closes#3136
- moved setup to authentication API
- added `POST /ghost/api/v0.1/authentication/setup` to execute the
setup process
- added `GET /ghost/api/v0.1/authentication/setup` to check if blog is
already set up (needed for #3145)
- removed unused methods from api/users.js
closes#3074
- user generated by fixture is hijacked
- user is updated with name, email, password, slug and status
- creates new user if db is migrated but no user exists
- previously removed tests are back
This frees us up to enforce one single point of access, thus paving
the way towards allowing us to initialize the models at are request,
and not when it's require().
addresses #2170
closes#3073
- added fixture for owner role
- added fixture for initial user (new db)
- added conversion administrator -> owner (existing db)
- changed tests to take over owner user
- removed some functional tests until /setup works with owner user
Closes#3226
- Remove dependent property from the computed content property
that is used to build the active theme selector.
- Add validation to the Settings model so that it rejects
attempts to set an activeTheme that is not installed.
- added role to user obj (only returned from the user endpoint)
- added `/users/?include=roles` and
`/users/?include=roles,roles.permissions` query parameters
- added and updated tests
Closes#3199
-If datatype is dateTime convert to javascript Date object when
retrieved from the database.
-Add tests to make sure models and internal API are using Date
objects for dateTime fields.
-Add tests to make sure the HTTP API is returning ISO 8601
date strings for dateTime fields.
Closes#3122
-Fix validation so that all values are validated instead
of just values that evaluate to true.
-Ensure validation methods consistently return promises
and switch error handling from try/catch to promise.catch
to get rid of unhandled rejection warnings.
-Add 0 and 1 to list of acceptable values in boolean validation.
closes#3080
- added users.invite() to add user from email with random password
- added `GET /ghost/api/v0.1/users/` to invite users and resend
invitations
- removed one user limit
- added global utils for uid generation
- changed some „“ to ‚‘
closes#2759closes#3027
- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based
Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125
**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
fixes#3072
- Change router to handle /ember/setup/
- Adjust doSignup to also handle setup
- Adjust tests and add new where necessary
- Add setup controller, setup validation, setup route
- Adjust casper emberSetup to handle new setup
closes#2822
- added destroy user method
- added remove user permission
- added API end point for get reset token
- added API end point for reset password
- added API end point for change password
Closes#2061
- Lazy load the defaultSettings value in Settings model
- Populate individual defaults before read/edit
- Populate all defaults before first browse call
- Remove populateDefaults calls from init code
Closes#2866
-update slug API to handle users and apps in addition to
posts and tags
-update existing tests
-add new functional tests for slug endpoint on http api
Closes#2798
-fetch full model for active post in Backbone content preview view
-remove unnecessary type check in Models.Post.saving
-add functional tests for all post settings menu actions in editor screen
-add functional tests for all post actions in content preview
screen for posts with and without tags
closes#2610, refs #2697
- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
to perform reads, updates and deletes where possible - settings / themes
may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
Closes#2738
- Re-introduce the TargetModel.permissable interface check in the
regular permission flow path
- Pass loadedPermissions, hasUserPermission and hasAppPermission to
permissable interface to reduce logic necessary
- Refactor recursive call to pass original arguments but with actual
model
- Refactor canThis(this.user) use in api/posts.js to just canThis(this)
closes#2653
- enforce strict whitelists for model methods
- create a class method that reports a model method's valid options
- create a class method that filters a model's valid attributes from data
- create a class method that filters valid options from a model method's options hash
- The API has the BREAD naming for methods
- The model now has findAll, findOne, findPage (where needed), edit, add and destroy, meaning it is similar but with a bit more flexibility
- browse, read, update, create, and delete, which were effectively just aliases, have all been removed.
