Commit Graph

88 Commits

Author SHA1 Message Date
Matt Enlow
9c0b203dce Merge pull request #3867 from hswolff/middleware-work
Makes the Ghost application more express middleware friendly.
2014-09-08 13:43:48 -06:00
Fabian Becker
5ab8c661ec Fix regex from #3898
refs #3898
2014-09-01 15:39:53 +02:00
Fabian Becker
a0b7941439 Restrict uncapitalise middleware for API
no ref
- Do not lowercase anything after /api/v0.1/<resource>/ to protect :key/:slug
2014-09-01 12:38:06 +00:00
Harry Wolff
8bc6a6e633 Makes the Ghost application more express middleware friendly.
refs #827

- Moves ./index to use Ghost in a similar manner to how someone uses
Ghost as an npm module.
- Allows Ghost to be cleanly mounted on another express application
on any arbitrary endpoint, all you need to customize is the mount path.
2014-08-29 17:30:16 -04:00
Hannah Wolfe
25ad4b39fd Uncapitalise middleware should not affect tokens
no issue

- Whilst testing on next, I noticed trying to signup didn't prepopulate email addresses any more, and this is why
2014-08-26 22:30:33 +01:00
Sebastian Gierlinger
cab8254539 Merge pull request #3860 from ErisDS/issue-3857
Redirect uppercase routes to lowercase version
2014-08-26 12:19:52 +02:00
Jason Williams
07ad400ee0 Replace the when promise library with bluebird.
Closes #968
2014-08-23 17:15:40 +00:00
Hannah Wolfe
6a52fc8ace Redirect uppercase routes to lowercase version
fixes #3857

- adds uncapitalise middleware which detects uppercase in req.path and
  redirects to the lowercase equivalent
- change the ghost route to a regex, just so it's consistent with other
  routes in the file
2014-08-23 17:59:58 +01:00
Jason Williams
8fb3cddcf6 Update express and body-parser dependencies.
No Issue
- Upgrade to versions of these packages that use qs >= 1.0.0.
2014-08-11 05:20:31 +00:00
Hannah Wolfe
7d37a829c3 Switch middleware order to result in proper error
fixes #3694

- Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 17:17:07 +01:00
Sebastian Gierlinger
c62d7ba43e Improve spam prevention
closes #3544
- limit forgotten password requests to five requests per IP per hour
for different email addresses
- limit forgotten password requests to five requests per email address
- limit signin requests to ten failed requests per IP per hour
- removed special treatment for tests
2014-08-05 12:58:58 +02:00
Sebastian Gierlinger
e1c0c5ce98 Change refresh token expiry
no issue
- acquiring a new access token using a refresh token sets the
expiration time of the refresh token to now + 24 hrs.
- moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to
`core/server/utils`
2014-07-28 15:19:49 +02:00
Harry Wolff
be37070fb6 This aims to speed up both the ghost application and tests by
migration from usage of config() to just an object of config.

no relevant issue

- Change 'loadConfig' task to 'ensureConfig' to more accurately reflect
what it is actually doing.  Its sole purpose is to make sure a `config.js`
 file exists, and as such the name now reflects that purpose.

- Update config/index.js to export the ghostConfig object directly
so that it can be accessed from other modules

- Update all references of config(). to config.
This was a blind global find all and replace, treat it as such.

- Fixes to tests to support new config access method

- Allow each test to still work when invoked invidually
2014-07-22 22:37:44 -04:00
Hannah Wolfe
cfaa6f058a Wire permmissions for notifications, mail and tags
closes #2739

- wraps the api endpoints for mail, notifications, and tags in a canThis
  check
- add internal context to internal calls
- updates tests
2014-07-17 16:44:09 +01:00
Hannah Wolfe
3ff9146d9e Server side cleanup
- remove sessions
- remove all references to csrf
- create a shared base model for the 2 types of token
2014-07-14 21:50:12 +01:00
Sebastian Gierlinger
8c2258dc4c Move setup to API
closes #3136
- moved setup to authentication API
- added `POST /ghost/api/v0.1/authentication/setup` to execute the
setup process
- added `GET /ghost/api/v0.1/authentication/setup` to check if blog is
already set up (needed for #3145)
- removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
Hannah Wolfe
a593cbfb53 Move post slug endpoint & add endpoints for users
closes #3187

