Commit Graph

177 Commits

Author SHA1 Message Date
Simon Backx
972c25edc7
Wired up member attribution from email clicks (#15407)
refs https://github.com/TryGhost/Team/issues/1899

- Added `addEmailAttributionToUrl` method to MemberAttributionService. This adds both the source attribution (`rel=newsletter`) and member attribution (`?attribution_id=123&attribution_type=post`) to a URL.
- The URLHistory can now contain a new sort of items: `{type: 'post', id: 'post-id', time: 123}`.
- Updated frontend script to read `?attribution_id=123&attribution_type=post` from the URL and add it to the URLHistory + clear it from the URL.
- Wired up some external dependencies to LinkReplacementService and added some dummy code.
- Increased test coverage of attribution service
- Moved all logic that removes the subdirectory from a URL to the UrlTranslator instead of the AttributionBuilder
- The UrlTranslator now parses a URLHistoryItem to an object that can be used to build an Attribution instance
- Excluded sites with different domain from member id and attribution tracking
2022-09-14 15:50:54 -04:00
Fabien "egg" O'Carroll
4726742673 Renamed redirects to custom-redirects
We're going to be adding more redirection logic into Ghost and it's
going to get confusing if we have names this generic. This makes it
clear which feature this service is related to.

Ideally in the future we can combine all of these into one redirects
service, but for now we will be running a specific service per feature
2022-09-14 13:24:17 -04:00
Simon Backx
d5b332ab02 Added temporary fix for random test failures in comments
refs https://ghost.slack.com/archives/C02G9E68C/p1663162175224299

This requires a better fix in the future that properly awaits the emails (not really possible at the moment) or disables sending new member emails when using loginAs
2022-09-14 17:02:13 +02:00
Kevin Ansfield
a7c4991af5 Wired up lexical editor saving
no issue

- fixed API returning "Invalid mobiledoc structure" errors when `mobiledoc:null` is sent in the payload alongside `lexical: '{...}'`
- updated Admin's `posts` and `pages` adapters to always add `?formats=mobiledoc,lexical` because the API doesn't return `lexical` by default
- added `lexical` attribute to Admin's Post model
- updated `lexical-editor` controller and related components to work with `lexical` always being a JSON string rather than a parsed object
- updated `<KoenigLexicalEditor>` to pass through the lexical state string as initial state and wired up the `onChange` prop
2022-09-13 21:01:53 +01:00
Kevin Ansfield
6fc9cd5f80
Added passthrough + saving of lexical property on posts/pages (#15403)
no issue

- bumped `@tryghost/admin-api-schema` to allow passthrough of the `lexical` property on post and page API endpoints
- prevented saving of blank document in the `mobiledoc` field if `lexical` is provided
- prevented API input containing both `mobiledoc` and `lexical` fields to avoid issues when both are present:
  - not possible to know which content is latest/has precedence
  - not possible to know which editor should be displayed in Admin
2022-09-13 17:29:37 +01:00
Kevin Ansfield
c8dc23cbb5 Fixed Content API posts/pages e2e tests
refs 7ad1be2555

- snapshot comparisons were missing matchers for dynamic fields in the body response
2022-09-13 15:05:53 +01:00
Kevin Ansfield
30611cf2c4 Really fixed e2e Admin API posts test
refs 9471384020

- previously added tests (any subsequent matcher updates) for browse endpoint were not using matchers that sufficiently covered the dynamic portions of the body
2022-09-13 14:09:45 +01:00
Kevin Ansfield
eebdb1d5df Fixed e2e Admin API posts test
refs 9471384020

- previously added tests for browse endpoint were not using matchers that sufficiently covered the dynamic portions of the body
2022-09-13 14:05:03 +01:00
Kevin Ansfield
9471384020 Added tests for Admin API not returning lexical by default but including when requested
no issue

