Ref #1413
- If the user stops typing for 5 seconds, a "typingPause" action is sent from the GhCodemirrorComponent
- Editor-base-controller ties the "typingPause" action to its "autosave"
- If a post is being saved and does not have a title, the title is set to "(Untitled)"
- Cleanup editor base controller property dependencies and code
closes#4157
- adds cache-control header back to api routes
- moves cache rules object into testUtils
- adds cache-control header test to every existing API test
refs #3795
- updates all dev dependencies to their latest version number
- jshint now complains about the Promise global, removed it from predef in
lieu of a better solution
- changes in should require minor updates to the tests
- tests are passing and all major grunt commands appear to work: clean,
init, prod, validate and release
Closes#3955
- Change titleScratch from being bound to the title to being
set when entering the editor so it is not overwritten on a
model refresh.
- Ensure that the "unsaved content" dialog is shown when there are
changes to the "scratch" fields after a post-settings-menu change.
- Add tests to prevent regression.
Closes#3856
- No longer call clearData and initData in test setup because
migration.init is run during Ghost startup. The unhandled
error was a result of clearData removing all the tables while
Ghost was running--there was a timing issue with the oauth middleware
checking the refreshtokens table when it had just been deleted.
fixes#3857
- adds uncapitalise middleware which detects uppercase in req.path and
redirects to the lowercase equivalent
- change the ghost route to a regex, just so it's consistent with other
routes in the file
closes#3789
- Create a GhostServer class to manage state
- index.js now calls start on the exported server
- Alter tests to expect a GhostServer instance
See #3671
- As @JohnONolan’s suggestion, if the user enters an invalid value for
the ‘posts per page’ setting, the number autocorrects to 5, iOS
autocorrect-style
No Issue
- When an invalid, all whitespace slug is entered into the
slug input in the post settings menu, it's rejected but
the input's value still remains the same. This resets the
input back to its original value.
- Added test for the above behavior.
- Only show success notification if slug was actually changed.
- Convert whitespace from tabs to spaces in post-settings-menu.hbs
No Issue
- Defer save until after slug is checked.
- If new slug is empty or all whitespace, reset to previous value.
- If new slug is the same as existing slug except for an increment
value (e.g. ghost-user-2), use the original slug.
- If the slug has changed, change the URL path to reflect the
change so that the browser refresh and back button still work.
- Added tests.
Refs #3667, Refs #3776
- If saving a post fails, revert its status back to the
pre-save value.
- Added tests to check post status after failed save attempt
on both new and existing posts.
closes#3667
- If the ‘save’ function on a new post fails, the local Ember model
still beliefs that the status is ‘published’, resulting in wrong
buttons. A simple catch fixes that.
Amends #3736, references #3623
With `button.ghost-logo`, there's no `href`, so cannot be opened in a new window. This changes it back to an anchor and appends the blog URL to a href attribute. Win!
Bumps Ghost-UI version to 0.8.13 bring in related CSS changes.
Closes#3623
- Move hamburger logic to action with terrible name, "toggleSidebarOrGoHome"
- Move ".js-close-sidebar" events to a document.on(event, *selector*, f) to make sure they attach even when the js-close-sidebars aren't on page (ie, hidenav)
fixes#3724
- provide config.url to the ember client app via a data attribute
- create server and client side helpers to output the URL
- wire up the client side helper
- add a class for testing, and add tests for both the server and client side
fixes#3716
- change the importer to not override any user details
- only set published_by if it is not already set
- import users before anything else
- process the import and map user ids to existing users
- test fix - owner should have owner role
- test fix - catch invalid success in importer
closes#3631
- Removed the 'by + setupUser.name' from authentication.js
- Removed the 'by Test User' from feed_test.js
- Added a '.' to the end of each per issue comment example
closes#3544
- limit forgotten password requests to five requests per IP per hour
for different email addresses
- limit forgotten password requests to five requests per email address
- limit signin requests to ten failed requests per IP per hour
- removed special treatment for tests
closes#3468
- added rate limit to deny more than 5 attempt every hour
- updated spam prevention to be configurable
- added config values spamTimeout, ratePeriod, rateAttempts
- added ratePeriod:1 to config.example.js to prevent functional tests
from hitting the rate limit
- commented spam test, I’ll fix it tomorrow
Basic notifications are unnecessarily verbose and, in some instances, even cause line-wrapping to occur. This change shortens them to short, concsise statements to indicate what action has taken place.