- added jsDoc for the model methods
closes#2643
- added error type
- added error property for validations
- wrapped errors in an array
- returns multiple errors for validation
- updated tests and admin
closes#2593
- added new format to user API methods
- changed all places where the user api was used
- updated tests and added more coverage
- little bit of cleanup in utils/api
Closes#2606
- Refactor settings api responses to { settings: [ ] } format
- Update all code using api.settings to handle new response format
- Update test stubs to return new format
- Update client site settings model to parse new format into one object of key/value pairs
- Refactor to include all setting values
- Remove unused settingsCollection method
- Update settingsCache to store all attributes
- Update settingsResult to send all attributes
- Remove unnecessary when() wraps
- Reject if editing a setting that doesn't exist
- Reject earlier if setting key is empty
- Update tests with new error messages
- Use setting.add instead of edit that was incorrectly adding
- Update importer to properly import activePlugins and installedPlugins
- Update expected setting result fields
- Fix a weird situation where hasOwnProperty didn't exist 🤷
closes#2609
- added include parameter to api.posts.*
- changed toJSON to omit objects that are not included
- added include parameter to admin
- added include parameter to frontend.js
- updated tests
- removed duplicate code from posts model
**Known Issue:** It is not possible to attach a tag using an ID.
Closes#1563
- Add new updatedAttributes() functionality to base models
- Update Post.edit(...) to pass along _updatedAttributes values
- Update Post.delete to set statusChanged to true
- Add checking for statusChanged to cacheInvalidationHeader()
- Update route tests that check for cache invalidation header
Closes#2608
- added toJSON method override for post model
- in the event no expanded author relation is present the id will be used
- removed author_id from expected response JSON for posts.
- updated integration tests to check for existence or not of author and author_id
closes#2604
- moved ‚pagination‘ to ‚meta‘ property
- added response test for pagination property
- changed ‚next‘ and ‚prev‘ to be set to null and exist on every
response
- removed unnecessary call to API for RSS author
closes#2264
- added permissions check to db, users and posts
- added register method to users
- added doesUserExist method to users
- added user from session to internal calls
- changed permissible to overwrite canThis
- removed action map and action type from permissable method
closes#2058
- fixed apiContext as suggested in the issue
- added user to options object for models
- added api.users.register() for public registration
- changed models to use options.user for created_by, updated_by,
author_id and published_by
- added override to session model to avoid created_by and updated_by
values
- added user (id: 1) to tests
- added user (id: 1) for registration
- added user (id: 1) for import, fixtures and default settings
- added user (id: 1) for user update
- added user (id: 1) for settings update (dbHash, installedApps, update
check)
- updated bookshelf to version 0.6.8
closes#2138
- Adds new models for AppField and AppSetting
- Removed permitted attributes from App model (handled by base)
- Added reference from Post to AppFields
- Added fixture data to DataGenerator
- Added integration tests for Apps, AppSettings, AppFields
- Added import for Apps
- Added app_fields to default fixtures
- Pass permissions loading to buildObjectTypeHandlers to eliminate
shared state
- Load both app and user permissions to check
- Check app permissions if present
- Create apps table and App model
- Move effectiveUserPermissions to permissions/effective
- Change permissable interface to take context; user and app.
- Add unit tests for app canThis checks and effective permissions
closes#2580
- added new format to post API methods
- added post object parsing and wrapping to admin
- removed unused ‚user‘ object from API response
- updated tests
closes#2261
- reserved 'feed' in the list of reserved keywords for slugs
- added a 301 redirect from /feed/ to /rss/
- added a route test, and realised that standard express redirects don't get the right headers
- fixed the headers across all 301 redirects & added tests for the admin redirects
- removed the redirect from /ghost/login/ to /ghost/signin/ as this happens automatically if you're logged out, and isn't very useful if you're logged in as it just redirects again to /ghost/
fixes#2480
- when the santisation of a slug results in an empty string, we use a basename instead.
