Commit Graph

2618 Commits

Author SHA1 Message Date
Katharina Irrgang
506a0c3e9e 🔥 Removed certain fields from public user response (#9069)
no issue 

* Comment current state of toJSON for user model

- currently the user model does not return the email if the context is app/external/public OR if there is no context object at all
- i am not 100% sure why if there is no context we should not return the email address
- i think no context means internal access
- maybe change this condition cc @ErisDS

* Extend our access rules plugin

- we already have a instance method to determine which context is used
- this relies on passing options into `.forge` - but we almost never pass the context into the forge call
  - added @TODO
- provide another static method to determine the context based on the options object passed from outside

* Use the new static function for existing code

* Add comment where the external context is used

* Remove certain fields from a public request (User model only)

* Tests: support `checkResponse` for a public request

- start with an optional option pattern
- i would love to get rid of checkResponse('user', null, null, null)
- still support old style for now
- a resoure can define the default response fields and public response fields

* Tests: adapt public api test

* Tests: adapt api user test

- use new option pattern for `checkResponse`
- eww null, null, null, null....

* Revert the usage of the access rules plugin
2017-09-28 14:00:52 +01:00
Katharina Irrgang
42af268d1b 🎨 User is not allowed to add/modify certain fields (#9053)
no issue

- it's not allowed to change/add these attributes via the API
  - created_at = is only once set on adding the resource
  - created_by = is only once set on adding the resource
  - updated_by = is set on the server side when updating the model (based on who is logged in)
  - updated_at = is set on the server side when updating the model

* Revert the usage of the access rules plugin
2017-09-28 13:59:42 +01:00
Katharina Irrgang
d3d04a8e72 Fixed wrong handling of formats param (#9078)
closes #9077

- because of our API layer refactoring, see https://github.com/TryGhost/Ghost/pull/9068
- we can now see that code was written wrong because of this horrible API bug
- this fixes the formats parameter for querying a single post
2017-09-28 13:38:32 +01:00
kirrg001
e347163940 Removed bypassing option filtering in User model
no issue

- the logic here bypasses filtering options!
- that is wrong, because if we filter out certain options e.g. include
- the tests from the previous commit fail because of this
- if we don't fix this logic, the tests won't pass, because as said, you can bypass certain logic e.g. remove roles from include
- this has worked before, because we passed the wrong options via the API layer
- was introduced here 014e2c88dd, because of https://github.com/TryGhost/Ghost/pull/6122
- add proper tests to proof that these queries work!!
2017-09-28 10:18:18 +01:00
kirrg001
1e2beface1 Refactored the API layer: do not handle API response after pipelining
no issue

- this has a big underlying problem
- each task in the pipeline can modify the options
- e.g. add a proper permission context
- if we chain after the pipeline, we don't have access to the modified options object
- and then we pass the wrong options into the `toJSON` function of a model
- the toJSON function decides what to return based on options
- this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-28 10:18:18 +01:00
Katharina Irrgang
a6d57d6324 🐛 Fixed missing cache invalidation header when uploading redirects (#9071)
closes #9065
2017-09-27 18:58:33 +01:00
Hannah Wolfe
fcd3c6847b 🐛 Fixed author role permission to change author (#9067)
🐛  Fixed author role permission to change author

no issue

- To be able to fix this bug, we had to solve tasks from #9043
- This bug affects the private / undocumented API only
- Author role users should not be allowed to change the author of a post
2017-09-27 13:12:53 +02:00
Katharina Irrgang
baf8116d6b Removed OAuth leftover: emit event when calling /users/me (#9061)
refs #8342

- was added in this commit 319a388277
- we can remove this event
2017-09-27 04:07:39 +01:00
Katharina Irrgang
3002747b68 Return dates from the database without milliseconds (#9054)
no issue

- we store dates without milliseconds in the database
- our test environment does not use our model layer to insert data, this is related to  https://github.com/TryGhost/Ghost/issues/7196
- so it can happen that the test env inserts unix timestamps instead of a formatted string
- e.g. adding data via the model layer (e.g. via the API) the format is always normalised to `YYYY-MM-DD HH:mm:ss`
- if we fetch the date from the database, we have a hook which sorts out knex returning different formats for dates
- this hook wraps the returned date into a UTC moment date, but adds the current milliseconds on top
- which can collide in tests when you have specific assertions
- use `startOf` to ignore milliseconds
- furthermore: remove the mentionings of `pg` (postgres)
2017-09-26 17:16:46 +01:00
Hannah Wolfe
b468d6dbe2 Support for attribute-based permissions (#9025)
refs #8602

- Add the wiring to pass attributes around the permission system
- Allows us to get access to the important "unsafe" attributes that are changing
- E.g. status for posts
- This can then be used to determine whether a user has permission to perform an attribute-based action
- E.g. publish a post (change status)
2017-09-26 18:06:14 +02:00
Katharina Irrgang
a80a09e483 🔥 Removed public API endpoint to fetch users by email address (#9059)
no issue

- our public API is still a beta/labs feature
- from api.ghost.org
  > The API is still under very (very) heavy development and subject to regular breaking changes.
- users should expect breaking changes in any release (independent from semver versions)
- the public user API never returns any email addresses to decrease the information we expose
- there is no need to keep the support fetching a user by email address
2017-09-26 16:42:58 +01:00
Katharina Irrgang
af01f51204 🐛 Fixed returning roles for the public user resource (#9039)
no issue

- this bug fix affects all endpoints for the public user access
- we allowed fetching `roles` via the public api by accident
- see our docs: https://api.ghost.org/docs/users)
  - we only allow `count.posts`
- returning roles via the public api exposes too many details
- this was never intentional
2017-09-26 15:43:21 +01:00
Katharina Irrgang
e921c7a044 Revert "🐛 Fixed returning roles for the public user resource (#9039)" (#9062)
This reverts commit 217bc6914d.

- NOTE: will be released in the next minor release
2017-09-26 14:28:34 +01:00
Katharina Irrgang
22017b8ede 🎨 Backup redirects.json file before overriding (#9051)
refs #9028

- if you upload a redirects file and a redirects file exists already, we backup this file to `data/redirects-YYYY-MM-DD-HH-mm-ss.json`
- decrease chance of random test failures by not comparing date format with seconds
2017-09-25 18:35:57 +01:00
Katharina Irrgang
472858f262 Removed unused API endpoint: POST /users (#9052)
no issue

- this endpoint does not exist anymore
- if you want to add a new user, you have to invite him via the invites API
- on invite accept, the user is inserted
2017-09-25 16:58:14 +01:00
Kevin Ansfield
ec6e25674c Removed markdown-it-named-headers and unused string deps (#8994)
refs https://github.com/TryGhost/Ghost-Admin/pull/856

- moves `markdown-it-named-headers` functionality into our own app code without requiring the [`string.js`](http://stringjs.com) sub-dependency
- matches Ghost-Admin markdown-it code
2017-09-25 16:36:34 +02:00
Katharina Irrgang
1dd365778f 🐛 Fixed persistent upgrade notifications showing for the currently installed version (#9048)
closes #9040

- introduced by https://github.com/TryGhost/Ghost/pull/9009
- a condition was missing, was removed by mistake
2017-09-25 12:22:56 +01:00
Katharina Irrgang
217bc6914d 🐛 Fixed returning roles for the public user resource (#9039)
no issue

- this bug fix affects all endpoints for the public user access
- we allowed fetching `roles` via the public api by accident
- see our docs: https://api.ghost.org/docs/users)
  - we only allow `count.posts`
- returning roles via the public api exposes too many details
- this was never attentional
2017-09-25 11:18:23 +01:00
Hannah Wolfe
9da7b956d5 Permissions: code cleanup & basic unit tests (#9037)
refs #9043

- Split public-related and context code into logical components
- Split tests up to match
- Ensure we have 100% unit test coverage
- General cleanup
2017-09-25 11:17:06 +02:00
Vikas
e8f85fd3da 🐛 Fixed redirects upload for various browsers/systems (#9042)
closes #9036
2017-09-22 21:57:43 +02:00
Katharina Irrgang
d943fc7cc9 Allow Upload/Download of redirects.json (#9029)
refs #9028

- add two new endpoints for uploading/downloading the redirects (file based)
- reload/re-register redirects on runtime
- migration for 1.9 to add permissions for redirects download/upload
2017-09-21 16:01:03 +01:00
kirrg001
f478e4f9c8 🎨 Enabled Unsplash by default
refs https://github.com/TryGhost/Ghost/issues/8859

There are four cases:

- unsplash setting is empty (default), admin can enable the app by default (hardcoded isActive:true)
- unsplash settings are set, unsplash is disabled, admin detects that app was disabled on purpose
- unsplash setting is set, unsplash is enabled and has a key, app is enabled, old key get's ignored and overridden on the next save
- unsplash setting is set, unsplash is enabled and has no key, app is enabled
2017-09-20 11:44:47 +01:00
kirrg001
79fead5516 Removed private configuration endpoint
refs https://github.com/TryGhost/Ghost/issues/8859

- We don't need the config option for Unsplash anymore
- The private endpoint (/configuration/private) was introduced for Unsplash
2017-09-20 11:44:47 +01:00
Katharina Irrgang
edf2348394 Improved log output for welcome email error (#9016)
* Improved log output for welcome email error

no issue

- if Ghost is unable to send a welcome email, the server log printe a huge error log
- the reason was that each component wrapped the original error into a new error instance
  - so the stack grows and grows
- the golden rule should always be: the smallest/lowest component should instanitate a specifc error
  - the caller can expect to receive a custom Ghost error

* Tidy up error messages for mail failures and fix tests

- We never use "Error:" notation in our translations
- Make the error messages consistent and show a reason if possible
2017-09-19 14:24:20 +01:00
Aileen Nowak
0ce24b48bd Moved published_at creation to fixtures/utils (#8595)
no issue

- follow-up from #8573
- bove the hack that creates published_at values from the migration fn to our fixture util
2017-09-19 12:54:01 +02:00
Katharina Irrgang
4ac34a7f33 🐛 Fixed api url for the ghost sdk (#9013)
no issue

- mirror LTS behaviour to master
- if your blog or admin url is configured to http, it's still possible that e.g. nginx allows both https/http
- that's why we should generate the api url without protocol in this case
- so it depends how you serve your blog, example:
  - blog url is http://example.com
  - generated api url for the sdk is //example.com (dynamic protocol allowed)
  - you serve your blog via https://example.com, protocol is https
  - you serve your blog via http://example.com, protocol is http
2017-09-18 16:28:22 +01:00
Katharina Irrgang
abb84d065e Improved debug logs for auth utils (#9015)
no issue

- reduce the debug logs
- it's okay to log the old token to delete, because this token is getting removed anyway
2017-09-18 16:23:47 +01:00
Katharina Irrgang
7b4c3fc085 Removed defunct Ghost OAuth code (#9014)
closes #8342

- no need to add a migration, because when we'released 1.0, OAuth was never an option
- it was disabled in April, 1.0-beta was released in June
- remove all remote authentication code
2017-09-18 13:01:58 +01:00
kirrg001
18abb425fc 🐛 Fixed doubled query params for url/admin-url redirection
no issue

- express adds the query parameters to the `originalUrl`
- we have to ensure that we don't add the query params twice
2017-09-14 07:55:14 +07:00
kirrg001
79959d9581 🐛 Fixed public api access on custom domain
no issue

- if you blog runs on a custom domain, but your admin panel is configured using a different domain
  -> Ghost losts the origin header
- we had this situation once with pretty urls (your request get's redirected from /posts to /posts/, see https://github.com/TryGhost/Ghost/pull/8094)
- we've moved all our redirect logic to Ghost and ran into the same situation
- i've added proper test to ensure it won't happen again
2017-09-14 07:55:14 +07:00
Katharina Irrgang
85f8498bd6 🎨 Changed showing update notifications for minor/major only (#9009)
closes #9006

- this is a temporary fix to only show update notifications for minor/major releases
- the notification refactoring is in the pipeline, but not yet merged into 1.X/LTS, see https://github.com/TryGhost/Ghost/pull/8871
2017-09-13 18:12:41 +07:00
Hannah Wolfe
4237446277 Misc cleanup & consistency amends (#9002)
no issue

- Consistent naming for postLookup
   - makes it easier to search and inspect the various usages
- Cleanup unneeded code
- Make res.render calls more consistent
- add some consistency to the calls to res.render
- Remove ancient reference to dataProvider
- Let's call it models everywhere now...
- Use consistent formatting across the API
- we're no longer using alignment in vars
- Misc other consistency changes in API
- always refer to local utils as apiUtils
- logical grouping of requires - dependencies, utils, "lib common" etc
- use xAPI to refer to API endpoints, e.g. mailAPI, settingsAPI for clarity
2017-09-12 17:31:14 +02:00
kirrg001
c99557d9a3 🐛 Fixed disqus comment id when exporting/importing 1.x content
no issue

- while i was testing random failures, i discovered an edge case for disqus
- you start a new 1.0 blog, you add disqus, the unique identifer is the post id (object id)
- now you export your content and import it on a new instance
- the importer detects that the amp field is null and imports the old object id as comment id
- but the post model is not prepared for this case
- see next commit for tests

**NOTE**: The comment id had two different data types (Number or String). Disqus expects a string. So this should not change any behaviour, now that the comment_id is always a string.
2017-09-12 16:29:59 +01:00
Aileen Nowak
a45a91c906 🐛 Fix invalid image URLs not being cached and causing timeouts (#8986)
refs #8868

* 📐  Use request util in image-size
- swapped the usage of `got` for requests with the request util

* 💄  Use catch predicates
- Uses catch predicates instead of conditionals in `getImageSizeFromUrl`
- Return `NotFoundError` if applicable in `getImageSizeFromFilePath` as the caller function `cachedImageSizeFromUrl` is differentiating those between this error and others.

* 🐛  Fixed ImageObject URL & simplify no protocol URL logic

- Using `ImageObject` as a global var resulted in having the `url` property being the same for all requests coming in.
- The logic that checked for an existing protocol (e. g. gravatar URLs) was overly complicated. Refactored it to be more simple.
- Passing the correct value to `fetchDimensionsFromBuffer` as the population of `imageObject.url` happens there. These are used in our structured data and need to be full URLs (in case of locally stored files) or the original URL (in case of URLs missing the protocol)
- Added two more debug logs in `getCachedImageSizeFromUrl` so it's logged when an image is added to the cache even tho it was returned as error.

* 👀  Differentiate error codes between request and storage

* 🔥  Remove not needed `Promise.resolve()`

We're always resolving the result in `getCachedImageSizeFromUrl`, so there's no need to return the values with a `Promise.resolve()`. The caller fn uses waits for the Promises to be fulfilled.

