Commit Graph

84 Commits

Author SHA1 Message Date
Naz
22738b1b50 🔒 Disabled editable relations by default
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6
refs https://github.com/TryGhost/Toolbox/issues/465

- Bookshelf relations allows us to edit relational records by default, which was used liberally in the codebase.
- Not having a clear track record of editable relations left the model layer prone to triggering unwanted nested saves and created a vulnerability where members were able to edit newsletter settings.
- With explicit editable relations it's easier to keep track of relations having editable access to related records. Makes the relational data modification pattern safer to use too.
- Anyone running 5.x should update to 5.24.1

Credits: Dave McDaniel and other members of [Cisco Talos](https://talosintelligence.com/vulnerability_reports)
2022-11-28 18:39:39 +07:00
Ronald Langeveld
08232bd538
Cleaned up GA Flags (#15762)
closes https://github.com/TryGhost/Team/issues/2126

- Cleaned up the following GA flags: `newsletterPaywall`, `freeTrial`, `compExpiring`, `searchHelper`, `emailAlerts`, `fixNewsletterLinks`.
2022-11-18 16:09:25 +07:00
Ronald Langeveld
e0787b4e83
Added specific newsletter support for bulk unsubscribes (#15742)
closes https://github.com/TryGhost/Team/issues/2013

Added support to bulk unsubscribe a selected (filtered) list on members from specific, selected newsletters.
2022-11-16 14:29:00 +07:00
Naz
6989d08b19
Fixed validation for Members API newsletters endpoint
refs https://github.com/TryGhost/Toolbox/issues/465
refs 31546a6fd3/packages/admin-api-schema/lib/schemas/members.json (L93-L103)

- Updated Members API newsletter validation to match the subset of Admin API's members validation schema.
2022-11-07 17:18:36 +07:00
Rishabh Garg
007637973e
🐛 Fixed comped member creation via Admin API (#15714)
closes https://github.com/TryGhost/Team/issues/2184

- when using the old legacy method of `comped:true` to add complimentary subs to a member along with a label, the API call failed with `Internal Server error` and the member was added as free on the site.
- patches the options sent for fetching default product to only pick the relevant keys, as it was picking up the `withRelated` for `labels` that caused the API failure
2022-10-28 01:59:05 +05:30
Simon Backx
076e3c02b2
Added linking between member and subscription created events (#15693)
fixes https://github.com/TryGhost/Team/issues/2160

- Adds a `batch_id` to both events that contain the same ID if they were created at the same time.
- Removes duplicate signup/conversion events using the batch_id
- Requires an update in mongo-knex to work (refs https://ghost.slack.com/archives/C02G9E68C/p1666773313272409?thread_ts=1666767872.375009&cid=C02G9E68C)
- Some dependencies needed an update to load the latest mongo-knex
- Added tiers to membersUtils, loaded on startup (we can start to use this instead of fetching it every time)
2022-10-27 11:44:19 +02:00
Naz
0e094b371b
Reused getDefaultProduct where possible
refs 82ed10473b
refs https://github.com/TryGhost/Team/issues/1869

- getDefaultProduct has unified logic across different places (see refed commit). It is recommended to use instead of writing custom queries prone to mistakes.
- Also added more readable name to the possible error message thrown by setComplimentarySubscription
2022-10-20 17:23:59 +08:00
Daniel Lockyer
e2ba19b0df
Fixed import of bson-objectid in accordance to the typings
- there's a few different ways we can import it but I've chosen to
  append `.default` as we have done in several other places in the code
2022-10-12 14:54:35 +07:00
Rishabh Garg
8a598fe721
🐛 Fixed member importer crash for failed imports (#15560)
refs/closes https://github.com/TryGhost/Team/issues/2004

- for imports, members are created inside a transaction, which causes the member created events to be dispatched.
- its possible that transactions for import can be rolled back if for some reason there is an error down the line while inserting other member properties. The rollback doesn't commit the member to DB, but the event dispatched earlier will still try to create the member created event which fails due to missing member id.
- knex transactions resolve the `executionPromise` both in case of explicit commit or rollback from the user, so just the transaction end check will not be good enough to make sure the member exists in DB
- adds explicit config to knex to reject transaction in case of rollback, which is then caught and event is not dispatched
2022-10-07 19:15:18 +05:30
Fabien 'egg' O'Carroll
35bc5fa08a
Fixed no-shadow lint warnings (#15520)
We're planning to change this from a warning to an error and need to
clean the codebase up before we do so.