Closes#3402, Closes#3428
-------------------
### Components
- Added GhostSelectComponent to handle async select creation (h/t @rwjblue)
- Added GhostRolesSelector (extends GhostSelect) for displaying user role options
- Created StoreInjector for surgically inserting the store into things that normally wouldn't have them.
### Users Settings
- InviteNewUserModal now uses GhostRolesSelector & defaults to Author
- The role dropdown for user settings has permissions set per 3402
### User Model
- Added `role` property as an interface to getting and setting `roles`
- Refactored anything that set `roles` to set `role`
- isAdmin, isAuthor, isOwner and isEditor are all keyed off of `role` now
### Tests
- Added functional tests for Settings.Users
- updated settings.users and settings.users.user screens
- fix spacing on screens
### Server Fixtures
- Fixed owner fixture's roles
No Issue
- Move authentication related handlers to the Application route.
- Switch Sign Out from a button to a link. Use the signout route
to handle invalidating the session and redirecting instead of
an action from a button.
- Clear error messages on signin page when pressing log in button.
- Errors are now always shown on sign in screen and a success
notification is shown after sign out.
- Update functional tests.
closes#3431
- change feed_test.js to call casperjs getHTML() instead of
getPageContent(), because the latter now strips markup
Alternative fix would be to use .page.frameContent directly
instead of using a casperjs wrapper.
Change runs cleanly on Travis (old casperjs tag) and locally
in the Ghost-Vagrant setup with both the old casperjs tag
and the current HEAD SHA (29bbd03f7cdc9fc1e70f0fe1400635dd7d3537ad)
no issue
- acquiring a new access token using a refresh token sets the
expiration time of the refresh token to now + 24 hrs.
- moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to
`core/server/utils`
no issue
- Refactor all integration tests to specify and load ONLY the fixtures
they require to run, rather than initialising the whole kit-and-kaboodle
for every single test which takes FOREVER.
- Refactor the route tests to share a doAuth function, and also specify
additional fixtures required
- Move import and export unit tests, which are actually integration tests
(they touch the DB)
- Comment out most of the permissions unit tests for now as they need more
stubs/mocks so as to not touch the DB
Still todo:
- prevent default DB initialisation in route tests, and specify all
fixtures requires as per the integration tests
- fix up the unit/permissions_spec
Closes#3161
- Add a config.js file for the client which is used to configure
Ember.Application during runtime. The correct version of config.js
is copied into place by grunt via the copy:(dev|prod) task from
either config-dev.js or config-prod.js.
- Serve minified and production versions of libraries where applicable
including handlebars-runtime and ember-prod.
- Bundle third party libraries into vendor.min.js.
- Bundle Ghost's Ember app and templates into ghost.min.js
- Remove all fixture data and code from the client.
closes#3222
- implementing server-side pagination for /users API
- passing /users?limit=none will return all users
- passing /users?status=invited will filter base on user status
- creating 3 mixins (route, controller and view) to keep pagination logic DRY
- updating route, controller and view for Posts to use new mixing
- implementing infinite scrolling for Users Management screen (using new mixins)
- Users Management screen displays all invited users, but paginates active users
closes#3128 (now really)
- added express variable disableLoginLimiter
- added disableLoginLimiter to all tests that use Ghost as module and
do authentication
- fixed isSetup not working for status other than active
- removed ‚Ensure a User is Registered‘ test as this is covered by the
new setup test
Closes#3145
- Prevent navigation to the setup screen if Ghost setup
has previously been completed.
- Fix templates that were incorrectly using foreach instead of each.
- Add validation for minimum password length.
- Fix up functional tests and split out tests for setup to a separate
instance of casper because setup requires a new database.
- Add a cleanDatabase task to grunt which resets the database to
new.
