Commit Graph

174 Commits

Author SHA1 Message Date
Kevin Ansfield
ef143978e7
🎨 Reduced requests and 403 responses for comments auth check (#19840)
closes https://linear.app/tryghost/issue/ENG-721
ref https://linear.app/tryghost/issue/ENG-708

Comments-UI loads `/ghost/admin-frame/` in an iframe to check if a Staff User is authenticated in order to  show moderation options. That iframe request loads a HTML page which in turn contains a script that fires off an API request that attempts to fetch the logged-in user details, resulting in a 403 "error" showing up when not authenticated. In the vast majority of cases there will be no staff user authenticated so lots of extra requests and "errors" are seen unnecessarily.

- adjusted the `/ghost/auth-frame/` endpoint to check if the request contains an Admin session cookie
  - if it does, continue as before with rendering the HTML page so the script is loaded
  - if it doesn't, return an empty 204 response avoiding the script request and subsequent 403-generating API request
- eliminates the 403 error being generated for all typical visitor traffic, the error should only be seen when an Admin was previously logged in but their cookie is no longer valid (either from logging out, or going past the 6month validity period)
2024-03-12 12:27:18 +00:00
Kevin Ansfield
b704530d74
🐛 Fixed unexpected conversion of single-quoted attributes in HTML cards (#19727)
closes ENG-627

We were using `cheerio` to parse+modify+serialize our rendered HTML to modify links for member attribution. Cheerio's serializer has a [long-standing issue](https://github.com/cheeriojs/cheerio/issues/720) (that we've [had to deal with before](https://github.com/TryGhost/SDK/issues/124)) where it replaces single-quote attributes with double-quote attributes. That was resulting in broken rendering when content used single-quotes such as in HTML cards that have JSON data inside a `data-` attribute or otherwise used single-quotes to avoid escaping double-quotes in an attribute value.

- swapped the implementation that uses `cheerio` for one that uses `html5parser` to tokenize the html string, from there we can loop over the tokens and replace the href attribute values in the original string without touching any other part of the content. Avoids a full parse+serialize process which is both more costly and can result unexpected content changes due to serializer opinions.
  - fixes the quote change bug
  - uses tokenization directly to avoid cost of building a full AST
- updated Content API Posts snapshot
  - one of our fixtures has a missing closing tag which we're no longer "fixing" with a full parse+serialize step in the link replacer (keeps modified src closer to original and better matches behaviour elsewhere in the app / without member-attribution applied)
  - the link replacer no longer converts `attr=""` to `attr` (these are equivalent in the HTML spec so no change in behaviour other than preserving the original source html)
- added a benchmark test file comparing the two implementations because the link replacer runs on render so it's used in a hot path
  - new implementation has a 3x performance improvement
  - the separate files with the old/new implementations have been cleaned up but I've left the benchmark test file in place for future reference

Benchmark results comparing implementations:

```
❯ node test/benchmark.js

LinkReplacer
├─ cheerio: 5.03K /s ±2.20%
├─ html5parser: 16.5K /s ±0.43%

Completed benchmark in 0.9976526670455933s
┌─────────────┬─────────┬────────────┬─────────┬───────┐
│   (index)   │ percent │ iterations │ current │  max  │
├─────────────┼─────────┼────────────┼─────────┼───────┤
│   cheerio   │   ''    │ '5.03K/s'  │  5037   │ 5037  │
│ html5parser │   ''    │ '16.5K/s'  │  16534  │ 16534 │
└─────────────┴─────────┴────────────┴─────────┴───────┘
```
2024-03-06 09:11:49 +00:00
Chris Raible
c90e033fcf
Added an email rendering test for all Koenig cards (#19059)
refs TryGhost/Product#4125

This PR adds two new integration tests to ensure all our Koenig cards
are rendered properly after going through the EmailRenderer. Although we
have thorough tests for the cards themselves in the Koenig repo, the
EmailRenderer does post-processing on the rendered HTML, such as
inlining CSS, which can adversely impact the rendered output of our
cards in email clients (usually Outlook).

