Commit Graph

1955 Commits

Author SHA1 Message Date
Katharina Irrgang
9349e99e54 🐛 fix delete by author as transaction (#7145)
closes #7137

Deleting the content from the database runs in a transaction. see
https://github.com/TryGhost/Ghost/blob/master/core/server/api/users.js#L390

`destroyByAuthor` is one of the operations we trigger to delete all the conent, see https://github.com/TryGhost/Ghost/blob/master/core/server/models/post.js#L647

The post model has a specific hook for deleting content to delete the relations as well, see https://github.com/TryGhost/Ghost/blob/master/core/server/models/post.js#L122

This hook is part of the transaction. But the `options` are ignored. `(model/*, attr, options*/)` 
We use the `options` to forward the transaction reference, which we need to pass into the bookshelf queries. So `return model.load('tags').call('related', 'tags').call('detach')` does not forward the transaction and that's why it stucks when deleting the content.
2016-09-19 14:45:36 +01:00
Katharina Irrgang
265f058466 🎨 use apiUrl helper for scheduling initialisation (#7400)
no issue
- extend apiUrl to return either an admin url for CORS or not
2016-09-19 14:41:50 +01:00
Cezary Kluczyński
83b426ad14 Changed formatting of run time to human readable (#7318) 2016-09-19 11:28:18 +01:00
Katharina Irrgang
ed9e90419d 🐛 generate correct apiUrl for scheduling (#7389)
closes #7388
2016-09-15 10:22:38 +01:00
Hannah Wolfe
a791b43f1e 🐛 😱 Fixing extract-zip derp-moment
There are no words for this!
2016-09-14 22:47:41 +01:00
David Wolfe
1cf0b940ad Do not show internal tags in RSS feed (#7385)
closes #7367

- checks tags are visibile if internal tags are enabled in labs
- dirty quick update to tests
2016-09-14 19:14:08 +01:00
Hannah Wolfe
a40ff3b276 🎨 Return gscan warnings from theme API (#7367)
- return warnings from gscan so we can let users know about potential issues
2016-09-14 18:49:41 +01:00
Hannah Wolfe
de66a61f59 hides internal tags from displaying in meta data (#7379)
closes #7348

- only filter keywords if the internal tag lab feature is turned on
2016-09-14 17:33:24 +00:00
Hannah Wolfe
43bcf5b374 🐛 better theme name consistency (#7380)
closes #7313

- Adds `getSanitizedFileName` function to storage/base.js which replaces non A-Z0-9@. chacracters with -
- modifies /api/theme.js so that zip.shortName is consistent throughout.
2016-09-14 17:24:28 +00:00
Austin Burdine
2b07f7a15b Add application/octet-stream to allowed types for theme uploads (#7382)
closes #7292 (again)
- fix more uploads
2016-09-14 17:53:36 +01:00
Katharina Irrgang
774a662fb2 🐛 re-run migration for sqlite/pg (#7323)
closes #7192

- add 008 migration
- added script to re-run 006/01
- re-run 006/01 migration for postgres in any timezone (transform formats only)
- re-run 006/01 migration for sqlite (transform formats only)
- rely on format checks for sqlite, do not check server TZ
2016-09-14 17:52:45 +01:00
Aileen Nowak
b598656ff1 Use migration to add AMP column in posts table (#7370)
no issue

Uses migration to '008' to add an `amp` column to the `posts` table.
2016-09-14 16:02:35 +01:00
Katharina Irrgang
94fdbdd267 🐛 move overrides into core folder (#7371)
closes #7336
- make sure overrides is still the first package to call
2016-09-14 15:50:17 +01:00
Austin Burdine
78f580763f ensure amp works when blog is running in subdirectory (#7353)
closes #7352
- use relative url instead of absolute url for post lookup
- add test that passes w/these changes
2016-09-14 12:47:25 +01:00
Sebastian Gierlinger
03ca49ca5e Respect subdirectory for preview pages (#7365)
no issue
- added subdirectory for preview route when doing cache invalidation
2016-09-14 12:32:48 +01:00
Aileen Nowak
a4427952e2 ⬆️ 🚨 Update Amperize dep and fix test (#7374)
no issue