* ☂️  Wrap already rejected predicate errors in catch all

* Use errorDetails instead of context

* ☂️  Support /assets/ image paths

- adds a guard that checks the image URL for `/assets/` in the beginning and passes a completed URL to the request util to try and fetch the image size
- adds tests
2017-09-12 12:53:18 +01:00
Katharina Irrgang
add9e541c2 🐛 Fixed private blogging leaking post information (#8999)
* 🐛  Fixed private blogging leaking post information

closes #8990

- a condition in the private blogging app redirected rss && sitemap to 404, which can possibly leak content
- remove this condition and ensure we always redirect to /private

* lint 😋
2017-09-11 14:09:19 +01:00
Katharina Irrgang
7e211a307c 🐛 Fixed custom redirects with query/search params (#8998)
closes #8997

- improved the logic for custom redirects
- added more tests
2017-09-11 13:20:29 +01:00
Hannah Wolfe
45fd2d437f Properly return a bluebird promise (#8988)
refs #8980

- ☹️ apparently this is actually the only way
2017-09-07 20:48:20 +07:00
Aileen Nowak
6c216b81be Request util to wrap got library (#8980)
no issue

This PR includes a new util which wraps the `got` library. It is not used in the codebase yet, but tested with `image-size` util:
- wraps `got` request library in its own `request.js` util that returns bluebird promises and validates URL before starting a request
- adds tests
2017-09-07 12:17:24 +01:00
Hannah Wolfe
cdf6a10490 ghost_head improvements (#8983)
no issue

- Added debug statements to ghost_head
  - useful for determining how much render time is spent in ghost head
- Make promises more readable
- Used join instead of props for less code
2017-09-07 12:59:02 +02:00
Aileen Nowak
56d64e53bf Logging for image size (#8978)
no issue

- added debug logs to image size util and related fn:
    - when fetched via network request
    - when fetched from storage
    - when added to cache
    - when read from cache
2017-09-07 10:34:10 +01:00
Hannah Wolfe
6c47285bba Added error handling for ghost_head (#8982)
refs #8945

- Ensure that errors in ghost_head are logged
- Render some content despite the error!
2017-09-07 09:29:44 +02:00
Katharina Irrgang
d460cf1291 🐛 Fixed post scheduling (#8976)
closes #8975

- recursive logic was broken
- caused via bf47397ac2
2017-09-05 19:23:11 +01:00
Hannah Wolfe
69657a1ac6 Keep the original error in registerAsyncTheme (#8977)
refs #8945

- pass the original error as part of the errorDetails
- improves logging, so we know what really went wrong
- for debug purposes - can be removed at some point
2017-09-05 20:11:59 +02:00
Katharina Irrgang
71cee504c2 Added default logging rotation config (#8974)
no issue

- define `period` and `count` in our defaults.json config
- advantage: easier access and better overview how logging is configured by default
- period is 1d and count is 10
2017-09-05 17:25:20 +02:00
Katharina Irrgang
1fe87a6110 Tests: Stub image request for dimensions (#8973)
no issue
- test cases were trying to fetch image sizes for `localhost:port/favicon.ico` but no server is running so they time out
- stub the `getImageSizeFromUrl` method so it resolves instantly
2017-09-05 16:24:04 +01:00
Aileen Nowak
eef7932e94 Refactor: fetch image dimensions from local file storage (#8900)
refs #8868

- Removed image-size in blog logo fn for meta data and made it synchronous
- Renamed `image-size-from-url.js` to `image-size.js` (incl. the test)
- Added second fn `getImageSizeFromFilePath` that reads from local file storage
- Added guard in `getImageSizeFromUrl` that checks if the image should be on local file storage and uses the new fn then instead
- Added a fn `fetchDimensionsFromBuffer` that takes the file buffer and returns an `imageObject` with dimensions.
- Added a new utils.js in `adapters/storage` for getting the file storage path
2017-09-05 14:13:22 +02:00
Austin Burdine
a9e668a949 🐛 Fixed only save imported post ids if amp field is empty (#8967)
closes #8963

- if an LTS export is imported into a 1.0 blog, then the 1.0 blog is
exported and re-imported into another 1.0 blog, any post ids from the
lts import were getting clobbered. This only saves the post id if the
amp field does not already exist
- add failing test that passes w/change
2017-09-04 09:48:56 +02:00
Kevin Ansfield
47322e4239 Re-instate mobiledoc dom rendering with bypass of SimpleDOM parsing (#8937)
closes #8757

- update the markdown card render method to use SimpleDOM's `createRawHtmlSection`. This avoids SimpleDOM parsing and tokenization of broken or unsupported free-form HTML that markdown allows
- replace markdown extraction/render with mobiledoc's renderer in the `Post` model
- removes `jsdom` as it's no longer necessary
2017-08-31 12:09:02 +02:00
Vikas
8606ea22a2 Normalize docs URLs (#8949)
no issue

v1.0.0 is no longer the standard in the docs, so I updated all of the URLs containing it with v1
Note: I tried squashing commits, but failed. I'll try again in the future with throwaway changes
Secondary Note: I tested most of the URLs listed and got no 404s!
2017-08-31 11:45:59 +02:00
Aileen Nowak
30bee115fe Used got to handle requests for image-size (#8892)
refs #8589, refs #8868

- swap `request` with `got` in `getImageSizeFromUrl` util
- less handling for request cases e.g. timeouts, follow redirects
2017-08-31 11:39:37 +02:00
Katharina Irrgang
bf47397ac2 Small improvements for the scheduler (#8957)
no issue

- add caching logic to adapter creation (same as we use for storages)
- add debug logs to the default scheduler
- add `requestTimeout` to the default scheduler to support custom timeouts
- add `isRunning` logic to protect running the scheduler twice
2017-08-31 14:12:44 +07:00
Katharina Irrgang
7dec743bba Blog and Admin redirects with trailing slash (#8955)
no issue

- reduce the number of redirects
- before: you are redirected from example.com/ghost to admin.example.com/ghost and Ghost would detect a missing slash and redirect you to /ghost/
- now: you are redirected from example.com/ghost to admin.example.com/ghost/
2017-08-30 17:42:00 +01:00
Katharina Irrgang
029a2a276c 🐛 Fixed redirects loop if admin url does not equal blog url (#8950)
no issue

- this bug was invented with this commit 25c4e5025a
- the updated logic ensures that
  - only if you have configured a custom admin url and your requested host does not match, we redirect you
  - we still keep the wish of no force redirect if you have only configured a custom blog url and you navigate to /ghost
2017-08-29 10:13:56 +01:00
Hannah Wolfe
688d8c9051 🐛 Downgraded errors to warnings for img_url
refs #8703

- Instead of throwing errors, throw warnings for incorrect usage of the img_url helper
- Differentiate between no attribute passed, and attribute evaluating to undefined
2017-08-29 10:31:00 +02:00
Hannah Wolfe
c49dba12a0 🐛 Added error handling to prev/next post helpers
refs #8703

- On API error, call inverse with a data error, the same as the get helper
2017-08-29 10:31:00 +02:00
Hannah Wolfe
b6b2930d15 🐛 Fixed error handling in async helpers
refs #8703

- Always always call cb() even if we get an error!
- Ensure the error is handled, and converted to a GhostError if not already
- If we're in development mode, render the error. Else render nothing.
2017-08-29 10:31:00 +02:00
Hannah Wolfe
c6d54ceea1 🐛 Fixed internal tags being used as primary tags (#8934)
fixes #8920

- Implements logic such that internal tags cannot be primary tags
- If the first tag on a post is an internal tag, that post will not have a primary tag
2017-08-24 13:07:19 +01:00
John O'Nolan
b15f09426e 🛠 Removed "archive" from reserved slugs (#8928) 2017-08-22 17:21:24 +01:00
Kevin Ansfield
f7ce8d0e79 Fix lint error 2017-08-22 14:06:36 +01:00
Kevin Ansfield
2928f649a0 Fix "add-backup-client" migration
no issue
- use correct parameters for `addFixturesForModel` method
2017-08-22 13:51:44 +01:00
David Wolfe
be54da265b Add segment analytics for blog data (#8912)
no issue
- adds data to track such as post published
- adds ability to add custom data and event prefix via config file
2017-08-22 12:23:23 +01:00
Hannah Wolfe
ff15dc1667 Added any & all matching to {{#has}} helper
closes #8901

- Adds support for

```
{{#has any="twitter, facebook, website"}}
{{#has any="author.facebook, author.twitter,author.website"}}
{{#has any="@blog.facebook, @blog.twitter, @labs.subscribers"}}
{{#has all="@labs.subscribers,@labs.publicAPI"}}
```
2017-08-22 11:21:47 +01:00
Hannah Wolfe
746ac2db4d Optimise {{#has}} helper code
refs #8901

- Reduce the amount of code in the helper
- Optimise the checks, so that we only do the minimal amount of work necessary
2017-08-22 11:21:47 +01:00
David Wolfe
c3fcb3105f Add ghost-backup client to trigger export (#8911)
no issue
- adds a ghost-backup client
- adds a client authenticated endpoint to export blog for ghost-backup client only
- allows some additional overrides during import
- allows for an import by file to override locking a user and double hashing the password
2017-08-22 11:15:40 +01:00
Hannah Wolfe
b1cfa6e342 Improved version match logic (#8922)
closes #8821

- Use semver to do constraint matching
- Use client to generate a caret constraint
- E.g. if the client is 1.1, then the constraint ^1.1.0 will match >=1.1.0 <2.0.0
- Updated tests
2017-08-22 10:59:01 +01:00
Aileen Nowak
b086b432ad Dumped icojs and use image-size for .ico (#8888)
refs #8868

The `image-size` library supports now `.ico` files, which means there is no longer need to use the `icojs` library.
- removes unnecessary `icojs` dependency
- refactors `getIconDimensions` fn in blog icon util to fetch image sizes synchronus
- removes unnecessary `getIconDimensions` fn in blog icon validation, as there is no longer need to use different image size fn for different file extensions, and uses `getIconDimensions` from blog util fn instead.
- updates and adds more tests
2017-08-17 17:44:05 +01:00
Hannah Wolfe
4f3a8f6b38 API express app routing & middleware improvements (#8883)
no issue

- Split routes out from the API app 🎨
    - Use the same pattern as the blog app
    - General cleanup/unification across all of the `app.js` files

- Split middleware config out from API routes
    - Logical groupings make it easier to see WTF is going on 😬
2017-08-17 17:52:58 +07:00
Hannah Wolfe
8c7d305cd5 🐛 Fixed channel context to be based on res.locals (#8910)
closes #8907, closes #8908

- Add a bunch of tests to detect these breakages!
- Then change all the places where req.channelConfig was still being used
2017-08-16 11:06:30 +01:00
Hannah Wolfe
86e4b7b723 Added slug & id matching to {{#has}} helper (#8903)
refs #8901

- Adds support for

```
{{#has slug="welcome"}}
{{#has slug=../../slug}}
{{#has id=post.id}}
```
2017-08-15 16:25:06 +01:00
Hannah Wolfe
6ee9bb491c Added number & index matching to {{#has}} helper (#8902)
refs #8901

- Adds support for:

    ```
    {{#has number="3"}} // A single number
    {{#has number="3, 6, 9"}} // list the numbers you want to match against
    {{#has number="nth:3"}} // special syntax for nth item
    ```

    And

    ```
    {{#has index="3"}} // A single number
    {{#has index="3, 6, 9"}} // list the numbers you want to match against
    {{#has index="nth:3"}} // special syntax for nth item
    ```
2017-08-15 16:00:17 +01:00
Kevin Ansfield
d064eda229 Add configuration/private endpoint and settings for Unsplash (#8895)
refs #8859

- adds new `configuration/private` endpoint for exposing config that should not be accessible without authentication
- adds `unsplashAPI` to private config
- adds empty `unsplash` config to default settings
2017-08-15 15:59:16 +01:00
Hannah Wolfe
b6b299a8f7 Used ghost-ignition.debug, removed debug dep (#8881)
no issue

- Upgraded ghost-ignition
- Use debug from ghost-ignition everywhere in the code base
- Remove debug dependency
- Fixed random typo in Gruntfile.js
2017-08-15 18:29:27 +07:00
Hannah Wolfe
cafabff89e 🐛 Fixed duplicate subdirs in plaintext (#8882)
fixes #8845

- We had a report of weird URLS being output in admin stories view
- This is due to plaintext being incorrectly generated
- In order for a URL to be correct, it would need to already contain the subdirectory
- This line in the post model adds it as well, causing a duplicate
- Hence removing this line is the fix
2017-08-15 11:31:22 +01:00
Hannah Wolfe
512808e8b4 🐛 Added 409 UpdateCollisionError for the editor (#8899)
fixes #8898

- This is a user error, not a system error
- Downgrading to a 4xx status code means it doesn't appear in logs where it shouldn't
- We didn't have a suitable error available so I added UpdateCollisionError with 409 status
2017-08-15 12:06:40 +02:00
Hannah Wolfe
852155075f 🐛 Added 409 DisabledFeatureError for labs features (#8890)
fixes #8889

- This is a user error, not a system error
- Downgrading to a 4xx status code means it doesn't appear in logs where it shouldn't
- We didn't have a suitable error available so I added DisabledFeatureError with 409 status
- Ref: https://stackoverflow.com/questions/36874263/expected-http-status-code-for-an-action-on-a-disabled-resource
- Also tweaked the error message slightly as it didn't read clearly to me
2017-08-15 10:50:36 +02:00
Hannah Wolfe
bd41dba35b 🦄 Channels: Stored config in res.locals not req (#8884)
refs #5091

- This tiny refactor opens the door for using channel config inside of helpers
- This means that ghost_head, and the next_post/prev_post helpers can be context aware
2017-08-14 10:21:24 +07:00
Hannah Wolfe
137b8bf973 Optimised usage of debug (#8874)
no issue

- Reduced debug calls down for redirects
- Added start/end debug for custom redirect loading
- Removed duplicate request debug logs
2017-08-11 00:23:49 +02:00
Katharina Irrgang
e930b12e6c Be able to define a custom Update Check endpoint (#8870)
no issue

- helps developing
2017-08-10 15:01:51 +01:00
Hannah Wolfe
4474ca1a1d 🐛 Fixed Infinite 404s for images (#8869)
refs #8868

- Improve the error returned from local file store
- Use the new code to differentiate between static & non-static errors
2017-08-10 15:31:52 +02:00
Hannah Wolfe
1cc4be8010 🦄 Channels: make RSS & Pagination configurable (#8857)
refs #5091

- occurred to me whilst documenting the custom homepage config, that RSS and pagination
need to be optional
- added a very quick if statement & tests
- needs further refactoring & test improvements
- this will not disable the RSS url output in meta data yet 😔
2017-08-10 11:12:09 +02:00
Hannah Wolfe
147ec91162 🎨 Switched to 404 error in image size utility (#8862)
refs #8850

- This reduces the amount of noise from the image size utility.
2017-08-09 19:24:28 +02:00
Hannah Wolfe
d9b97c2a92 🛠 Moved 404 requests from error log to access log (#8850)
no issue

- 404 errors clutter up the log files and stdout when developing
- We don't really need these as more than a single line, like other requests
- This is how it worked in LTS
- This is also more consistent with other software (e.g. nginx)
2017-08-08 12:48:10 +02:00
Hannah Wolfe
2e8a8ad88a 🐛 Fixed meta on subscribe page if labs not enabled (#8848)
refs #8597

- Only set the subscribe context if the labs flag is set
- Committed at 38000ft
2017-08-08 09:45:37 +02:00
Hannah Wolfe
dbd7060e69 🦄 Added /edit/ redirect to admin for post previews (#8836)
no issue

- This already works for posts and channels
- It always felt like a bug that it didn't work for previews
- Now it does 😬
2017-08-08 09:32:55 +02:00
Aileen Nowak
cfbb7f6c6b Facebook and Twitter data per post feature (#8827)
closes #8334