In all of these cases the shadowing was known about and was not
causing unexpected behaviour, so the refactor consists entirely of
renaming, rather than refactoring/bug fixes.
2022-10-03 15:50:28 +01:00
Rishabh Garg
e3600d70ef
Added referrer attribution from request context (#15499)
closes TryGhost/Team#2007

- uses request context to add referrer source and medium for a new member
- uses integration name as referrer medium if exists
2022-09-29 22:31:48 +05:30
Rishabh
054833992e Wired events for triggering email alerts for subscription creation/cancellation
refs https://github.com/TryGhost/Team/issues/1865

- refactors subscription creation/cancellation to dispatch proper events which are used for email alerts
- cleanup
2022-09-10 11:06:34 +05:30
Rishabh
2fbaa7b9bc Moved member email alert trigger to member creation
closes https://github.com/TryGhost/Team/issues/1864
refs https://github.com/TryGhost/Team/issues/1881

- triggers free member email alert via event dispatch from member create method
- passes subscription/stripe data to member creation for paid members so free member alert can be ignored for them
- moves subscription created event being called from webhook controller to `linkSubscription`, allows creating subscription events for all new subscriptions instead of ones just via webhooks
2022-09-10 11:06:34 +05:30
Rishabh
4187f0da54 Updated staff service to trigger alerts via events
refs https://github.com/TryGhost/Team/issues/1865

- refactors staff service to listen to member and subscription events
- triggers email alerts based on events instead of directly calling the service
- removes staff service dependency for members api
2022-09-10 11:06:34 +05:30
Ronald Langeveld
eb6534bd7f
Replaced all 'bio' references with 'expertise' for member comments. (#15359)
closes https://github.com/TryGhost/Team/issues/1772

- The user facing side of comments recently replaced `bio` with `expertise`.
- To remain consistent we replaced all the references of `bio` with `expertise` throughout the codebase.
- This includes a database column name changing migration, within the `members` table.
- Bumped up the comments-ui version to a new minor (0.10.x) as its a breaking change.
2022-09-09 10:14:49 +02:00
Rishabh Garg
c4041e46c8
🐛 Fixed email alerts for paid members on import (#15347)
closes https://github.com/TryGhost/Team/issues/1868

- email alerts should not be sent out when paid subscriptions are created via our importer
2022-09-01 20:00:37 +05:30
Simon Backx
aec2badc6c
🐛 Fixed removing comped subscriptions for members with active subs (#15332)
fixes https://github.com/TryGhost/Team/issues/1859

**Problem:**
When for some reason a member has an active subscription (or legacy comped subscription) for product A, and a comped subscription for product B. You cannot remove comped subscription B.

**Fixed by:**
Updating the API to allow more flexible product changes on members.
- Allow the removal of (comped) products on a member, as long as that product doesn't have a related subscription
- (still) allow the addition of comped products to a member, as long as that member doesn't have other active subscriptions. This matches the existing behaviour, but now this is only checked for added products.
- Includes tests for these edge cases
2022-08-30 16:48:44 +01:00
Rishabh
4ac1a2c21e Added paid subscription cancel email alert
refs TryGhost/Team#1826

- triggers paid subscription cancellation alert for staff users
- passes tier and subscription information for the email - loads tier info from DB for the subscription tier
2022-08-25 19:53:02 +05:30
Rishabh
216eeb9d71 Added paid subscription start email alert
refs TryGhost/Team#1826

- triggers paid subscription start email via staff service
2022-08-25 19:53:02 +05:30
Naz
8892a60948 Renamed verification threshold parameter
refs https://github.com/TryGhost/Toolbox/issues/387

- There will three distinct verification limits soon. To keep the naming clear "configThreshold" would be too generic/confusing to use.
- Introduced jsdoc descriptions for the "source" parameter, which will be corelating with each new config parameter ("apiTriggerThreshold", "importTriggerThreshold", "adminTriggerThreshold", etc.). This should give a better visibility into parameters we are dealing in this area.
2022-08-25 14:26:44 +08:00
Naz
02a0fd5a32 Fixed source attribution for staff token API requests
closes https://github.com/TryGhost/Toolbox/issues/386