Closes#3105, Closes#3175
- Removed notification on successful post's `page` status change
- Removed notification on successful post `featured` status change
- Added `closePassive()` notifications on error in the post-settings-menu
- Persistent notifications will close whether their `DELETE` request was
successful or not.
#### Misc
- Added `name` attribute to `post-setting-menu.hbs` inputs to facilitate testing
- Removed `return <Promise>` from action in `PostSettingsMenuController`. Actions should only return `true`
- Toggling `post.featured` won't fire NProgress.
Closes#3254, closes#3138, closes#3245
### Settings Routing and View refactoring
- Refactored `SettingsView` to handle transitions between mobile and desktop layouts
- `SettingsRoute` will only transition to `settings.general` if the screen is large enough to show both the menu and the content
- Added `SettingsIndexView` to handle showing the settings menu on mobile screens
- Added `SettingsContentBaseView` to be inherited by any settings view that is not index.
- Updated Settings templates appropriately to work with new views
- Removed extraneous `active` class from `settings-content`
- Changed settings menu to use `gh-activating-list-item`
- Retooled settings tests
### Mobile Utils
- Renamed file to `mobile.js`, since it's inside of `utils/`
- Added `mobileQuery` MediaQueryList to help detect layout changes
- Removed unused `hasTouchScreen`, `device.js` should be used instead.
- Removed unused `smallScreen` function
- Moved FastClickInit to codemirror-mobile
Closes#3271
- Change validations on both server and client to allow the
Website field to be empty or a valid URL.
- Add new schema validation helper isEmptyOrURL.
- Remove duplicate call to UserValidator in the save action
of the SettingsUser controller.
- User.last_login and User.created_at are already Moment objects
so Moment#fromNow can be called on them directly.
closes#3074
- user generated by fixture is hijacked
- user is updated with name, email, password, slug and status
- creates new user if db is migrated but no user exists
- previously removed tests are back
closes#3073
- added fixture for owner role
- added fixture for initial user (new db)
- added conversion administrator -> owner (existing db)
- changed tests to take over owner user
- removed some functional tests until /setup works with owner user
- added role to user obj (only returned from the user endpoint)
- added `/users/?include=roles` and
`/users/?include=roles,roles.permissions` query parameters
- added and updated tests
Closes#3199
-If datatype is dateTime convert to javascript Date object when
retrieved from the database.
-Add tests to make sure models and internal API are using Date
objects for dateTime fields.
-Add tests to make sure the HTTP API is returning ISO 8601
date strings for dateTime fields.
Fixes#3078
- new "users" resource, with matching controller and template
- fetching real data from /ghost/api/v0.1/users/
- updated "user" route to accept a :slug as a URL parameter
- updated labels everywhere (from "user" to "users")
- updated "profile" link to header to point to proper "users/:slug" route
- updated core/client/.jshintrc to recognize moment as a valid global function
- adjusted DOM selector used in Casper to properly identify the new screen
- adding "slug" as a new property of the user data used during the Casper functional tests
Closes#3158, Closes#3143, Closes#3134
- Added `model.rollback()` when PSM fails to save.
- Added `showErrors` and `showSuccess` helper functions to PSM to abstract
closing and showing of notifications.
- Added `togglePage` action to indirect the setting of `page`.
- Removed `isStaticPage` property in favor of `togglePage` action
- moved `updateSlug` error catching to outer promise (slugGenerator promise)
- modifying the `page` and `published_at` properties will no longer cause a new post to save
- Close passive notifications on published date parse fail
- Removed promise creation in catch statements
- Changed tests to click on label, rather than the input for
.post-setting-static-page.
closes#3056
- Remove clientold
- Remove clientold tests
- Cleanup old admin helpers
- Remove old routes from admin and controllers from admin controller
- Comment out / remove old and broken tests
- Cleanup Gruntfile.js, bower.js, package.json etc
Still TODO:
- cleanup / add removed tests
- do we still need countable?
