Commit Graph

940 Commits

Author SHA1 Message Date
Ronald Langeveld
abc7af8082 Added test email rate limiting (#17505)
refs https://github.com/TryGhost/Product/issues/3651

- This is a security fix that addresses an issue causing malicious users
to abuse the test / preview email API endpoint.
- We have multiple procedures in place now to limit such users.
- First, we now only allow one email address to be passed into the
`sendTestEmail` method. This method only has one purpose, which is to
complement the test email functionality within the Editor in Admin and
therefore has no reason to send to more than one email address at a
time.
- We then add an additional rate limiter to prevent a user from making
multiple requests, eg via a script.
- The new imposed limit is 10 test emails per hour.
2023-07-27 09:22:26 +02:00
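As an added illustration of the two controls this commit describes (a single recipient per call plus a per-user cap of 10 test emails per hour), the following JavaScript is example code and not Ghost's implementation. The class and function names, the sliding-window approach, the in-memory store and the transport stub are all assumptions made here for the example.

```javascript
// Added example, not Ghost's code: a per-user hourly limit on test emails
// combined with a single-recipient check on the test-email entry point.
// The 10-per-hour numbers come from the commit message; everything else
// (names, sliding window, in-memory store) is an assumption for illustration.

const LIMIT_PER_WINDOW = 10;
const WINDOW_MS = 60 * 60 * 1000; // one hour

class TestEmailLimiter {
    // `now` is injectable so the window can be tested without real time passing.
    constructor({limit = LIMIT_PER_WINDOW, windowMs = WINDOW_MS, now = () => Date.now()} = {}) {
        this.limit = limit;
        this.windowMs = windowMs;
        this.now = now;
        this.sends = new Map(); // userId -> array of send timestamps (ms)
    }

    // Sliding window: drop timestamps older than the window, then count what is left.
    consume(userId) {
        const t = this.now();
        const recent = (this.sends.get(userId) || []).filter(ts => t - ts < this.windowMs);
        if (recent.length >= this.limit) {
            this.sends.set(userId, recent);
            return {allowed: false, retryAfterMs: recent[0] + this.windowMs - t};
        }
        recent.push(t);
        this.sends.set(userId, recent);
        return {allowed: true, remaining: this.limit - recent.length};
    }
}

// Deliberately rejects separators, so "a@x.com,b@x.com" cannot smuggle a second recipient.
const EMAIL_RE = /^[^\s@,;]+@[^\s@,;]+\.[^\s@,;]+$/;

function sendTestEmail({userId, email}, limiter, transport) {
    // Exactly one recipient: arrays, delimited lists and malformed values are refused
    // before the limiter runs, so a rejected request does not consume quota.
    if (typeof email !== 'string' || !EMAIL_RE.test(email)) {
        return {status: 422, error: 'exactly one valid email address is required'};
    }
    const decision = limiter.consume(userId);
    if (!decision.allowed) {
        return {status: 429, error: 'test email limit reached', retryAfterMs: decision.retryAfterMs};
    }
    transport.send(email);
    return {status: 200, remaining: decision.remaining};
}
```

The limiter is keyed by the authenticated user rather than by IP so that a script cannot sidestep it by rotating source addresses. In this example, rejected (422) requests do not count against the quota; a stricter deployment could count them as well so that repeated malformed calls are throttled too.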
Naz
6361423ff7 Fixed ability to remove post from an automatic collection
refs https://github.com/TryGhost/Arch/issues/16

- A post can be removed from a manual collection, but never from an automatic collection.
2023-07-21 19:46:22 +08:00
Naz
d7bbb0b935 Reworked PostsRepository to use model layer
refs https://github.com/TryGhost/Arch/issues/16

- Using the API directly on the repository level prevented us from ensuring collection consistency through transactions.
- This change migrates the PostsRepository to use the Bookshelf model layer directly, which also allows queries to be put into transactions.
- An additional optimization here was removing the `getAllPosts` method from CollectionService. This is an attempt to reduce the API surface of the service before calling it GA.
2023-07-21 19:46:22 +08:00
Naz
ef41fd86c2 Enabled all collection tests
refs https://github.com/TryGhost/Arch/issues/16
refs 97f24338bf

- With the introduction of transactional post_collections updates, the test flakiness should go away.
2023-07-21 19:46:22 +08:00
Steve Larson
22441fe730 Made lexical rendering async (#17438)
- moved lexical rendering to async
- includes rendering for front end and email
- necessary to pull dynamic data into render method, e.g. collections
2023-07-20 17:48:48 -05:00
Naz
53f9f954c1 Added tag filter support to collections
refs https://github.com/TryGhost/Arch/issues/41

- When a new collection is created the relational "tags" filter is now picked up properly and appropriate posts matching the tag filter are assigned and stored in the collection. Example collection filter that is now supported: `tags:['bacon']`
- Additionally cleaned up returned collection post DTOs, so we return as little data as possible and add only the fields that are needed
2023-07-18 20:18:54 +08:00
Kevin Ansfield
636b1e67b2 Fixed pages API test snapshot having a flaky cache string (#17391)
no issue

- `x-cache-invalidate` will vary across different runs as the post's preview uuid will be different each time the post is created
2023-07-17 13:21:00 +00:00
Naz
97f24338bf Commented out flaky collections tests
refs https://github.com/TryGhost/Arch/issues/16

- There's a race condition happening when processing multiple collection updates at the same time. It causes the state to be inconsistent between the runs.
- Once the event handling is improved these tests should be put back into action
2023-07-17 20:02:54 +08:00
Naz
ea2defb76c Updated collection descriptions
refs https://github.com/TryGhost/Arch/issues/25

- Updated collection descriptions to be less wordy and avoid a redundant "Collection" in them.
2023-07-17 18:43:21 +08:00
Naz
c733424cc5 Fixed collections ordering
refs https://github.com/TryGhost/Arch/issues/25

- When run against different DB engines the returned order of collections belonging to a post is not consistent (SQLite vs MySQL). Having a primitive ordering by slug allows keeping the order compatible
2023-07-17 18:43:21 +08:00
Naz
9bfb197a85 Added fixtures for collection posts
refs https://github.com/TryGhost/Arch/issues/25

- Adds collection_posts fixtures
2023-07-17 18:43:21 +08:00
Naz
acbe3a250e Added built in collection fixtures
refs https://github.com/TryGhost/Arch/issues/25

- The instance should have two built-in collections "latest" (previously known as "index") and "featured". These have been filled through in-memory tricks before, now they should come pre-populated through the fixtures mechanism.
2023-07-17 18:43:21 +08:00
Fabien "egg" O'Carroll
605aa18d6a Added collections helper
This is an initial implementation which uses the Posts Content API rather than
the Collections Content API, this is because we haven't added the Collections
Content API yet, but we can add it later when necessary.
2023-07-17 11:35:30 +01:00
Chris Raible
b625fe76b1 Updated snapshots to include show_title_and_feature_image in event payload (#17378)
no issue

- Tests were failing for me locally because the snapshot for testing
page event payloads didn't include the new
`show_title_and_feature_image` property
- Updated snapshot to include this property, which also changed a few content lengths and `x-cache-invalidate` headers as a side effect
2023-07-14 16:03:40 -07:00
Naz
382d7fa25f Removed unused collections repositories
no issue

- These repositories were leftover from first phases of collections development. Not needed any longer as we have more specialized bookshelf repositories in the core code
2023-07-14 14:20:37 +08:00
Kevin Ansfield
3fdf5adbfd Moved show_title_and_feature_image to @page.show_title_and_feature_image (#17353)
no issue

- updated frontend's `formatResponse` method to add `@page` to the local template data
  - added here because it's the first place we have both context and page data available
  - makes the property available outside of the page context so it can be used to modify layouts
- updated `prepareContextResource()` to delete `show_title_and_feature_image`
  - ensures `@page.show_title_and_feature_image` is the only way of accessing that property
  - method is used when rendering multiple entries so it also prevents differences in context data between looped pages and single pages
2023-07-13 14:26:33 +00:00
Steve Larson
42d87d1437 Updated koenig lexical packages (#17325)
no refs
- updated to get collections card changes
2023-07-12 10:59:20 -05:00
Naz
cdae2a978d Added ability to fetch collection posts by slug
closes https://github.com/TryGhost/Arch/issues/27

- We need a more convenient method of fetching posts belonging to a collection than by collection's "id". This change adds an alias to the existing endpoint `GET /collections/:id/posts/`. A non-valid ObjectID in the parameter is treated as a slug.
2023-07-11 09:30:01 +08:00
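The commit above describes a dual-typed path parameter: a value that is a valid ObjectID selects by id, and anything else falls back to a slug lookup. As an added example (not Ghost's code), the following JavaScript shows one way to classify such a parameter strictly before it reaches a query, so that a value which is neither a well-formed id nor a well-formed slug is rejected instead of being passed through. The ObjectID and slug grammars, the function names and the in-memory collection store are assumptions made for the example.

```javascript
// Added example, not Ghost's code. Mirrors the behaviour in the commit message:
// a 24-hex-character ObjectID selects by id, anything else is treated as a slug.
// The slug grammar, the function names and the in-memory store are assumptions.

const OBJECT_ID_RE = /^[0-9a-f]{24}$/i;
// Lowercase alphanumerics separated by single hyphens; rejects quotes, spaces, slashes, etc.
const SLUG_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

function classifyCollectionParam(param) {
    if (typeof param !== 'string' || param.length === 0) {
        return {error: 'missing collection identifier'};
    }
    if (OBJECT_ID_RE.test(param)) {
        return {by: 'id', value: param.toLowerCase()};
    }
    if (SLUG_RE.test(param)) {
        return {by: 'slug', value: param};
    }
    // Neither shape: refuse rather than letting arbitrary text reach the data layer.
    return {error: 'invalid collection identifier'};
}

// Constructed in-memory store standing in for the collections repository.
const collections = [
    {id: '64a5f0e1c2b3d4e5f6a7b8c9', slug: 'latest'},
    {id: '64a5f0e1c2b3d4e5f6a7b8ca', slug: 'featured'}
];

// Returns the matching collection or null (also null for rejected input).
function findCollection(param) {
    const sel = classifyCollectionParam(param);
    if (sel.error) {
        return null;
    }
    return collections.find(c => c[sel.by] === sel.value) || null;
}
```

One caveat worth keeping in mind with this kind of aliasing: a slug that happens to be exactly 24 hex characters would be classified as an id and could never be reached by slug through this route, so slug generation should avoid producing values of that shape.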
Daniel Lockyer
6f5f608bcd Fixed resetting database in migrations tests
- due to schema changes between versions, we need to completely nuke the
  DB between these tests
- this is definitely not the best way to do it but I'll fix properly next week
2023-07-07 18:42:18 +02:00
Kevin Ansfield
d8d0bc8bd9 Moved posts_meta.hide_title_and_feature_image to posts.show_title_and_feature_image (#17239)
no issue

`show_title_and_feature_image` leads to more intuitive logic in themes and we can use `posts` rather than `posts_meta` as there are no longer row-length issues with MySQL 8.

- removed original add-column migration that was never in a release
- added new add-column migration that puts
`show_title_and_feature_image` column with a default of `true` on the `posts` table
- renamed property and default value everywhere
- bumped `@tryghost/admin-api-schema` to allow the new property through at the API level
2023-07-07 16:40:22 +01:00
Fabien "egg" O'Carroll
2808df7f87 Switched to bookshelf repository
2023-07-07 14:24:42 +08:00
Chris Raible
fc7e150cc2 Fixed importer breaking any posts written in the new editor (#17230)
refs @TryGhost/Product#3551

- PostsImporter would convert the HTML from the import file into
Mobiledoc, even if the post was written in Lexical
- As a result, the imported posts would have both mobiledoc & lexical
fields populated, which prevents the post from being updated in the
Lexical editor
- Added a check to see if the post was written in Lexical, and if so,
skip the HTML > Mobiledoc conversion
2023-07-06 18:37:19 -07:00
Kevin Ansfield
5d8ea79788 Implemented pages.hide_title_and_feature_image property in API (#17211)
closes https://github.com/TryGhost/Product/issues/3557

- bumped `@tryghost/admin-api-schema` to allow passthrough of the new property in API requests
- updated output mapper to ensure property always returns a boolean rather than `null` in the case where `posts_meta` doesn't exist for a page
- updated `PostsService.copyPost()` to include the new property when copying
- updated `checkResponse` test util and snapshots to expect `hide_title_and_feature_image` property in page API responses
- fixed pages e2e test so it doesn't inadvertently modify the match object breaking later tests
2023-07-05 14:01:24 +00:00
Kevin Ansfield
2a340bcab9 Added migration and schema change for posts_meta.hide_title_and_feature_image (#17187)
closes https://github.com/TryGhost/Team/issues/3550

We want to allow an option to hide the title and feature image on a
per-page basis, to do that we need somewhere to store the setting value.
The existing `posts_meta` table is the simplest candidate, especially as
this is a single setting and we don't have a desire to introduce many
such settings.

- added migration that adds the `hide_title_and_feature_image` column to
the `posts_meta` table with a `boolean` data type and a default value of
`false` (matches behaviour of all existing pages)
- updated schema file for initial database creation
- removed property from API output via serializers to keep migration PR
minimal
2023-07-05 14:48:25 +01:00
Daniel Lockyer
289e459283 Added tests for migrations
refs https://github.com/TryGhost/DevOps/issues/39

- up until now, we've had a CI job which does a really basic test for
  migrations, but it barely functions and misses bugs all the time
- this commit removes that and switches to an actual test suite for our
  migrations, so we can ensure they function as expected
- also removes the env var hack I came up with for those migrations
  tests
- this should lead to safer migrations and faster tests
2023-07-05 11:00:06 +02:00
Simon Backx
1b33634495 🐛 Fixed sending newsletters with counter-reset CSS styles in custom HTML (#17194)
fixes https://github.com/TryGhost/Team/issues/2937

Bumps juice to 9.1.0:
- Support for 'auto' width and height attributes
- Fixed a bug with counter-reset styles
- Dependencies updates
2023-07-04 10:18:16 +02:00
Simon Backx
8b610d46b1 Cleaned up batch email utils (#17165)
no issue
2023-06-29 15:29:16 +02:00
Simon Backx
c90424542e 🐛 Fixed signup card in post plaintext and email preheader (#17163)
fixes https://github.com/TryGhost/Team/issues/3542

The signup card text was included in the post plaintext/excerpt and
email preheader
2023-06-29 14:45:30 +02:00
Simon Backx
e6dbc0bc4c 🐛 Fixed repeating text in plaintext version of emails (#17162)
fixes https://github.com/TryGhost/Team/issues/3541

The email preheader, which is only present in the html version of an
email, is also included in the plaintext version of all emails. This
results in all text being duplicated in plaintext emails.
2023-06-29 12:47:17 +02:00
Simon Backx
c41694f5e6 Added E2E Koenig Lexical card tests for paragraphs and signup card (#17159)
refs https://ghost.slack.com/archives/C04TMVA1D7A/p1687987311455289
2023-06-29 11:10:56 +02:00
Fabien "egg" O'Carroll
cf83d169db Added use of a slug generator to offload calculation of slugs
When we end up wiring this to the database, this generator will also ensure
uniqueness by appending/incrementing a number on the end of the slug. Long term
it would be good to offload this to a shared slug service, this could also
ensure that slugs are unique globally or between multiple tables, if desired
2023-06-29 01:40:05 +01:00
Michael Barrett
636c916715 Fixed leaking pivot fields (#17142)
fixes https://github.com/TryGhost/Team/issues/2657

The `omitPivot` option does not have an effect on a model's
`_previousAttributes`. When we serialise a model and want to retrieve
the previous attributes we need to ensure we manually remove the pivot
fields

See
7704fbc5e8/lib/base/model.js (L512)
2023-06-28 13:16:50 +01:00
Naz
f74588f9c2 Fixed date filtering in collections
refs https://github.com/TryGhost/Team/issues/3169

- To be able to apply NQL filtering on Collection Posts the dates should be serialized to be ISO Date Strings instead of raw Dates. Otherwise, NQL filtering fails to compare Date with a Date String.
2023-06-27 12:52:10 +07:00
Kuba
9601285c3d Added bulkEmail.batchSize option to configure batch size
refs https://github.com/TryGhost/Ghost/issues/15725

This pull request adds a new configuration option for the Mailgun email
provider that allows the user to set the maximum number of recipients
per email batch via a new config option `bulkEmail.batchSize`
2023-06-26 12:57:44 +02:00
Fabien "egg" O'Carroll
bd6e476c57 Added tables to persist Collections
refs https://github.com/TryGhost/Team/issues/3427
2023-06-23 16:11:55 +02:00
Simon Backx
78405a9cb8 Corrected image CORS (#17119)
refs
018f97e679
2023-06-23 14:33:00 +02:00
Michael Barrett
6f5baca849 Add endpoint to record mail events (#16990)
refs https://github.com/TryGhost/Team/issues/3319
2023-06-23 12:22:01 +01:00
Daniel Lockyer
08e2fbeacb Removed Bluebird from tests
refs https://github.com/TryGhost/Ghost/issues/14882

- we're moving away from using Bluebird in favor of native Promises, so
  this commit removes nearly all instances from tests
2023-06-23 10:03:03 +02:00
Princi Vershwal
2798d43663 Removed Bluebird Promise.each from db.utils (#17032)
refs https://github.com/TryGhost/Ghost/issues/14882

Co-authored-by: Princi Vershwal <princi.vershwal@Princis-MacBook-Pro.local>
Co-authored-by: Daniel Lockyer <hi@daniellockyer.com>
2023-06-23 09:46:41 +02:00
Princi Vershwal
308a3b286a Replaced Bluebird Promise.mapSeries with sequence util (#17008)
refs https://github.com/TryGhost/Ghost/issues/14882

Co-authored-by: Princi Vershwal <princi.vershwal@Princis-MacBook-Pro.local>
2023-06-23 09:04:37 +02:00
Simon Backx
8d6fb51908 Added Playwright tests to comments-ui
refs https://github.com/TryGhost/Team/issues/3504

Not complete yet, but contains the basic structure and a few tests that work and should run in CI.
2023-06-22 15:06:13 +02:00
Hannah Wolfe
6161f94910 Updated to use assert/strict everywhere (#17047)
refs: https://github.com/TryGhost/Toolbox/issues/595

We're rolling out new rules around the node assert library, the first of which is enforcing the use of assert/strict. This means we don't need to use the strict version of methods, as the standard version will work that way by default.

This caught some gotchas in our existing usage of assert where the lack of strict mode had unexpected results:
- Url matching needs to be done on `url.href` see aa58b354a4
- Null and undefined are not the same thing; there were a few cases of this being confused
- Particularly questionable changes in [PostExporter tests](c1a468744b) tracked [here](https://github.com/TryGhost/Team/issues/3505).
- A typo see eaac9c293a

Moving forward, using assert strict should help us to catch unexpected behaviour, particularly around nulls and undefineds during implementation.
2023-06-21 09:56:59 +01:00
Simon Backx
0c28cebfd4 Updated rate limiting snapshot for updated copy
refs https://ghost.slack.com/archives/C02G9E68C/p1687303342271029
2023-06-21 10:36:53 +02:00
Fabien 'egg' O'Carroll
41cbc40353 Moved collections initialisation behind labs flag (#17057)
We ran into an issue where the large `published:true` query was
affecting the boot time of large sites which had knock-on effects with
availability.
2023-06-19 16:40:15 +02:00
Daniel Lockyer
99aeb73ecc Optimized DB reset during tests
refs https://github.com/TryGhost/Toolbox/issues/592

- it turns out that `TRUNCATE` in CI takes ~300ms for all tables, but
  `DELETE FROM` takes ~30ms
- whilst truncating is generally known to be faster, I believe it's only
  faster on large tables
- this saves 90% of the time it takes to reset the DB in MySQL
2023-06-16 13:15:17 +02:00
Naz
09264261b7 Added ability to fetch posts by collection
closes https://github.com/TryGhost/Team/issues/3423

- For convenience we need a way to fetch posts that belong to a certain collection. This change adds support for `collection` query parameter: `/?collection=` which can be either an id or slug of the collections we are trying to fetch.
- When posts are fetched by collection we ignore any filters passed along in query parameters as collection is a "filter" by its very nature.
2023-06-16 17:28:12 +07:00
Ronald Langeveld
cfbc97b033 🐛 Fixed revisions relation not linked to Posts api (#17037)
no issue

This was a bit of an oversight from our feature built at the retreat. We
didn't take revisions into account for pages at all, but luckily it made
revisions without issues regardless.
It just wasn't accessible and users weren't able to restore via ADMIN
because the API didn't serve them at all.

This wires up the revisions relation to be served by the API so we can
retrieve it in Admin.
2023-06-16 09:49:12 +02:00
Fabien "egg" O'Carroll
0d7f98f4d1 Supported adding/removing post to collection via Posts API
We've got some fairly simple diffing logic here to update the collections which
a post is in, the bulk of the changes here are to support the return of a DTO
rather than Bookshelf Model. This also helps improve the architecture because
we are a step closer to removing infrastructure concerns (HTTP Response Headers)
from the business logic layer.

For now there is a crappy EventString which can be passed back to the
controller which can then handle any HTTP related concerns, although long term
these should be actual events like PostPublished or PostUpdated.
2023-06-16 09:28:19 +02:00
Fabien "egg" O'Carroll
f3f9e5a2f3 Moved serialisation of formats into the serialiser-layer
This prepares us to return a DTO rather than BookshelfModel to the serialiser
layer. When passing a BookshelfModel, the serialisation layer uses the model to
read from when building computed properties. By stripping values out in the
toJSON method it means that the DTO will be missing them and the computed
properties won't be able to be calculated. Instead we return ALL values to the
serialisation layer, and then strip out the ones that weren't requested in the
"clean" step.

This also inadvertently fixes the issue with `reading_time` requiring the
`html` field to be requested, we can now request just `reading_time`, as well
as have it included by default.
2023-06-16 09:17:47 +02:00
Fabien "egg" O'Carroll
41716a06ae Fixed mutation of shared state for matcher
This can cause bugs due to the matcher constraints changing in each test
2023-06-16 09:17:47 +02:00