- When the API request was made using staff token the source attribution was "user" instead of "api". Misattribution caused ripple effects in  limit service.
- The fix also adds a new combination of data available on the  `req` object - both `user` and `api_key` can be present when the request is done using a staff (user) token. Having both pieces of data on the request object gives more context for business logic, did not find a good reason to keep it "pure" with either `api_key` or `user` property.
2022-08-23 14:38:46 +08:00
Naz
6121451b5d Reused _resolveContextSource method in member update
refs https://github.com/TryGhost/Toolbox/issues/386

- Reusing tontext mapping logic to improve maintainability. It seems like the `update` method was not updated properly or intentionally was left out from  'import' source as that should not ever happen theoretically. Probably the latter is most likely.
- My reasoning on reusing same context to source mapping is: it is better to attribute an appropriate "import" source here. Who knows, maybe we'll have logic in the future where the importer updates instead of skipping existing members. It would not make sense to attribute the source to 'member' in that case, amirite?
- This refactor also makes maintainability of this code way easier
2022-08-23 14:38:46 +08:00
Naz
32343a7adb Extracted context to source mapping logic
refs https://github.com/TryGhost/Toolbox/issues/386

- Before changing the mapping logic it needs to become testable!
2022-08-23 14:38:46 +08:00
Rishabh
c19d2d8712 Updated subscription flow to only attach single tier to member
refs https://github.com/TryGhost/Team/issues/1728

- previously, we allowed a member to be mapped to multiple tiers simultaneously as an edge case, in case they managed to signup via another subscription
- since this was always an edge case and not supported, to simplify the flows going forward now that complimentary members can also upgrade, in case of an active subscription we'll always just attach the associated tier to member and remove all other tiers mapped to it
2022-08-19 20:55:31 +05:30
Simon Backx
da24d13601
Added member attribution events and storage (#15243)
refs https://github.com/TryGhost/Team/issues/1808
refs https://github.com/TryGhost/Team/issues/1809
refs https://github.com/TryGhost/Team/issues/1820
refs https://github.com/TryGhost/Team/issues/1814

### Changes in `member-events` package

- Added MemberCreatedEvent (event, not model)
- Added SubscriptionCreatedEvent (event, not model) 

### Added `member-attribution` package (new)

- Added the AttributionBuilder class which is able to convert a url history to an attribution object (exposed as getAttribution on the service itself, which handles the dependencies)
```
[{
    "path": "/",
    "time": 123
}]
```
to
```
{
    "url": "/",
    "id": null,
    "type": "url"
}
```

- event handler listens for MemberCreatedEvent and SubscriptionCreatedEvent and creates the corresponding models in the database.

### Changes in `members-api` package

- Added urlHistory to `sendMagicLink` endpoint body + convert the urlHistory to an attribution object that is stored in the tokenData of the magic link (sent by Portal in this PR: https://github.com/TryGhost/Portal/pull/256).
- Added urlHistory to `createCheckoutSession` endpoint + convert the urlHistory to attribution keys that are saved in the Stripe Session metadata (sent by Portal in this PR: https://github.com/TryGhost/Portal/pull/256).

- Added attribution data property to member repository's create method (when a member is created)
- Dispatch MemberCreatedEvent with attribution

###  Changes in `members-stripe-service` package (`ghost/stripe`)

- Dispatch SubscriptionCreatedEvent in WebhookController on subscription checkout (with attribution from session metadata)
2022-08-18 17:38:42 +02:00
Rishabh
52e3ae2058 Handled mapping offer to subscription for free trials
refs https://github.com/TryGhost/Team/issues/1726

Free trial offers don't have a Stripe coupon created for them, as the trial is directly added to checkout session. So for mapping a subscription to offer, we pass the offer id directly from checkout metadata to link the subscription in backend with right offer data. This also handles the case where the offer id against a subscription can get overwritten for a subsequent subscription event, as the sub event from Stripe doesn't has the trial offer info.

