    -> this was an object hold in process
    -> everything get's lost after restart
    -> not helpful anymore, because imagine the following case
      -> you get a notification
      -> you store it in process
      -> you mark this notification as seen
      -> you restart Ghost, you will receive the same notification on the next check again
      -> because we are no longer have a separate seen notifications object
  - use database settings key `notification` instead
  - refactor all api endpoints to support reading and storing into the `notifications` object
  - most important: notification deletion happens via a `seen` property (the notification get's physically deleted 3 month automatically)
    -> we have to remember a seen property, because otherwise you don't know which notification was already received/seen

- Add listener to remove seen notifications automatically after 3 month
  - i just decided for 3 month (we can decrease?)
  - at the end it doesn't really matter, as long as the windows is not tooooo short
  - listen on updates for the notifications settings
  - check if notification was seen and is older than 3 month
  - ignore release notification

- Updated our privacy document
- Updated docs.ghost.org for privacy config behaviour
- contains a migration script to remove old settings keys
2018-01-09 15:20:00 +01:00
Katharina Irrgang
dcb2aa9ad4
Improved forwarding model options in the API layer (#9380)
no issue

- our API layer uses a unit to combine incoming data and options
- e.g. `options.data` is the end result
- we have to take care that we don't pass data into the model layer

Credits: Olivier Arteau
2018-01-09 13:26:09 +01:00
kirrg001
b474fb0d16 Moved ghost-version to lib
refs #9178
2017-12-14 22:14:55 +01:00
kirrg001
1a9a10c82b Moved zip folder, read csv and package-json to lib/fs
refs #9178, refs 849e97640f

- i've reconsidered, these modules belong to lib
- prettify package-json module
2017-12-14 22:07:53 +01:00
kirrg001
82597080be Burn dirty require of api utils
refs #9178

- `checkFileExists` and `checkFileIsValid` where dirty required from web/middleware
- these two functions are only used in the target middleware
- let's move them
2017-12-14 21:25:51 +01:00
kirrg001
a3091a3012 Moved utils constants to lib/constants
refs #9178
2017-12-14 14:13:40 +01:00
kirrg001
bb06a8426d Moved tokens, url safe and safe string utility to lib/security
refs #9178

- we could now also move any crypto usages to lib/security, but no priority
- the main goal is to tidy up our utils folder
2017-12-14 13:38:00 +01:00
kirrg001
4fe7c9d7fc Moved validateRedirects helper to data/validation
refs #9178
2017-12-14 11:55:10 +01:00
Katharina Irrgang
2956c2c247 Use request lib in webhooks api (#9336)
refs #9178

- add retries and timeout
2017-12-14 10:00:34 +00:00
Katharina Irrgang
192ebb1739
Moved labs, auth, permissions, settings, mail, themes to services (#9339)
refs #9178

- move tests as well
2017-12-14 03:01:23 +01:00
kirrg001
f83cbf6117 Moved pipeline/sequence to lib/promise
refs #9178

- continue with killing our global utils folder
- i haven't found any better naming for lib/promise
- so, require single files for now
- instead of doing `promiseLib = require('../lib/promise')`
- we can optimise the requires later
2017-12-13 22:20:02 +01:00
kirrg001
0d65e7f24f Renamed apiUtils to localUtils - consistency change
refs #9178

- we should always use the same naming patterns
2017-12-13 22:14:19 +01:00
kirrg001
485c264c69 Use Promise support which was added in fs-extra 3.x
no issue

- now that we use bluebird globally, we can use the promise support from fs-extra
2017-12-13 20:57:11 +01:00
kirrg001
d83f474ff8 Always require fs-extra - consistency change
no issue
2017-12-13 20:57:11 +01:00
kirrg001
6f6c8f4521 Import lib/common only
refs #9178

- avoid importing 4 modules (logging, errors, events and i18n)
- simply require common in each file
2017-12-12 10:28:13 +01:00
kirrg001
ac2578b419 Moved errors,logging,i18n and events to lib/common
refs #9178
2017-12-12 10:28:13 +01:00
kirrg001
4265afe580 Moved utils/url.js to UrlService
refs #9178

- we have to take care that we don't end up in circular dependencies
  - e.g. API requires UrlService and UrlService needs to require the API (for requesting data)
- update the references
- we would like to get rid of the utils folder, this is/was the most complicated change
2017-12-11 20:05:33 +01:00
Katharina Irrgang
7bcccc71dc
Moved apps into web folder (#9308)
refs #9178

- move express apps to one place (called `web`)
- requires https://github.com/TryGhost/Ghost-Admin/pull/923
- any further improvements are not part of this PR
- this PR just moves the files and ensures the paths are up-to-date
2017-12-06 17:37:54 +01:00
Kevin Ansfield
bffb3dbd90
Webhooks support for subscriber events (#9230)
no issue

Support for http://resthooks.org style webhooks that can be used with Zapier triggers. This can currently be used in two ways:

a) adding a webhook record to the DB manually
b) using the API with password auth and POSTing to /webhooks/ (this is private API so not documented)

⚠️ only _https_ URLs are supported in the webhook `target_url` field 🚨

- add `webhooks` table to store event names and target urls
- add `POST` and `DELETE` endpoints for `/webhooks/`
- configure `subscribers.added` and `subscribers.deleted` events to trigger registered webhooks
2017-11-21 15:43:14 +00:00
Kevin Ansfield
bcc98e5536 Added GET/DELETE /subscribers/email/:email/ endpoints (#9238)
no issue

- useful for managing subscribers via external systems/API calls where it's likely only the e-mail address will be known
- adds `GET /subscribers/email/:email/`
- adds `DELETE /subscribers/email/:email/`
2017-11-14 12:09:41 +01:00
Hannah Wolfe
bcf5a1bc34
Switch to Eslint (#9197)
refs #9178

* Add eslint deps, remove old lint deps
* Add eslint config, remove old lint configs
* Config for server and tests are different
* Tweaked rules to suit us
* Fix linting in codebase - lots of indent changes.
* Fix a real broken test
2017-11-01 13:44:54 +00:00
Aileen Nowak
c8cbbc4eb6 Improved password validation rules (#9171)
refs #9150 

- Moves the password length fn from `models/user` to `data/validation` where the other validator functions live.
- Added password validation rules. Password rules added:
   - Disallow obviously bad passwords: '1234567890', 'qwertyuiop', 'asdfghjkl;' and 'asdfghjklm' for example
   - Disallow passwords that contain the words 'password' or 'ghost'
   - Disallow passwords that match the user's email address
   - Disallow passwords that match the blog domain or blog title
   - Disallow passwords that include 50% or more of the same characters: 'aaaaaaaaaa', '1111111111' and 'ababababab' for example.
- Password validation returns an `Object` now, that includes an `isValid` and `message` property to differentiate between the two error messages (password too short or password insecure).
- Use a catch predicate in `api/authentication` on `passwordReset`, so the correct `ValidationError` will be thrown during the password reset flow rather then an `UnauthorizedError`.
- When in setup flow, the blog title is not available yet from `settingsCache`. We therefore supply it from the received form data in the user model `setup` method to have it accessible for the validation.
2017-10-26 11:01:24 +01:00
Hannah Wolfe
1c382792ef Prev & next post filtering, with primary tag support (#9141)
closes #9140
* Rip out existing prev/next implementation
* New implementation using filter
* Support next/prev in primary_tag
2017-10-13 15:44:39 +01:00