- this was 'post' and is now the table name for the model, minus the trailing 's'
- this isn't massively robust but works as a temporary fix
closes#2148
- Added core/server/xmlrpc.js
- Hook into post::saved to ping when a published post gets saved
- Added node package to hook into http requests
issue #2312
- The typography extension is still interfering in HTML blocks, reference style links and other bits and pieces it probably shouldn't be :(
- We'll add it back when it's ready.
fixes#2075
- Updates knex to latest version
- Fixes expected value in page test
- Change fixture insertion to be sequential
- Add orderBy to insertMorePostsTags fixture helper
hooking into when ghost has finished loading
addresses item 9 in #2078
and makes progress on #2182
- has files that startup ghost return a promise
that is resolved once ghost has finished loading
- moves getSocket into config file
- removes models.reset() as it's not used anywhere
- update functions in server startup
- remove unused version hash variable
Closes#1379
- Convert to new api usage for both server-side and client-side
- Provide way require a negative response for boolean methods in
default-settings.json
- Add field validation functional tests
- Settings (General)
- Title length validation
- Description length validation
- postsPerPage, numeric, min, max
- Settings (User)
- Bio Length validation
- Location length validation
- Url validation
- Login
- Email validation
- Editor
- Title required validation
fixes#2272
- Remove libraries from shared/vendor
- Remove libraries from client/assets/vendor
- Add bower to package.json and postinstall
- Add bower.json with dependencies
- Add scripts from bower_components to concat/uglify
- Fix tests
- Serve jquery from /ghost/built/theme/
#closes #1655
- removed models as parameter for bookshelf-session
- changed to read permittedAttributes from schema.js
- changed updateTags to be executed at saved event
- added validate to execute after saving event
- added test for published_at = null (see #2015)
- fixed typo in general.hbs
fixes#2111
- modified Post model to support a tag query
param that will filter the desired post collection
to only include posts that contain the requested tag
- in the updated Post model it includes the Tag model
under a nested object called 'aspects'
- added tests for updated Post model, updating
test utils to add more posts_tags relations
- adds two new routes to frontend,
one for initial tag page,
another to page that tag page
- for tag pages the array of posts
is exposed to the view similarly
to the homepeage
- on the tag view page the information
for the tag is also accessible
for further theme usage
- the tag view page supports a hierarchy of
views, it'll first attempt to use a tag.hbs
file if it exists, otherwise fall back
to the default index.hbs file
- modified pageUrl and pagination helper
to have it be compatible with tag paging
- added unit tests for frontend controller
- added unit tests for handlebar helper modifications
- add functional tests for new tag routes
no issue
- added check that a combination of email + expires is rejected after
10 attempts
- changed comparison to time independent method
Thanks to @chiiph for reporting this issue!
issue #2015
- this is another little workaround / improvement to try to reduce the number of people who end up with a published post with no published_at set
- I assume we need to complete #1655 to fix this properly
fixes#1498
- emails are no longer converted to lowercase, local mailbox can validly
be mixed case
- getByEmail uses JS to compare emails to ensure we can support unicode
- tests that users can be retrieved by their email address with case
insensitivity
Fixes#1907
Refactored `updateTags` to correct a loop issue where the `insert`
method was mistakingly being passed rather than `update`, triggering a
duplicate PK SQL error.
closes#1880
- added `rss` to core/server/models `generateSlug` reserved keywords
- added integration test for safe slug generation to core/test/integration/model/model_posts_spec.js
#1351
- prevent a new post (not saved on server) from
updating its slug/date to the server
- fix jshint
- add back creation of a posts slug upon a post creation
- update for rebasing
- hide ability to ‘delete this post’ from post settings
menu when a post hasn’t yet been saved to the server
issue #1378fixes#1328
- xss santization does some odd things. This isn't needed until we have multi-user support, and we are investigating better solutions.