- adds title, image and description to structured data to be rendered as open graph and twitter data.
- if meta title and description for a post exists already, the custom structured data will overwrite those for `og:` and `twitter:` data. `JSON-LD` (Schema.org`) is not affected and will stay the same.
- adds tests
- adds new og and twitter fields to schema incl. migration
2017-08-03 15:48:39 +04:00
Sam Wilskey
d73133d74b 🐛 Fixed keeping user inactive during user import (#8738)
closes #8651

- inactive users are suspended users or the owner user on blog setup
- added a check to see if user is inactive in import
- passes all tests
2017-08-03 13:21:37 +04:00
Hannah Wolfe
0c54541b4d 🐛 Fixed error in error template hiding errors (#8832)
closes #8808

Problem:
- In certain cases, particularly in production mode, errors would be hidden
- E.g. fatal theme errors could not be seen, users instead saw "Failed to lookup view 'error' in views directory"
- This is extremely unhelpful, particularly for people upgrading from 1.0.0 or 1.0.1 where the disqus rule was added
afterwards and modified casper would error
Solution:
- Ensure that we properly setup handlebars when we throw an error
- If engines is not set, set all the view engine related properties
2017-08-03 13:12:16 +04:00
Hannah Wolfe
60de57163e 🐛 Fixed user images not being imported properly (#8834)
closes #8833

- Don't re-run gravatar check when importing users
2017-08-03 12:59:05 +04:00
Hannah Wolfe
f5443f8812 🐛 Fixed link that appears in update notification (#8830)
refs #8825

- The link was pointing to an install page, which had also moved
- Updated to point to the upgrade page
2017-08-03 11:32:35 +04:00
Aileen Nowak
a63c26a82b 🐛 Fixed custom post excerpt length (#8826)
closes #8823

- if a custom post excerpt is set, the default max length of 50 was used, which was wrong
- adds more tests
2017-08-02 15:09:12 +04:00
Katharina Irrgang
2f866a99f6 🐛 Fixed global and post code injection output (#8824)
no issue

- if a custom post code injection is defined, we output both
2017-08-02 15:06:51 +04:00
Katharina Irrgang
8f39d6cb5f Code Injection per Post feature (#8820)
no issue

- add 1.4 database migration to add two new fields to the database (use type text, because of max row size)
- handle global code injection vs. post code injection
- add tests
2017-08-02 13:38:19 +04:00
Hannah Wolfe
aa7f3dd5fd 🐛 Fixed pagination w/ letters duplicating content (#8796)
refs #8700

- if you used a url e.g. /page/2abc/ ghost would interpret the 2 as /page/2/
- these urls should have returned 404, but instead were responding correctly
- this effectively creates duplicate pages
- added a test, but needed a dirty hack to get it to work 😞
- TODO: update casper fixture and use it in channel tests!
2017-08-02 12:25:41 +04:00
Katharina Irrgang
c9e3f8b180 🐛 Fix ghost update with migrations (#8810)
no issue

- if you backup your database and you are in the middle of a transaction, the transaction was not fully forwarded
- we were running into a pool error in knex
2017-08-01 17:27:13 +04:00
Kevin Ansfield
4da94a287f 📝 Correct typos in default welcome posts (#8807)
closes #8806
- `omellete` -> `omelette`
- `sleak` -> `sleek`
2017-08-01 13:04:08 +04:00
Katharina Irrgang
7845617607 Custom Post Excerpt Feature (#8792)
closes #8793

- 1.3 post excerpt migration
  - add 1.3 migration to add `excerpt` to post schema

NOTE:
    - knex-migrator relies on the package.json safe version
    - so right now Ghost is on 1.2
    - the migration script is for 1.3
    - if you pull down the PR (or if we merge this PR into master), you have to run `knex-migrator migrate --v 1.3 --force`
    - knex-migrator will tell you what you have todo

- Bump dependencies
  - knex-migrator@2.1.3
- Soft limit for custom_excerpt
- Extended {{excerpt}} to use custom excerpt
   - when a `custom_excerpt` field exists, the `{{excerpt}}` helper will output this and fall back to autogenerated excerpt if not.
- Refactored behaviour of (meta) description
   - html tag `<meta name="description" />` for posts, tags and author doesn't get rendered if not provided.
        - fallback for `author.bio` removed
        - fallback for `tag.description` removed
   - structured data and schema.org for `post` context takes the following order to render description fields:
        1. custom excerpt
        2. meta description
        3. automated excerpt (50 words)
    - updated and added tests to reflect the changes
2017-08-01 12:39:34 +04:00
Grant Winney
d8fb7ce7f6 🐛 Fixed wrong min-width publication icon validation
closes #8797 

Changed the min-width for publication icon validation to allow icon greater or equal to 60px, rather than greater only.
2017-08-01 12:20:23 +04:00
Aileen Nowak
7ed706d653 ↙️ Minified CSS in AMP default template
closes #7314

Minified the CSS in the default `amp.hbs` template.
2017-07-31 16:24:03 +04:00
Katharina Irrgang
b003a6c173 🐛 fix transfer ownership (#8784)
closes #8781

- when the ownership get's transferred, the id of the new owner is not '1' anymore
- we previously added a database rule, which signalises if the blog is setup or not, see 827aa15757 (diff-7a2fe80302d7d6bf67f97cdccef1f71fR542)
- this database rule is based on the owner id being '1', which is wrong when you transfer ownership
- we should keep in mind, that the owner id being '1' is only the default Ghost setup, but it can change
- blog is setup if the owner is locked
2017-07-31 13:37:37 +04:00
John O'Nolan
0b5de14900 🎨 Improved SEO meta titles for paginated archives (#8785)
closes #8575
2017-07-31 13:13:06 +04:00
Hannah Wolfe
353e11dafb Primary tag (#8669)
refs #8668

- return primary tag from Post API
- support primary tag in URL
2017-07-31 13:00:03 +04:00
John O'Nolan
4333604480 Fix fixture typo 2017-07-31 12:43:58 +04:00
Austin Burdine
65d219c29a 🐛 🔗 resolve symlinks before building zip (#8780)
closes #8778

- if folderToZip is a symlink, find the target using fs.realPathSync so we zip the right thing
- add a test
2017-07-31 11:48:00 +04:00
Hannah Wolfe
301696632f 🛠 🙈 Rename ghost-url.js to ghost-sdk.js (#8767)
closes #8605

- This file has already been moved, might as well get the rename out of the way
- Especially as we don't migrate clients - everyone will now need to make just one change
2017-07-28 18:23:32 +04:00
Katharina Irrgang
3462f07f58 🎨 take the latest attached role when importing (#8765)
refs #8756

- there was a bug in one of the last LTS releases, which produced duplicated attached roles to users
- we want to prevent that on import and take the latest created based on the autoincrement id
2017-07-27 13:25:01 +04:00
Katharina Irrgang
948c279f60 🔥 fromaddress support (#8753)
refs #8748

- please use `from`
- documentation was already updated
2017-07-27 12:27:38 +04:00
John O'Nolan
0698be503a Site description fixture update (#8763)
No issue
2017-07-27 12:26:31 +04:00
Kevin Ansfield
57ffa4571c 🐛 fix "unbalanced tag" errors on save/import (#8759)
refs https://github.com/TryGhost/Ghost/issues/8757

- remove mobiledoc parsing, it's reliance on SimpleDom makes it too
fragile when dealing with the unconstrained user-entered HTML that is
allowed in markdown
2017-07-27 12:10:15 +04:00
Katharina Irrgang
ce3830f8a9 🚓 disqus comments (#8762)
closes #8760

- we have to remember the old post id's when migrating a blog from LTS to 1.0
- otherwise we would break disqus comments, because they rely on the post id
- this should fix the discovered situation
2017-07-27 11:55:23 +04:00
Kevin Ansfield
4f994a1a17 🐛 fix incorrect rendering of non-closing tags (eg. <br></br>) (#8749)
closes https://github.com/TryGhost/Ghost/issues/8743

- the serializer in our mobiledoc renderer didn't have the list of non-closing HTML tags passed in which meant that tags such as `<br>` in the markdown HTML output were being re-serialized to `<br></br>` which is invalid HTML which (at least Chrome) then attempts to fix by rendering it as `<br><br>` instead
- the elements with incorrect rendering that may result in unwanted "fixing" by browsers are `AREA`, `BASE`, `BR`, `COL`, `COMMAND`, `EMBED`, `HR`, `IMG`, `INPUT`, `KEYGEN`, `LINK`, `META`, `PARAM`, `SOURCE`, `TRACK`, and `WBR`
2017-07-25 15:50:33 +04:00
Katharina Irrgang
5ff7574324 🐛 user was not imported, but the importer tries to correct the reference (#8722)
no issue

- this is usually an edge case, but i investigated because i thought that the importer is broken
- the importer logic is build like this:
   - it creates a transaction
   - this transactions runs through:
      - beforeImport
      - doImport
      - afterImport
   - afterImport corrects user references and if a user could not be imported, we have to protect that
       NOTE: we could create two transactions to be more correct, but building this had no priority because of edge cases only
             having two transactions would solve: you first add the data (error or success), then you correct the data
   - usually a user can be always imported (!), but there are a few edge cases (e.g. multiple roles attached)
2017-07-21 09:59:18 +01:00
Katharina Irrgang
d6aaf2dbc7 🎨 do not run model listeners on import (#8720)
no issue

- if you upload a huge import file, parallel operations can throw errors e.g. lock wait exceeds
- this can happen if multiple transactions run in parallel
- there is no need to run:
  1. the removal of active tokens on import, because imported users have no active session
  2. rescheduling logic on timezone, because importing scheduled posts works out of the box via the model layer (if a published date is detected and it's in the future, the post get's scheduled)
2017-07-21 09:58:58 +01:00
Katharina Irrgang
60558a776f 🐛 be able to serve locked users (#8711)
closes #8645, closes #8710

- locked users were once part of the category "active users", but were moved to the inactive category
  -> we have added a protection of not being able to edit yourself when you are either suspended or locked
- but they are not really active users, they are restricted, because they have no access to the admin panel
- support three categories: active, inactive, restricted

* - revert restricted states
- instead, update permission layer: fallback to `all` by default, because you are able to serve any user status
- add more tests

- ATTENTION: there is a behaviour change, that a blog owner's author page can be served before setting up the blog, see conversation on slack
   -> LTS serves 404
   -> 1.0 would serve 200
2017-07-20 12:45:13 +01:00
Katharina Irrgang
59d7302da5 🐛 import invalid dates (#8712)
closes #8703, closes #8015

- add sanitize fn to importer
- check wether an imported date is a valid date
- if not, print a warning
2017-07-20 11:24:23 +01:00
Katharina Irrgang
90fc7a6c06 🐛 respect owner user id references when importing (#8693)
closes #8691 

There was a condition added when i've refactored the importer.

> if (models.User.isOwnerUser(obj[key])) {

This condition is absolutely wrong! If you import an owner user, this owner user get's imported as administrator. But the original owner user id reference must be updated as well, so that the reference points to the new administrator id ✌🏻
2017-07-20 11:11:56 +01:00
kirrg001
91f36fc241 🐛 invite existing users
refs #8692

- protect invite endpoint
2017-07-18 18:24:36 +01:00
kirrg001
d4c74e74c4 🐛 fix unknown user id on deactivated event
no issue

- if you delete an active user, Ghost logs an error message (Ghost does not crash!)
- but the event logic is not triggered, that means we don't delete the users tokens
- token deletion happens on: suspend a user and delete a user
2017-07-18 18:20:10 +01:00
kirrg001
522bd02224 🎨 Optimise permissble function in user model
no issue

- if you destroy a user with an unknown user id, Ghost would crash
- because `userModel.hasRole` is undefined

- there is actually a bigger underlying architectual problem:
   - the permission check should rely on an existing user
   - so there should be a first api layer, which 1. validates (this code exists) and 2. ensures that requested database id's exist
   - but this requires a bigger refactoring
2017-07-18 18:20:10 +01:00
Katharina Irrgang
35f12273ee 🔥 remove beta mentioning's (#8673)
no issue

- preparation for rc.1
2017-07-11 14:05:55 +01:00
Katharina Irrgang
e54d959289 🎨 transform console.log into logging (#8671)
closes #8361

- the console.log are not appearing in the logs
- fix jscs
- remove chalk.green from ghost server
2017-07-11 09:00:07 +01:00
John O'Nolan
cb2f754472 Update welcome post fixture (#8672)
Closes #8620

Info about how to delete the default Ghost user and all of the welcome posts along with it
2017-07-10 20:38:03 +07:00
Hannah Wolfe
6a45ca2605 🐛 Honour labs defaults on import (#8667)
closes #8601

- This makes sure that when you do an import, you still get the LATEST
  default settings for labs. Even if you had a different value before.
- LTS -> 1.0 is an upgrade, and Public API should be on by default, even if you
  had deliberately turned it off before.
- Cheeky test added
2017-07-09 14:31:53 +02:00
Aileen Nowak
c49e840fc6 🐛 Update amp.hbs image helper and meta (#8659)
no issue

Seems like we forgot to update the AMP template to reflect our image helper changes.

