Commit Graph

1734 Commits

Author SHA1 Message Date
Daniel Lockyer
8a534c5b14
🐛 Fixed sending emails via SES or non-standard SMTP config
fixes https://linear.app/tryghost/issue/CORE-45/

- this commit fixes two email related issues:
    - SES transport: the auth mechanism was set up wrong and so none of
      the requests would go through. This now follows the docs on https://nodemailer.com/transports/ses/
    - SMTP transport: the latest versions of Nodemailer don't seem to
      allow overriding of options if a service is present. I've filed
      https://github.com/nodemailer/nodemailer/issues/1327 but in the
      mean time, I assign the options back to the transporter object
      to ensure they always get applied
- I've fixed this in our `@trghost/nodemailer` package and so this commit
  bumps that here
2021-09-20 15:53:44 +01:00
Renovate Bot
12f59e7ec0 Update dependency coffeescript to v2.6.0 2021-09-20 08:04:52 +01:00
Renovate Bot
9fb78b338c Lock file maintenance 2021-09-20 02:46:58 +00:00
Daniel Lockyer
93e4b2eafd 🔒 Fixed remote command injection when using sendmail email transport
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-wfrj-qqc2-83cm
refs https://github.com/advisories/GHSA-48ww-j4fc-435p

- a vulnerability in `nodemailer` means that the `sendmail` transport is
  vulnerable to command injection for flags passed to the `sendmail`
  binary
- updating to the latest version of Nodemailer required creating
  `@tryghost/nodemailer`, which is a wrapper around Nodemailer and
  several plugins that used to be in the core
- this commit switches to using that package, and fixes up some small
  code + test changes
2021-09-17 16:46:51 +01:00
Renovate Bot
3eb41d3e36 Update dependency @tryghost/root-utils to v0.3.4 2021-09-15 08:44:13 +01:00
Renovate Bot
fc66c6621f Update dependency @tryghost/logging to v0.1.7 2021-09-15 08:44:04 +01:00
Renovate Bot
b6c8a8efdf Update dependency @tryghost/validator to v0.1.5 2021-09-15 08:43:53 +01:00
Renovate Bot
3e7f9cd54c Update dependency @tryghost/request to v0.1.5 2021-09-14 18:30:37 +01:00
Renovate Bot
ac7f92b8d5 Update dependency @tryghost/debug to v0.1.5 2021-09-14 18:30:22 +01:00
Renovate Bot
50dfe20369 Update dependency @tryghost/bookshelf-plugins to v0.3.1 2021-09-14 17:51:14 +01:00
Renovate Bot
18945ef805 Update dependency @tryghost/version to v0.1.4 2021-09-14 17:50:46 +01:00
Renovate Bot
fb452d739a
Update dependency sanitize-html to v2.5.1 2021-09-14 14:56:18 +00:00
Renovate Bot
5251d1e559
Update dependency analytics-node to v5.1.0 2021-09-13 22:22:11 +00:00
Renovate Bot
66a705930c
Update metascraper to v5.24.6 2021-09-13 08:35:39 +00:00
Kevin Ansfield
a277ff5bf4 Bumped @tryghost/kg-* dependencies
no issue

- includes bump to minimum version of `markdown-it` for consistency between Ghost and Admin markdown rendering
2021-09-13 09:34:18 +01:00
Daniel Lockyer
0c7c34ff67 Updated bookshelf-relations dependency to 2.2.0 2021-09-10 16:59:11 +01:00
Daniel Lockyer
7b93efddd0 Updated bookshelf dependency to 1.2.0 2021-09-10 16:59:11 +01:00
Renovate Bot
74c43bcea5 Update dependency c8 to v7.9.0 2021-09-10 11:25:21 +01:00
Daniel Lockyer
10fa1283ca Updated ghost-storage-base to v0.0.6
no issue