fixes#1765fixes#1811
issue #1833
New UrlFor functions
- moved body of url helper to config.path.urlFor, which can generate a URL for various scenarios
- urlFor can take a string (name) or object (relativeUrl: '/') as the first
argument - this is the first step towards issue #1833
- also added config.path.urlForPost which is async and handles getting
permalink setting
- frontend controller, ghost_head helper, cache invalidation all now use
urlFor or urlForPost all urls should be correct and consistent
URL Consistency Improvements
- refactored invalidateCache into cacheInvalidationHeader which returns a
promise so that url can be generated properly by urlForPost
- moved isPost from models to schema, and refactored schema to have a tables object
- deleted posts now return the whole object, not just id and slug,
ensuring cache invalidation header can be set on delete
- frontend controller rss and archive page redirects work properly with subdirectory
- removes {{url}} helper from admin and client, and replaced with adminUrl
helper which also uses urlFor
- in res.locals ghostRoot becomes relativeUrl, and path is removed
closes#1801
- adding fixBools method to `server/models/base.js` to convert bools to 1/0 to be consistent with MySQL & sqlite3 data providers (based on @ErisDS recommendation)
- this in turn fixes the check in `server/controllers/frontend.js`, which does an explicit `post.page === 0` comparison (in pgsql this is a `boolean`, since the schema declares it as "bool" in `server/data/schema.js`, but MySQL/sqlite3 don't have concept of Boolean, only an integer or bit)
- any model retrieved from persistence will pass through this (possible future refactoring is to combine fixBools & fixDates into one "canonicalize()" to have a single loop pass)
fixes#1696
- this is a temp workaround until full fledged support
is added directly to bookshelfjs
- when importing we use the import json blob’s timestamps
as the value that’s set in the DB
- added tests for this change
closes#1303
- removed where and orderBy from being passed from the API through to bookshelf, and ultimately knex
- ordering is now consistent across both front and backend, which fixes#1303
- validated / cleaned up all the API parameters
- added API tests for the status and staticPages parameters
Closes#499
* On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked`
* On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords.
* login attempts tell user how many attempts she has remaining in notification box
* successful login will reset status to `active`
* resetting password with forgotten password emailed token resets status to `active`
* complete with a test suite
- changed cookieSession to session
- added session.regenerate for login and logout
- added bookshelf session store
- added session table to database
- added import for databaseVersion 001
- added grunt task test-api
- cleanup of gruntfile to start express when needed only
- moved api tests to functional tests
No longer need `|| 'development'`, since it is defaulted in the top index. If we did need `|| 'development'` here, we'd need it on the next line too, otherwise it breaks.
Closes#1471
- add api and User model methods for generating and validating tokens
- add routes and handlers for reset password pages
- add client styles and views for reset password form
- some basic integration tests for User model methods
closes#1189
- added tests
- added request module
- added status codes to API calls
- fixed return values of API calls
- fixed that drafts caused an error when being deleted
- fixed X-Invalidate-Cache headers
- moved testUtils.js to utils/index.js
issue #1365
- added /*jslint unparam:true*/ to functions where absolutely necessary
- added /*jslint unparam:true*/ to functions in which keeping parameter
list added clarity to the underlying api, even when those parameters
are not currently used
- removed unused parameters in a few places
- Increased post-settings width to properly display "Static Page"
- Changed templates to display "Static Page" if set
- Added unit test for body_class helper
fixes#969
issue #938
- rather than using escape, use node-validatiors santize function which is designed for preventing xss vectors
- added listener for changes to both editor and settings page
- added more sanitization to the user model
- consistently use triple-braces when outputting blog post titles
Fixes#258
- Modified post collection to have default values for paging.
- Added scroll handler to content view to check for more posts and load
as appropriate.
- Sanitized result from server-side post paging, ensure page # is
returned as an integer.
- Added a functional test stub.
closes#733
- Exporter will read meta data to determine the tables which are present and export all data from those tables
- Exporter figures out which version to export, rather than requiring that information
- deleted old exporters
closes#748
- Removed the alpha software warning
- Better error message output for the whole app - can now specify an error, a context, and a help message
- Improved invalid node version, start and stop messaging
- Listens for Ctrl+C and exits nicely
- Minor improvements to handling and errors with old DBs (temporary)
issue #632
- removed old schemas
- updated base model to reflect all of the consistent behaviours and properties across the models
- updated all models to match the new schema
TODO
- no fixtures are currently loaded except settings
- need to rename properties across the codebase
closes#370
- Added new Backbone view for post settings menu
- Moved sass styles to global.scss for post settings menu items
- Added field to change post slug (permalink) using existing slug
validation
Closes#288
* I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`)
* Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
closes#367closes#368
- Adds Tag model with a many-to-many relationship with Post
- Adds Tag API to retrieve all previously used Tags (needed for suggestions)
- Allows setting and retrieval of Tags for a post through the Post's existing API endpoints.