- left `mobiledoc` as the only default format added in the post/page input serializers for now to minimize API/test churn during these early stages of lexical development
- tested that the `lexical` field is not returned by default but can be requested via `?formats=lexical`
2022-09-13 13:30:29 +01:00
Kevin Ansfield
7ad1be2555 Fixed Content API returning lexical format when requested
no issue

- similar to the `mobiledoc` field, the Content API should not return the source `lexical` field if requested via `?formats=`
  - renamed `removeMobiledocFormat()` to `removeSourceFormats()` to better match it's behaviour
2022-09-13 13:30:29 +01:00
Daniel Lockyer
f8679f22d7
Updated settings snapshot
refs 067bfe92a4

- this was missed in the previous commit
2022-09-13 12:37:33 +01:00
Kevin Ansfield
8cdd2e10b7
Added posts.lexical database field (#15397)
closes https://github.com/TryGhost/Team/issues/1884

- adds `post.lexical` ready for use by the lexical-powered editor re-write
- fulfils the same purpose as `posts.mobiledoc` so uses the same field properties
- added `lexical` to allowed formats in Post model so it won't be included by default in API responses meaning tests/snapshots don't need updating at present
2022-09-13 11:21:47 +01:00
Rishabh
054833992e Wired events for triggering email alerts for subscription creation/cancellation
refs https://github.com/TryGhost/Team/issues/1865

- refactors subscription creation/cancellation to dispatch proper events which are used for email alerts
- cleanup
2022-09-10 11:06:34 +05:30
Rishabh
2fbaa7b9bc Moved member email alert trigger to member creation
closes https://github.com/TryGhost/Team/issues/1864
refs https://github.com/TryGhost/Team/issues/1881

- triggers free member email alert via event dispatch from member create method
- passes subscription/stripe data to member creation for paid members so free member alert can be ignored for them
- moves subscription created event being called from webhook controller to `linkSubscription`, allows creating subscription events for all new subscriptions instead of ones just via webhooks
2022-09-10 11:06:34 +05:30
Rishabh
4187f0da54 Updated staff service to trigger alerts via events
refs https://github.com/TryGhost/Team/issues/1865

- refactors staff service to listen to member and subscription events
- triggers email alerts based on events instead of directly calling the service
- removes staff service dependency for members api
2022-09-10 11:06:34 +05:30
Hannah Wolfe
04f3ac37d3 Removed defunct applyPublicRules code
closes: https://github.com/TryGhost/Toolbox/issues/369
refs: https://github.com/TryGhost/Toolbox/issues/229

- this code is defunct as we no longer accept a status parameter via the API for posts, pages, users or authors
2022-09-09 17:14:15 +01:00
Hannah Wolfe
b0234dd58e
Removed apiVersions from test urlUtils
refs: https://github.com/TryGhost/Toolbox/issues/229

- These properties were removed from urlUtils in 5.0 and no longer do anything
2022-09-09 13:32:30 +01:00
Ronald Langeveld
c9e6f42ca8 Bumped Portal to 2.12.0
ref https://github.com/TryGhost/Team/issues/1800

- Adds v 2.12.0 of Portal
- Updates snapshots for tests
2022-09-09 13:54:43 +02:00
Naz
235d716048
Refactored notifications e2e tests to use test framework
no issue

- Bumped into these tests when doing cleanup in the notifications service. Having full snapshot of requests is useful to have as a sanity check, so migrated this test suite quickly.
2022-09-09 19:51:50 +08:00
Ronald Langeveld
eb6534bd7f
Replaced all 'bio' references with 'expertise' for member comments. (#15359)
closes https://github.com/TryGhost/Team/issues/1772

- The user facing side of comments recently replaced `bio` with `expertise`.
- To remain consistent we replaced all the references of `bio` with `expertise` throughout the codebase.
- This includes a database column name changing migration, within the `members` table.
- Bumped up the comments-ui version to a new minor (0.10.x) as its a breaking change.
2022-09-09 10:14:49 +02:00
Daniel Lockyer
790e4c5598
Added history log for staff actions
fixes https://github.com/TryGhost/Toolbox/issues/356

