Commit Graph

317 Commits

Author SHA1 Message Date
Hannah Wolfe
00656a729b Don't alter password from User.edit endpoint
- password changes should only be possible from the password change endpoint

Credits: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program
2015-09-23 23:07:49 +01:00
Hannah Wolfe
95623e60ae Add underscores to general validation
fixes #5816

- general slugs and other fields should permit underscores as well as dashes
2015-09-17 12:24:11 +01:00
Sebastian Gierlinger
f22796ff7d Add dynamic client_id/client_secret
no issue
- added ghost-admin client_id to admin
- added ghost-admin client_secret to admin
- added client.read() api endpoint
- added random generation of client_secret to migration
- removed addClientSecret method
- updated tests
2015-09-02 16:39:34 +01:00
Austin Burdine
6c5fea40ca Remove auto-inclusion of jQuery via ghost_foot
closes #5298
- remove all harcoded instances of jQuery throughout the front-end of the blog
- add migration function to add cdn link to ghost_foot code injection when migrating up from version 003
- migration version bump
2015-09-02 13:39:22 +01:00
Hannah Wolfe
e9a96816ac Adding 'fields' param for browse requests
refs #5601, #5463, #5343

- adds rudimentary support for a 'fields' parameter on browse requests
2015-08-28 19:08:22 +01:00
Hannah Wolfe
2c29ae1ad2 Don't return from sending welcome mail
closes #5675

- welcome mail is non-critical, invalid mail setups shouldn't interfere with setting up a blog
2015-08-25 09:08:11 +01:00
Sebastian Gierlinger
a82e9aa3c5 Mail consolidation
refs #5489
- move mail.js -> mail/index.js
- move email-templates -> mail/templates
2015-08-20 11:36:14 +02:00
Hannah Wolfe
16407b41ee Merge pull request #5655 from sebgie/extract-permissions
Refactor handlePermissions
2015-08-11 19:32:20 +01:00
Sebastian Gierlinger
44622d943d Refactor handlePermissions
no issue
- extract handlePermissions to utils
- added NoPermissionError when canThis() rejects
- omitted users.js because it uses special permission handling
2015-08-11 16:03:57 +02:00
Sebastian Gierlinger
9376bdf699 Merge pull request #5646 from ErisDS/issue-5150-nextprev
Next/Prev Post helpers include author & tags
2015-08-11 15:46:23 +02:00
Hannah Wolfe
a00eace849 Next/Prev Post helpers include author & tags
closes #5150

- Post API understands next.author, next.tags, previous.author and previous.tags
- Post Read request filters out those properties and does the right thing with them
- Prev/Next post helpers send extra include properties
- Tests updated
2015-08-10 08:58:25 +01:00
Austin Burdine
392cb0038c apply pipeline to notifications endpoint
refs #5508
- adds pipeline to the add and destroy methods of the notifications api
2015-08-09 22:42:10 -06:00
Hannah Wolfe
524b247c58 Add public API permission handling
refs #4004, #5614

- added new public permission handling functions to permissions
- added a new util to handle either public permissions or normal permissions
- updated posts, tags and users endpoints to use the new util
- added test coverage for the new code
2015-08-03 19:30:17 +01:00
Kevin Ansfield
7ac6ebb920 Refactor notifications service & components
issue #5409

- change persistent/passive notification status to alert/notification
- replace showSuccess/Info/Warn/Error with showNotification/showAlert
- fix and clean up notification/alert components
2015-07-28 12:26:11 +01:00
Hannah Wolfe
ab2049e35c Merge pull request #5580 from halfdan/update-deps
Update lodash and cheerio
2015-07-22 21:35:02 +01:00
Fabian Becker
2878b5ae00 Update lodash and cheerio
- update lodash to 3.1.0
- cheerio update uses new css-select, css-what packages (others were deprecated)

refs #5578
2015-07-21 19:59:49 +02:00
Jason Williams
c3951c4fd7 Merge pull request #5570 from ErisDS/issue-5564
Fix regressions with password reset
2015-07-21 10:14:56 -05:00
Hannah Wolfe
4ba77e0da4 Fix regressions with password reset
fixes #5564