- Replaces `{{image}}` helper with `{{img_url}}` for `feature_image`
- Removes `{{meta_description}}` helper
2017-07-06 10:23:50 +02:00
Aileen Nowak
827aa15757 Add new fixture Ghost Author (#8638)
refs #8620

Adds a new Ghost Author user, which is the author of the new welcome blog posts. The user is set to active, so the author slug works (otherwise it would render a 404, when user is suspended). Furthermore, there's one little fix in the user model, which was checking only for `active` user to decide the signup or setup process for the UI. Adding one more conditional to check if the found active user is also the owner, prevents to get redirected to sign in.
2017-07-06 00:18:27 +02:00
Patrick Kim
83345d706f 🐛 Fix custom robots.txt via template directory. (#8648)
no issue

- serving a custom robots.txt from the active theme didn't work anymore
- re-ordering the blog middleware solves it
- see http://themes.ghost.org/docs/templates#section-robots-txt
2017-07-06 00:14:35 +02:00
Austin Burdine
49c8277390 fix(config): cleanup absolute path config function (#8641)
refs https://github.com/TryGhost/Ghost-CLI/issues/228

- don't try to reinvent path.isAbsolute
2017-07-06 00:04:18 +02:00
Aileen Nowak
dc25c06b31 🙈 Remove url from default production config (#8644)
closes #8619

Removes the `url` property from `config.production.json` as it's not needed and causes confusing errors.
2017-07-05 23:02:49 +02:00
Patrick Kim
c2e47f89ba 🐛 Modify regex to allow subdir/ghost urls. (#8627)
no issue

- redirect admin url's if Ghost uses a subdirectory
- fixes a bug where reset password and invite links do not route to the right destination
2017-06-27 09:08:59 +02:00
Hannah Wolfe
117aeaa61d Pass clientExtensions to Ghost Admin (#8617)
no issue

- pass through this additional config if it exists
2017-06-22 20:45:35 +02:00
Hannah Wolfe
2058127dc5 Enable Public API by default (#8600)
closes #8601 

- this doesn't take the feature out of beta, but does enable it by default
- no need to enable the public api in the test anymore
- because public api is enabled by default
2017-06-20 10:10:49 +07:00
Aileen Nowak
c3dbd0e56b 🐛 Remove trailing slash for {{@blog.url}} (#8596)
closes #8569

- remove the trailing slash for `{{@blog.url}}` data in theme middleware
2017-06-19 16:11:53 +02:00
Aileen Nowak
35bd0aeb60 🐛 Fix error message for login when password wrong (#8594)
closes #8565

- isPasswordCorrect fn returns a specific error, which we simply forward
- no need to wrap a custom error into a new custom error
- the rule is always: if you are using a Ghost unit/function, you can expect that this unit returns a custom error
2017-06-19 10:37:58 +02:00
David Wolfe
bc301463c7 Fix sitemap for author permalink (#8585)
refs #8494
- include author in postgenerator for sitemap
2017-06-15 18:25:18 +01:00
Kevin Ansfield
88ba07f657 📖 shorten mail config docs links (#8592)
no issue
- URL on docs.ghost.org has been shortened for more readable display in
errors
2017-06-15 18:04:48 +01:00
Aileen Nowak
5bc5eca315 🐛 Fix double slash in scheduling API URL (#8574)
closes #8568

- use our `urlJoin` util to concatenate the URL (not the query part of it, as this is not supported in `urlJoin`) and to prevent possible missing or double slashes, as `config.apiUrl` could be with or without trailing slash
2017-06-14 16:26:28 +02:00
Aileen Nowak
57f8367cdf 🐛 Add published_at to post model fixtures (#8573)
closes #8562
- before we create our model fixtures, we assign a `published_at` property with a difference of 1 second for each blog post, so the `prev_post` and `next_post` helpers work correctly
2017-06-13 10:27:42 +01:00
Katharina Irrgang
f5ef8dbb52 📖 replace any support.ghost.org link (#8555)
refs #7421
2017-06-08 20:34:20 +01:00
Katharina Irrgang
ce7d731d8f 📖 Update Ghost bootstrap logs (#8531)
refs #7421

Change Alpha wording to beta wording for the bootstrap logs.
2017-06-08 20:32:55 +01:00
Kevin Ansfield
f675a962cf 📖 new default post content (#8548)
closes #8542
- updates default post fixtures
- adds default logo and cover images to settings fixtures
- update tests due to coupling to dev/prod fixtures
2017-06-08 16:36:14 +01:00
Katharina Irrgang
d6d343865b 🎨 show clearer error for wrong content path (#8535)
no issue
2017-06-07 16:31:01 +07:00
Katharina Irrgang
216db60e74 🔥 config: remove print error stack option (#8528)
no issue

Stack printing was removed for now.
The config options weren't cleaned up correctly.
2017-06-07 15:02:19 +07:00
Hannah Wolfe
3996b5debb 🐷 💄 Tiny theme-related improvements (#8532)
refs #8530

- display theme name for non-fatal errors
- minor wording tweak
- remove duplicate lodash require
- use the shiny new calculated property syntax
2017-06-06 13:33:18 +02:00
kirrg001
8680099765 🎨 gscan 1.1.0 & optimisations
refs #8222

- differentiate between errors and fatal errors
- use gscan errors in theme middleware
- Adds a new `error()` method to `currentActiveTheme` constructor which will return the errors we receive from gscan
- In middleware, if a theme couldn't be activated because it's invalid, we'll fetch the erros and send them to our error handler. We also use a new property `hideStack` to control, if the stack (in dev mode and if available) should be shown or the gscan errors (in prod mode, or in dev if no stack error)
- In our error handler we use this conditional to send a new property `gscan` to our error theme
- In `error.hbs` we'll iterate through possible `gscan` error objects and render them.
- remove stack printing
- stack for theme developers in development mode doesn't make sense
- stack in production doesn't make sense
- the stack is usually hard to read
- if you are developer you can read the error stack on the server log
- utils.packages: transform native error into Ghost error
- use `onlyFatalErrors` for gscan format and differeniate fatal errors vo.2
- optimise bootstrap error handling
- transform theme is missing into an error
- add new translation key
- show html tags for error.hbs template: rule
2017-06-06 13:07:50 +07:00
Katharina Irrgang
a61e6e7cc2 🐛 fix settings cache (#8506)
closes #8505

- cache.get(..) auto converted "1" to integer
2017-06-04 17:52:22 +07:00
David Wolfe
b081ae34b5 🎨 Support LTS imports (#8498)
refs #8141

- update importer for LTS fields
- optimise for LTS export fixtures
- add image/language test for LTS import
- ensure post image is mapped to feature_image
- create mobiledoc values from markdown and html
- if mobiledoc is null, use markdown or html to create a mobiledoc markdown card
- update import mapping to use locale
- defaultLang in settings now maps to default_locale
- language for post and user models now maps to locale
- posts are not always loaded in correct same order so we select the posts we want to validate
- ensure if mobiledoc field is not in export we can still import from markdown
- map last_login to last_seen
- for users the importer maps last_login to last_seen
- add warning for legacyActiveTheme
- for export with old activeTheme key provide a warning that theme is not installed
- add importer test for LTS user long email
- add a test for LTS export where email address could be longer than alpha
- fix for importer date tests on mysql
- use valueOf in moment to compare times stored in different formats
- ignore warnings for not found settings in import
- use a flag to ignore NotFound Entries for settings during import
2017-06-04 11:53:00 +02:00
Katharina Irrgang
9023ff0b68 😝 replace removeSync by sync (#8513)
refs #8510

- nothing to see here!
2017-06-01 19:11:50 +07:00
kirrg001
78ac63d8ad 🎨 add cache control configurations into the default config
refs #7488

- cache control can be overridden if needed
2017-05-31 16:12:11 +01:00
kirrg001
e3ef3103a1 🎨 internalApps -> apps.internal
refs #7488

- simply rename the config usage
- we might want to add `apps.external` later
2017-05-31 16:12:11 +01:00
Katharina Irrgang
18b71f32b1 🎨 rename language to locale and use en as default locale (#8490)
no issue
- this PR references indirecty to https://github.com/TryGhost/Ghost/pull/8437
- i would like to have the settings change already in place before we release the beta
- the i18n feature is able to change the locale of Ghost
- most i18n libraries use locale
- adding/changing settings doesn't require a migration file, but it can make the database a bit messy (because you can end up with default_locale and lang)
- furthermore we agreed that the default locale for Ghost should be simply `en`, not `en_US` or `en_GB`
2017-05-31 16:05:49 +01:00
Kevin Ansfield
85496f409a 🔥 remove posts.markdown field (#8497)
closes #8479

- removes `markdown` field from schema
- removes `legacyMarkdown` converter
- updates tests to work with `mobiledoc` field instead of `markdown` and adapt for mobiledoc HTML output where necessary
2017-05-31 16:46:29 +02:00
Hannah Wolfe
3e60941054 Add ?formats param to Posts API (#8305)
refs #8275
- Adds support for `formats` param
- Returns `html` by default
- Can optionally return other formats by providing a comma-separated list
2017-05-30 11:40:39 +01:00
Katharina Irrgang
25c4e5025a 🔥 revert: force admin url redirect (#8493)
refs #8152
- as long as OAuth is disabled, we can revert the url redirection (see comment)
- the redirect only happens if you configure a specific `admin.url`
- add another test case, which was missing
2017-05-30 10:19:14 +01:00
John O'Nolan
476caa5c2f 🎨 Update fixtures: Ghost owner (#8460)
no issue

- use a better name for default user pre-setup
- make it clear that this email address is an example, not real
2017-05-29 19:25:19 +02:00
Katharina Irrgang
925d72198c 🐛 Ensure post tags sort order is correct when importing (#8481)
refs #6967, refs #5422

- imports posts tags by post id and sort order
- test: fix order problem (sqlite)
2017-05-23 19:12:08 +01:00
Katharina Irrgang
1f37ff6053 🎨 refactor the importer (#8473)
refs #5422

- we can support null titles after this PR if we want
- user model: fix getAuthorRole
- user model: support adding roles by name
- we support this for roles as well, this makes it easier when importing related user roles (because usually roles already exists in the database and the related id's are wrong e.g. roles_users)
- base model: support for null created_at or updated_at values
- post or tag slugs are always safe strings
- enable an import of a null slug, no need to crash or to cover this on import layer
- add new DataImporter logic
    - uses a class inheritance mechanism to achieve an easier readability and maintenance
    - schema validation (happens on model layer) was ignored
    - allow to import unknown user id's (see https://github.com/TryGhost/Ghost/issues/8365)
    - most of the duplication handling happens on model layer (we can use the power of unique fields and errors from the database)
- the import is splitted into three steps:
  - beforeImport
    --> prepares the data to import, sorts out relations (roles, tags), detects fields (for LTS)
  - doImport
    --> does the actual import
  - afterImport
    --> updates the data after successful import e.g. update all user reference fields e.g. published_by (compares the imported data with the current state of the database)
- import images: markdown can be null
- show error message when json handler can't parse file
- do not request gravatar if email is null
- return problems/warnings after successful import
- optimise warnings in importer
- do not return warnings for role duplications, no helpful information
- error handler: return context information of error
- we show the affected json entries as one line in the UI
- show warning for: detected duplicated tag
- schema validation: fix valueMustBeBoolean translation
- remove context property from json parse error
2017-05-23 17:18:13 +01:00
Ryan McCarvill
957f51e677 🐝 Allow unbalanced HTML in markdown card. (#8320)
no issue

The simpledom interpreter that the Mobiledoc DOM renderer uses does not allow for unbalanced or incorrect HTML such as that which is entered by a user.

This PR adds a step where the HTML is sanitised and balanced before being passed to simpledom.

- use latest jsdom (+pin version), update yarn.lock, add comments
- don't use node-4 incompatible shorthand method definition
- grab <body> content rather than document content
- update markdown card specs to match markdown-it behaviour
- revert to jsdom 9.12.0 for node 4.x support, close window to free memory
- moved 3rd party libs into render function
2017-05-23 16:15:32 +02:00
Katharina Irrgang
b22151ac92 🎨 do not ping slack if we import content (#8476)
closes #7275

- forward options for events (post model only for now)
2017-05-22 17:24:59 +09:00
Aileen Nowak
c7bbaffec3 ️ Throw clear error message when config.url has no protocol (#8466)
closes #8449

- throw a more clear error message
2017-05-21 18:00:11 +02:00
Kevin Ansfield
5d868d14ad replace custom showdown fork with markdown-it (#8451)
refs https://github.com/TryGhost/Ghost-Admin/pull/690, closes #1501, closes #2093, closes #4592, closes #4627, closes #4659, closes #5039, closes #5237, closes #5587, closes #5625, closes #5632, closes #5822, closes #5939, closes #6840, closes #7183, closes #7536

- replace custom showdown fork with markdown-it
- swaps showdown for markdown-it when rendering markdown
- match existing header ID behaviour
- allow headers without a space after the #s
- add duplicate header ID handling
- remove legacy markdown spec
- move markdown-it setup into markdown-converter util
- update mobiledoc specs to match markdown-it newline behaviour
- update data-generator HTML to match markdown-it newline behaviour
- fix Post "converts html to plaintext" test
- update rss spec to match markdown-it newline behaviour
- close almost all related showdown bugs
2017-05-15 18:48:14 +02:00
Aileen Nowak
3bae41ccff 🎨 Use svg icons in default templates (#8343)
refs #8107

- replace icon fonts in server side rendered default templates with svgs
2017-05-15 13:43:58 +02:00
Rei
e066094044 🐛 https image urls if accessed over SSL (#8373)
closes #8372

- https image urls if accessed over SSL (fix secure option for images)
2017-05-15 13:09:48 +02:00
Aileen Nowak
1b965fab95 🎨 Move scheduling and storage in adapters/ (#8435)
no issue

Move `core/server/scheduling` to `core/server/adapters/scheduling` and
`core/server/storage` to `core/server/adapters/storage`
2017-05-15 12:52:01 +02:00
Katharina Irrgang
9bea2077cf 🐛 ensure import of scheduled posts works (#8454)
closes #8354

- i thought about transforming scheduled posts into drafts on export, but this has two disadvantages:
  1. existing exports with scheduled posts won't import
  2. if you schedule a post for next week and you export/import earlier, the post is back to draft
- by this we ensure that we can simply import the post back to a scheduled post
- if the published_at is already in the past, the scheduler will care and instantly publish the post
2017-05-12 15:11:52 +02:00
Katharina Irrgang
524cc4c343 🐛 escape blog title for mail header (#8453)
closes #8436

- this is how the from field looks like "blog title <owner@blog.com>"
- so if you set your blog title with double quotes, it throws a syntax error from the smtp library
2017-05-12 15:09:45 +02:00
Katharina Irrgang
37e28cb6ef 🐛 fix updated_at is null (#8434)
closes #8426

- if you import posts with updated_at=null, you are not able to save this post anymore
- i am not sure how this is even possible, but maybe there is a case where updated_at can be null
2017-05-12 12:36:26 +01:00
Kevin Ansfield
c71cf643e2 update default post to use a single markdown card (#8448)
no issue

- now that we've switched to using a SimpleMDE based editor in Ghost-Admin the default post needs to match the expected single-markdown-card format
2017-05-12 10:08:45 +02:00
Katharina Irrgang
7549473a86 🚑 Disable remote authentication (#8346)
closes #8342
- extend auth validation to deny auth type "ghost" for now
- skip some tests
2017-04-24 18:56:49 +01:00
Katharina Irrgang
2300219016 🎨 optimise error handling (#8378)
no issue
- if you start Ghost and you theme is invalid, you only get a warning, but no reason
- furthermore, if any error is thrown in Ghost, which is not a custom Ignition error, we take care that the error message to inherit from shows up
2017-04-24 18:46:10 +01:00
Katharina Irrgang
4e2474a018 🎨 settings inconsistency (#8381)
no issue
- replace camelCase settings keys with underscore_case for consistency
- discussed here https://github.com/TryGhost/Ghost-Admin/pull/661#discussion_r112939982
2017-04-24 18:41:00 +01:00
Katharina Irrgang
76bd4fdef6 🙀 Image field naming & new img_url helper (#8364)
* 🙀  change database schema for images
    - rename user/post/tag images
    - contains all the required changes from the schema change

* Refactor helper/meta data
    - rename cover to cover_image
    - also rename default settings to match the pattern
    - rename image to profile_image for user
    - rename image to feature_image for tags/posts

* {{image}} >>> {{img_url}}
    - rename
    - change the functionality
    - attr is required
    - e.g. {{img_url feature_image}}

* gscan 1.0.0
    - update yarn.lock

* Update casper reference: 1.0-changes
    - see 5487b4da8d
2017-04-24 18:21:47 +01:00
Katharina Irrgang
c93f03b87e post update collision detection (#8328) (#8362)
closes #5599

If two users edit the same post, it can happen that they override each others content or post settings. With this change this won't happen anymore.