- this feature allows site Administrators to view a history log of staff
  actions on their site so they can audit when and by whom that something happened
- this commit promotes the History log to GA
2022-09-08 18:23:39 +01:00
Hannah Wolfe
7084217d3d
Added same-origin referrer rule to post previews
- this prevents the referrer/referer header being sent for requests that go to external domains
- this in turn prevents preview URLs from appearing in the analytics of sites that are linked to and clicked on from previews
- otherwise, preview URLs can be leaked to the owners of the linked and clicked sites
2022-09-08 12:39:13 +01:00
rw4nn
dc84983550
🐛 Fixed square brackets being % encoded in URLs (#14977)
fixes: #14863
refs: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI#encoding_for_ipv6

- added a simple Regex replace for the percent-encoded square brackets to get them back to non-encoded
- a preferred solution might be using new URL(), but that causes other issues. The regex solves the immediate need.
2022-09-08 12:09:40 +01:00
Simon Backx
6bffa893b1
Added snapshot tests to ghost_head helper (#15327)
refs https://github.com/TryGhost/Team/issues/1795

- Snapshots help us detect unexpected changes in the `<head>` of all sites (e.g., newly introduced script tags)
- Added ghost_head tests for comment count helper
2022-09-08 13:04:34 +02:00
Simon Backx
4534b693e4
Added test that validates output HTML of email template (#15365)
refs https://github.com/TryGhost/Team/issues/1871

This commit adds a test to the serialize method of `post-emaiserializer`. It checks whether the generated email HTML is valid and standard HTML5 and that all properties are escaped.

To do this validation, I depend on the new `html-validate` dev dependency. Just parsing the HTML with a HTML parser is not enough to guarantee that the HTML is okay.

Apart from that this fixes:
- Removed the sanitizeHTML method and replaced it with normal HTML escaping. We don't want to allow any HTML in the escaped fields. Whereas `sanitizeHTML` still allows valid HTML, but we don't want that and want the same behaviour as on the site. E.g., a post with a title `All your need to know about the <br /> tag` should actually render the same title and non-html content, being `All your need to know about the &lt;br /&gt; tag`
- The file, nft and audio card didn't (always) escape the injected HTML fields (new version @tryghost/kg-default-cards) 
- `@tryghost/string` is bumped because it contains the new escapeHtml method
2022-09-08 10:11:01 +02:00
Daniel Lockyer
04e3ee9f10 Added property cleaning to tag relations on pages + posts
refs https://github.com/TryGhost/Ghost/pull/15375

- we currently pass all properties for the `tags` property of a
  `page`/`post` body down further into Ghost, which is causing issues
  because it's handling properties it doesn't expect
- this is showing up because it's triggering save history events for
  tags when a post is edited
- this commit introduces a clean util which has an allowlist of
  properties allows on tag relations
- this list was taken from the schema: 128f8fb006/packages/admin-api-schema/lib/schemas/posts.json (L214-L227)
2022-09-07 22:28:56 +01:00
Daniel Lockyer
4a6f57b105
Merged v5.13.2 into main
v5.13.2
2022-09-06 16:45:52 +01:00
Fabien 'egg' O'Carroll
f7a58ecafc
🐛 Fixed OpenSea NFT OEmbeds (#15372)
refs https://github.com/TryGhost/Team/issues/1879

OpenSea updated their URL format for NFTs after adding support for Solana
which broke our regex, this updates to support the new format.
2022-09-06 11:29:35 -04:00
Simon Backx
8b4d5504e8
Moved (un)like endpoint code to comments service (#15371)
fixes https://github.com/TryGhost/Team/issues/1861

- Moved like and unlike endpoint handling to comments service and controller
- Moved small part of report logic to comments controller
- Added proper 401 authentication error when not authenticated as member
2022-09-06 17:20:55 +02:00
Ronald Langeveld
1f177e1c17
Added optional data-attribute to enable and disable auto redirection. (#15335)
closes https://github.com/TryGhost/Ghost/issues/15104 https://github.com/TryGhost/Team/issues/1800