closes#2759closes#3027
- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based
Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125
**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
- PostsController orderBy function sorts posts with isNew to the top, otherwise their undefined dates fail to compare
- also catch when `updated_at` is undefined, happens when model is being written with results from the server
- catch objects of type Error in validation engine, helps catching client errors
- join server errors with BR tag in ajax util
- add `emberBuild` task to `grunt test-functional`
- add a test helper, `thenTransitionAndWaitForScreenLoad`, to test transitioning to major parts of the app
- add a test that transitions from Content to the Editor, and back to Content
closes#2998
- update PostSerializer to use DS.EmbeddedRecordsMixin
- create PostAdapter to include include=tags in query params for POST and PUT
- set include=tags for various GET post requests
- change PostModel to have { embedded: always } instead of { async: true }
- update Ember-Data to beta8 from beta7
- make call to get tags from model in editor.edit route synchronous since the tags now exist in the store
- change casper test to wait for call to posts api with `?include=tags`
ref #3060
- Some of our tests use the old signin/signout as part of the setup/teardown process. The old stuff is going away, so this PR switches everything over to use the new admin by default.
- There wil be a further PR to remove the old stuff completely soon.
fixes#3072
- Change router to handle /ember/setup/
- Adjust doSignup to also handle setup
- Adjust tests and add new where necessary
- Add setup controller, setup validation, setup route
- Adjust casper emberSetup to handle new setup
Closes#3036 Refs #3012
-Enable validation for settings/general
-Turn on functional tests for the validations
-Move notification closeAll calls so that notifications
are cleared on attempted saves instead of just on
successful saves
Closes#1558
- Adds a wrapping tag around the notification message
- Change tests to look for new wrapping tag
For the fix to work properly, it needs styles from the [0.8 branch](b98029911c) of Ghost-UI
Closes#2976, Closes#3017
- Move logic to signup controller
- Add ValidationEngine mixin to signup controller
- Add signup validator with code from clientold login view
- Add signin validator and integrate into signin controller
- Add validation to forgotten controller
- Switch to button action to support hitting enter in text field to submit
- Clear all notifications in notifications.closeAll
- Modify ValidationEngine.validate to not format errors based on option
- Update casper test for signin to wait for notification before trying
to do another signin
fixes#3031
- Adds an initializer for passing config to the frontend, it's not pretty but it works
- Forwards the apps route and hides the apps menu item if apps:true is not present in config.js
- improving the implementation of thenOpenAndWaitForPageLoad
- adding a class into the settings templates to more easily test which pane we are on
- adding more, and updating more of the settings tests
- added the editor tests
issue #2989
- Adds lodash for bind and isNumber - looking for a better solution for this
- Still needs the editor and flow tests porting
- Some of the tests are commented out awaiting further implementations
Closes#2866
-update slug API to handle users and apps in addition to
posts and tags
-update existing tests
-add new functional tests for slug endpoint on http api
Closes#2798
-fetch full model for active post in Backbone content preview view
-remove unnecessary type check in Models.Post.saving
-add functional tests for all post settings menu actions in editor screen
-add functional tests for all post actions in content preview
screen for posts with and without tags
closes#2610, refs #2697
- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
to perform reads, updates and deletes where possible - settings / themes
may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
closes#2647
- GET method returns { db: [exportedData] }
- POST, DELETE methods return { db: [] }
- 'delete all content' test updated
- Attach 'Content-Disposition' header on DB export for 'Save As' browser dialog
- Add DB API functional test for Export
Ref #2061
- Add canThis permission checks to settings api calls
- Add strict rules about accessing core settings without internal: true
- Omit core settings in browse() call unless internal: true
- Update unit tests to call api.settings with contexts
- Add a couple unit tests for new scenarios
- Update all api.settings calls in the app to call with internal context
- Re-arrange permissions.init in server startup so config.theme.update
can access settings without permissions error
refs #2606
- Use new API format when updating settings from the client side
- Add additional test to test new API format
- Adjust functional tests to work with the new format
closes#2637
- Add new get API route for all notifications
- Wrap API responses to comply with JSON-API
- Add new tests / adjust fixtures
- Adjust all occurences of passive notifications
closes#2643
- added error type
- added error property for validations
- wrapped errors in an array
- returns multiple errors for validation
- updated tests and admin
closes#2635
- add new logic to the api request handler to set a location header
when new objects are created
- added an api context to config.urlFor() to return the root url
- added functional tests for the affected routes
closes#2593