Updates Amperize dep to v0.3.1 and fixes test for `amp_content`.
2016-09-14 12:30:37 +01:00
Katharina Irrgang
8c1e5fbc61 🐛 add missing dependency lodash.orderBy (#7333)
no issue
2016-09-14 11:22:16 +01:00
Katharina Irrgang
5f4da361aa 🐛 fix 006 transform dates for sqlite server offset 0 (#7322)
refs #7192, refs #7248, refs #7351
2016-09-14 11:19:39 +01:00
Hannah Wolfe
4287e0e78b 🐛 Reactivate theme on override + cache clear (#7368)
closes #7350

- When the active theme is overridden, ensure that the activateTheme middleware gets called by removing the `req.app.activeTheme` value.
- Additionally, ensure that the full cache is invalidated
2016-09-14 10:18:52 +00:00
Ryan McCarvill
98a17d5116 fix: Empty Sitemap.xml (#7354)
closes #7341
2016-09-14 10:44:08 +02:00
Aileen Nowak
b3b1bcca94 🐛 Return reg. HTML on Amperize time-out (#7324)
no issue

`{{amp_content}}` helper can handle error now, if returned from `Amperize` module. In case of on error, we return the unprocessed HTML, which will then get validated by the `Sanitize` functionality.

The unprocessed HTML will be stored in the cache, until the post is updated.

Points to Amperize fork of AileenCGN as dependency to have include the error handling changes incl. timeouts.
2016-09-06 15:29:21 +02:00
Hannah Wolfe
761d963893 💄 Output overall from -> to version during migration (#7329)
no issue

- Migrations weren't clear what version the database was
2016-09-06 13:59:54 +02:00
Katharina Irrgang
2142a9c587 🐛 fix direct blog migration and permission fixture options (#7320)
* 🐛 fix direct update

closes #7297
- move sitemap initialisation into sitemap handler
- initialise sitemap on first request to sitemap

* 🐛 fix how we pass options to migration files

refs #7317
- clone options when passing them into the migration/fixture files
- do not use default sequence, because it does not clone the arguments
2016-09-06 13:16:32 +02:00
Kevin Ansfield
0b6459cb91 Fix upgrade notification type value (#7308)
refs #7305

* 🎨 display upgrade alerts with the correct "info" style
* 💄 update use of notifications status/type/location attrs to reflect current usage
2016-09-01 17:58:46 +02:00
Aileen Nowak
11436317c0 🐛 Remove oldschool HTML attribrutes (#7309)
no issue

Uses `allowedAttributes` functionality of `Sanitize` HTML and whitelists attributes for certain tags, regarding
AMP validation rules.

This PR fixes issues with inline style like `border`, `bgcolor`, `align` and so on.
2016-09-01 16:05:39 +02:00
Austin Burdine
7854b65848 fix subscriber uploads from windows (#7306)
no issue
- allow 'application/octet-stream' as a valid content type for an
  uploaded subscriber csv
2016-09-01 12:43:50 +02:00
Katharina Irrgang
54559f24f9 fix: memory leak (#7291)
closes #7189

- downgrade lodash to 3.x
- downgrade bookshelf to 0.9.x
- downgrade knex to 0.10.x
- keep lodash 4.x functions
2016-09-01 10:53:08 +02:00
Austin Burdine
c8bc1b0d3c allow windows flavor of zip mime type to be uploaded (#7293)
refs #7292
- add 'application/x-zip-compressed' to allowed mime types for import
  and theme upload
2016-09-01 08:49:54 +02:00
Aileen Nowak
587337aab3 🐛 Allow .zip file upload for file import (#7278)
closes #7277

Adds `.zip` to `extensions` and `application/zip` to `contentTypes` in config, specificly for uploads to `db`, to allow .zip-file file uploads from labs.
2016-08-29 09:19:49 +02:00
Aileen Nowak
1bc1f165f1 💄 Add post image to AMP template and style fixes (#7272)
no issue

Will show the post image on top of the AMP page, if image is uploaded.
Some minor style changes.
2016-08-26 12:28:45 +02:00
Aileen Nowak
d59f199ee3 🐛 🎨 Improves AMP validation for video and iframe (#7270)
no issue

Video tags aren't supported in Amperize yet, therefore, we strip them out. If a `<video>` tag has nested `<source>` elements, they would stay because they are whitelisted regarding `Sanitize`, as we use them for `<audio>` tags as well.