 Update collision for posts
- add a new bookshelf plugin to detect these changes
- use the `changed` object of bookshelf -> we don't have to create our own diff
- compare client and server updated_at field
- run editing posts in a transaction (see comments in code base)

🙀  update collision for tags
- `updateTags` for adding posts on `onCreated` - happens after the post was inserted
   --> it's "okay" to attach the tags afterwards on insert
   --> there is no need to add collision for inserting data
   --> it's very hard to move the updateTags call to `onCreating`, because the `updateTags` function queries the database to look up the affected post
- `updateTags` while editing posts on `onSaving` - all operations run in a transactions and are rolled back if something get's rejected

- Post model edit: if we push a transaction from outside, take this one

  introduce options.forUpdate
- if two queries happening in a transaction we have to signalise knex/mysql that we select for an update
- otherwise the following case happens:
  >> you fetch posts for an update
  >> a user requests comes in and updates the post (e.g. sets title to "X")
  >> you update the fetched posts, title would get overriden to the old one

use options.forUpdate and protect internal post updates: model listeners
- use a transaction for listener updates
- signalise forUpdate
- write a complex test

use options.forUpdate and protect internal post updates: scheduling
- publish endpoint runs in a transaction
- add complex test
- @TODO: right now scheduling api uses posts api, therefor we had to extend the options for api's
  >> allowed to pass transactions through it
  >> but these are only allowed if defined from outside {opts: [...]}
  >> so i think this is fine and not dirty
  >> will wait for opinions
  >> alternatively we have to re-write the scheduling endpoint to use the models directly
2017-04-19 14:53:23 +01:00
Aileen Nowak
482ea12a08 🎨 New default favicon.ico (#8351)
no issue

- new default `favicon.ico`
- design has changed
2017-04-19 11:03:38 +02:00
Katharina Irrgang
f2fd075075 🎨 fix previos/current date comparison (isEqual in bookshelf) (#8357)
no issue

- client dates are sent as ISO format (moment(..).format())
- server dates are in JS Date format
  >> when bookshelf fetches data from the database, all dates are transformed into JS dates
  >> see `parse` helper function
- Bookshelf updates the model with the client data via Bookshelf's `set` function
- therefor Bookshelf uses a simple `isEqual` function from lodash to detect changes
- .previous(attr) and .get(attr) return false
- that has the concequence that dates are always marked as "changed"
- internally we use our `hasDateChanged` if we have to compare previous/updated dates
- but Bookshelf is not in our control for this case
2017-04-19 10:59:09 +02:00
Katharina Irrgang
f7393686f8 🐛 UTC offset for scheduled posts when changing timezone (#8356)
no issue

- the UTC offset diff of the current and previous timezone must switch
- i have added more tests and more example case descriptions to understand why
2017-04-19 10:26:33 +02:00
Aileen Nowak
e19e91044d 🙇 Blog icon utils and publisher.logo for JSON-LD (#8297)
refs #8221, closes #7688, refs #7558

🙇  Improve meta data publisher logo behaviour
This is a follow-up PR for #8285.

Reasons: The code changes of #8285 caused error messages when falling back to the default `favicon.ico`, as the `image-size` tool doesn't support `ico` files.

This PR takes the logic to decide which logo needs to be listed in our schema into a new fn `blog_logo.js`. There we have now three decisions:
1. If we have a publication **logo**, we'll take that one
2. If we have no publication logo, but an **icon** we'll use this one.
3. If we have none of the above things, we fall back to our default `favicon.ico`

Additional, we're hard coding image dimensions for whenever the logo is an `.ico` file and built and extra decision to not call `image-size` when the dimension are already given.

I will create another follow-up PR, which checks the extension type for the file and offers it as a util.

🛠  Blog icon util

refs #7688

Serve functionality around the blog icon in its own util:
- getIconDimensions -> async function that takes the filepath of on ico file and returns its dimensions
- isIcoImageType -> returns true if file has `.ico` extension
- getIconType -> returns icon-type (`x-icon` or `png`)
- getIconUrl -> returns the absolut or relativ URL for the favicon: `[subdirectory or not]favicon.[ico or png]`

📖  Get .ico sizes for meta data & logo improvement

refs #7558
refs #8221

Use the new `blogIconUtil` in meta data to fetch the dimensions of `.ico` files.

Improvements for `publisher.logo`: We're now returning a hard-coded 'faked' image dimensions value to render an `imageObject` and prevent error our schema (Google structured data). As soon as an image (`.ico` or non-`.ico`) is too large, but - in case of non-`.ico` - a square format, be set the image-dimensions to 60px width and height. This reduces the chances of getting constantly error messages from Googles' webmaster tools.

- add getIconPath util
2017-04-11 18:32:06 +02:00
Katharina Irrgang
049b6d9874 add issued_by column to access token (#8284)
closes #6626

- see https://github.com/TryGhost/Ghost/issues/6626#issuecomment-291445977
- adding this column could make our lives easier in the future
2017-04-11 13:12:14 +01:00
Aileen Nowak
a3387adb99 🐝 Add image property to rss (#8289)
refs #7688

Adds an image property to our generated rss data, which links to the favicon (has to be `.png` reg. http://www.rssboard.org/rss-2-0-1#ltimagegtSubelementOfLtchannelgt).
2017-04-11 13:54:52 +02:00
Aileen Nowak
d9d182f7ba 🎨 Blog icon improvements (#8260)
refs #7688

- blog icon error message
- change default favicon to 60px
2017-04-11 13:40:17 +02:00
Hannah Wolfe
06fc5f4508 Autofill plaintext field on save (#8304)
refs #8275

- If the HTML field has changed, update the plaintext field
- Use html-to-text to generate a plaintext version of the HTML which retains some structure
- Add a couple of tests - although there's much to do here!
2017-04-11 10:55:36 +02:00
Aileen Nowak
4ba5cc862a 🐛 Blog icon improvements (#8298)
refs #7688

- renders the correct `/favicon.ico` or `/favcicon.png` in `{{ghost_head}}`
- removes an regex issue in `serve-favicon`
2017-04-10 12:04:46 +01:00
Hannah Wolfe
a413d70313 Asset amends (#8294)
refs #8221

🔥 Remove ghost=true concept from asset url helper

 💯 Introduce CSS minification with cssnano
- add new grunt-cssnano dependency
- wire up grunt task to minify public/ghost.css

🎨 Rename minification config & hash params
- Change minifyInProduction -> hasMinFile
  - this means this asset should have a .min file available
- Change minifyAssets -> useMinFiles
  - this means that in this env we want to serve .min files if available

🎨 Update public/ghost.css to serve .min for prod
- add the new `hasMinFile` property

🎨 Move minified asset handling to asset_url util
- this logic should be in the util, not the asset helper
- updated tests

📖 Error handler always needs asset helper
- this removes the TODO and adds a more sensible comment
- we also need to update our theme documentation around error templates

🔥 Don't use asset helper in ghost head
- use getAssetUrl util instead!
- removed TODO

📖 Update proxy docs
🎨 Simplify asset helper & add tests
- this refactor is a step prior to moving this from metadata to being a url util
- needed to skip some new tests

🐛 Add missing handler for css file
2017-04-10 11:30:21 +02:00
Aileen Nowak
f0f3c2f2a7 👋🏼 Don't use ghosticon.jpg from admin assets (#8285)
refs #8221

Use our default `favicon.ico` instead of `ghosticon.jpg` which is served from the admins' assets.
Adds additionally fake image dimensions for our json-ld data to satisfy Google.
2017-04-07 14:07:47 +01:00
Aileen Nowak
83f084608f 💁🏻 Moveshared/ to server/public (#8273)
refs #8221

Instead of serving our shared assets from a `shared/` folder, we move the file, which are used server side to `server/public`.
Adds a new `config.paths` entry: `publicFilePath` and renames the middleware to serve the files to reflect the changes.
Adds `404-ghost.png` images to be used by the server side rendered default template `error.hbs`.
2017-04-07 13:21:41 +01:00
Katharina Irrgang
be5b58432b 🎨 change location of adapters (#8286)
closes #7687

- change location from content/storage or content/scheduling to content/adapters/storage or content/adapters/scheduling
- i have added a @TODO to https://github.com/TryGhost/Ghost/issues/7421 to check if both adapter types needs an update in the documentation
2017-04-07 10:53:38 +01:00
Katharina Irrgang
59a8911830 🐛 fix hasDateChanged (#8291)
no issue
- i don't know if this never worked or has worked and something changed in bookshelf
- but this fixes: saving the content (no change for published_at) of a scheduled post within the 2minutes window
- add `beforeWrite` option to hasDateChanged helper, see comment
- use previous for `beforeWrite` operations
- add a test and fix some other small issues in the scheduler tests
2017-04-06 17:49:59 +01:00
Katharina Irrgang
38fe4d2842 🐛 subscriber: sanitize email vol. 2 (#8280)
no issue


🐛  subscriber: sanitize email vol. 2
- ensure email get's sanitized for every error case

🐛  validator.isEmptyOrURL doesn't accept non strings
- otherwise it shows a weird error message in the client

  new tests for subscriber app
- routing tests

* change tests for Ghost 1.0
* it took me 15min to find this 😡
2017-04-05 22:02:16 +01:00
Katharina Irrgang
64d2a94073 🐛 fix image size timeout (#8283)
closes #8041

- destroy socket is required, see https://nodejs.org/api/http.html#http_server_settimeout_msecs_callback
- optimise error messages in general
- make timeouts configureable
2017-04-05 21:58:26 +01:00
Katharina Irrgang
1bcd25fdbf 🎨 delete all content: do not delete subscribers (#8282)
closes #7875
2017-04-05 21:57:41 +01:00
Katharina Irrgang
587ff6f026 🎨 change last_login to last_seen (#8259)
refs #8258

* 🎨  change last_login to last_seen

- rename the column
- a change in Ghost-Admin is required as well

* test utils: revert export examples

* revert line breaks
2017-04-05 20:45:55 +01:00
Hannah Wolfe
9b3c3943ef Add new plaintext field (#8276)
refs #8275

- this PR only adds the field for now, so we can merge this along with other DB changes
2017-04-05 21:28:13 +02:00
Hannah Wolfe
4b49f39e55 📖 Change the welcome to ghost fixture to be mobiledoc (#8277)
refs #8275

- this switches over the fixture to be mobiledoc based. Most of the content was to do with markdown so it has been replaced with placeholder text
- content will be replaced via #8275
2017-04-05 21:16:28 +02:00
Aileen Nowak
581ff67499 🐛 correct favicon redirects with subdirectory (#8274)
refs #7688, #8221 

Use our url util `urlFor` to ensure, the redirect includes the subdirectory, if set up.
2017-04-05 15:28:52 +01:00
Katharina Irrgang
817b8d09ca 😱 🎨 Refactor storage adapter (#8229)
refs #7687

There are four main changes in this PR:

we have outsourced the base storage adapter to npm, because for storage developers it's annoying to inherit from a script within Ghost
we hacked theme storage handling into the default local storage adapter - this was reverted, instead we have added a static theme storage here
use classes instead of prototyping
optimise the storage adapter in general - everything is explained in each commit

----

* rename local-file-store to LocalFileStorage

I would like to keep the name pattern i have used for scheduling.
If a file is a class, the file name reflects the class name.
We can discuss this, if concerns are raised.

* Transform LocalFileStorage to class and inherit from new base

- inherit from npm ghost-storage-base
- rewrite to class
- no further refactoring, happens later

* Rename core/test/unit/storage/local-file-store_spec.js -> core/test/unit/storage/LocalFileStorage_spec.js

* Fix wrong require in core/test/unit/storage/LocalFileStorage_spec.js

* remove base storage and test

- see https://github.com/kirrg001/Ghost-Storage-Base
- the test has moved to this repo as well

* Use npm ghost-storage-base in storage/index.js

* remove the concept of getStorage('themes')

This concept was added when we added themes as a feature.
Back then, we have changed the local storage adapter to support images and themes.
This has added some hacks into the local storage adapters.
We want to revert this change and add a simple static theme storage.

Will adapt the api/themes layer in the next commits.

* Revert LocalFileStorage

- revert serve
- revert delete

* add storagePath as property to LocalFileStorage

- define one property which holds the storage path
- could be considered to pass from outside, but found that not helpful, as other storage adapters do not need this property
- IMPORTANT: save has no longer a targetDir option, because this was used to pass the alternative theme storage path
- IMPORTANT: exists has now an alternative targetDir, this makes sense, because
  - you can either ask the storage exists('my-file') and it will look in the base storage path
  - or you pass a specific path where to look exists('my-file', /path/to/dir)

* LocalFileStorage: get rid of store pattern

- getUniqueFileName(THIS)
- this doesn't make sense, instances always have access to this by default

* Add static theme storage

- inherits from the local file storage, because they both operate on the file system
- IMPORTANT: added a TODO to consider a merge of themes/loader and themes/storage
- but will be definitely not part of this PR

* Use new static theme storage in api/themes

- storage functions are simplified!

* Add https://github.com/kirrg001/Ghost-Storage-Base as dependency

- tarball for now, as i am still testing
- will release if PR review get's accepted

* Adapt tests and jscs/jshint

* 🐛  fix storage.read in favicon utility

- wrong implementation of error handling

* 🎨  optimise error messages for custom storage adapter errors

* little renaming in the storage utlity

- purpose is to have access to the custom storage instance and to the custom storage class
- see next commit why

* optimise instanceof base storage

- instanceof is always tricky in javascript
- if multiple modules exist, it can happen that instanceof is false

* fix getTargetDir

- the importer uses the `targetDir` option to ensure that images land in the correct folder

* ghost-storage-base@0.0.1 package.json dependency
2017-04-05 15:10:34 +01:00
Hannah Wolfe
243b387063 Helper Proxy & single express-hbs instance (#8225)
refs #8126, #8221, #8223

 New 'Proxy' for all helper requires
- this is not currently enforced, but could be, much like apps
- the proxy object is HUGE
- changed date to use SafeString, this should have been there anyway
- use the proxy for all helpers, including those in apps 😁

 🎨 Single instance of hbs for theme + for errors
- we now have theme/engine instead of requiring express-hbs everywhere
- only error-handler still also requires express-hbs, this is so that we can render errors without extra crud
- TODO: remove the asset helper after #8126 IF it is not needed, or else remove the TODO

🎨 Cleanup visibility utils
🎨 Clean up the proxy a little bit
🚨 Unskip test as it now works!
🎨 Minor amends as per comments
2017-04-04 18:07:35 +02:00
Katharina Irrgang
d4836af18a 🐛 fix owner user slug (#8263)
closes #8067

- this is only a bug present for remote authentication
- right now the remote service does not return the name of the user
- depends on an internal PR
- force regenerating the slug on setup
- override name for signin or invite if needed
2017-04-04 14:56:04 +01:00
Katharina Irrgang
fd75fcdd36 🎨 change default auth strategy for development mode (#8252)
no issue

- we would like to switch to password strategy when developing
- this can be overridden by a custom development configuration
2017-04-04 11:55:05 +01:00
Aileen Nowak
e06547ae78 Split css server templates (#8234)
closes #8126

* Remove default template dependency on client side CSS

See Issue #8126

Adds these files under /shared
- normalizer.css
- error.css
- extracted.css (for subscribers.css and private.css)

Also makes these files available as public static content

* Remove default template dependency on client CSS

closes #8126
needs e3acd3c

This is a replacement PR of #8217 (thanks @TienSFU25 for the whole work 🤗), because these changes are needed urgently and blocking other work.