- adds missing part of `/setup/` url in authentication middleware
- ensures data is passed through from API to model in correct (new) format for password reset
- re-adds missing/incorrectly commented out auth tests, and verifies that reset as far as token validation
2015-07-21 08:47:26 +01:00
Hannah Wolfe
e044136503 API Option Handling
refs #2758

- add a set of default options to utils
- update validation function to only pass through permitted options
- pass permitted options into validate where necessary
- setup basic validation for each known option, and generic validation for the remainder
- change slug to treat 'name' as data, rather than an option
2015-07-14 18:20:27 +01:00
Hannah Wolfe
843dd31b74 Merge pull request #5523 from Remchi/change-reset-password-refactor
Refactor changePassword and resetPassword
2015-07-11 11:31:50 +01:00
Austin Burdine
a16be11038 re-added revoke method to authentication api
closes #5530
- adds revoke api method back into code base
2015-07-07 17:39:43 -04:00
Rem Zolotykh
9323abbb44 Refactor changePassword and resetPassword
issue #5500
- make `changePassword` and `resetPassword` methods on `user` model
  consistent: use `object` and `options` arguments instead of multiple
  different arguments
- change User API `changePassword` method to use these new arguments
2015-07-07 22:03:17 +02:00
Fabian Becker
7f5250af0e Pipeline roles and slugs API
refs #5508
2015-07-02 16:38:31 +02:00
Hannah Wolfe
b8415e8b90 Merge pull request #5349 from acburdine/onboarding-api
Add PUT route to authentication setup
2015-06-30 12:03:21 +01:00
Austin Burdine
a2a0ba9023 adds put route to authentication setup
closes #5342
- adds put version of authentication/setup that allows for updating of owner/settings values
- doesn't send welcome email
- adds tests for new put route
2015-06-29 13:16:10 -04:00
Hannah Wolfe
51ac3f6532 Refactor to using pipeline for the API
refs #2758

- Post, Tag & User API methods are refactored to use pipeline
- Each functional code block is a named task function
- Each function takes options, manipulates it, and returns options back
- Tasks like permissions can reject if they don't pass, causing the pipeline to fail
- Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint
- Tasks like the data call can be extremely complex if needs be (like for some user endpoints)
- Option validation is mostly factored out to utils
- Option conversion is factored out to utils
- API utils have 100% test coverage
- Minor updates to inline docs, more to do here
2015-06-28 22:52:31 +01:00
Hannah Wolfe
f6322da4c9 Use extends correctly & consistently
- extends clobbers the first argument you pass to it, so that should not be a variable that is used elsewhere, if you're also assigning the value, as it will have unintended side effects.
2015-06-25 19:56:27 +01:00
Hannah Wolfe
7705e30995 Use 'author' for relation instead of 'author_id'
- this clears a todo in the codebase & gets rid of a few lines of unnecessary code
2015-06-24 10:00:24 +01:00
Hannah Wolfe
254e0f0597 Improve API error handling
close #2757, refs #5286

- moves error formatting from api/index into errors lib
- moves error handling from api/index into its own middleware
- adds extra middleware for method not allowed which captures all unsupported routes
2015-06-15 10:08:30 +01:00
Joe Wegner
75faf0109d invite users after signing up during setup
closes #5338
- moves skip link to below the submit button
- makes the submit button better represent form status
- posts notifications based on success/failure of notifications
- goes to the invite page after user creation
- actually sends invites!

functional tests passing for onboarding invitations

cleanup for linitng

remove unreachable return

access the notifications service better

use link-to instead of an anchor with an action

failed user creations get caught, and bubble as errors

a slew of other cleanup stuff via jason
2015-06-09 11:50:24 -07:00
Hannah Wolfe
7eacd2876d Ensure middleware functions are named
refs #5091

- adds names to all middleware functions, for debugging purposes
2015-06-02 14:49:18 +01:00
Austin Burdine
e69c8c89ac remove settings email
closes #5299
- removes settings/general email field from both client and server side
- fixes tests to reflect removal of email
2015-05-22 15:23:31 -06:00
Tushar Bhushan
3fca65a3c5 Fixed the invite user email to include the email address of the user who invited you
closes #5283
- due to the changes with the api call in pr #5159 the email address wasn't showing up
- modified the api call to fetch user data to pass the context object to the toJSON object
2015-05-20 15:49:35 -07:00
Hannah Wolfe
023755c566 Cache invalidate for previews
no issue

