Commit Graph

267 Commits

Author SHA1 Message Date
Tim Griesser
c9235ccb0b Escaping several fields to prevent XSS
issue #938
- escapes post's title field
- escapes settings title, description, email
- escapes user's name field
- includes test for post title
2013-10-09 19:13:13 +01:00
John O'Nolan
d1957958e3 Cleanup indentation and quotes
Aligns all requirements vertically for easier reading + adds single quote standard consistently throughout Ghost, except in long strings.
2013-09-26 15:06:31 +01:00
Hannah Wolfe
32d1076d35 Correct validation message for short passwords
closes #833
2013-09-19 08:41:04 +01:00
Hannah Wolfe
d587a845d4 Set migrations to use new 000 schema
issue #632

- removed old schemas
- updated base model to reflect all of the consistent behaviours and properties across the models
- updated all models to match the new schema

TODO

- no fixtures are currently loaded except settings
- need to rename properties across the codebase
2013-09-14 20:01:46 +01:00
Hannah Wolfe
01f6551bf2 Small model update for tags and users
- tags are now created with uuid & timestamps
- user role is no longer a model, just a join done with attach
2013-09-13 15:06:17 +01:00
Hannah Wolfe
bbbfed9921 Temporary aliasing on the User model
issue #389

- Output only aliases (saving data with these keys won't work) gives us the right names in the theme API
2013-09-09 15:25:20 +01:00
Hannah Wolfe
36874badd5 Merge pull request #587 from javorszky/iss288
Email sending with Sendgrid plus password reset
2013-09-02 15:44:48 -07:00
Hannah Wolfe
1ff9550e1f User property aliases
issue #389

 - Temporary aliases for user model, schema will be changed soon, in the meantime we want themes to be built using the right properties
2013-09-02 20:58:49 +01:00
Gabor Javorszky
5999d01b7d Repaired email sending, implement password reset
Closes #288
* I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`)
* Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
2013-09-01 00:20:12 +02:00
Hannah Wolfe
c70dfde7e3 Agressive stripping of the model attributes
- fixes #517
- prevents this from occuring again in future with other relations
- validation function & stripping done for all models
- casper test for flow, plus validation & logged out tests
2013-08-25 18:12:27 +01:00
Hannah Wolfe
41e36cca7e Validation consistency
- introduced validation method in the post and user model
- moved signup validation onto model
- consistent use of validation & error messaging in the admin UI
- helper methods in base view moved to a utils object
2013-08-25 18:10:12 +01:00
Gabor Javorszky
be7ed2dfdc Added validation for signup and login screens
Closes #374
* Included node-validator as a package
* Implemented server side validation (the client side js is a mess, need a LOT of work)
* Validates email address both on signup and login screens, gives error message on malformed email addresses
* Requires at least 8 chars of password
* Tells user if password is too short
* Tells user if no such user on login
* Tells user if wrong password on login
* Tells user if server responds with a 404 (goes away, dies, etc)
* Added middleware between req and login / signup for validation
2013-08-20 09:42:42 +01:00
Jacob Gable
bbe5105048 Edit Post Permissions 2013-08-18 12:28:05 -05:00
Gabor Javorszky
f6d164b5d8 Current user added
Closes #340. Closes #375
* Replaced session with id of current user
* Added method to ghostlocals to always send profile picture and full name to templates (template checks if falsy)
* Modified user saving (`forge().set(new).save()` died on me, `forge().save(new)` didn't)
* If user has profile picture, that will be used
* If user has name, that will be used
* Password changing doesn't care about your email. Uses cookies. Tasty!
* User pane uses current user id. Had to set path to me, otherwise goes to `browse` instead of `read`.
* Added logic to user api to check for `id === 'me'`, and then use the cookie value
* User data saves are now correct
* There is no logout error
2013-08-17 22:02:46 +01:00
Hannah Wolfe
2f11f053ab Minor code cleanup, docs and other bits & pieces 2013-08-06 22:24:40 +01:00
Gabor Javorszky
071f9769c6 Users can change password
Closes #282
* Added a new route
* Added new methods
* Triple security!
* Passwords are actually changed
* Also added a change password button, because 'save' has too much baggage.

On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords.

Caveats:
* didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh?
* Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 00:49:06 +01:00
Hannah Wolfe
30b4eb07f7 App restructure - closes #245
- This is a first pass at getting a more logical structure. The focus is on moving from admin/frontend to client/server.
- The location of the databases is highly important, this isn't expected to change again
In the future
- client/assets should probably become public/
- more stuff should be shared (helpers etc)
- cleanup some confusion around tpl and views
2013-07-11 20:23:34 +01:00