- Hooks up the editor's tag suggestion box to the Ghost install's previously used tags
- Tidies the client code for adding tags, and encapsulates the functionality into a Backbone view
Fixes#469
- Added client-side trimming of title on blur if it is not already
trimmed.
- Added server-side trimming of title on 'saving' event of post model.
closes#422, issue #295
- Added GFM mode to codemirror
- Took the github.js extension for Showdown and added all useful behaviour
- Now supports strikethrough, line breaking and
multiple underscores, and auto linking urls & emails without breaking
definition urls
- Also added definition url handling in preparation for #295
- Added unit tests for the extentions individually and integrated with
showdown
closes#528
- adds method (isPost)to models index.js that returns true if content, content_raw, title and slug are valid properties
- adds url helper which checks context is post using isPost method
- adds unit test to check a url is prefixed with /
-adds unit test which checks for empty string if either of the 4 properties above are not present.
- fixes#517
- prevents this from occuring again in future with other relations
- validation function & stripping done for all models
- casper test for flow, plus validation & logged out tests
- introduced validation method in the post and user model
- moved signup validation onto model
- consistent use of validation & error messaging in the admin UI
- helper methods in base view moved to a utils object
Fixes#358
- Altered post model to enable eager loading of author and
user relationships
- Fixed broken base model toJSON method, which prevented
eager resolution of relationships (thanks @tgriesser)
- Passes author information to template.
- Added unit tests for author helper.
- Added unit tests for findOne and findAll additions to Post Model
which take into account the eager relationships
Usage:
`{{author}}` -- returns the full name of the post author
`{{author.attribute}}` -- returns property of the current post author
as described by the user model
Closes#374
* Included node-validator as a package
* Implemented server side validation (the client side js is a mess, need a LOT of work)
* Validates email address both on signup and login screens, gives error message on malformed email addresses
* Requires at least 8 chars of password
* Tells user if password is too short
* Tells user if no such user on login
* Tells user if wrong password on login
* Tells user if server responds with a 404 (goes away, dies, etc)
* Added middleware between req and login / signup for validation
Closes#364
- Confirmed integration with local mysql installation works.
- Updated fixtures and migration with appropriate schema-conforming
values.
- Updated schema with appropriate defaults and nullable columns.
- Updated fixDates function on model base to appropriately deserialize
values coming from SQLite now that dates are stored as actual DateTime
objects/ISO strings.
- Updated default language to be 'en_US'.
Closes#340. Closes#375
* Replaced session with id of current user
* Added method to ghostlocals to always send profile picture and full name to templates (template checks if falsy)
* Modified user saving (`forge().set(new).save()` died on me, `forge().save(new)` didn't)
* If user has profile picture, that will be used
* If user has name, that will be used
* Password changing doesn't care about your email. Uses cookies. Tasty!
* User pane uses current user id. Had to set path to me, otherwise goes to `browse` instead of `read`.
* Added logic to user api to check for `id === 'me'`, and then use the cookie value
* User data saves are now correct
* There is no logout error
Closes#282
* Added a new route
* Added new methods
* Triple security!
* Passwords are actually changed
* Also added a change password button, because 'save' has too much baggage.
On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords.
Caveats:
* didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh?
* Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
- added line to index.js to set node_env to development if it is not set
- fixed a small bug with the persistent notifications and used them on debug page from server side
- added 002 files to manage export and import for 002
- 002 import is somewhat smarter than 001, merging settings (except version), replacing user & clearing primary keys
- added reset to models and migration, which does the down operation the same way that init does the up operation
- import and reset clear session & redirect to login / signup
- additional unit tests
- This is a first pass at getting a more logical structure. The focus is on moving from admin/frontend to client/server.
- The location of the databases is highly important, this isn't expected to change again
In the future
- client/assets should probably become public/
- more stuff should be shared (helpers etc)
- cleanup some confusion around tpl and views