Since email newsletters are a core feature of Ghost, these bugs are
typically fairly urgent, and since it is email, they are also quite
difficult to troubleshoot and fix. These two tests are intended to
prevent bugs of this sort, which in the past have been created by
seemingly harmless changes like bumping dependencies that are used in
the EmailRenderer.

The idea is to create a 'Golden Post' which has at least 1 of every card
from Koenig, run that post through the EmailRenderer, and take a
snapshot of the rendered HTML. In the future, if we make any changes to
the EmailRenderer or the Koenig cards themselves, this will trigger us
to carefully consider the changes, and it provides an 'expected' output
to compare our changes against.

Additionally, the second test simply checks that all cards from
`kg-default-nodes` are included in the 'Golden Post'. This protects
against any new cards that we will add in the future — as soon as we add
them to Koenig and bump `kg-default-nodes` in Ghost, this test will
fail, prompting us to add the new card to the Golden Post and update the
snapshots.

We should also run the 'Golden Post' through a test in Litmus, which
allows us to visually inspect the rendered email across many different
email clients. Ideally we would create a process to review the output of
the 'Golden Post' in Litmus whenever we update the snapshot as well.
2023-12-12 16:05:04 -08:00
Simon Backx
3f6ea04c43
Added portal default plan setting (#19238)
fixes PROD-61

This adds a new default plan setting. It defaults to yearly, which is
the current default selected interval in Portal.

Behind the new portal improvements feature flag, the default plan can be
changed. It will also change automatically if the available intervals
are changed.

This PR also wires up passing the new setting to the Portal preview.
2023-12-06 11:39:58 +01:00
Simon Backx
17ec1e8937
Added email address alignment protections (#19094)
ref GRO-54
fixes GRO-63
fixes GRO-62
fixes GRO-69

When the config `hostSettings:managedEmail:enabled` is enabled, or the
new flag (`newEmailAddresses`) is enabled for self-hosters, we'll start
to check the from addresses of all outgoing emails more strictly.

- Current flow: nothing changes if the managedEmail config is not set or
the `newEmailAddresses` feature flag is not set
- When managedEmail is enabled: never allow to send an email from any
chosen email. We always use `mail.from` for all outgoing emails. Custom
addresses should be set as replyTo instead. Changing the newsletter
sender_email is not allowed anymore (and ignored if it is set).
- When managedEmail is enabled with a custom sending domain: if a from
address doesn't match the sending domain, we'll default to mail.from and
use the original as a replyTo if appropriate and only when no other
replyTo was set. A newsletter sender email addresss can only be set to
an email address on this domain.
- When `newEmailAddresses` is enabled: self hosters are free to set all
email addresses to whatever they want, without verification. In addition
to that, we stop making up our own email addresses and send from
`mail.from` by default instead of generating a `noreply`+ `@` +
`sitedomain.com` address

A more in depth example of all cases can be seen in
`ghost/core/test/integration/services/email-addresses.test.js`

Includes lots of new E2E tests for most new situations. Apart from that,
all email snapshots are changed because the from and replyTo addresses
are now included in snapshots (so we can see unexpected changes in the
future).

Dropped test coverage requirement, because tests were failing coverage
locally, but not in CI

Fixed settings test that set the site title to an array - bug tracked in
GRO-68
2023-11-23 10:25:30 +01:00
Simon Backx
d5492bd63c
Revert "Removed usage of unquoted ids in filter strings" (#19052)
Reverts TryGhost/Ghost#19031

Browser tests are failing with an unknown cause
2023-11-20 13:50:07 +00:00
Simon Backx
320eaac4c4
Removed usage of unquoted ids in filter strings (#19031)
fixes GRO-34
fixes GRO-33

This also adds a new way to run all tests with enforced numeric ObjectIDs.
These numeric ids cause issues if they are used withing NQL filters. So they
surface tiny bugs in our codebase.