- this package has been bumped to support Node 12 + 14
- AFAICT I added it to the Renovate list back when we had some timezone
  issues with moment, but we've since pinned the version of moment so we
  shouldn't experience that now
- therefore this commit also removes it from the Renovate ignore list
2021-09-09 10:15:26 +01:00
Renovate Bot
c05432889a
Update dependency sanitize-html to v2.5.0 2021-09-08 21:18:14 +00:00
Fabien O'Carroll
07e595b9aa Fixed webhook handler when Stripe is not connected
no-issue

The webhook handler did not correctly check for whether or not Stripe
was connected, and would attempt to handle webhooks anyway, resulting in
errors due to missing Stripe config. This fixes the handler to exit
early.
2021-09-08 12:41:20 +02:00
Renovate Bot
0bb14c115b Update dependency @tryghost/members-importer to v0.3.2 2021-09-08 10:34:07 +02:00
Fabien O'Carroll
fd574f527c Removed webhooks when disconnecting stripe
refs https://github.com/TryGhost/Team/issues/1006

The @tryghost/members-api module has been updated to remove webhooks
from Stripe when disconnecting. This will ensure that we do not leave
around old/invalid webhooks that will not be handled and generate
errors.
2021-09-07 18:58:25 +02:00
Fabien 'egg' O'Carroll
cd89c7e427
Used @tryghost/members-api Stripe disconnect logic (#13290)
refs https://github.com/TryGhost/Team/issues/1006

Moving the logic of disconnecting Stripe into the members-api module
decouples the Ghost API from the Members API internals. This method can
now be updated independently of Ghost, to implement the deletion of
webhooks from Stripe.
2021-09-07 18:25:53 +02:00
Fabien 'egg' O'Carroll
ae844db60b
Fixed handling of Complimentary Stripe subscriptions (#13289)
refs https://github.com/TryGhost/Team/issues/995

Since we reintroduced the comped status, we did not update the
subscription handling to correctly set members to a status of comped
when they were on a 'Complimentary' plan. This meant that 'comped' members
had a status of 'paid'. The changes to @tryghost/members-api ensure that
handling subscriptions going forward will not result in this error.

Since we handle the Complimentary plan correctly now, we do not need to
manually check for the existence of one, we can instead rely on the
status to set the `comped` flag.
2021-09-07 11:31:47 +01:00
renovate[bot]
677dc1a59b
Update dependency @tryghost/members-csv to v1.1.6 (#13273)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-06 16:16:10 +01:00
renovate[bot]
a8902bd1f8
Update dependency @tryghost/members-ssr to v1.0.12 (#13275)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-06 16:16:01 +01:00
renovate[bot]
b8b9707ddb
Update dependency @tryghost/magic-link to v1.0.11 (#13272)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-06 16:15:46 +01:00
Renovate Bot
f34a862526 Update dependency @tryghost/helpers to v1.1.52 2021-09-06 12:32:34 +01:00
Renovate Bot
b89967f9fb Update dependency @tryghost/logging to v0.1.6 2021-09-06 12:32:26 +01:00
Fabien O'Carroll
dd2def277c Fixed errors when creating complimentary subscriptions
no-issue

The ProductRepository changed to require the options parameter which is
not passed when created complimentary subscriptions. This updates the
code to no longer require the options parameter and instead provide a
default.
2021-09-06 12:55:20 +02:00
Renovate Bot
33d94dadb8 Lock file maintenance 2021-09-06 04:37:57 +00:00
Renovate Bot
da151790af Lock file maintenance 2021-09-06 02:47:49 +00:00
Renovate Bot
7851e4ce52
Update dependency oembed-parser to v1.4.8 2021-09-03 03:32:36 +00:00
Fabien O'Carroll
a39dd7255d Fixed updating products inside of a transaction
no-issue

When updating products we make many reads and writes to the database,
some of these reads were not happening inside of a transaction which was
causing issues when loading the members setting page. This bumps the
@tryghost/members-api dependency to ensure that all of the database
operations happen inside of the transaction
2021-09-01 19:14:21 +02:00
renovate[bot]
f52d0136ef
Update dependency @tryghost/kg-mobiledoc-html-renderer to v5.1.1 (#13251)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-01 09:12:09 +01:00
renovate[bot]
2f2939ec1b
Update dependency @tryghost/color-utils to v0.1.2 (#13269)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-01 09:11:21 +01:00
Naz
75744041c1 Allowed for a 'sent' status in canary Admin Post API
refs https://github.com/TryGhost/Team/issues/892