- added new format to user API methods
- changed all places where the user api was used
- updated tests and added more coverage
- little bit of cleanup in utils/api
Closes#2606
- Refactor settings api responses to { settings: [ ] } format
- Update all code using api.settings to handle new response format
- Update test stubs to return new format
- Update client site settings model to parse new format into one object of key/value pairs
- Refactor to include all setting values
- Remove unused settingsCollection method
- Update settingsCache to store all attributes
- Update settingsResult to send all attributes
- Remove unnecessary when() wraps
- Reject if editing a setting that doesn't exist
- Reject earlier if setting key is empty
- Update tests with new error messages
- Use setting.add instead of edit that was incorrectly adding
- Update importer to properly import activePlugins and installedPlugins
- Update expected setting result fields
- Fix a weird situation where hasOwnProperty didn't exist 🤷
closes#2628
- added /view/ route to the editor. if /view/ is appended to
the url of a post being edited a redirect to the frontend
will occur
- updated controller to check for /view/ and built the
correct url for the post
- added test for the new route
refs #2660
- removed timeout from routes tests (since Ghost is used as module it
is restarted before logging in)
- Casper.js does only one login and the existing waits are executed
after testing login limiters
- gain: 8 sec :-/
closes#1838
- adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect
- adding `urlSSL` option to specify SSL variant of `url`
- using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified
- dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data)
- using `urlSSL` in a "reset password" email, if specified
- adding unit tests to test `forceAdminSSL` and `urlSSL` options
- created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
closes#2609
- added include parameter to api.posts.*
- changed toJSON to omit objects that are not included
- added include parameter to admin
- added include parameter to frontend.js
- updated tests
- removed duplicate code from posts model
**Known Issue:** It is not possible to attach a tag using an ID.
Closes#1563
- Add new updatedAttributes() functionality to base models
- Update Post.edit(...) to pass along _updatedAttributes values
- Update Post.delete to set statusChanged to true
- Add checking for statusChanged to cacheInvalidationHeader()
- Update route tests that check for cache invalidation header
When setting the Content-Type header for the RSS feeds, the character
set is omitted. However, when running the feed through the
[Feed Validator](http://feedvalidator.org), it became apparent that
there was a problem as the encoding defaults to US-ASCII. See
[RFC 3023](http://www.ietf.org/rfc/rfc3023.txt) for further information
on the default XML charset over HTTP.
I have added a test and simple update to the 'Content-Type' header.
Closes#2605
- Change tags browse() response to { tags: [...] }
- Update client side collection to use nested tags document
- Update test references to use response.tags
Closes#2619
- If edit parameter is 'edit' redirect to editor.
- If edit parameter is anything other then undefined redirect to 404.
- Create edit post tests.
- Test redirect without trailing slash.
- Test redirect to editor.
- Test redirect to 404.
closes#2604
- moved ‚pagination‘ to ‚meta‘ property
- added response test for pagination property
- changed ‚next‘ and ‚prev‘ to be set to null and exist on every
response
- removed unnecessary call to API for RSS author
closes#2580
- added new format to post API methods
- added post object parsing and wrapping to admin
- removed unused ‚user‘ object from API response
- updated tests
issue #2273
- test draft/page/published label
- test green add new post button
- test status and author in preview header
- test edit post button
- test delete modal
close#2443
- Refactor API tests from `/core/test/functional/api` to
`/core/test/functional/routes/api`, using supertest instead of request
- Remove `core/test/functional/api` folder
closes#2442, issue #2182
- Server start refactored - messaging is just messaging, deferred resolves the httpserver so that the connection can be closed
- Updated travis config to set node env
- Updated example config to be less travis-specific
- Route tests updated to use this new functionality
- Grunt test-routes simplified
closes#2261
- reserved 'feed' in the list of reserved keywords for slugs
- added a 301 redirect from /feed/ to /rss/
- added a route test, and realised that standard express redirects don't get the right headers
- fixed the headers across all 301 redirects & added tests for the admin redirects
- removed the redirect from /ghost/login/ to /ghost/signin/ as this happens automatically if you're logged out, and isn't very useful if you're logged in as it just redirects again to /ghost/
issue #2312
- The typography extension is still interfering in HTML blocks, reference style links and other bits and pieces it probably shouldn't be :(
- We'll add it back when it's ready.
fixes#2385
- stolen the CM shim from js-bin
- if we're on a touchscreen device, don't use CM
- if we're on a touchscreen device, show a coming soon message for uploads
fixes PR#2395
- in editor_test.js line 272, I wait until the post settings menu appears, and THEN also wait until the delete post button appears, rather than just waiting for the first condition, this can result in a race condition which has been seen.