- handles storing an offer id for a subscription
- updates member detail in Admin to show the offer info for a subscription
2022-08-11 12:03:38 +05:30
Simon Backx
eb4d882bb2 Fixed whitespace in bio not removed
fixes https://github.com/TryGhost/Team/issues/1755
2022-08-05 17:10:56 +02:00
Rishabh Garg
5704ac061e
Handled storing of trial start/end info for subscription (#15161)
refs https://github.com/TryGhost/Team/issues/1724

With free trials, members can start subscriptions with a trial period. This change stores the information about trial start and end date for every subscription so it can be shown on Admin/Portal for member.

- adds new `trial_start_at` column for storing trial start date on Stripe subscription. Will in most cases match the start of subscription date.
- adds new `trial_end_at` column for storing trial end date on Stripe subscription.
- wires storing trial start and end values on stripe subscription
2022-08-05 17:50:40 +05:30
Simon Backx
bac8f4b8db
Added bio to members api (#15168)
refs https://github.com/TryGhost/Team/issues/1716

- Adds the bio field to the API output
- Allow setting bio when updating the member
- Includes new E2E tests for the members API that were missing
2022-08-04 15:51:23 +02:00
Simon Backx
31a4135fec
Added members.last_commented_at and last_seen_at update when commenting (#15088)
refs https://github.com/TryGhost/Team/issues/1717

- Updates last_commented_at and last_seen_at (only once a day)
- Used the LastSeenAtUpdater, so we can combine updating last_commented_at and last_seen_at in one query + used same pattern
- Updated comments service to await emails in order to make E2E tests more stable (as we don't have any method to await emails and test emails otherwise). This removed the email sending logic from the `onCreated` hook of the model.
2022-07-25 17:35:46 +02:00
Naz
08b49a3475 Updated method signatures and added JSDocs
refs https://github.com/TryGhost/Team/issues/1674

- While preparing the changes had a look around and made small refactors to understand the codebase a little better. In general it's best to keep the method parameters as small and precise as possible instead of passing around a "bag-of-all-the-things" like "data" around
2022-07-15 03:12:35 +12:00
Naz
05105e1173 Updated method signatures and added JSDocs
refs https://github.com/TryGhost/Team/issues/1674

- While preparing the changes had a look around and made small refactors to understand the codebase a little better. In general it's best to keep the method parameters as small and precise as possible instead of passing around a "bag-of-all-the-things" like "data" around
2022-07-14 12:54:58 +01:00
Naz
2a7166ffc3 Fixed typo 2022-07-14 12:10:18 +01:00
Simon Backx
011c7cb0a2 Added support for updating member enable_comment_notifications
refs https://github.com/TryGhost/Team/issues/1664

This makes it possible for members to update their comment notification preferences
2022-07-07 14:14:02 +02:00
Simon Backx
9b0259dc6f Removed usage of dashboardV5 feature flag
refs https://github.com/TryGhost/Team/issues/1616
2022-05-25 10:29:55 +02:00
Simon Backx
62c992c8e3 Improved bulk unsubscribe operation to use member_id column (#400)
refs https://ghost.slack.com/archives/C02G9E68C/p1652980792270029

When bulk unsubscribing members, the number of deleted newsletter relations are returned instead of the number of members with newsletters that were cleared. This update deletes newsletter relations on member_id, so we can return the count of members instead of newsletter relations that were deleted.

Tests in https://github.com/TryGhost/Ghost/pull/14871
2022-05-20 12:25:58 +02:00
Matt Hanley
f0798578c4 Fixed issue with filter transform not applying to bulk operations 2022-05-12 09:44:30 +01:00
Aileen Nowak
376db4d085 Removed duplicate usage of importer source
no issue

- Setting a dedicated source for imported members was already done with 455778662c
- This unifies the same source but keeps the usage of context setting on init alive
2022-05-10 10:53:19 -04:00
Simon Backx
eb8cf49f40 Fixed updating non-existing member internal error (#395)
refs https://github.com/TryGhost/Team/issues/1580

- When you tried to update a member that doesn't exist, an internal error was thrown
- It should throw a 'not found' error instead
- Optimized when to fetch the initialMember

Tests for 4.x in https://github.com/TryGhost/Ghost/pull/14657
Tests for 5.x in https://github.com/TryGhost/Ghost/pull/14658
2022-05-03 16:38:55 +02:00
Simon Backx
8a40d8e76b Fixed member webhooks (#394)
refs https://github.com/TryGhost/Team/issues/1577

The call to `edit` was not loading the newsletter relations which is needed
by the serializer used by the webhooks service.