You can run tests using this option via:
NUMERIC_IDS=1 yarn test:e2e

Also removed some defensive logic that could be explained by unquoted ids.
2023-11-20 14:00:31 +01:00
Sag
6db7cc8156
Removed email from Mailgun's suppression list on unsubscribe (#18922)
closes https://github.com/TryGhost/Product/issues/4075

- when a member clicks on "Unsubscribe from that list" from Apple Mail,
the member's email is put into Mailgun's Unsubscribe suppression list.
Ghost listens for "Unsubscribe" events from Mailgun, and unsubscribes
the member from all the newsletters
- now, the member is only unsubscribed from the newsletter they
unsubscribe to (not all of them)
- now, the email is also deleted from Mailgun's suppression list, so
that it doesn't affect any other membership
2023-11-13 16:56:37 -03:00
Kevin Ansfield
9b1f79f601
Cleaned up lexicalEditor labs flag, switched Post model to lexical-by-default (#18607)
no issue

- flag is no longer used in Admin so we can clean it up in Core too
- updated Post model to set blank document to `lexical` field rather than `mobiledoc` as a default value
- switched over to returning `mobiledoc,lexical` as default formats in Admin API
2023-10-23 17:51:34 +01:00
Chris Raible
5a5a756415
Updated theme fixtures for casper and source (#18677)
no issue

- Casper and Source theme files were out of date — this commit updates the theme fixtures, and fixes up a few tests to pass with the updated themes
2023-10-18 14:51:35 -07:00
Chris Raible
80a6fe17d0 Added Source as the new default theme
refs TryGhost/Product#3510

- Added `TryGhost/Source` as a submodule in `ghost/core/content/themes` so `Source` will ship with Ghost (along with Casper)
- With this change, new installs will use `Source` as the default theme. Existing sites will have `Source` installed, but not activated, as this is a large change and we don't want to drastically change existing sites without warning. Users can upgrade to use `Source` simply by clicking 'Activate' in design settings.
- Updated protections to prevent users from uploading their own conflicting version of `Source`
2023-10-03 14:02:08 +02:00
Simon Backx
b82a93beac
Added recommendation_notifications column to users table (#18304)
fixes https://github.com/TryGhost/Product/issues/3939
2023-09-22 15:35:55 +00:00
Kevin Ansfield
f98467611c
Added page html reset and re-render to handle dynamic collection card content (#18265)
no issue

Collection cards contain dynamic data that can change when there's any change to a published post but in Ghost all post/page content is rendered once on save and stored as a static string meaning we need a new approach for triggering a re-render of pages that plays well with caching.

- fixed typo in the relations/authors code that meant we weren't correctly calling the prototype method on the Post model inside the `onFetchedCollection` event handler
- updated Post model to clear the `html` field of all pages when saving or deleting a published post
- updated Post model to re-render `html` fields when fetching individual posts or a collection of posts
- modified `insertExtraPostsTags` fixture util to wrap it's concurrent post edits in a transaction otherwise MySQL errors because it hits a deadlock
2023-09-21 14:51:08 +00:00
Simon Backx
098f4353a7
Disabled network retries for webmentions in tests (#18269)
refs https://ghost.slack.com/archives/C02G9E68C/p1695296293667689

- We block all outgoing networking by default in tests. When editing a
post/page, Ghost tries to send a webmention. Because of my earlier
changes
(1e3232cf82)
it tries 3 times - all network requests fail instantly when networking
is disabled - but it adds a delay in between those retries. So my change
disables retries during tests.
- Adds a warning when afterEach hook tooks longer than 2s due to
awaiting jobs/events
- We reduce the amount of webmentions that are send, by only sending
webmentions for added or removed urls, no longer when a post html is
changed (unless post is published/removed).
2023-09-21 16:17:05 +02:00
Kevin Ansfield
ff3eb63fd8
Revert "Added page html reset and re-render to handle dynamic collection card content (#18146)" (#18229)
This reverts commit 3e9da6df0c.