Adds a new `ghost.css` file in `/core/shared/` to be used for server side template rendering (`error.hbs`, `subscribe.hbs` and `private.hbs`).
2017-04-04 10:06:38 +01:00
Katharina Irrgang
e9438c650d 🐛 fix get helper: public api labs (#8255)
no issue
2017-04-03 17:42:50 +01:00
Hannah Wolfe
0fff91c860 🐛 Fix the config for compression (#8226)
refs #7488

- This has always been documented as top-level "compress", and yet the code references server.compress
- Should be top level
2017-04-03 10:58:07 +02:00
Kevin Ansfield
c9e0c252f0 grunt dev admin livereload (#8176)
refs https://github.com/TryGhost/Ghost/issues/8161, requires https://github.com/TryGhost/Ghost-Admin/pull/590
- adds a development-only route to the admin app that redirects to ember-cli's livereload script
- updates Gruntfile `watch` task to pass the `live-reload-base-url` param with subdirectory support
- updates Gruntfile `bgShell:client` task to filter potentially confusing output from `ember serve`
  - removes `Livereload server on http://localhost:49153`
  - removes `Serving on http://localhost:4200/`

With this and the required Ghost-Admin PR, when using `grunt dev` the admin screen will refresh any time a file is changed. It will also allow client tests to be run simultaneously by visiting http://localhost:4200/tests
2017-03-30 13:27:07 +01:00
Ryan McCarvill
d0dc7c5ee1 📦 Card-Rename (#8218)
no issue
- Renames Cards so they comply with the `card-{{name}}` convention rather than `{{name}}-card`
- Adds an unkonwnCardHandler to the editor.
2017-03-24 10:03:33 +00:00
Hannah Wolfe
3cea203459 🔥 🎨 Cleanup & simplify theme helpers (#8223)
no issue

🔥 Remove adminHbs concept from tests
🔥 Get rid of unnecessary helper test utils
🔥 Remove helper missing code
- this hasn't been registered / used for ages 😱
- gscan no longer allows us to activate themes that have missing helpers, so this wouldn't be used anyway
TODO: consider whether we should make a way to override this?

🎨 Reduce coupling inside of /helpers
🎨 Use settingsCache in ghost_foot
 Labs util for enabling helpers
🎨 Move loadCoreHelpers to blog
- This needs a proper home, but at the very least it doesn't belong
in server/app.js!

🎨 Use settingsCache in ghost_head
2017-03-23 20:00:58 +01:00
Hannah Wolfe
317daf5549 🎨 🚨 Split theme tests, clean config & add tests (#8205)
refs #7491

- split themes_spec up into several files
- clean up the code for configuration
- ensure its tested
2017-03-22 07:52:58 +01:00
Katharina Irrgang
e903be6679 🐛 fix favicon path (#8190)
closes #8187

- if you start Ghost via the Ghost-CLI, the path to the favicon must be absolute
- because the CLI spawns a Ghost process from the root folder of the CLI folder e.g. node current/index.js
2017-03-21 11:44:39 +00:00
Hannah Wolfe
495eee7747 Use "mounting" concept for active theme (#8193)
no issue

🔥 Remove DIRTY HACK for API
- this is no longer needed, because themes get mounted in every case

 Switch to concept of 'mounted' theme
- check if active theme is mounted
- if not, mount it
- mounting is a function OF the active theme

🎨 Move theme middleware to theme module

🎨 Update theme middleware function names
- update the function names and comments to be more representative of their current functions
- this was pretty old and out of date!

🚨 Fixup tests for middleware
- ensure the objects match what we expect
- based partially on theme docs

Update TODO
2017-03-21 10:03:09 +01:00
Hannah Wolfe
47e00900cc 💄 🐷 Test consistency (#8199)
no issue

- change out should.equal for // jshint ignore:line
- ensure should is the first require in every test, and ALWAYS require
- make sinon the second require, and sandbox the last thing
- ALWAYS use sandbox, futureproofs tests against contributors who don't know it
- change require formatting
2017-03-21 09:24:11 +01:00
Hannah Wolfe
fad0ac7213 🐛🎨 Theme API minor improvements (#8197)
no issue

🎨 🐛 Ensure cache is updated correctly for themes
- Insure the cache invalidation headers are always set correctly for the themes API

📖  Theme API comments / function naming
- this is an update for clarity, so we can see what further improvements can be made

🐛 🎨 Add permissions to themes.browse
2017-03-20 19:02:44 +01:00
Katharina Irrgang
4e3e1bdfc9 Call getImageSize with timeout (#8044) (#8189)
refs #8041

Calls `getImageSize` with an timeout of 6sec. and adds a default timeout (in case, function is called without optional timeout) of 10sec, to prevent node from using its default timeout of 2minutes 😱
2017-03-20 12:17:27 +00:00
Hannah Wolfe
d294177966 🔥 Remove handlebars from serving admin (#8184)
refs TryGhost/Ghost#8140
refs TryGhost/Ghost-Admin#593

- now that the admin index page is just html, we don't need handlebars anymore
- as we can use res.sendFile to send the static HTML file, don't need to "render" it anymore
- remove the view engine, hbs and the use of helpers - it's all unneeded
- change the filenames to .html to reflect this
2017-03-20 12:00:18 +00:00
Ryan McCarvill
f61aa662c1 Removed ghost editor dependency (#8137)
refs #7429
- ☢️ 👷🏻‍♀️ This PR removes the dependency on Ghost-Editor and replaces it with the Mobiledoc DOM renderer. It includes new DOM based default cards and atoms.
2017-03-14 18:07:33 +00:00
Hannah Wolfe
3416c05064 Posts per page as theme-config (#8149)
closes #8131

- Remove ppp from default-settings.json
- Remove ppp from meta (unused?\!)
-  Basic concept of theme config
- use theme config ppp setting
-  Make @config.posts_per_page helper available
- rather than @blog.posts_per_page, we now have @config.posts_per_page
- 🚨 Test updates
- Adding TODO note
2017-03-14 18:03:36 +01:00
Hannah Wolfe
b8162b15e3 🐛 Move meta description into ghost head (#8150)
closes #4424

- meta description is an optional SEO tag that we can provide when we have sensible output
- in the cases where we have no useful output, we should not output the tag at all
- ghost_head now takes care of this, and themes should not include their own meta description tag
2017-03-14 17:50:35 +01:00
Hannah Wolfe
f52e3e779b 🎨 Allow foreach else inside of get helper (#8160)
closes #7242

- before this, the get helper's else was used for empty resultsets
- the argument was made that we should fall through to a foreach or with helper's else instead
- I agree that this is the more natural, consistent approach, and so would like to change it for Ghost 1.0

E.g. as of this PR we now have:

{{#get "posts" filter="tag:doesnt-exist"}}
  {{#foreach posts}}
  {{else}}
    this ges executed because there are no results
  {{/foreach}}
{{/get}}

instead of

{{#get "posts" filter="tag:doesnt-exist"}}
  {{#foreach posts}}
  {{else}}
  {{/foreach}}
{{each}}
    this ges executed because there are no results
{{/get}}
2017-03-14 17:44:52 +01:00
Hannah Wolfe
4a6f58d8d1 🙅🏽 Admin server split (#8142)
refs #8140

 Support new default-prod.hbs template for admin
 Redirect ghost admin urls without a #
 Update admin urls to include #
🎨 Move the admin templates
🔥 Remove redirect to setup middleware
🚨 Tests for new middleware
2017-03-14 17:03:30 +01:00
Hannah Wolfe
5605c964e4 🔥 Remove legacy content zero hack (#8156)
refs #7491

- this hack is so legacy I almost forgot about it 😈
- in the beginning of Ghost there were no post images
- someone figured out you could do {{content words="0"}} and it would pull out the first image in your post
- this was never documented, but enough theme developers found it that when we upgraded downsize to get rid of the bug
- we needed to add a hack to keep compatibility.
- This has to die in 🔥  for Ghost 1.0
2017-03-14 14:56:46 +01:00
Katharina Irrgang
974adee932 🔥 remove fileStorage option (#8144)
refs #8032

- this was used to disable the upload image functionality in Ghost-Admin
- we no longer need this boolean, because people can add their own storage adapter
2017-03-14 10:31:33 +00:00
Hannah Wolfe
27ee1dc7b8 Implement custom errors 2.0 (#8148)
closes #8079

- add a new view type of defaultViews, as this is NOTHING to do with the admin!
- rename user-error.hbs to error.hbs, because this can be for any sort of error
- reimplement custom errors, but with a stack like channels & single templates
- change ghost_head to only not output on 500+ server errors, rather than 400+ user errors
- add coverage for the new template functions
2017-03-14 10:06:42 +01:00
Hannah Wolfe
bb3cc8c0f8 Reimplement custom theme templates (#8147)
closes #8082

- Update the `pickTemplate` logic to
  a) rely on getActive().hasTemplate() instead of being passed a list of paths
  b) support the concept of a fallback, which is returned if there is no theme, or if the theme doesn't have a more specific template
- Update every instance of template picking, across the 3 internalApps, and render-channel, to use this new logic
- update the tests
2017-03-14 00:15:50 +01:00
Hannah Wolfe
b06f03b370 New fully-loaded & validated activeTheme concept (#8146)
📡 Add debug for the 3 theme activation methods
There are 3 different ways that a theme can be activated in Ghost:

A. On boot: we load the active theme from the file system, according to the `activeTheme` setting
B. On API "activate": when an /activate/ request is triggered for a theme, we validate & change the `activeTheme` setting
C. On API "override": if uploading a theme with the same name, we override. Using a dirty hack to make this work.

A: setting is done, should load & validate + next request does mounting
B: load is done, should validate & change setting + next request does mounting
C: load, validate & setting are all done + a hack is needed to ensure the next request does mounting

 Validate w/ gscan when theme activating on boot
- use the new gscan validation validate.check() method when activating on boot

 New concept of active theme
- add ActiveTheme class
- make it possible to set a theme to be active, and to get the active theme
- call the new themes.activate() method in all 3 cases where we activate a theme

🎨 Use new activeTheme to simplify theme code
- make use of the new concept where we can, to reduce & simplify code
- use new hasPartials() method so we don't have to do file lookups
- use path & name getters to reduce use of getContentPath etc
- remove requirement on req.app.get('activeTheme') from static-theme middleware (more on this soon)

🚨 Improve theme unit tests (TODO: fix inter-dep)
- The theme unit tests are borked! They all pass because they don't test the right things.
- This improves them, but they are still dependent on each-other
- configHbsForContext tests don't pass if the activateTheme tests aren't run first
- I will fix this in a later PR
2017-03-13 21:13:17 +01:00
Katharina Irrgang
7556e68c48 🎨 Ghost bootstrap: optimise requires (#8121)
* 🎨  Ghost bootstrap: optimise requires

no issue

- require as less as possible on bootstrap

* do not load icojs on bootstrap
2017-03-13 20:07:12 +00:00
Katharina Irrgang
e0cd5b55ce 🎨 fetch user profile by auth id (#8110)
no issue

- this is secured by client credentials
- you can only fetch the user info if the user is connected to your blog (invited, owner)
- passport ghost instance stores the client credentials in the instance, no need to pass them into
- tested on staging
2017-03-13 19:49:30 +00:00
Katharina Irrgang
ea0f696c4d 🐛 fix usages of logError (#8138)
no issue
2017-03-13 19:47:09 +00:00
Hannah Wolfe
e060a4f811 🎨 🐛 Improve theme lib, middleware & error handling (#8145)
no issue

🎨 simplify loader - use loadOneTheme for init
- use loadOneTheme for init
- move updateThemeList to the one place that it is used
- this just reduces the surface area of the loader

🎨 Move init up to index temporarily
- need to figure out what stuff goes in here as well as loading themes
- will move it again later once I've got it figured out

🎨 Reorder & cleanup theme middleware
- move the order in blog/app.js so that theme middleware isn't called for shared assets
- add comments & cleanup in the middleware itself, for clarity

🎨 Simplify the logic in themes middleware
- Separate out config dependent on settings changing and config dependent on request
- Move blogApp.set('views') - no reason why this isn't in the theme activation method as
  it's actually simpler if it is there, we already know the active theme exists & can remove the if-guard

🎨 Improve error handling for missing theme
- ensure we display a warning
- don't have complex logic for handling errors
- move loading of an empty hbs object into the error-handler as this will support more cases

🐛 Fix assetHash clearing bug on theme switch
- asset hash wasn't correctly being set on theme switch

🎨 Remove themes.read & test loader instead
- Previously, we've simplified loader & improved error handling
- We are now able to completely remove theme.read as it's nothing more than a wrapper for package.read
- This also means we can change our tests from testing the theme reader to loader
2017-03-13 17:30:35 +01:00
Katharina Irrgang
c9f551eb96 suspend user feature (#8114)
refs #8111 
- Ghost returns now all (active+none active) users by default
- protect login with suspended status
- test permissions and add extra protection for suspending myself
- if a user is suspended and tries to activate himself, he won't be able to proceed the login to get a new token
2017-03-13 12:03:26 +00:00
Hannah Wolfe
b2f1d0559b Themes API activation permissions & validation (#8104)
refs #8093

 Add activate theme permission
- add permission to activate themes
- update tests
- also: update tests for invites
TODO: change how the active theme setting is updated to reduce extra permissions

 Move theme validation to gscan
- add a new gscan validation method and use it for upload
- update activate endpoint to do validation also using gscan
- change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API
- remove validation from the settings model
- remove the old validation function
- add new invalid theme message to translations & remove a bunch of theme validation related unused keys

📖  Planned changes

🚨 Tests for theme activation API endpoint
🐛 Don't allow deleting the active theme

🚫 Prevent activeTheme being set via settings API
- We want to control how this happens in future.
- We still want to store the information in settings, via the model.
- We just don't want to be able to change this info via the settings edit endpoint

🐛  Fix warnings for uploads & add for activations
- warnings for uploads were broken in f8b498d
- fix the response + adds tests to cover that warnings are correctly returned
- add the same response to activations + more tests
- activations now return a single theme object - the theme that was activated + any warnings

🎨 Improve how we generate theme API responses
- remove the requirement to pass in the active theme!
- move this to a specialist function, away from the list

🎨 Do not load gscan on boot
2017-03-13 12:44:44 +01:00
Katharina Irrgang
27f17c973d 🎨 handle case: sync email after logout (#8097)
no issue

If the user changes the email in the remote auth service and executes a logout directly afterwards, the user would lock himself out of his blog, because the email sync happens once per hour right now.
For that case, we have to store the ghost auth id.
2017-03-08 14:31:22 +00:00
Hannah Wolfe
94d53cf5fb Move activation to themes endpoint (#8093)
no issue
- browse will now include the correct activated theme again
- PUT /theme/:name/activate will activate a theme
- tests now read from a temp directory not content/themes
- all tests check errors and responses
2017-03-08 10:46:03 +00:00
Katharina Irrgang
27e659a21e 🐛 export database read settings from database (#8103)
* 🐛  export database read settings from database

no issue

- the backup script uses the export database lib and is broken if knex-migrator is called via shell, the settings cache is not loaded
- i have changed the export database lib to read the settings key directly from the db

* use get('value')
2017-03-08 10:26:57 +00:00
Hannah Wolfe
9aec9c6a63 🐛 Use isIgnitionError to detect unhandled errors (#8100)
closes #8099, refs https://github.com/TryGhost/Ignition/issues/28