- draft updates now need to affect the preview route
2015-05-19 18:32:00 +01:00
Adrian Estrada
107c9602c1 API: Adding featured filter option to posts.browse
Closes #5152
- Adds `featured` filter option to posts.browse method modifying the model to take it too
2015-05-13 16:18:50 -05:00
Austin Burdine
bd2b206e4b finish up password protection
closes #5073
- takes password protection out of labs and moves it to general settings
- adds random-words generator to randomly generate passwords
2015-05-12 12:02:18 -06:00
Jason Williams
263bbd5092 Fix up filtering implementation 2015-05-10 20:48:32 -05:00
Austin Burdine
2865662ee5 added password protection
closes #4993
- brings password protection to the frontend of blogs
- adds testing for password protection
- upgrades bcrypt-js to 2.1.0
2015-04-30 23:44:43 -05:00
Matt Enlow
433956c102 Add post preview via uuid (/p/:uuid)
Refs #5097

- All drafts will show a preview link (this needs real css)
- Published posts will redirect
- prev/next post helpers only activate on published posts
- Powered by ~10 pints between the two of us (@ErisDS, @novaugust)
2015-04-30 11:57:37 +01:00
Sebastian Gierlinger
fdcb67d3cc Rename error.type to error.errorType
closes #5178
- renamed error.type to error.errorType
2015-04-22 22:29:45 +02:00
Hannah Wolfe
e26e83d40a Refactor to remove author.email from API
refs #2330

- Pass through `options` to all toJSON calls on posts, tags, and users
- Use options.context.user to determine whether it's OK to return user.email
- Remove author.email handling code from frontend.js
2015-04-17 22:27:04 +01:00
Hannah Wolfe
1b585f213c Cache invalidation can no longer be so clever
no issue

With the introduction of the prev/next helpers (and soon, get helper) we can no longer make any assumptions
about exactly which pages need to be cleared from the cache when a post is published/unpublished.
2015-04-14 16:34:34 +01:00
Hannah Wolfe
0b1497a75b No more feature flag for Code Injection
closes #1993

- remove the feature/config flag that means code injection has to be enabled
2015-04-09 17:52:41 +01:00
Katie Fenn
980b0a8610 Refactoring hard-coded frontend route keywords
closes #4519

- Added configurable route keywords
- Replaced instances of hard-coded keywords with config
- Added keywords to frontend tests stub config
2015-03-23 15:00:02 +00:00
Hannah Wolfe
cde1842750 Check ids match on edit
no issue

- It should not be possible to provide a different ID in the object being edited to that provided in the URL
- We now send the id to check object to ensure there is a match

Credits: Matteo Beccaro
2015-02-28 16:25:37 +00:00
Hannah Wolfe
2450f18170 Make the {{navigation}} helper global
refs #4535

- Rather than storing navigation data as a top level key, store it as @blog.navigation
- Reference the global data from the helper
2015-02-28 12:53:00 +00:00
Hannah Wolfe
70a200d53f Remove navigation config flag
ref #4535

- don't need this any more :)
2015-02-25 15:15:55 +00:00
Hannah Wolfe
4eee52d142 Add cache invalidation header when updating tags
no issue
2015-01-27 23:44:31 +00:00
Jason Williams
0fc152b2ad Fix up users API so admin role can edit owner
No Issue.
- Make sure that a user with the Admin role can edit the Owner.
- Add test for behavior.
2015-01-20 21:34:24 +00:00
Jason Williams
1c07273f5a Update grunt-jscs dependency
No Issue
- grunt-jscs@1.2.0
- Clean up some instances of multiple spaces.
- Remove jscs:disable for regexes now that jscs better supports them.
2015-01-16 18:06:20 +00:00
Sebastian Gierlinger
023a37b074 Merge pull request #4772 from ekulabuhov/4262_NextPrevPostWIP
[API] Retrieve next and previous post
2015-01-14 10:32:07 +01:00
Eugene Kulabuhov
0e2709c42f [API] Retrieve next and previous post
closes #4262
- implementation based on #1545
- added integration test. Modified mocked posts because code requires published_at timestamps to be different.
- fixed 2 broken tests that depended on mocked posts to have "new Date()" as their timestamps
- added checks to only query db if next/previous post requested
2015-01-13 12:49:16 +00:00
Paul Adam Davis
6cc5a58b68 Navigation UI Ember Integration
Closes #4537