- When a published email-only post is edited on the client it sends through a "sent" status over to the backend over PUT endpoint. It's a valid new status that should be accepted by the validation
2021-09-01 10:55:13 +04:00
Renovate Bot
966f167fd9
Update dependency @sentry/node to v6.12.0 2021-08-31 16:25:51 +00:00
Renovate Bot
192f0d07ba Lock file maintenance 2021-08-30 05:34:49 +00:00
Renovate Bot
ac57c1b364
Update dependency mocha to v9.1.1 2021-08-30 00:13:33 +00:00
Fabien O'Carroll
b895b87add Errored when creating products if any error occurs
refs https://github.com/TryGhost/Team/issues/982

When creating a Product with invalid data for Stripe, e.g. a price of
one gazillion dollars - the Stripe API requests would fail, but we would
end up with a broken product created in the database. This updates
@tryghost/members-api to wrap these calls in a database transaction, and
will roll back any operations if one of them fails.
2021-08-26 20:10:31 +02:00
Fabien 'egg' O'Carroll
9a1417c8b9
Exposed dummy subscriptions to theme layer (#13257)
refs https://github.com/TryGhost/Team/issues/986

This updates the @tryghost/members-api module to return the full member
object from getMemberIdentityData, which is used to populate req.member
used by themes to construct the `@member` template data.

The full object is read from the service which handles all additional
properties and logic for retrieving members, including the dummy
subscriptions for comped members.
2021-08-26 16:03:32 +01:00
Fabien O'Carroll
e05fa6af38 Fixed subscription handling to remove old products
refs https://github.com/TryGhost/Team/issues/979

This bump to @tryghost/members-api includes a fix for handling a
subscription updating to a new price. Previously we would add the new
product to the member, but the old one would still be attached. Now we
check that there are no other active subscriptions for the product
associated with the old price, and remove it.
2021-08-26 15:55:22 +02:00
Fabien O'Carroll
76311484df Added dummy subscription to comped members
refs https://github.com/TryGhost/Team/issues/873

This includes the update to @tryghost/members-api which includes the new
MemberBREADService which is used to handle the logic for controller
methods outside of the controller.

With it, we've introduced the concept of a dummy subscription for comped
members. This gives API consumers a way to get the created_at date for a
comped members access to a product.
2021-08-26 15:28:55 +02:00
renovate[bot]
b2aa2dd7e1
Update dependency @tryghost/members-importer to v0.3.1 (#13231)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-25 13:43:13 +01:00
Renovate Bot
789773ae8a Update dependency nock to v13.1.3 2021-08-25 12:08:30 +02:00
Kevin Ansfield
5e83d87ab9 Updated email-cta card rendering to match editor
refs https://github.com/TryGhost/Team/issues/1007

- bumped `@tryghost/kg-default-cards` with updated rendering
  - aligns text as well as button
  - has single payload toggle for divider display
  - adds toggle for button display
- bumps other @tryghost/kg-*` packages that had minor dependency bumps
2021-08-24 18:10:07 +01:00
Fabien O'Carroll
3a6e71a2b6 Wired up MemberProductEvents to member product changes
refs https://github.com/TryGhost/Team/issues/873

This version of @tryghost/members-api handles creating
MemberProductEvents when a member is created, updated or has their
subscription updated. This populates the members_product_events table
and can be used to determine when a member was given access to a
product, which is useful with the concept of comped access to a product,
where we do not have a subscription as a record.
2021-08-24 15:22:10 +02:00
renovate[bot]
2ed9529fa0
Update dependency @tryghost/members-csv to v1.1.5 (#13246)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-24 14:17:02 +01:00