- move slug endpoint to post/slug/:slug
- create similar  slug and email endpoint for users
- add/update tests
2014-07-09 16:55:34 +01:00
Hannah Wolfe
f70f99b5cf Replace the old admin with the ember admin
closes #3056

- Remove clientold
- Remove clientold tests
- Cleanup old admin helpers
- Remove old routes from admin and controllers from admin controller
- Comment out / remove old and broken tests
- Cleanup Gruntfile.js, bower.js, package.json etc

Still TODO:

- cleanup / add removed tests
- do we still need countable?
2014-07-01 08:33:17 +01:00
Sebastian Gierlinger
c8e8da4780 oAuth
closes #2759
closes #3027

- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based

Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125

**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
2014-06-30 14:58:10 +02:00
Fabian Becker
72156c7f89 New setup screen for blog installation.
fixes #3072
- Change router to handle /ember/setup/
- Adjust doSignup to also handle setup
- Adjust tests and add new where necessary
- Add setup controller, setup validation, setup route
- Adjust casper emberSetup to handle new setup
2014-06-26 15:31:44 +02:00
Harry Wolff
5d028b72fb Upgrade to Express 4.0
no related issue

- Updates package.json packages, adding express middleware packages
 that have been broken into their own modules

- Updates controllers/frontend.js to use the new Layer object that Express 4.0
 has.  Requires some monkey-patching as the Layer object isn't explicitly
 surfaced, however it should be safe to do.

- Moved the setup of routes into middleware/index.js because they need to
 be added as a middleware function before the 404 and 500 handlers. This is
 no longer possible with the old app.use(app.router) as that has been removed.

- Cleaned up middleware/index.js to make it compatible with Express 4.0.

- Simplified the way themes are activated and enabled when they are activated.
 The new handling is simpler, yet should still cover all the use cases that
 previously existed.

- The entire flow of activating a theme through middleware should be a little
 more centralized, letting it be easier to read and maintain.

- Moved every routes/*.js file to use an individual express.Router() instance.
2014-06-08 17:41:25 -04:00
Hannah Wolfe
9e8e1fa37d Ember redirect to signup
closes #2779

- adds temporary code to redirect the ember admin to signup if a user doesn't exist.
- done serverside as this makes most sense?
2014-06-03 19:21:45 +01:00
Hannah Wolfe
c02ebb0dcf Refactor API arguments
closes #2610, refs #2697

- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
  everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
  to perform reads, updates and deletes where possible - settings / themes
  may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
2014-05-15 10:41:05 +01:00
Sebastian Gierlinger
fd0f5a5028 Add distinct error classes
closes #2690
- added new error classes
- moved errorhandling.js to /errors/index.js
- changed API errors to use new classes
- updated tests
2014-05-09 12:11:29 +02:00
Hannah Wolfe
d1f57a2569 Merge branch 'ember'
Conflicts:
	Gruntfile.js
	core/client/models/post.js
	core/client/models/settings.js
	core/client/models/user.js
	core/client/router.js
	package.json
2014-05-07 22:28:29 +01:00
Jacob Gable
298077582b ACL and strict rules for Settings API
Ref #2061

- Add canThis permission checks to settings api calls
- Add strict rules about accessing core settings without internal: true
- Omit core settings in browse() call unless internal: true
- Update unit tests to call api.settings with contexts
- Add a couple unit tests for new scenarios
- Update all api.settings calls in the app to call with internal context
- Re-arrange permissions.init in server startup so config.theme.update
can access settings without permissions error
2014-05-07 10:56:03 -05:00
Fabian Becker
2a803aecdd Proper endpoints for persistent notifications
closes #2637
- Add new get API route for all notifications
- Wrap API responses to comply with JSON-API
- Add new tests / adjust fixtures
- Adjust all occurences of passive notifications
2014-05-06 00:05:14 +02:00
Hannah Wolfe
f2071eedb2 Move user API to primary document format
closes #2593

- added new format to user API methods
- changed all places where the user api was used
- updated tests and added more coverage
- little bit of cleanup in utils/api
2014-05-02 20:50:44 +01:00
Jacob Gable
7e9880ce8d Settings API Primary Document refactor
Closes #2606