- Adds Navigation to the Settings menu
- Adds a `navigationUI` config flag (redirects if not an editor or author)
2015-01-11 20:04:01 +00:00
Hannah Wolfe
1f22d8c28c Move tag management from behind config/labs flags
issue #4248

- tag management is ready for release, this takes the training wheels off :)
- remove config flag
- remove labs checkbox and related code
2015-01-06 18:56:42 +00:00
Jason Williams
f6736049c3 Fix up HTTP API handler
No Issue
- Add Location header for tags.
- Ensure Location header has trailing slash.
- Remove unnecessary promises/async.
2014-12-28 05:27:29 +00:00
Jason Williams
591fa349aa Finish up post count support in tags API
Refs #4521
- Handle 'include' query param in tags API.
- Add post_count support when fetching a tag with findOne.
- Remove post_count from options.include after processing.
- Extra database query no longer used to fetch post_count.
2014-12-19 21:46:34 +00:00
Hannah Wolfe
20710b9eba Refactor importer with tests
refs #4605

- Move as much code as possible out of the DB API
- Split the importer into 2 concepts, code which handles different
  filetypes and code which takes the content of files and imports it into
  Ghost in some way
- Split the import process into 4 steps, load the file into a useful
  format, preprocess the data, do the import, generate a report
- Reporting is currently a no-op
- Adds a basic level of testing
2014-12-17 18:22:39 +00:00
Hannah Wolfe
a0db21d3ec Merge pull request #4629 from cobbspur/postpreview
Add view post link on published and updated posts
2014-12-15 13:28:47 +00:00
cobbspur
53d12a9659 Add view post link on published and updated posts
closes #1756

- adds a post url link to 'post updated' and 'post published' in editor
- adds join function in ghost paths
- adds a '/' detection to makeRoute method
- adds test for join function
2014-12-15 12:18:47 +00:00
Hannah Wolfe
35ee121761 Merge pull request #4628 from sebgie/issue#4624
Password change MU
2014-12-12 10:07:34 +00:00
Sebastian Gierlinger
40c78493a3 Password change MU
closes #4624
- added user_id to password reset request
- hide old password field
- updated changePassword method to check permissions
- updated changePassword method to work without oldPassword
- fixed bug for errors shown as [Object object]
2014-12-11 21:23:07 +01:00
Sebastian Gierlinger
f531ef19f8 Merge pull request #4626 from ErisDS/issue-4607
Add support for zip import
2014-12-11 20:52:04 +01:00
Hannah Wolfe
6ff51ad44e Add support for zip import
fixes #4607

- moves file checks from db and upload API endpoints to api utils
- adds code to accept and then extract a zip and pull out a JSON file
- zip handling requires a lot of dependencies - this needs a good refactor
2014-12-10 20:21:06 +00:00
cobbspur
cd5d87ddf2 Return computed url with post object
closes #4445

- post model gets permalink format
- post model queries urlPathForPost to return computed url
- url helper modified to use post url
- urlForPost method abolished and replaced where necessary
- updated tests
2014-12-10 17:23:02 +00:00
Sebastian Gierlinger
32959b2269 Merge pull request #4578 from ErisDS/pr-3489
Code Injection PR 3489 rebased and updated
2014-12-04 15:16:37 +01:00
Hannah Wolfe
904918d5cc Code Injection - adds perms, shortcuts, icon, flag
refs #1993