Co-authored-by: Fabien "egg" O'Carroll <fabien@allou.is>
2022-05-02 19:07:30 +01:00
Simon Backx
3cb138ea25 Fixed events not having same created_at as members
refs https://github.com/TryGhost/Ghost/pull/14621
refs https://ghost.slack.com/archives/C02G9E68C/p1651126990299689?thread_ts=1651072733.859939&cid=C02G9E68C

- Events didn't always have the same created_at as created members
- This caused a test to fail randomly in the main repo
2022-04-28 09:29:41 +02:00
Aileen Nowak
ea237ebcee Used designated source importer for members event table
no issue

Using a designated source for members being added within the `importer` context will better describe the source in our members event table. It's more consistent with the usage of the other possible sources.
2022-04-27 15:27:19 -04:00
Aileen Nowak
dd702f6ef8 Allow setting context for members importer and use correct source
no issue

When importing members, the members-importer isn't aware of the context and therefore falls back to use `member` as a source in members event table. This makes it impossible to determine imported members from others.
- Added an `context` property to the options in the members-importer constructor
- Checked for `importer` context when creating member events and assigned the source `admin` to it
2022-04-27 15:27:19 -04:00
Simon Backx
f051f9aeeb Fixed bulk unsubscribe
refs https://github.com/TryGhost/Team/issues/1567

- Deletes the newsletter relations instead of setting subscribed to false
- Depends on these changes: https://github.com/TryGhost/Ghost/pull/14610
2022-04-27 19:03:33 +02:00
Simon Backx
27f48e743b Fixed linting error 2022-04-26 19:33:12 +02:00
Simon Backx
a82d0f499d Added mapping from member subscribed to newsletters on edit/create
refs https://github.com/TryGhost/Team/issues/1545

- When editing or creating a member with the subscribed property, it is mapped to the corresponding newletters value
- Defaults to all active newsletters with visibility = members and subscribe_on_signup = true
- Tests in https://github.com/TryGhost/Ghost/pull/14583
2022-04-26 19:28:05 +02:00
Simon Backx
6a6cc28e3d Added newsletter information in member subscribe events
refs https://github.com/TryGhost/Team/issues/1478

- When creating or editing a member, we'll add the newsletter ids to the subscribe events
- When susbcribing to multiple newsletters, we'll create multiple subscribe events
- When removing newsletters from a member, we'll create one or more subscribe events
- Tests in https://github.com/TryGhost/Ghost/pull/14579
2022-04-26 08:59:59 +02:00
Simon Backx
41e0aa17ff Updated offer_id matching logic to use stripe_coupon_id instead of metadata (#390)
refs https://github.com/TryGhost/Team/issues/1519

- Removed offer metadata again from offer (added in one of the previous commits)
- Added `getByStripeCouponId` method in offer repository (required to find an offer based on the stripe_coupon_id)
- Match discounts from Stripe based on the stripe_coupon_id instead of metadata
2022-04-19 11:21:48 +02:00
Simon Backx
f74b00fea6 Stored offer_id in subscriptions (#389)
refs https://github.com/TryGhost/Team/issues/1519

- Added offer repository dependency to member repository (offerAPI didn't work because it creates a new transaction that resulted in a deadlock during tests)
- Store the offer id from the Stripe subscription metadata in the subscription (only if the discount is still active)
- Also added the offer id to the metadata for a Stripe coupon, this will make adding and removing coupons a bit more foolproof
- Prefer the usage of the offer metadata from a coupon if it is present
- When no discount is applied to a subscription, it always sets the offer id to null, even when the metadata still contains the offer
- The offer_id remains stored when a subscription is canceled/expired
2022-04-19 09:15:33 +02:00
Rishabh
f9ce2d9064 Updated default newsletter subscriptions for member
refs https://github.com/TryGhost/Team/issues/1469

Previously, members were subscribed to all available newsletters by default when added. This change updates the default newsletters subscription for member to take into account newsletter preferences for auto opt-in as well as visibility.
2022-04-14 21:10:58 +05:30