- On custom sign up and login forms, creators often wouldn't want their members to be redirected to that page after signing in.
- This takes a new data-attribute value (eg `data-members-autoredirect="false"`) that can be set on [custom sign up / login forms](https://ghost.org/docs/themes/members/#signup-forms) into account before parsing the referrer on the magic link URL that gets sent to the member for login.
2022-09-06 14:36:06 +02:00
Naz
920a3aeb4c
Fixed adapter-related unit test
refs 37dd187fe6
refs c36575627d/ghost/core/core/server/data/importer/handlers/image.js (L16)

- The tests were failing because they were stubbing a "generic" adapter, instead of the one which the module under test was using (see referenced code to see what I mean)
2022-09-06 18:46:32 +08:00
Naz
c36575627d
Fixed unit test
refs 37dd187fe6

- The referenced commit lacked cleanup after module removal
2022-09-06 18:11:22 +08:00
Naz
a96a7340c0
Added JSDoc to adapter options resolver
refs https://github.com/TryGhost/Toolbox/issues/384

- Added jsdoc for intellisence/typechecking
- Cleaned up the naming of returned values to resemble the usecases a bit better
2022-09-06 17:51:57 +08:00
Naz
67df9a6105
Removed unused adapterType variable
refs https://github.com/TryGhost/Toolbox/issues/384

- The adapter manager can parse the adapter type internally from the "type:feature" syntax, so there's no need to pass it around.
2022-09-06 17:51:57 +08:00
Naz
1fc8c8d671
Added more explicit adapter config syntax
refs https://github.com/TryGhost/Toolbox/issues/384

- Existing adapter config was based on the notion there can only be one configuration per one adapter class. With adapter cache now allowing instantiating multiple adapter instances with the same base class it opened up a possibility to have shared configuration for a base class and then extend/override it in "feature" configurations (see tests in this commit for specific examples)
2022-09-06 17:51:57 +08:00
Naz
a0d0c38aaf
Fixed typo complementary -> complimentary 2022-09-06 17:51:56 +08:00
Hannah Wolfe
db6fb2d6d0
Removed unused fixture tasks
- these old concepts aren't used anymore
2022-09-06 10:18:55 +01:00
Daniel Lockyer
79368f565f
Fixed Tier events being created when Posts are edited
refs https://github.com/TryGhost/Team/issues/1875

- due to an misbehavior in our model layer, when `tiers` is set on a Post, it'll
  trigger a save of the Tier, and this produces an extra event in the
  `actions` table
- mapping the Tier(s) to just the ID prevents bookshelf-relations from
  editing the Tier and thus prevents the extra event
- also fixed tests which were implicitly assuming supplying a slug to a
  post would create the product
2022-09-05 17:19:27 +01:00
Hannah Wolfe
f1bc8026b7
Removed unused resetRoles method
- working on cleaning up our fixture mechanism and making it easier to understand
2022-09-05 09:32:54 +01:00
Simon Backx
2e85ae98be
🐛 Fixed sending emails from email domain that includes www subdomain (#15348)
fixes https://github.com/TryGhost/Team/issues/1855
fixes https://github.com/TryGhost/Team/issues/1866

This commit moves all duplicate methods to get the support email address to a single location. Also methods to get the default email domain are moved.