- adds ctrl/cmd+s for save
- adds config flag
- adds icon on settings page, puts items in the right order
- sorts out permissions for all settings pages with consistent configuration
2014-12-04 13:34:44 +00:00
Sebastian Gierlinger
319887c77b Merge pull request #4573 from ErisDS/limit-all-sitemaps
Add limit=all consistently to users, posts & tags
2014-12-04 09:45:33 +01:00
Hannah Wolfe
9b146e59bb Add limit=all consistently to users, posts & tags
refs #623, #4348

- this fixes sitemaps to list all posts, pages, tags and users
- makes the API behave consistently across all paginated resources
2014-12-03 18:46:26 +00:00
Sebastian Gierlinger
9b8141bb08 Merge pull request #4530 from ErisDS/issue-4498
API - no more m-2-m relation ids by default
2014-12-02 20:49:47 +01:00
Hannah Wolfe
4cb909542a API - no more m-2-m relation ids by default
closes #4498

- remove toJSON code which returns only IDs from objects
- don't auto-include tags & fields in post responses
- don't auto-include roles in user responses
- fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-12-02 19:24:44 +00:00
Hannah Wolfe
c06e649ab1 Merge pull request #4554 from sebgie/issue#3872
URL safe base64 encoding
2014-12-01 16:56:14 +00:00
Sebastian Gierlinger
9ddabffa10 URL safe base64 encoding
closes #3872
- updated base64 escaping to respect + and \
- updated base64 escaping to remove = during transport
- updated tests
2014-12-01 16:59:49 +01:00
Hannah Wolfe
aa44743c67 Merge pull request #4531 from Gargol/issue-4485
Cleans up HTML data attributes on body in default.hbs
2014-12-01 10:54:19 +00:00
Jacob Gable
2cfa18475a Generate sitemap files
Closes #623

- Add basic init and eventing scaffold
- Add sitemap-index.xml generation
- Broke out generators to individual files, added request handler
- Add page, author and tag xml files; add index mapping
- Add SiteMapManager unit tests
- Add Generators tests
- Cache invalidation headers for sitemap-*.xml
- Redirect sitemap.xml to index and rename to sitemap-index
- Handle page convert and publish/draft changes
- Add very basic functional test for route existence
- Add cache headers to sitemap routes
2014-11-30 10:49:45 -08:00
Nazar Gargol
df5a598718 Cleans up HTML data attributes on body in default.hbs
closes #4485

- removes data attributes used on body in default.hbs
- introduces new way to generate configuration through meta tags
- config initializer consumes configurations from the meta tags using parser
- moves blog_title helper/value to be a property in a configuration api
2014-11-29 17:09:43 +01:00
Jason Williams
1d562c8914 Add Ghost version to config object.
No Issue
- Use Ghost version value that is already loaded instead of
  reading package.json from the filesystem and parsing it on
  every call into the configuration API.
2014-11-28 18:08:50 +00:00
Hannah Wolfe
af7bbb83e4 Merge pull request #4091 from hswolff/remove-a-cd
Removes objectTypeModelMap to reduce circular dependency.
2014-11-24 11:59:07 +00:00
Jason Williams
b31fec6e2f Fix updateConfigTheme method.
No Issue
- Fix exception being thrown when updateConfigTheme called before
  settingsCache fully populated.
- Remove unnecessary check in a conditional in the migration command
  builder.
2014-11-20 14:54:37 +00:00
Sebastian Gierlinger
819a978192 Merge pull request #4406 from RaoHai/tag-endpoints
full BREAD Tag endpoints and Tag api tests
2014-11-13 19:25:36 +01:00
Jason Williams
a2e670cb0b Merge pull request #4320 from felixrieseberg/iss4235
Work with case-sensitive email addresses
2014-11-12 19:35:38 -06:00
Felix Rieseberg
af1d2201b0 Work with case-sensitive email addresses
Closes #4235
2014-11-12 17:18:53 -08:00
surgesoft
d9643ed2f4 full BREAD Tag endpoints and Tag api tests
close #4263
- implemented full BREAD Tag API
- deleting a tag will also detach its relations to posts
- tests of Tag API
2014-11-13 00:44:36 +08:00
cobbspur
69d4852a6d Create Tags Management Stubs for Ember
closes #4260

