Commit Graph

70 Commits

Author SHA1 Message Date
Sebastian Gierlinger
fa054a8eba Fix incorrect error
closes #3373
- added check if role is already assigned
- added check for unknown fields to fixDates/fixBools
- permissions are not implemented yet, so everyone is able to edit
owner ;-)
2014-07-24 10:17:10 +02:00
Jason Williams
739b57e05b Update Users API to handle role objects or ids
Closes #3357
- API method User#edit now handles User objects that have either
  an array of Role ids or objects.
- Fixed error handler notification on upload modal controller.
2014-07-22 05:48:16 +00:00
Sebastian Gierlinger
28b03ec87e Add edit roles
refs #3087
- added ability to edit user/roles relation
- user is not allowed assign roles to himself
- only one role per user is supported atm
- added tests
2014-07-21 22:50:43 +02:00
Maurice Williams
a8ca517c54 Pagination for Users Management screen
closes #3222
- implementing server-side pagination for /users API
- passing /users?limit=none will return all users
- passing /users?status=invited will filter base on user status
- creating 3 mixins (route, controller and view) to keep pagination logic DRY
- updating route, controller and view for Posts to use new mixing
- implementing infinite scrolling for Users Management screen (using new mixins)
- Users Management screen displays all invited users, but paginates active users
2014-07-21 14:03:26 -04:00
John O'Nolan
d10771b711 Larger default gravatar images 2014-07-20 18:50:07 +02:00
Hannah Wolfe
6e48275160 Extending context concept to models
fixes #3275, fixes #3290, ref #3086, ref #3084

- Ensure that we use the current logged in user and not just user 1 when
- removing hard coded user: 1 except where absolutely necessary
- passing context, rather than user to models
- base model has a new function to determine what id to use for created_by etc
2014-07-18 15:32:56 +01:00
Sebastian Gierlinger
42f461cb6d Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-17 14:22:07 +02:00
Hannah Wolfe
5c1a7a7349 Revert "Restore spam prevention" 2014-07-17 12:11:23 +01:00
Sebastian Gierlinger
e4e027d17b Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-16 10:00:49 +02:00
Hannah Wolfe
b03ecd9ebc Use bookshelf's model registry plugin
Refs #2170

This removes the circular dependency problem from our models thanks to
https://github.com/tgriesser/bookshelf/issues/181
- add the registry plugin
- switch all models and collections to be registered
- switch relationships to be defined using a string, which calls from the registry
2014-07-13 18:18:25 +01:00
Sebastian Gierlinger
8c2258dc4c Move setup to API
closes #3136
- moved setup to authentication API
- added `POST /ghost/api/v0.1/authentication/setup` to execute the
setup process
- added `GET /ghost/api/v0.1/authentication/setup` to check if blog is
already set up (needed for #3145)
- removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
Sebastian Gierlinger
215badc663 Setup hijacks owner user
closes #3074
- user generated by fixture is hijacked
- user is updated with name, email, password, slug and status
- creates new user if db is migrated but no user exists
- previously removed tests are back
2014-07-10 19:29:51 +02:00
Sebastian Gierlinger
5e4fae6f11 Add owner fixture
closes #3073
- added fixture for owner role
- added fixture for initial user (new db)
- added conversion administrator -> owner (existing db)
- changed tests to take over owner user
- removed some functional tests until /setup works with owner user
2014-07-10 12:00:51 +02:00
Sebastian Gierlinger
035fb04d34 closes #3197
- added role to user obj (only returned from the user endpoint)
- added `/users/?include=roles` and
`/users/?include=roles,roles.permissions` query parameters
- added and updated tests
2014-07-08 18:00:59 +02:00
Sebastian Gierlinger
84cfd529ed Allow user to accept invitation
closes #3081
- added route `/ghost/api/v0.1/authentication/invitation`
- added accept invitation
- added signup with token
- removed check() from users api
- fixed promise in resetPassword()
2014-07-03 17:06:07 +02:00
Sebastian Gierlinger
79a80b67ac Invite user API
closes #3080
- added users.invite() to add user from email with random password
- added `GET /ghost/api/v0.1/users/` to invite users and resend
invitations
- removed one user limit
- added global utils for uid generation
- changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
Sebastian Gierlinger
c8e8da4780 oAuth
closes #2759
closes #3027

- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based

Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125

**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
2014-06-30 14:58:10 +02:00
Sebastian Gierlinger
1db0431e4d User API changes
closes #2822
- added destroy user method
- added remove user permission
- added API end point for get reset token
- added API end point for reset password
- added API end point for change password
2014-06-20 11:15:01 +02:00
Jason Williams
9a9593536d Update when.js dependency to version 3.2.3 2014-06-16 04:11:22 +00:00
Hannah Wolfe
c02ebb0dcf Refactor API arguments
closes #2610, refs #2697

- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
  everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
  to perform reads, updates and deletes where possible - settings / themes
  may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
2014-05-15 10:41:05 +01:00
Jacob Gable
0dc6dc29a7 Add apps permissable checks in posts and users
Closes #2738

- Re-introduce the TargetModel.permissable interface check in the
regular permission flow path
- Pass loadedPermissions, hasUserPermission and hasAppPermission to
permissable interface to reduce logic necessary
- Refactor recursive call to pass original arguments but with actual
model
- Refactor canThis(this.user) use in api/posts.js to just canThis(this)
2014-05-14 09:22:25 -05:00
Sebastian Gierlinger
fd0f5a5028 Add distinct error classes
closes #2690
- added new error classes
- moved errorhandling.js to /errors/index.js
- changed API errors to use new classes
- updated tests
2014-05-09 12:11:29 +02:00
David Arvelo
87cda81c84 Sanitize models' attributes/options before passing to bookshelf/knex
closes #2653
- enforce strict whitelists for model methods
- create a class method that reports a model method's valid options
- create a class method that filters a model's valid attributes from data
- create a class method that filters valid options from a model method's options hash
2014-05-06 23:02:49 -04:00
Sebastian Gierlinger
b98709b3ce Refactor omit of password
- remove password in toJSON() instead of filtering every occurrence of
user
- changed faulty error type ‚NotFound‘ to ‚NoPermission‘
2014-05-06 12:14:58 +02:00
Hannah Wolfe
31fc84cefb Consistency in model method naming
- The API has the BREAD naming for methods
- The model now has findAll, findOne, findPage (where needed), edit, add and destroy, meaning it is similar but with a bit more flexibility
- browse, read, update, create, and delete, which were effectively just aliases, have all been removed.
- added jsDoc for the model methods
2014-05-06 00:36:42 +01:00
Hannah Wolfe
f2071eedb2 Move user API to primary document format
closes #2593

- added new format to user API methods
- changed all places where the user api was used
- updated tests and added more coverage
- little bit of cleanup in utils/api
2014-05-02 20:50:44 +01:00
Hannah Wolfe
3eb284e4b5 Update & grunt-groc and fix docs errors
issue #2622

- Updated grunt-groc to 0.4.5
- Fixed the few places which made the docs fail to generate
- There is still a mix of styles
2014-04-21 19:04:20 +01:00
Sebastian Gierlinger
e47e9c62d0 Add permissions to API
closes #2264
- added permissions check to db, users and posts
- added register method to users
- added doesUserExist method to users
- added user from session to internal calls
- changed permissible to overwrite canThis
- removed action map and action type from permissable method
2014-04-16 18:22:22 +02:00
Sebastian Gierlinger
61e94a6e8b Use current user in models
closes #2058
- fixed apiContext as suggested in the issue
- added user to options object for models
- added api.users.register() for public registration
- changed models to use options.user for created_by, updated_by,
author_id and published_by
- added override to session model to avoid created_by and updated_by
values
- added user (id: 1) to tests
- added user (id: 1) for registration
- added user (id: 1) for import, fixtures and default settings
- added user (id: 1) for user update
- added user (id: 1) for settings update (dbHash, installedApps, update
check)
- updated bookshelf to version 0.6.8
2014-04-16 18:20:09 +02:00
Jacob Gable
9369dd3bf7 Add app permission checking to canThis
- Pass permissions loading to buildObjectTypeHandlers to eliminate
shared state
- Load both app and user permissions to check
- Check app permissions if present
- Create apps table and App model
- Move effectiveUserPermissions to permissions/effective
- Change permissable interface to take context; user and app.
- Add unit tests for app canThis checks and effective permissions
2014-04-16 18:06:39 +02:00
Matt Enlow
f8d90f1cc6 Added populate last login time
closes #2515
- sets last_login when user is saved if user status changed to active
- added integration test in user Basic Operations
2014-03-27 12:29:43 -06:00
Hannah Wolfe
438cbab68e Ensure generateSlug gets transaction for tags
fixes #2460

- add transacting to tag saving
- add same to users while we're here
2014-03-25 11:14:17 +00:00
Jonathan Johnson
e4bb6d08cc Update validator to 3.4.0
Closes #1379