- Refactor settings api responses to { settings: [ ] } format
- Update all code using api.settings to handle new response format
- Update test stubs to return new format
- Update client site settings model to parse new format into one object of key/value pairs
- Refactor to include all setting values
- Remove unused settingsCollection method
- Update settingsCache to store all attributes
- Update settingsResult to send all attributes
- Remove unnecessary when() wraps
- Reject if editing a setting that doesn't exist
- Reject earlier if setting key is empty
- Update tests with new error messages
- Use setting.add instead of edit that was incorrectly adding
- Update importer to properly import activePlugins and installedPlugins
- Update expected setting result fields
- Fix a weird situation where hasOwnProperty didn't exist 🤷
2014-04-30 23:15:27 -05:00
Lev Gimelfarb
a013840503 Support for urlSSL config option and forceAdminSSL 403 response
closes #1838
- adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect
- adding `urlSSL` option to specify SSL variant of `url`
- using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified
- dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data)
- using `urlSSL` in a "reset password" email, if specified
- adding unit tests to test `forceAdminSSL` and `urlSSL` options
- created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
2014-04-27 17:01:49 -04:00
Hannah Wolfe
16c8080636 Merge branch 'master' into ember
Conflicts:
	core/client/models/post.js
2014-04-21 18:35:38 +01:00
Sebastian Gierlinger
e47e9c62d0 Add permissions to API
closes #2264
- added permissions check to db, users and posts
- added register method to users
- added doesUserExist method to users
- added user from session to internal calls
- changed permissible to overwrite canThis
- removed action map and action type from permissable method
2014-04-16 18:22:22 +02:00
Hannah Wolfe
c746a88b2e Merge branch 'master' into ember
Conflicts:
	Gruntfile.js
	core/client/assets/lib/showdown/extensions/ghostdown.js
	core/client/views/editor.js
	core/clientold/assets/lib/showdown/extensions/ghostdown.js
	core/shared/lib/showdown/extensions/ghostimagepreview.js
	core/test/unit/showdown_client_integrated_spec.js
	core/test/unit/showdown_ghostimagepreview_spec.js
2014-04-07 22:26:53 +01:00
Matt Enlow
345fe1a6d4 Fixed check for a theme's custom error.hbs:
Closes #2513
- Checks for property `error.hbs` on active theme
- Added unit test to ensure `error` view is rendered when activeTheme has
  a custom error template.
- Removed unused variable, `userErrorTemplatePath` from errorHandler
- Refactored errorHandler.`updateActiveTheme` to take one argument, the new active theme, and to then check if the active theme has an error.hbs
- Changed errorHandler unit test to use rewire for mocking config.
2014-03-29 08:19:51 -06:00
Hannah Wolfe
79a333b480 Merge branch 'master' into ember
Conflicts:
	bower.json
	core/client/views/editor.js
2014-03-16 20:52:44 +00:00
Manuel Mitasch
ca9a23f2d6 Ember.js: Add assets img + css (ember-hacks.css) to ember admin
Closes #2276

- Adds the images to `core/client/assets/img`
- Adds css with ember hacks to `core/client/assets/css`
- Configures middleware to provide assets as static files at url `/ghost/ember`
- Adds ember option to assets helper
- Modifies default-ember.hbs to use ember option on asset helper
- Remove inline style definition in editor.hbs
- Modifies .gitignore to include ember-hacks.css (in ignored `core/client/assets/css` folder)
2014-03-15 00:08:15 +01:00
Fabian Becker
c3417fe090 Serve default robots.txt
closes #2062
- Server robots.txt from theme if available
- Serve default robots.txt from /core/shared/ otherwise
- Added tests for default robots.txt
2014-03-13 21:31:41 +01:00
Hannah Wolfe
31f41822e0 Merge branch 'master' into ember
Conflicts:
	.gitignore
	Gruntfile.js
	bower.json
	core/client/assets/lib/showdown/extensions/ghostdown.js
	core/client/assets/vendor/showdown/extensions/ghostdown.js
	core/client/router.js
	core/clientold/assets/vendor/chart.min.js
	core/clientold/assets/vendor/codemirror/addon/mode/overlay.js
	core/clientold/assets/vendor/codemirror/codemirror.js
	core/clientold/assets/vendor/codemirror/mode/gfm/gfm.js
	core/clientold/assets/vendor/codemirror/mode/gfm/index.html
	core/clientold/assets/vendor/codemirror/mode/gfm/test.js
	core/clientold/assets/vendor/codemirror/mode/markdown/index.html
	core/clientold/assets/vendor/codemirror/mode/markdown/markdown.js
	core/clientold/assets/vendor/codemirror/mode/markdown/test.js
	core/clientold/assets/vendor/countable.js
	core/clientold/assets/vendor/fastclick.js
	core/clientold/assets/vendor/icheck/jquery.icheck.min.js
	core/clientold/assets/vendor/jquery.hammer.min.js
	core/clientold/assets/vendor/nprogress.js
	core/clientold/assets/vendor/packery.pkgd.min.js
	core/clientold/assets/vendor/showdown/extensions/ghostdown.js
	core/clientold/assets/vendor/showdown/showdown.js
	core/clientold/assets/vendor/validator-client.js
	core/test/unit/client_ghostdown_spec.js
	core/test/unit/client_showdown_int_spec.js
2014-03-05 23:10:44 +00:00
Fabian Becker
cd74b0e232 Switch to bower for client assets.
fixes #2272
- Remove libraries from shared/vendor
- Remove libraries from client/assets/vendor
- Add bower to package.json and postinstall
- Add bower.json with dependencies
- Add scripts from bower_components to concat/uglify
- Fix tests
- Serve jquery from /ghost/built/theme/
2014-03-04 20:09:26 +00:00
Fabian Becker
1a9e91f120 Replace JSLint with JSHint.
closes #2277
- Added ES6 linting to core/client/
- Fix typeof array comparison
2014-03-04 15:47:39 +00:00
Hannah Wolfe
bee58922b2 Rename client -> clientold
issue #2271