This PR uses `cheerio` to strip out in `<video>` nested `<source>` tags, without removing the fallback text.
It also removes prohibites attributes for `<amp-iframe>` which are e. g. used by Vimeo embeds.

Removes every kind of inline `style` attributes, as they will cause validation errors as well.
2016-08-25 12:47:28 +02:00
Aileen Nowak
93ee19f36e 🐛 fix: make small media types not stretch (#7265)
no issue

Fixes a bug with displaying small media types like images or gif. Two reasons for that:
1. In many cases, we only have the relative URL instead of the absolute URL for the media source and therefore, `Amperize` module wasn't able to detect the image size and set the default image size of `width="600"` and `height="400"`.
2. Even if we have detected the correct image size, the attribute `layout="default"` would still make it strech. This issue is fixed in `Amperize`, but it wasn't merged at this time, so I set the dependency on my fork.

Adds `amp-anim` to the `.post-content` class, to have same CSS style as an image.
2016-08-25 11:09:25 +02:00
Hannah Wolfe
84a35a4753 🎨 Theme events (#7269)
no issue
- add events for uploaded, downloaded & deleted
2016-08-25 10:36:12 +02:00
Hannah Wolfe
545d2cb8b0 Use node-archiver to create zips (#7268)
closes #7266, closes #7267

- Adds node-archiver as a dependency
- Adds new zip-folder utility
- Switch out exec 'zip' for zip folder utility
- Store generated zips in os.tmpdir
- Don't delete zips from content/themes when uploading or deleting
- Fixes path resolution for delete
2016-08-25 09:22:22 +02:00
Aileen Nowak
f7129a0e39 🎨 Util to convert relative urls in absolute (#7264)
no issue

This PR takes the existing function `processUrls` in `data/xml/rss` and refactors it to be a stand-alone util.
The change is needed, as this functionality will be accessed from `apps/amp` to convert relative URLs.
2016-08-25 07:09:40 +01:00
Hannah Wolfe
5739411c51 🐛 Ensure sitemap items are valid (#7261)
closes #7186

- Add a concept of validity to each generator
- Refactor base generator to handle invalid (empty) nodes for both events & the initial generation
- Update the tests a bit, to fix some bugs in the tests
- Ensure the homepage is always present
2016-08-25 07:13:08 +02:00
Hannah Wolfe
02ca986ed7 🎨 Improve theme validation error messaging (#7253)
refs #7204

- Adds a new ThemeValidationError class
- This error has a top level message, but will also contain all the individual errors within the `errorDetails` property
- Updated the API error handling to return `errorDetails` if it is present
2016-08-24 14:45:54 +02:00
Katharina Irrgang
fb4a4817ef improvement: storage error handling (#7257)
no issue

- while testing different situations for custom storage adapters after switching from 0.9 to 0.10, it turned out the error output was not optimal
- this PR improves that
2016-08-24 13:32:29 +01:00
Katharina Irrgang
a91e54cf1a feature: theme upload/download/delete (#7209)
refs #7204

- added 3 new themes permissions
- change core/client
- add theme upload/download logic
- extended local file storage to serve zips
- added gscan dependency
- add ability to handle the express response within the api layer
- restrict theme upload to local file storage
- added 007 migration
2016-08-23 13:07:25 +01:00
Jesse Dijkstra
f546a5ce1d Remove open redirect by removing double slashes from redirects (#7247)
no issue

Double slashes are treated as a HTTP calls as specified in [RFC1801](http://www.ietf.org/rfc/rfc1808.txt). Because of this behaviour the uncapitalise created an open redirect. By removing double slashes in the path we ensure open redirects cannot be created.