- changes introduced an error fetching `/admin/pages/` when using MySQL
- "The values in where clause must not be object or array"
2023-09-19 16:59:56 +00:00
Kevin Ansfield
3e9da6df0c
Added page html reset and re-render to handle dynamic collection card content (#18146)
no issue

Collection cards contain dynamic data that can change when there's any change to a published post but in Ghost all post/page content is rendered once on save and stored as a static string meaning we need a new approach for triggering a re-render of pages that plays well with caching.

- fixed typo in the relations/authors code that meant we weren't correctly calling the prototype method on the Post model inside the `onFetchedCollection` event handler
- updated Post model to clear the `html` field of all pages when saving or deleting a published post
- updated Post model to re-render `html` fields when fetching individual posts or a collection of posts
- modified `insertExtraPostsTags` fixture util to wrap it's concurrent post edits in a transaction otherwise MySQL errors because it hits a deadlock
2023-09-19 16:46:38 +01:00
Sag
f1cd6432a8
Added new setting to enable Recommendations (#17856)
closes https://github.com/TryGhost/Product/issues/3772

- Recommendations are disabled by default and will get enabled when a
first recommendation is added. The "recommendations_enabled" setting
will be not shown explicitly in Admin, it will rather be set implicitly
based on whether there is at least one recommendation
- The "recommendations_enabled" setting belongs to a new setting group
called "recommendations"

Tech Spec: https://www.notion.so/ghost/Recommentions-Tech-Spec-598f09e4109f4eef8d9e32db7245a90c?pvs=4
2023-08-30 08:56:21 +00:00
Simon Backx
935ac43584
Added recommendations CRUD api (#17845)
fixes https://github.com/TryGhost/Product/issues/3784

- Includes migrations for new permissions needed for the new endpoints
2023-08-29 15:06:57 +00:00
Simon Backx
a011151e24
🐛 Fixed handling multiple Stripe subscriptions for same member (#17773)
fixes https://github.com/TryGhost/Product/issues/3752

- Added some extra tests for edge cases
- Updated handling of multiple subscriptions so they are handled better
- Canceling a subscription when the member still has other subscriptions will now get handled correctly where the status and products of the member stay intact
2023-08-22 13:27:21 +02:00
Simon Backx
13b732f905
Added Playwright tests for donations (#17699)
fixes https://github.com/TryGhost/Product/issues/3723

This also fixes usage of localhost instead of 127.0.0.1 as a test URL
for playwright. This caused issues for cookies because the member
impersonation navigated to 127.0.0.1 instead of localhost, meaning that
the next page.goto call would go to localhost and lose the cookies.
2023-08-15 15:20:18 +02:00
Simon Backx
690fbf3f73
🔒 Fixed arbitrary file read via symlinks in content import
refs https://github.com/TryGhost/Product/issues/3726
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg

- credits to https://github.com/ixSly
2023-08-15 13:01:11 +02:00
Simon Backx
e14df6479b
Added E2E tests for donations API (#17694)
fixes https://github.com/TryGhost/Product/issues/3722
2023-08-11 14:25:53 +02:00
Simon Backx
4c8179312d
🎨 Added support for relative links in emails (#17630)
fixes https://github.com/TryGhost/Product/issues/3687

After this change, relative URLs in emails will be replaced with
absolute URLs using the post URL. Making relative Portal URLs possible
etc.

Updates the test data generator to fix invalid URL encoding (somehow a
backslash + escaped double quote was added when it wasn't required).
2023-08-08 13:22:56 +02:00
Simon Backx
66675a1383
Added donation notifications column (#17607)
fixes https://github.com/TryGhost/Product/issues/3691

When a site receives a donation, we'll send an email to all
administrator. They can disable this in their profile settings. This
migration adds the required column to make this possible. It defaults to
true.