- Adds "tags" route inside of the settings routes.
- Adds this route to router.js
- Links the route from the settings.hbs template
- Adds demo tags html in tag.hbs template
- Adds flag for tagsUI
2014-11-04 15:50:41 +00:00
Harry Wolff
6cbcfac72b Removes objectTypeModelMap to reduce circular dependency.
refs #2455

- also note areas where we still have lazy loading of modules.
- moves one lazy loading to non-lazy require.
2014-10-27 20:48:22 -04:00
Felix Rieseberg
7bb38f8c7b Accept Invitation: Generate Slug from Name
No issue, but ref #4211
2014-10-13 08:35:08 -04:00
Hannah Wolfe
4e58198381 Merge pull request #4188 from halfdan/1891-move
Abstract the allowed file types out of API
2014-09-29 21:31:22 +01:00
Fabian Becker
72b0a48483 Fix DB API
no ref
- Use correct error type
2014-09-28 19:38:41 +00:00
Fabian Becker
55293d0d1e Abstract the allowed file types out of API
closes #1891
- Moves contentType and extension check to config
2014-09-26 13:31:23 +00:00
Jason Williams
63546be1eb Prevent transition to signup on invalid invitation
Refs #3876
- Prevent signup page from flashing when an invalid invitation
  token is used.
- Clear sensitive information from signup controller.
- Make isInvitation API behavior consistent with other auth
  related APIs.
2014-09-19 04:52:45 +00:00
Felix Rieseberg
b1c1b03015 Redirect user if signup invitation isn't valid
Closes #3565
- Added server API isInvitation (analog to isSetup), checking if an
invitation exists for a given email address.
- If the invitation is no longer valid (or didn’t exist in the first
place), the user is redirected and an error notification is shown.
2014-09-18 19:11:40 -06:00
Harry Wolff
469aaa398c Add jscs task to grunt file and clean up files to adhere to jscs rules.
resolves #1920

- updates all files to conform to style settings.
2014-09-17 21:44:29 -04:00
Hannah Wolfe
b7fdf7d872 Merge pull request #3947 from hswolff/goodbye-config-theme
Removes config.theme and restructures how theme variables are cached
2014-09-15 21:30:44 +01:00
Harry Wolff
66845def85 Moves storage module to use prototypes for inheritance and structure.
addresses #2852

- Moves storage modules to use prototypes and to create prototypes
that inherit from the base storage ctor.

- Makes storage/base conform to an all Promise interface.
2014-09-12 21:41:29 -04:00
Fabian Becker
c684ee5b38 Delete revoked tokens
closes #3758
- new API method to delete access and refresh token
- use new ember-simple-auth config to revoke tokens on logout
- new method to delete tokens by .. token
2014-09-10 20:19:52 +02:00
Hannah Wolfe
2aff9ed8eb Force apps flag to be boolean in config API
ref #3969

- it shouldn't be possible to set keys via this flag
2014-09-09 08:40:38 +01:00
Harry Wolff
2bb1b14ebd Removes config.theme and restructures how theme variables are cached
resolves #1789

- removes config/theme.js
- moves caching of theme variables to api/settings.js which is where the
rest of the settings cache occurs.  this removes the requirement of having
to push changes to cache, now it simply occurs alongside when settings
are changed.
- updates relevant tests.
2014-09-02 23:15:15 -04:00
Fabian Becker
c0adf5894f Remove permissions from configuration API
closes #3909
- Remove permissions from configuration API
- Remove permission setup from integration test
- Remove permissions from permissions.json
2014-09-02 15:48:32 +00:00
Fabian Becker
688b3914e4 Implements new Configuration API
closes #3619
- adds new permissions for configuration API
- adds integration tests
- adds configuration API for reading allowed values
2014-08-31 20:54:17 +00:00
Hannah Wolfe
74c6a341be Delete tokens before deleting a user
fixes #3750

- Updated tests to create tokens for one user. This caused the tests to
  fail for MySQL exposing the bug.
- Delete user's tokens along with posts
2014-08-23 20:13:17 +01:00
Jason Williams
07ad400ee0 Replace the when promise library with bluebird.
Closes #968
2014-08-23 17:15:40 +00:00