- use new utility to detect if an error has not yet been handled & convert it to a generic Ghost error
- update theme_spec tests to include checking error messages, which catches this issue
2017-03-06 17:37:16 +01:00
Katharina Irrgang
773eb92960 🐛 fix cors middleware (#8094)
no issue

- same fix as https://github.com/TryGhost/Ghost/pull/8066
- just for master
2017-03-03 16:41:20 +00:00
Katharina Irrgang
efe24fa9ec 🐛 subscriber: sanitize email (#8078)
no issue
2017-03-03 15:44:07 +01:00
sahand12
481154a55b fix uid method in core/server/utils/index.js to return a string which length is equal to len argument (#8025)
closes #7998
2017-03-03 15:35:08 +01:00
Hannah Wolfe
e3c82c1643 🎨 Use settingsCache in theme handler (#8091)
no issue

- we already have the settingsCache here, makes no sense to call the API
2017-03-02 23:05:35 +01:00
Hannah Wolfe
a5ab2ffc13 🔥 🎨 No more updateSettingsCache (#8090)
no issue

🔥 Remove unnecessary cache update
🎨 simplify updateSettingsCache()
🎨 Simplify readSettingsResult
- although this is more code, it's now much clearer what happens in the two cases
🎨 Don't use readSettingResult for edit
🎨 Simplify updateSettingsCache further
🔥 Remove now unused readSettingsResult
🎨 Change populateDefault to return all
🎨 Move the findAll call out of updateSettingsCache
🔥 Remove updateSettingsCache!!
🎨 Restructure init & finish up settingsCache
- move initialisation into settingsCache.init AT LAST
- change settingCache to use cloneDeep, so that the object can't be modified outside of the functions
- add lots of docs to settings cache
🎨 Cleanup db api endpoints
🔥 Don't populate settings in migrations
2017-03-02 23:00:01 +01:00
Katharina Irrgang
9fafc38b79 🎨 deny auto switch (#8086)
* 🎨  deny auto switch

no issue

- deny auth switch after the blog was setup
- setup completed depends on the status of the user right now, see comments

* Updates from comments

- re-use statuses in user model
- update error message
2017-03-02 19:50:58 +00:00
Austin Burdine
144544e83d 🎨 fix admin and theme caching issues (#8058)
refs #7812, closes #7958

- fixes boolean logic wrt to theme cache value from config
- disable cache for admin assets in development
- only add asset hash in production
2017-03-02 18:18:21 +01:00
Hannah Wolfe
f8b498d6e7 🔥 No more availableThemes (#8085)
no issue

🎨 Switch themes API to use config.availableThemes
- this gets rid of the only places where settings.availableThemes are used

🔥 Get rid of settings.availableThemes
- this is no longer used anywhere
- also get rid of every related call to updateSettingsCache

🔥 Replace config.availableThemes with theme cache
- Creates a tailor-made in-memory cache for themes inside the theme module
- Add methods for getting & setting items on the cache
- Move all references to config.availableThemes to use the new cache
- This can be abstracted later to support other kinds of caches?

🎨 Start improving theme lib's API
Still TODO: simplifying/clarifying:
- what is the structure of the internal list
- what is the difference between a package list, and a theme list?
- what is the difference between reading a theme and loading it?
- how do we update the theme list (add/remove)
- how do we refresh the theme list? (hot reload?!)
- how do we get from an internal list, to one that is sent as part of the API?
- how are we going to handle theme storage: read/write, such that the path is configurable

🎨 Use themeList consistently
🎨 Update list after storage
2017-03-02 17:53:48 +01:00
Katharina Irrgang
0b68458eb7 🎨 optimise requires for MigratorConfig (#8088)
no issue

- if knex-migrator loads the MigratorConfig too much stuff was required, which increases the memory usage
- i have deleted the IncorrectUsage errors for now, because this error should actually never appear
2017-03-02 16:02:23 +00:00
Hannah Wolfe
c70fbc2c7e 🎨 Collect & simplify package utils (#8080)
closes #8056

🎨 Collect together the package-related utils
- read directory actually reads a directory of packages
- parse package json is very tighly related to this

🎨 Move filterPaths -> packages.filterPackages
- this function is related to packages, not settings
- move the function to the new utils/packages
- add 100% test coverage

🎨 Simplify filterPackages code
🎨 Simplify reading of packages & themes
- This massively reduces all the complex code in the read packages & themes utils
- Added full test coverage

🎨 Improve & clarify active prop in filterPackages
- active is returned from API endpoints to combine data from multiple sources
- see https://github.com/TryGhost/Ghost/pull/8064#discussion_r103514810

🎨 Better error handling
🔥 Temporarily remove custom error templates
- we will reimplement this later when we have got a better concept of loading the active theme in place
- refs #8079
2017-03-01 14:09:31 +01:00
Katharina Irrgang
fa38257170 🐛 🎨 old accesstokens are not cleaned up (#8065)
closes #8035
- create auth/utils
- use authUtils.createTokens for all cases
- decrease the expiry of the old access token before creating a new one
2017-03-01 10:12:03 +00:00
Hannah Wolfe
690ff05588 🔥 🎨 Themes & settings misc cleanup (#8061)
no issue

🔥 remove unused loadThemes API method
🚨 Add tests for themes.readOne
🔥 Don't update settings cache for imports
- this isn't needed as of #8057
- settings.edit fires an event, that will result in the update happening automatically
🎨 Move validation to themes
- slowly collecting all theme-related code together
🔥 Reduce DEBUG output
- all this info is a bit tooooo much!
2017-02-27 23:30:49 +01:00
Katharina Irrgang
dfde5d14f1 🐛 protect setup (#8030)
refs #7452

- we have to query the owner user by "inactive" status
- otherwise it is possible to override the owner's email address
2017-02-27 19:07:00 +00:00
Hannah Wolfe
63723aa36a 🎨 Move settings cache & cleanup settings API (#8057)
closes #8037

🔥 Remove API-level default settings population
- This is a relic!
- We ALWAYS populate defaults on server start therefore this code could never run.
- This was a lot of complicated code that wasn't even needed!!

🎨 Move settings cache
- Move settings cache to be its own thing
- Update all references
- Adds TODOs for further cleanup

🎨 Create settings initialisation step
- Create new settings library, which will eventually house more code
- Unify the interface for initialising settings (will be more useful later)
- Reduce number of calls to updateSettingsCache
2017-02-27 16:53:04 +01:00
Katharina Irrgang
319a388277 ghost auth: sync email (#8027)
*   ghost auth: sync email

refs #7452

- sync email changes in background (every hour right now)
- sync logged in user only!
- no sync if auth strategy password is used
- GET /users/me is triggered on every page refresh
- added TODO to support or add long polling for syncing data later
- no tests yet on purpose, as i would like to get a basic review first

* 🐩  use events

- remember sync per user
2017-02-23 18:04:24 +00:00
Hannah Wolfe
fe90cf2be2 Theme loading part 1 (#7989)
no issue

*  Add new server start & stop events
* 🔥 Get rid of unused availableApps concept
- when we need an API endpoint for a list of apps, we'll build one 😝
*  Move theme loading into a module
- move loading from API method to a module method and use as needed
- wire up read one vs read all as per LTS
- read one (the active theme) on boot, and read the rest after
- fudge validation - this isn't all that helpful
* Settings API tests need to preload themes
- this used to automatically happen as part of loading settings
- now we need to trigger this to happen specifically for this test
2017-02-22 00:26:19 +01:00
Hannah Wolfe
294561cac7 Theme Browse API endpoint (#8022)
no issue
- adds `GET /themes/` endpoint for requesting all themes
2017-02-21 14:59:03 +00:00
Hannah Wolfe
348e4c2a95 Miscellaneous code cleanup (#8031)
no issue

- 🔥 Remove duplicated file
- 💄 🐷  Cleanup double slashes
- 💄 🐷 Remove duplicate require
2017-02-21 10:39:09 +01:00
Katharina Irrgang
aa670fa8b4 Updates for alpha.13 (#8026)
* 🐛  delete client if auth url has changed

no issue

* 🎨  update default auth config

refs #7488
2017-02-18 17:23:35 +01:00
Katharina Irrgang
2e1d7fcc42 🚨 database: change hard limits and field types (#7932)
refs #7432

🚨  database: change hard limits and field types

- we went over all schema fields and decided to decrease/increase the hard limits
- the core goal is to have more flexibility in the future
- we reconsidered string vs. text

There are 5 groups:

- small strings: 50 characters
    - static strings
    - status, visibility, language, role name, permission name, client name etc.
- medium strings: 191 characters
    - all unique fields or fields which can be unique in the future
    - slug, tokens, user name, password, tag name, email
- large strings: 1000-2000 characters
    - these fields need to be very flexible
    - these fields get a soft limit attached (in a different PR)
    - post title, meta title, meta description, urls
- medium text: 64kb characters
    - bio, settings, location, tour
- long text: 1000000000 chars
    - html, amp, mobiledoc, markdown

🙄  sort_order for tests

- sort order was not set for the tests, so it was always 0
- mysql could return a different result

in my case:
- field length 156 returned the following related tags ["bacon", "kitchen"]
- field length 157 returned the following related tags ["kitchen", "kitchen"]

Change client.secret to 191

Tweak field lengths

- Add 24 char limit for ids
- Limited fields are the exact length they need
- Unified 1000 and 2000 char string classes to all be 2000
- Changed descriptions to be either 2000, except user & tag which is text 65535 as these may be used to store HTML later?!
- Updated tests

🛠  Update importer tests

- The old 001-003 tests are kind of less relevant now.
- Rather than worrying about past versions of the data structure, we should check that the importer only imports what we consider to be valid data
- I've changed the tests to treat the title-length check as a length-validation check, rather than a test for each of the old versions

🔥 Remove foreign key from subscribers.post_id

- There's no real need to have an index on this column, it just makes deleting posts hard.
- Same as created_by type columns, we can reference ids without needing keys/indexes
2017-02-17 23:20:59 +01:00
kirrg001
a353a9e0ea 🐛 forward missing logging config: rotation
no issue
2017-02-17 18:24:14 +01:00
Hannah Wolfe
b00d9fee6d 🎨 ⏱ Cleanup / optimise the server.init() function (#7985)
refs #2182

* 🔥 Remove unused options from server init
- this is left over from old code and is now unused

* 🎨 Move knex-migrator check to db health

- Move complex check function into own module
- Call module from server/index.js
- This just improves the readability of server/index.js

* 🔥 Remove old comments

- These comments all make no sense now!

* 🎨 ⏱ Move model init out of promise chain

- Model.init() does not return a promise
- Therefore, we can move it to the top of the init function, outside of the promise change
- This should be a minor optimisation, and again improves readability /clarity of what's happening

*  ⁉️ Move DBHash init / first run to Settings model

- this structure is left over from when we had code we executed on the first run of Ghost
- the implementation used the API to initialise one setting before populateDefaults is called
- this had lots of dependencies - the whole model, API, and permissions structure had to be initialised for it to work
- the new implementation is simpler, it captures the dbHash getting initialised during populateDefaults()
- it also adds an event, so we can do first-run code later if we really want to (or maybe apps can?!)
- perhaps this is hiding behaviour, and there's a nicer way to do it, but populateDefaults seems like a sane place to populate a default setting 😁

* ⏱ Optimise require order so config is first

- the first require to config will cause the files to be read etc
- this ensures that it happens early, and isn't confusingly timed as part of loading a different module

* 🎨 Simplify settings model changes
2017-02-17 17:44:34 +01:00
Hannah Wolfe
9bd50cb527 ⏱ Boot time visibility amends (#7984)
refs #2182

* ⏱ Add boot timer - improve visibility of boot time

I've been playing around with Ghost start times a lot recently.
Every time I do, I add a console.time output for boot, which is annoying.
This commit adds that change permanently. We can always revert later before shipping 1.0 😁

* ⏱ Add debug call before main requires

- this demonstrates that the majority of boot time is spent on requires
- had to rejig the var pattern because of the linter... 💩

* 🐷 💄 Special debug mode for config

- I ❤️  being able to output the config, but this is not useful when trying to debug / optimise timings.
- This change makes it so we can see how long it takes to do config work by default
- If we want to output config specifically, we do `DEBUG=ghost:*,ghost-config npm start`
- This also prevents nconf.get() from being called unnecessarily
2017-02-17 16:27:02 +01:00
Katharina Irrgang
27f7b722fe 🎨 remove domain string replacement for logging (#8011)
no issue
2017-02-17 15:29:25 +01:00
Katharina Irrgang
dcca1aae5a 🎨 use passport-ghost retry hook (#8009)
no issue
2017-02-17 15:29:03 +01:00
John O'Nolan
f6c438475b New buttons 🎨 (#8007)
Matching commit for https://github.com/TryGhost/Ghost-Admin/pull/529
2017-02-16 19:52:32 +00:00
Katharina Irrgang
d9707eb57c public client registration: remember auth url (#7994)
no issue

- we have to remember the auth url in Ghost
- if Ghost starts for the first time, it registers a public client in the defined auth service
- if you change the auth service, Ghost won't recognize
- if Ghost doesn't recognize, you will see a client does not exist error in Ghost Admin
2017-02-14 12:41:28 +00:00
Katharina Irrgang
4f3f01ef56 🎨 optimise public client registration error handling (#7992)
no issue
- auth.init happens in background and if an error occurs, Ghost will log this error to stdout/file
- do not double create Ignition error
- update passport-ghost to handle a none response from the auth service (e.g. wrong auth url), see 123da4dd94
2017-02-14 12:09:52 +00:00
Katharina Irrgang
2a5927b4f9 🐛 fix email already in use (#7987)
refs #7981

- usage of data.id was wrong
- usage of id comparison was wrong
2017-02-13 15:36:21 +00:00
Katharina Irrgang
d9e87aa793 🎨 updates for database configuration (#7975)
* 🎨  update configuration files: database

refs #7488

- no default database configuration
- production: default is MySQL

* 🎨  add transport stdout to production for now

refs #7488

- production will log to stdout and file for now
- to reduce the risk of confusing users
- users would not see any stdout and they don't know that Ghost logs into file only in production

* 🎨  sanitize database properties

refs #7488
2017-02-11 18:02:12 +00:00
Felix Rieseberg
53bd7da063 🚀 Allow ServiceWorker /ghost/ scope (#7967)
ServiceWorkers can only control the scope from which they have been served. Our service workers live, like all other files, in an `asset` folder - and could in theory only work on other files in there.