Link to tech spec:
https://www.notion.so/ghost/Tech-Spec-5cd6929f7960462ebcbf198176e0d899?pvs=4#156834b0231d4968a203d797c6817d21
2023-08-07 15:31:36 +02:00
Sag
19bdb0efef
Added migrations for Tips & Donations' settings (#17576)
closes https://github.com/TryGhost/Product/issues/3668

- Tips and Donations feature offers two settings: "donations_currency", and "donations_suggested_amount"
    - "donation_currency": the currency to be used for the donation. Defaults to "USD", not nullable.
    - "donation_suggested_amount": an anchor price for the donation. Defaults to 0, not nullable.
- Both settings belong to a new group "donations"

Tech Spec: https://www.notion.so/ghost/Tech-Spec-5cd6929f7960462ebcbf198176e0d899?pvs=4#6e8b34c45f0c4c78b48c9e7725a307c8
2023-08-03 22:13:47 +02:00
John O'Nolan
265e62229f
2023 2023-08-03 20:40:44 +01:00
Steve Larson
6936007052
🐛 Updated gscan error handling for page errors (#17575)
refs https://github.com/TryGhost/Product/issues/3676

- add filter for sidebar display of theme errors (angry red box)
- filter specific to each page feature, will need to add each one by this approach
2023-08-02 09:56:40 -05:00
Steve Larson
5fe72462bc
Enabled page features (#17544)
no refs
-moved hide page title and feature image to GA
-updated gscan
2023-07-31 14:22:19 -05:00
Steve Larson
e45b947d61
Updated gscan (#17521)
no refs
- add check for unknown global use in themes
- removed `@page` check until ready for release
2023-07-27 15:43:22 +00:00
Steve Larson
b77521ece9
Updated gscan (#17509)
no refs
2023-07-26 15:58:22 +00:00
Steve Larson
005e80b466
Updated gscan (#17507)
no refs
2023-07-26 13:06:23 +00:00
Michael Barrett
184c6ae951
Retain newsletter subscriptions on suppression (#17373)
refs https://github.com/TryGhost/Product/issues/2610
2023-07-24 10:47:57 +01:00
Steve Larson
22441fe730
Made lexical rendering async (#17438)
-moved lexical rendering to async
-includes rendering for front end and email
-necessary to pull dynamic data into render method, e.g. collections
2023-07-20 17:48:48 -05:00
Naz
ea2defb76c Updated collection descriptions
refs https://github.com/TryGhost/Arch/issues/25

- Updated collection descriptions to be less wordy and avoid a redundant "Collection" in them.
2023-07-17 18:43:21 +08:00
Naz
9bfb197a85 Added fixtures for collection posts
refs https://github.com/TryGhost/Arch/issues/25

- Adds collection_posts fixtures
2023-07-17 18:43:21 +08:00
Naz
acbe3a250e Added built in collection fixtures
refs https://github.com/TryGhost/Arch/issues/25

- The instance should have two built-in collections "latest" (prviously known as "index") and "featured". These have been filled through in-memory tricks before, now they should come pre-populated through fixtures mechanism.
2023-07-17 18:43:21 +08:00
Simon Backx
8b610d46b1
Cleaned up batch email utils (#17165)
no issue
2023-06-29 15:29:16 +02:00
Simon Backx
c41694f5e6
Added E2E Koenig Lexical card tests for paragraphs and signup card (#17159)
refs https://ghost.slack.com/archives/C04TMVA1D7A/p1687987311455289
2023-06-29 11:10:56 +02:00
Daniel Lockyer
08e2fbeacb Removed Bluebird from tests
refs https://github.com/TryGhost/Ghost/issues/14882

- we're moving away from using Bluebird in favor of native Promises, so
  this commit removes nearly all instances from tests
2023-06-23 10:03:03 +02:00
Princi Vershwal
2798d43663
Removed Bluebird Promise.each from db.utils (#17032)
refs https://github.com/TryGhost/Ghost/issues/14882

Co-authored-by: Princi Vershwal <princi.vershwal@Princis-MacBook-Pro.local>
Co-authored-by: Daniel Lockyer <hi@daniellockyer.com>
2023-06-23 09:46:41 +02:00
Hannah Wolfe
6161f94910
Updated to use assert/strict everywhere (#17047)
refs: https://github.com/TryGhost/Toolbox/issues/595

We're rolling out new rules around the node assert library, the first of which is enforcing the use of assert/strict. This means we don't need to use the strict version of methods, as the standard version will work that way by default.