- should allow development of new admin UI whilst still having access to the old ui
2014-02-27 00:52:04 +00:00
Michael Bradshaw
b410f5833b Respect subdirectory in authenticate middleware 2014-02-20 09:46:20 -07:00
Sebastian Gierlinger
ea6c601b01 Improvements for models
#closes #1655
- removed models as parameter for bookshelf-session
- changed to read permittedAttributes from schema.js
- changed updateTags to be executed at saved event
- added validate to execute after saving event
- added test for published_at = null (see #2015)
- fixed typo in general.hbs
2014-02-19 14:57:26 +01:00
Hannah Wolfe
e81924282c Merge pull request #2190 from sebgie/issue#2171
Make session expiry less arsey
2014-02-18 22:05:44 +00:00
Sebastian Gierlinger
d3c641ea31 Make session expiry less arsey
closes #2171
- added authentication middleware
- removed authentication from routes
- moved authentication before CSRF validation
- moved caching rules before authentication
- changed/added test
2014-02-14 11:00:11 +01:00
Fabian Becker
691e9e773b Add logging config option
closes #2103
- Deactivate logging for testing environments
- Override logging with settings from config
2014-02-10 21:07:11 +00:00
Harry Wolff
f16dc290b7 Improve bootstrap flow of a Ghost application
addresses #1789, #1364

- Moves ./core/server/loader -> ./core/bootstrap.
The bootstrap file is only accessed once during startup,
and it’s sole job is to ensure a config.js file exists
(creating one if it doesn’t) and then validates
the contents of the config file.

Since this is directly related to the initializing 
the application is is appropriate to have 
it in the ./core folder, named bootstrap as that
is what it does.

This also improves the dependency graph, as now
the bootstrap file require’s the ./core/server/config
module and is responsible for passing in the validated
config file.

Whereas before we had ./core/server/config
require’ing ./core/server/loader and running its
init code and then passing that value back to itself,
the flow is now more straight forward of
./core/bootstrap handling initialization and then
instatiation of config module

- Merges ./core/server/config/paths into 
./core/server/config
This flow was always confusing me to that some config
options were on the config object, and some were on
the paths object.

This change now incorporates all of the variables
previously defined in config/paths directly
into the config module, and in extension,
the config.js file.

This means that you now have the option of deciding
at startup where the content directory for ghost
should reside.

- broke out loader tests in config_spec to bootstrap_spec

- updated all relevant files to now use config().paths

- moved urlFor and urlForPost function into 
 ./server/config/url.js
2014-02-07 17:34:21 -05:00
John-David Dalton
6eab7b3f92 Replace underscore with lodash. 2014-02-06 14:08:34 +00:00
Hannah Wolfe
be9afc439c Merge branch '0.4-maintenance' 2014-01-28 09:25:38 +00:00
Lev Gimelfarb
6cf586aae6 Fix error page resources loading when forceAdminSSL is true
closes #1837
- moved admin theme static resource service above 'checkSSL', otherwise
  when forceAdminSSL is true it will try to redirect them to HTTPS, and
  error pages will be unstyled
2014-01-27 21:57:58 +00:00