As an example, please click the following URL: https://dev.ghost.org///Google.com/.

This issue  has been reported by pentesters of our product [LearningSpaces.io](http://learningspaces.io).
2016-08-23 13:47:59 +02:00
Katharina Irrgang
6a1c10516e improvement: ensure custom storage adapter has required functions (#7234)
refs #2852

- improvement: ensure custom storage adapter has required functions
- serve, save and exists are from now on required functions for a custom storage adapter
- add delete as required storage function
2016-08-22 22:51:42 +01:00
Katharina Irrgang
41ae8c03b9 feature: storage adapter for images and themes (#7241)
refs #2852
- we offer the option to define a storage for themes and a storage for images
2016-08-22 18:55:28 +01:00
Aileen Nowak
a5c29dfc34 [FEATURE] AMP (#7229)
closes #6588, #7095

* `ImageObject` with image dimensions (#7152, #7151, #7153)
- Returns meta data as promise
    - returns a new Promise from meta data
    - uses `Promise.props()` to resolve `getClient()` and `getMetaData()`

- Adds 'image-size' util
The util returns an object like this
```
{
    height: 50,
    url: 'http://myblog.com/images/cat.jpg',
    width: 50
};
```
if the dimensions can be fetched and rejects with error, if not.
In case we get a locally stored image or a not complete url (like `//www.gravatar.com/andsoon`), we add the protocol to the incomplete one and use `urlFor()` to get the absolute URL. If the request fails or `image-size` is not able to read the file, we reject with error.
- adds 'image-size' module to dependencies
- adds `getImageSizeFromUrl` function that returns image dimensions

- In preparation of AMP support and to improve our schema.org JSON-LD and structured data, I made the following changes:
    - Changes the following properties to be `Objects`, which have a `url` property by default and a `dimensions` property, if `width` and `height` are available:
        - `metaData.coverImage`
        - `metaData.authorImage`
        - `metaData.blog.logo`
    - Checks cache by calling `getCachedImageSizeFromUrl`. If image dimensions were fetched already, returns them from cache instead of fetching them again.
    - If we have image dimensions on hand, the output in our JSON-LD changes from normal urls to be full `ImageObjects`. Applies to all images and logos.
    - Special case for `publisher.logo` as it has size restrictions: if the image doesn't fulfil the restrictions (<=600 width and <=60 height), we simply output the url instead, so like before.
    - Adds new property for schema.org JSON-LD: `mainEntityOfPage` as an Object.
    - Adds additional Open Graph data (if we have the image size): `og:image:width` and `og:image:height`
    - Adds/updates tests

* AMP router and controller (#7171, #7157)
Implements AMP in `/apps/`:
- renders `amp.hbs` if route is `/:slug/amp/`
- updates `setResponseContext` to set context to `['amp', 'post']` for a amp post and `['amp', 'page']` for a page, but will not render amp template for a page
- updates `context_spec`
- registers 'amp' as new internal app
- adds the `amp.hbs` template to `core/server/apps/amp` which will be the default template for AMP posts.
- adds `isAmpURL` to `post-lookup`

* 🎨 Use `context` in meta as array (#7205)
Instead of reading the first value of the context array, we're checking if it includes certain context values.
This is a preparation change for AMP, where the context will be delivered as `['amp', 'post']`.