This caught some gotchas in our existing usage of assert where the lack of strict mode had unexpected results:
- Url matching needs to be done on `url.href` see aa58b354a4
- Null and undefined are not the same thing,  there were a few cases of this being confused
- Particularly questionable changes in [PostExporter tests](c1a468744b) tracked [here](https://github.com/TryGhost/Team/issues/3505).
- A typo see eaac9c293a

Moving forward, using assert strict should help us to catch unexpected behaviour, particularly around nulls and undefineds during implementation.
2023-06-21 09:56:59 +01:00
Daniel Lockyer
99aeb73ecc Optimized DB reset during tests
refs https://github.com/TryGhost/Toolbox/issues/592

- it turns out that `TRUNCATE` in CI takes ~300ms for all tables, but
  `DELETE FROM` takes ~30ms
- whilst truncating is generally known to be faster, I believe it's only
  faster on large tables
- this saves 90% of the time it takes to reset the DB in MySQL
2023-06-16 13:15:17 +02:00
Daniel Lockyer
082ab6dc3e Refactored truncateAll util to async-await
refs https://github.com/TryGhost/Toolbox/issues/592

- async-await makes the code easier to read
- also performs a small optimization to only load the foreign_keys
  pragma once for SQLite
2023-06-13 14:46:57 +02:00
Daniel Lockyer
264773ccd1 Reset URL service between test boots
refs https://github.com/TryGhost/Toolbox/issues/592

- we should reset the URL service to avoid event listeners piling up and
  slowing down CI due to the number of events it has to process
2023-06-13 12:52:03 +02:00
Daniel Lockyer
4639396c3a
Collected Ghost boot timing in test framework
refs https://github.com/TryGhost/Toolbox/issues/592

- this should help us track and calculate how much time is being spent
  in the boot/DB reset process during tests
2023-06-12 12:07:04 +02:00
Naz
05bb82cf1a Added collections CRUD permissions
refs https://github.com/TryGhost/Team/issues/3220

- Added permissions for collection resources
2023-06-09 21:13:06 +07:00
Rishabh Garg
5c209abdc0
Updated default value for image editor integration setting (#16897)
refs https://github.com/TryGhost/Team/issues/3145

Updates pintura integration to be switched on by default for all sites by adding a migration to update the default value for the setting.
2023-06-06 18:15:01 +05:30
Daniel Lockyer
f908a03fff
Enabled and tracked retries in CI tests (#16909) 2023-06-02 09:36:28 +02:00
Fabien "egg" O'Carroll
82acf85b29 Tested filtering visibility in Tiers Content API
refs https://github.com/TryGhost/Team/issues/3248

The current test fixtures didn't include any hidden Tiers, so I've added
a new fixture to test the filtering of hidden Tiers. It's not enabled by
default to avoid breaking the existing tests.
2023-05-19 13:12:33 -04:00
Fabien "egg" O'Carroll
c0ca7b16f6 Added caching to TierRepository
refs https://github.com/TryGhost/Toolbox/issues/515

Tiers are very frequently queried and we want to reduce the number of DB calls
we're making. We can store the Tiers in-memory, using the existing in-memory
repository patterns, but still persisting writes the the database.

We also have to update our test helpers, because they were bypassing the
repository for writes, but using it for reads resulting in an invalid cache
2023-05-12 16:38:32 -04:00