- Convert to new api usage for both server-side and client-side
- Provide way require a negative response for boolean methods in
  default-settings.json
- Add field validation functional tests
  - Settings (General)
    - Title length validation
    - Description length validation
    - postsPerPage, numeric, min, max
  - Settings (User)
    - Bio Length validation
    - Location length validation
    - Url validation
  - Login
    - Email validation
  - Editor
    - Title required validation
2014-03-04 13:54:24 -07:00
Fabian Becker
1a9e91f120 Replace JSLint with JSHint.
closes #2277
- Added ES6 linting to core/client/
- Fix typeof array comparison
2014-03-04 15:47:39 +00:00
Sebastian Gierlinger
ac7f4f05c4 Add validation from schema.js
closes #1401
- added data/validation/index.js
- added generic validation for length
- added generic validation for nullable
- added validations object to schema.js for custom validation
- removed pyramid of doom from api/db.js
2014-02-19 18:32:23 +01:00
Sebastian Gierlinger
ea6c601b01 Improvements for models
#closes #1655
- removed models as parameter for bookshelf-session
- changed to read permittedAttributes from schema.js
- changed updateTags to be executed at saved event
- added validate to execute after saving event
- added test for published_at = null (see #2015)
- fixed typo in general.hbs
2014-02-19 14:57:26 +01:00
John-David Dalton
6eab7b3f92 Replace underscore with lodash. 2014-02-06 14:08:34 +00:00
Sebastian Gierlinger
d28bf3de4c Improve password reset token
no issue
- added check that a combination of email + expires is rejected after
10 attempts
- changed comparison to time independent method

Thanks to @chiiph for reporting this issue!
2014-01-30 13:00:30 +00:00
Hannah Wolfe
6098b83152 Adding case-insensitive User.getByEmail method
fixes #1498

- emails are no longer converted to lowercase, local mailbox can validly
  be mixed case
- getByEmail uses JS to compare emails to ensure we can support unicode
- tests that users can be retrieved by their email address with case
  insensitivity
2014-01-15 10:39:40 +00:00
Harry Wolff
a1f64d2f1f Extending halfdan’s work for UX settings improvements
#1351

- prevent a new post (not saved on server) from
updating its slug/date to the server

- fix jshint

- add back creation of a posts slug upon a post creation

- update for rebasing

- hide ability to ‘delete this post’ from post settings
menu when a post hasn’t yet been saved to the server
2014-01-06 21:33:24 -05:00
Hannah Wolfe
3f9b0fa618 Disable xss santization
issue #1378
fixes #1328

- xss santization does some odd things. This isn't needed until we have multi-user support, and we are investigating better solutions.
2014-01-06 20:17:20 +00:00
Hannah Wolfe
4bac1e3672 Fix gravatar retrieval
fixes #1778

- use http for initial request, store url with no schema
2014-01-01 18:10:55 +00:00
Sebastian Gierlinger
05ca5edeeb Remove fixed scheme from gravatar url
no issue
- removed scheme from gravatar url

Reason:
Gravatar supports ssl and the fixed scheme will cause ‚insecure
content‘ warnings.
2013-12-17 17:21:00 +01:00
Gabor Javorszky
c515e20ea3 Adds login limiter
Closes #499
* On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked`
* On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords.
* login attempts tell user how many attempts she has remaining in notification box
* successful login will reset status to `active`
* resetting password with forgotten password emailed token resets status to `active`
* complete with a test suite
2013-11-29 01:24:25 +00:00
Jacob Gable
34e453039b Improved Password Reset Tool
Closes #1471

- add api and User model methods for generating and validating tokens
- add routes and handlers for reset password pages
- add client styles and views for reset password form
- some basic integration tests for User model methods
2013-11-22 10:46:19 -06:00
Fabian Becker
89201a5c84 Lowercase email address.
fixes #1498
2013-11-18 00:34:51 +00:00
Declan cook
cbe8c15dc8 Add users Gravatar on signup
When a user registers try to find their gravatar.
2013-11-11 23:45:47 +00:00
Sebastian Gierlinger
bb17e1c0e9 Add API tests
closes #1189
- added tests
- added request module
- added status codes to API calls
- fixed return values of API calls
- fixed that drafts caused an error when being deleted
- fixed X-Invalidate-Cache headers
- moved testUtils.js to utils/index.js
2013-11-03 18:13:19 +01:00
Ben Gladwell
69d3a1460d Remove unparam:true from jslint config in Gruntfile.js
issue #1365
- added /*jslint unparam:true*/ to functions where absolutely necessary
- added /*jslint unparam:true*/ to functions in which keeping parameter
  list added clarity to the underlying api, even when those parameters
  are not currently used
- removed unused parameters in a few places
2013-10-31 14:02:34 -04:00
Fabian Becker
1af17725fc Replace nodejs-bcrypt with bcryptjs
* https://github.com/shaneGirish/bcrypt-nodejs
* https://github.com/dcodeIO/bcrypt.js
2013-10-23 15:43:45 +00:00