For the location, I initially wanted to put it at the settings service. But that service doesn't feel like the right place. Instead I created a new settings helpers service. This service takes the settingsCache, urlUtils and config and calculates some special 'calculated' settings based on those:

- Support email methods
- Stripe (active) keys / stripe connected (also removed some duplicate code that calculated the keys in a couple of places)
- All the calculated settings are moved to the settings helpers

I'm not 100% confident in whether this is the right place to put the helpers. Suggestions are welcome.
2022-09-02 16:57:59 +02:00
Simon Backx
51ddc39fa7 Updated snapshots of email preview tests
refs dd2bfb8c0e
2022-09-02 16:19:28 +02:00
Daniel Lockyer
dd2bfb8c0e
Merged v5.12.4 into main
v5.12.4
2022-09-02 15:13:37 +01:00
Simon Backx
999b111fce
🐛 Fixed paid email preview stopped working in emails (#15356)
fixes https://github.com/TryGhost/Team/issues/1870

Disables email sanitization that was enabled earlier because this bug is more important and urgent.

The recently introduced email sanitzation removes HTML comments from the post html.
- This breaks the email paid preview, because it depends on the `<!--members-only-->` comment.
- Breaks the Outlook comments `<!--[if !mso !vml]-->`

This commit reverts this change.
2022-09-02 15:49:39 +02:00
Hannah Wolfe
409a4783a3
Renamed content api agent auth method
- the query param is called key, so key is easier to remember
2022-09-02 10:48:03 +01:00
Hannah Wolfe
642b6ff8ae
Added loginAs[Role] to e2e framework with example
closes: https://github.com/TryGhost/Toolbox/issues/342
refs: 032a26f9f3
refs: 588c9d04e8

- Now that the old `users:no-owner` (now named 'users') is working correctly :)
- Was able to add loginAs[Role] methods for each staff role, so that it's possible to execute tests as that user and check permissions
- Refactored the email preview tests to use the new e2e framework and these methods, as an example
2022-09-02 10:38:22 +01:00
Hannah Wolfe
588c9d04e8
Renamed users:no-owner to users as main user fixture
- This fixture is the main user fixture you'd want to use when testing staff roles
- At the moment it has a weird name that makes it less likely people will use it
- A tiny step in trying to make our fixture system make a tiny bit more sense
2022-09-02 10:08:37 +01:00
Hannah Wolfe
032a26f9f3
Fixed users:no-owner fixture to add roles correctly
- This fixture would only work if the roles were inserted by the fixture system
- In most cases, this fixture was adding users without their associated roles
- Now we assume the roles exist already, and that we need to map users to each role
- This will allow us to more easily test user roles in e2e tests
2022-09-02 08:26:30 +01:00
Fabien 'egg' O'Carroll
e4cbb3d24d
Reset magic link rate limiting upon successful login (#15345)
refs https://github.com/TryGhost/Team/issues/1771

We don't have access to `req.brute.reset` due to the way the flow
works, we have one endpoint which sends an email with a magic link,
and another route which handles the login. We don't want to apply
brute force protection to both because our rate limiting is designed
for API requests not web page visits (which is how login is handled).

Because of this we require access to the underlying ExpressBrute
instance exposed by the spam-protection module, so that we can
perform the reset.
2022-09-01 08:54:14 -04:00
Fabien 'egg' O'Carroll
c9f782a3fc
🔒 Fixed rate limiting for user login (#15336)
refs https://github.com/TryGhost/Team/issues/1074

Rather than relying on the global block to stop malicious actors from
enumerating email addresses to determine who is and isn't a user, we
want our user login brute force protection to be on an IP basis,
rather than tied to the username.
2022-09-01 13:29:59 +01:00
Naz
945ebd4806
Fixed ERR_NOCK_NO_MATCH warning during test runs
refs https://github.com/TryGhost/Toolbox/issues/389

- The e2e test suite log was full of ERR_NOCK_NO_MATCH warnings when the logging level was set to "warn". The cause of this warning was legit duplicated webhook trigger processing on test environment. Gah!
- The source of duplicate webhook processing was duplication of event handlers. Event handlers were registered multiple times for same event because of the singleton nature of the "common/events" module - it remains the same instance and is not cleaned up between reboots. The deeper issue of events module initialization should be solved separately, this slightly hacky approach fixes the problem now and highlights it to be tackled in the future.
2022-09-01 12:25:47 +08:00