This commit fake-serves our service workers from `/ghost/`, thus allowing them to give everything offline powers.
2017-02-11 14:43:09 +00:00
Katharina Irrgang
29fb68137f 🎨 increase token expiry (#7971)
refs #5202
- please read https://github.com/TryGhost/Ghost/issues/5202#issuecomment-278934768
2017-02-10 13:35:58 +00:00
Katharina Irrgang
7bc546c698 🎹 re-work url redirects (#7956)
refs #7488

- we have recently changed our url redirects
- see https://github.com/TryGhost/Ghost/pull/7937
- the url has a canonical meaning and that's why Ghost shouldn't force redirect to the blog url
2017-02-10 11:42:18 +00:00
Hannah Wolfe
1e60cbf16f 🔥 💩 Properly remove pageUrl (#7969)
no issue

- remove references to the old pageUrl helper, which was deprecated in favour of page_url
- this should have been done in a98efe1b68
2017-02-09 20:21:27 +01:00
Katharina Irrgang
72e9f0a95e 🐛 delete all content if subscriber is associated with a post (#7962)
closes #7875
- we need to delete the subscribers before deleting the posts
2017-02-08 15:40:47 +00:00
Vivek Kannan
4718d55630 Fixed issue where all only a few subscribers where exported via CSV. (#7925)
closes #7850

- export subscribers to CSV now uses .findAll() instead of .findPage()
2017-02-08 11:37:09 +01:00
janvt
e6662b6929 Add email validation in case of profile update (#7928)
closes #7256

- original code changes made by @golya in https://github.com/TryGhost/Ghost/pull/7304
- refactored edit method in user model to validate an existing email address
- added test coverage for existing email update in user model spec
2017-02-08 10:50:43 +01:00
kirrg001
f4f562b6db 🎨 rename redirects middleware to custom-redirects
no issue

- we had two middlewares:
  1. url-redirects
  2. redirects

- this was confusing, so i renamed (2) to custom redirects

custom-redirects.js: you can define custom redirects for your blog in a JSON file
url-redirects.js: Ghost takes care of required admin url or SSL redirects
2017-02-07 20:05:50 +01:00
Katharina Irrgang
c870710fcb 🎨 send LTS parameter if requesting the update check service (#7954)
no issue

- the update check service now supports a LTS option
- sending lts=false will force the update check service to search for the latest non LTS release
- as 1.0.0 is still in alpha, there is no latest release available
- that's why the update check service returns an error saying, there is no latest release available
- this error get's logged to shell right now
- as soon as we release 1.0.0, the error auto disappears

No behaviour change in any previous alpha version or any LTS release as they don't send the LTS option.
2017-02-07 19:51:19 +01:00
Katharina Irrgang
3ed009ac7b feature: define redirects in a custom file (#7719) (#7945)
refs #7707

- be able to add a custom redirect file into the content folder
- define redirects as JSON format

The redirects feature is already present in the LTS branch.
I was not able to cherry-pick over, too many changes or conflicts.
Creating a PR to ensure 1. tests pass and 2. overview of code changes.
I had to add an example active theme to our test fixture utils, because otherwise Ghost will complain when forking Ghost.
2017-02-06 15:32:40 +01:00
Katharina Irrgang
f3d16352b1 🎨 😎 config env usages (#7929)
refs #7488

- remove all ugly env checks
- rather use config properties
- replace process.env.NODE_ENV by config.get('env')
2017-02-03 18:25:39 +00:00
Katharina Irrgang
a68592a6b9 🔥 remove forceAdminSSL and urlSSL, add admin url (#7937)
* 🔥  kill apiUrl helper, use urlFor helper instead

More consistency of creating urls.
Creates an easier ability to add config changes.

Attention: urlFor function is getting a little nesty, BUT that is for now wanted to make easier and centralised changes to the configs.
The url util need's refactoring anyway.

* 🔥  urlSSL

Remove all urlSSL usages.
Add TODO's for the next commit to re-add logic for deleted logic.

e.g.

- cors helper generated an array of url's to allow requests from the defined config url's -> will be replaced by the admin url if available
- theme handler prefered the urlSSL in case it was defined -> will be replaced by using the urlFor helper to get the blog url (based on the request secure flag)

The changes in this commit doesn't have to be right, but it helped going step by step.
The next commit is the more interesting one.

* 🔥    remove forceAdminSSL, add new admin url and adapt logic

I wanted to remove the forceAdminSSL as separate commit, but was hard to realise.
That's why both changes are in one commit:

1. remove forceAdminSSL
2. add admin.url option

- fix TODO's from last commits
- rewrite the ssl middleware!
- create some private helper functions in the url helper to realise the changes
- rename some wordings and functions e.g. base === blog (we have so much different wordings)
- i would like to do more, but this would end in a non readable PR
- this commit contains the most important changes to offer admin.url option

* 🤖  adapt tests

IMPORTANT
- all changes in the routing tests were needed, because each routing test did not start the ghost server
- they just required the ghost application, which resulted in a random server port
- having a random server port results in a redirect, caused by the ssl/redirect middleware

* 😎  rename check-ssl middleware

* 🎨  fix theme-handler because of master rebase
2017-02-03 18:13:22 +00:00
Katharina Irrgang
2a52af1d99 🔥 remove imageRelPath (#7927)
refs #7488

- remove imageRelPath
- instead add a static image prefix to the url helper
2017-02-03 14:42:05 +00:00
Katharina Irrgang
0201c431d7 🔥 do not store settings in config (#7924)
* 🎨  🔥  do not store settings in config and make settings cache easier available

- remove remembering settings value in theme config
- if we need a cache value, we are asking the settings cache directly
- instead of settings.getSettingSync we use settings.cache.get

- added TODO:
  - think about moving the settings cache out of api/settings
  - we could create a folder named cache cache/settings
  - this settings cache listens on model changes for settings
  - decoupling

* 🔥  remove timezone from config

- no need to store in overrides config and in defaults settings

* 🎨  context object helper

- replace config.get('theme') by settings cache

* 🎨  replace config.get('theme') by settings.cache.get

* 🎨  adapt tests

* fixes from comments
2017-02-03 13:15:11 +00:00
Katharina Irrgang
16f5d1fdaf 🎨 add urlFor('admin') and increase usage of urlFor helper (#7935)
refs #7488

- to be able to refactor the url configuration in ghost, we need to go step by step making this possible
- reduce the usage of forceAdminSSL
- add a urlFor('admin') helper, which returns the admin url + path e.g. http://my-blog.com/blog/ghost
- increase usage of urlFor helper
- do not expose getBaseUrl, use urlFor('home') (home === blog)
2017-02-02 18:51:35 +00:00
Katharina Irrgang
85c0913d70 🎨 config optimisations (#7921)
refs #7488

- rename file keys for config files, see https://github.com/TryGhost/Ghost/pull/7493/files
- add tests to avoid running into config hierarchy problems again
- overrides.json is the strongest!
- argv/env can override any default
- custom config can override defaults
- reorganise util functions for config again
2017-02-02 12:46:30 +00:00
Vivek Kannan
5507adadf1 Import from LTS blogs now properly adds tags to posts. (#7926)
closes #7866

- Importer now uses Javascript's Map instead of the normal object to ensure that tags are properly associated with their corresponding posts.
2017-01-31 17:50:44 +01:00
Katharina Irrgang
eebdfab7b0 🎨 validate ghost profile/token response (#7761)
no issue

- check if profile or access token exists when receiving the response from Ghost Auth server
2017-01-31 11:04:09 +01:00
Aileen Nowak
89d40133a0 💄 Clean up ghost_head test (#7918)
refs #7688

Update the `ghost_head_spec` to reflect the current changes (we're not having a default `icon` setting in our config anymore). Render the link to the default favicon to be relative.
2017-01-30 09:54:40 +01:00
Aileen Nowak
d2f2888da0 Favicon URI (#7700)
closes #7688

- Use `/favicon.ico` and `/favicon.png` in blog app. Depending on type of storage (custom upload = local file storage), serves either from storage adapter with `read()` method or reads the bytes via `fs`.
- Redirects requests for `favicon.ico` to `favicon.png` if custom `png` icon is uploaded and vice versa.
- Redirect requests for `favicon.png` to `favicon.ico` if default icon is used (in `core/shared`).
- Changes the `{{asset}}` helper for favicon to not serve from theme assets anymore. It will either be served the custom blog-icon or the default one.
- The `{{@blog.icon}}` helper renders the url of the **uploaded** blog icon. It won't render the default icon.
2017-01-26 18:01:19 +00:00
Katharina Irrgang
584bd15b76 🔥 remove database version (#7894)
refs #7489

- as we are now using a different migration approach (knex-migrator), we don't need to remember the database version anymore
- it was once used to check the state of a database and based on it we decided to migrate or not
- with knex-migrator everything depends on the migration table entries and the current ghost version you are on
- on current master the leftover usage is to add the db version when exporting the database, which can be replaced by reading the ghost version
- removing this solves also an interesting migration case with knex-migrator:
  - you are on 1.0
  - you update to 1.1, but 1.1 has no migrations
  - the db version would remain in 1.0
  - because the db version was only updated when knex migrator executed a migration
2017-01-26 12:12:00 +00:00
Aileen Nowak
5c94151e14 Blog icon validations (#7893)
refs #7688

Adds an `uploads/icon/` endpoint to the api route to get a seperate entry point for blog icon validations. The blog icon validation will specifically check for images which have icon extensions (`.ico` & `.png`) and throw errors if:

- the icon file size is too big (>100kb)
- the icon is not a squaer
- the icon size is smaller than 32px
- the icon size is larger than 1000px
- the icon is not `.ico` or `.png` extension

TODOs for this PR:
- [X] get image dimensions
- [X] validate for image
	- [X] size
	- [X] form (must be square)
	- [X] type
	- [X] dimenstion (min 32px and max 1,000px)
- [X] return appropriate error messages
- [X] write tests

--------------------

TODOs for #7688:
- [X] Figure out, which favicon should be used (uploaded or default) -> #7713
- [ ] Serve and redirect the favicon for any browser requests, incl. redirects -> #7700 [WIP]
- [X] Upload favicon via `general/settings` and implement basic admin validations -> TryGhost/Ghost-Admin#397
- [X] Build server side validations -> this PR
2017-01-26 10:01:52 +01:00
Katharina Irrgang
c070c9722d 🐛 re-run init migrations protection (#7899)
no issue

- if re-running the init scripts (for example: you lost the init rows in the migrations table), then it was throwing errors
- 1. the owner slug and email can change -> no match and it tried to reinsert the user with id 1, which failed
- 2. querying an inactive user is not allowed, because the user model protects against it
2017-01-25 22:08:09 +01:00
Katharina Irrgang
0424c6675c 🐛 fix backup database (#7898)
refs #7489

The require path for the db backup was wrong. The before hook could not execute db backup.
Furthermore, i have replaced the logging in the backup script.
2017-01-25 20:34:31 +01:00
Vivek Kannan
ada528d386 Fixed caching of theme in development mode. (#7812) (#7857)
refs #7812

- replaced hard-coded maxAge value in static-theme middleware with dynamic value based on env
2017-01-25 15:10:46 +01:00
Katharina Irrgang
2d19ae2c6c 🔥 😎 remove old migrations (#7887)
refs #7489

- remove old migration code
- this logic was sourced out to knex-migrator
2017-01-25 13:47:49 +00:00
Katharina Irrgang
042750f4cf 🐛 fix invite permissions for editor (#7889)
refs #7724

- we already fixed the permissions for the editor
- see 3d3101ad0e
- but as we are inside of a refactoring process, we had two fixtures.json files
- we fixed the fixtures.json in the wrong place
- now that the permissions are used, we can see failing tests
- i have added the correct permissions handling
2017-01-25 12:07:31 +00:00
Aileen Nowak
ca521e234f 🐷 Rename 'favicon' to 'icon' (#7888)
refs TryGhost/Ghost#7688

Just renames `favicon` to `icon` as our usage for it will not be for favicon purposes only.
2017-01-25 11:02:02 +01:00
Katharina Irrgang
a2edc09762 🎨 optimisations for brute (#7867)
closes #7766, refs #7579

- ensure we are using the correct brute keys
- ensure we are using req.ip as Ghost is configured  with trust proxy option
- tidy up a little
2017-01-23 22:44:39 +01:00
Katharina Irrgang
78eacb19e9 🛠 use Ignition for logging/errors (#7869)
no issue

- we started implementing logging and error handling in Ghost
- later we outsourced both into a module
- use the module now in Ghost
- this commit basically just removes the logging and error implementation and uses Ignition
2017-01-23 11:04:01 +00:00
Aileen Nowak
7cb57bff3d Find favicon in Ghost (#7713)
refs #7688

Adds logic in theme settings api to either serve an uploaded favicon and give it the type `upload` or use the default settings `default`, which will serve the favicon from our shared directory.

TODOs for #7688:
- [X] Figure out, which favicon should be used (uploaded or default) -> this PR
- [ ] Serve and redirect the favicon for any browser requests, incl. redirects
- [ ] Upload favicon via `general/settings` and implement basic admin validations -> [WIP] TryGhost/Ghost-Admin#397
- [ ] Built server side validations
2017-01-23 10:13:52 +01:00
Aileen Nowak
503148058c More consistant usage of urlFor('home') (#7689)
refs #7666 

Using `urlFor('home')` instead `config.get('url')` in Ghost.
When `urlFor('home', true)` returns the absolute adress of the blog as defined in the config.
Will always return a trailing `/`.
2017-01-23 09:22:37 +01:00
Katharina Irrgang
4a4b2f62cc 🐛 re-order api middlewares: cors middleware before connect-slashes (#7861)
closes #7839

- when a browser sends a request to the API without a trailing slash, we are using connect-slashes to redirect permanently
- but because the CORS middleware was registered after the redirect, the CORS headers got lost
2017-01-18 17:36:47 +00:00
Aileen Nowak
2f3081fa9f Make AMP optional (#7830)
closes #7769

Because Google AMP is bitching around and shows errors in Googles' webmaster tools for missing post images and blog icons, we decided to make AMP optional. It will be enabled by default, but can be disabled in general settings. Once disabled, the `amp` route doesn't work anymore.

This PR contains the back end changes for Ghost-alpha:
- Adds `amp` to settings table incl default setting `true`
- Adds `amp` value to our settings cache
- Changes the route handling of AMP app to check for the `amp` setting first.
- Adds tests to check the route handling and ghost_head output
- Includes changes to `post-lookup.js` as done by @kirrg001 in #7842
2017-01-17 16:40:06 +01:00
Kevin Ansfield
8d88f5b6a5 urlencode navigation URLs rather than HTML escape (#7836)
closes #7826

- expose raw url value inside `{{navigation}}` helper
- modify `{{url}}` helper to urlencode values and mark as HTML-safe to avoid Handlebars additional HTML-escaping
2017-01-17 15:55:19 +01:00
John O'Mahoney
47933c9949 Shows help message for broken require in scheduler adapter (#7706)
closes #7584

- added help message to assist in debugging broken require
2017-01-16 21:49:41 +01:00
Katharina Irrgang
5210271474 🐛 import subscribers (#7834)
closes #7748

- logic for import of subscribers was just missing
2017-01-10 19:38:20 +00:00
Katharina Irrgang
8031102596 🎨 escape sameAs for structured data (#7833)
closes #7832

- escape output for json-ld
2017-01-10 12:21:37 +00:00
Aileen Nowak
7cd13e6122 🔑 Update Validator to 6.2.1 (#7823)
no issue

Uses new version of [validator](https://github.com/chriso/validator.js) which checks also for in URL embedded script tags.
2017-01-10 13:05:25 +01:00
Vivek Kannan
8993eb937f Fixed incorrect promise fulfilled callback in ghost-server restart function. (#7831)
closes #7760

- replaced bound start callback with anonymous callback
2017-01-10 00:18:23 +01:00
Marc Bachmann
353330bb8a chore(package): update uuid to version 3.0.0 (#7742) 2017-01-04 17:10:29 +01:00