*  AMP helpers (#7174, #7216, #7215, #7223)
- Adds AMP helpers `{{amp_content}}`, `{{amp_component}}` and  `{{amp_ghost_head}}` to support AMP:
- `{{amp_content}}`:
    - Adds `Amperize` as dependency
    - AMP app uses new helper `{{amp_content}}` to render AMP HTML
    - `Amperize` transforms regular HTML into AMP HTML
    - Adds test for `{{amp_content}}` helper
    - Adds 'Sanitize-HTML` as dependendy
    - After the HTML get 'amperized' we still might have some HTML tags, which are prohibited in AMP HTML, so we use `sanitize-html` to remove those. With every update, `Amperize` gets and it is able to transform more HTML tags, they valid AMP HTML tags (e. g. `video` and `amp-video`) and will therefore not be removed.
- `{{amp_ghost_head}}`:
    - registers `{{amp_ghost_head}}` helper, but uses `{{ghost_head}}` code
    - uses `{{amp_ghost_head}}` in `amp.hbs` instead of `{{ghost_head}}`
- `{{ghost_head}}`:
    - Render `amphtml` link in metadata for post, which links to the amp post (`getAmpUrl`)
    - Updates all test in metadata to support `amp` context
    - Changes context conditionals to work with full array instead of first array value
    - Adds conditionals, so no additional javascript gets rendered in `{{ghost_head}}`
    - Removes trailing `/amp/` in URLs, so only `amphtml` link on regular post renders it
    - Adds a conditional, so no code injection will be included, for an `amp` context.
- `{{amp_components}}`:
    - AMP app uses new helper `{{amp_components}}` to render necessary script tags for AMP extended components as `amp-iframe`, `amp-anime` and `amp-form`
    - Adds test for `{{amp_components}}`
2016-08-22 18:49:27 +02:00
Aileen Nowak
2875f5a9bc 🐛 config.theme.timezone must not be overwritten (#7232)
closes #7182

When calling `config.set()` in the settings api, we want to set the active timezone of the blog to make it available in our `settingsCache`. But because the `theme` object in the `set` prototype was already set to `Etc/UTC` as default, the `_.merge` function would always overwrite our `activeTimezone` with the default value.

This PR changes the code in the way, that we always set 'Etc/UTC' for the timezone as default, _until_ we fetched our settings and therefore the `activeTimezone` setting, so we can overwrite it.

This issue had not only influence on the date helper, but everywhere in our codebase, where we rely on reading the `timezone` from our config, instead of our settings. The `{{@blog.timezone}}` helper reflected that quiet well, as it would always show `Etc/UTC`
2016-08-22 17:56:35 +02:00
Katharina Irrgang
07e59cf27e fixes: storage base getUniqueFileName (#7230)
no issue
- getUniqueFileName does not replace . by -
- added poor extensions validation
2016-08-22 16:54:10 +01:00
Katharina Irrgang
3b8f08e0ec fix: delete unused theme endpoints (#7231)
no issue
2016-08-22 10:54:54 +01:00
Aileen Nowak
18eda54cf0 🐛 Change default referrer policy (#7240)
closes #7235

Changes the default referrer policy to `no-referrer-when-downgrade` because Safari can't deal with `origin-when-crossorigin`.
2016-08-22 11:20:56 +02:00
Aileen Nowak
7fca4c8a4f 🐛 Don't overwrite config.theme.title in GhostMail (#7224)
closes #7212

When no Blog title is set and there is a `from` mail adress without custom name set up in `config.js`, it will overwrite `config.theme.title` in `GhostMailer.from` and forces to have a (wrong) Blog title after sending a test mail or an invitation.

- Uses a variable `defaultBlogTitle` instead of overwriting `config.theme.title`, when no blog title is set and therefore `config.theme.title` has no value.
2016-08-19 10:22:07 +02:00
John O'Nolan
61a8845ab5 Switch to new native system font stack (#7219)
no issue

Based on an increasingly popular trend and modern web typography capabilities, switch out Google Fonts for default native system fonts, tailored in a stack to suit every device. Also makes some very minor visual adjustments to suit.

Nixes all references to Google Fonts, and provides a faster rendering experience and fewer http requests. 💃

Reference material:

https://www.smashingmagazine.com/2015/11/using-system-ui-fonts-practical-guide/
https://medium.design/system-shock-6b1dc6d6596f#.rhqx5fmyz
Dependencies:

TryGhost/Ghost-Admin#211
TryGhost/Ghost-Desktop#190
2016-08-18 20:29:46 +01:00
Katharina Irrgang
663b410fd4 feature: upload validation middleware (#7208)
no issue

- Source out validation logic into a upload validation middleware for all upload types (csv, image, subscribers). This unit can be later used for Ghost 1.0 as a pre validation core unit. 
- More usage of route tests than controller tests. These are use case tests, a use case only changes if the product changes
2016-08-18 20:25:51 +01:00