- in editor_test.js line 229, I click on the tag, then wait until it disappears, rather than asserting the tag doesn't exist immediately. This could potentially result in a race condition, but I have not seen it yet.
- in editr_test.js line 315, I click on the delete post button, and now wait for the modal container to appear before clicking the accept button. This could result in a race condition, but I have not seen it yet.
references #2273
- test tag creation and tag deletion
- tests image uploader appears after typing `![]()` in editor
- tests image URL matches url inside `![](url)`
- tests all input elements of post settings menu
closes#2260
- added routes for /tag/:slug/rss and /tag/:slug/rss/:page
- added support for tag in the rss controller
- added route tests for each extra case
- fixing a tiny typo in some test descriptions
references #2273
- added a test that clicks on both upload (image/cover) buttons and tests the same testing function on them since both modals are exactly the same
- the testing function checks for the '.js-drop-zone.image-uploader' selector, then clicks accept, and tests that a blank success notification appears
- shifted the test email test validation upwards so the ordering of tests matches the ordering of the UI elements
issue #2305
- changed validation for 'page' to expect '0' or '1', rather than 'true' or
'false'
- Added a 'can change a post to static page' test
- Added a 'can change a static page to a post' test
Closes#1379
- Convert to new api usage for both server-side and client-side
- Provide way require a negative response for boolean methods in
default-settings.json
- Add field validation functional tests
- Settings (General)
- Title length validation
- Description length validation
- postsPerPage, numeric, min, max
- Settings (User)
- Bio Length validation
- Location length validation
- Url validation
- Login
- Email validation
- Editor
- Title required validation
fixes#2272
- Remove libraries from shared/vendor
- Remove libraries from client/assets/vendor
- Add bower to package.json and postinstall
- Add bower.json with dependencies
- Add scripts from bower_components to concat/uglify
- Fix tests
- Serve jquery from /ghost/built/theme/
Closes#2083
* Added hbs template for apps listing
* Added settings to read the activeApps
* Added viewcontrol to activate / deactivate apps
* Added API handler to store activeApps (by `name` in the `package.json` file)
* On button click it turns the button into "Working" and changes class to `button` (grey one)
* On success, rerenders the pane, adds success notification about apps being saved
* On error, rerenders the pane, adds error notification with error message
Missing:
* tests: couldn't figure out how to add mock apps with mock package.json data
* actually registering, etc, re #2140
* icon from the sidebar
#closes #1655
- removed models as parameter for bookshelf-session
- changed to read permittedAttributes from schema.js
- changed updateTags to be executed at saved event
- added validate to execute after saving event
- added test for published_at = null (see #2015)
- fixed typo in general.hbs
fixes#2111
- modified Post model to support a tag query
param that will filter the desired post collection
to only include posts that contain the requested tag
- in the updated Post model it includes the Tag model
under a nested object called 'aspects'
- added tests for updated Post model, updating
test utils to add more posts_tags relations
- adds two new routes to frontend,
one for initial tag page,
another to page that tag page
- for tag pages the array of posts
is exposed to the view similarly
to the homepeage
- on the tag view page the information
for the tag is also accessible
for further theme usage
- the tag view page supports a hierarchy of
views, it'll first attempt to use a tag.hbs
file if it exists, otherwise fall back
to the default index.hbs file
- modified pageUrl and pagination helper
to have it be compatible with tag paging
- added unit tests for frontend controller
- added unit tests for handlebar helper modifications
- add functional tests for new tag routes
closes#2171
- added authentication middleware
- removed authentication from routes
- moved authentication before CSRF validation
- moved caching rules before authentication
- changed/added test