Commit Graph

275 Commits

Author SHA1 Message Date
Fabian Becker
1d1f24d3d4 Properly server shared files
refs #3992
- Don't use path.join for URLs
- Cache robots.txt for 1h instead of 1y
2014-09-25 14:14:20 +02:00
Hannah Wolfe
e5e7488d4d Fix cache-control header for API routes
closes #4157

- adds cache-control header back to api routes
- moves cache rules object into testUtils
- adds cache-control header test to every existing API test
2014-09-25 11:06:28 +01:00
Fabian Becker
2c3abeee03 Naming cleanup
closes #4069
- Rename everything from camelCase to lowercase + dashes
- Remove usage of `server`, `app` and `instance`
2014-09-20 21:09:16 +02:00
Jason Williams
12957b1918 Adjust morgan call to avoid deprecation warning
No Issue
- Change the invocation of the morgan logging package to
  conform to the new function signature introduced in
  morgan 1.2.0.
2014-09-19 16:31:22 +00:00
Fabian Becker
9394fad6aa Have /ghost use its own express instance
closes #1961
- Refactor admin to use its own express instance
- Refactor middlewares to work with /ghost mounted admin express instance
2014-09-19 08:57:13 +00:00
Matt Enlow
a5f4fca7b2 Merge pull request #3992 from halfdan/favicon
Let Ghost serve favicon instead of using dependency
2014-09-18 18:40:22 -06:00
Fabian Becker
f2fcb5b62b Let Ghost serve favicon instead of using dependency
no ref
- Remove static-favicon dependency
- Refactor robots.txt middleware to also serve favicon
- Add ETag
2014-09-18 13:51:41 +02:00
Hannah Wolfe
aad595de7d Updating express to 4.9.2 & related packages
ref #3795

- express updated to 4.9.2
- express 4.9.0 introduced res.sendStatus() to replace res.status().end()
- we no longer need express-session, connect or cookie-parser
- body-parser, busboy, compression, express-hbs, morgan, all bumped to
  latest versions as well - there doesn't seem to be any breaking changes
2014-09-18 11:50:28 +01:00
Harry Wolff
469aaa398c Add jscs task to grunt file and clean up files to adhere to jscs rules.
resolves #1920

- updates all files to conform to style settings.
2014-09-17 21:44:29 -04:00
Hannah Wolfe
b7fdf7d872 Merge pull request #3947 from hswolff/goodbye-config-theme
Removes config.theme and restructures how theme variables are cached
2014-09-15 21:30:44 +01:00
Harry Wolff
66845def85 Moves storage module to use prototypes for inheritance and structure.
addresses #2852

- Moves storage modules to use prototypes and to create prototypes
that inherit from the base storage ctor.

- Makes storage/base conform to an all Promise interface.
2014-09-12 21:41:29 -04:00
Matt Enlow
9c0b203dce Merge pull request #3867 from hswolff/middleware-work
Makes the Ghost application more express middleware friendly.
2014-09-08 13:43:48 -06:00
Harry Wolff
2bb1b14ebd Removes config.theme and restructures how theme variables are cached
resolves #1789

- removes config/theme.js
- moves caching of theme variables to api/settings.js which is where the
rest of the settings cache occurs.  this removes the requirement of having
to push changes to cache, now it simply occurs alongside when settings
are changed.
- updates relevant tests.
2014-09-02 23:15:15 -04:00
Fabian Becker
5ab8c661ec Fix regex from #3898
refs #3898
2014-09-01 15:39:53 +02:00
Fabian Becker
a0b7941439 Restrict uncapitalise middleware for API
no ref
- Do not lowercase anything after /api/v0.1/<resource>/ to protect :key/:slug
2014-09-01 12:38:06 +00:00
Harry Wolff
8bc6a6e633 Makes the Ghost application more express middleware friendly.
refs #827

- Moves ./index to use Ghost in a similar manner to how someone uses
Ghost as an npm module.
- Allows Ghost to be cleanly mounted on another express application
on any arbitrary endpoint, all you need to customize is the mount path.
2014-08-29 17:30:16 -04:00
Hannah Wolfe
25ad4b39fd Uncapitalise middleware should not affect tokens
no issue

- Whilst testing on next, I noticed trying to signup didn't prepopulate email addresses any more, and this is why
2014-08-26 22:30:33 +01:00
Sebastian Gierlinger
cab8254539 Merge pull request #3860 from ErisDS/issue-3857
Redirect uppercase routes to lowercase version
2014-08-26 12:19:52 +02:00
Jason Williams
07ad400ee0 Replace the when promise library with bluebird.
Closes #968
2014-08-23 17:15:40 +00:00
Hannah Wolfe
6a52fc8ace Redirect uppercase routes to lowercase version
fixes #3857

- adds uncapitalise middleware which detects uppercase in req.path and
  redirects to the lowercase equivalent
- change the ghost route to a regex, just so it's consistent with other
  routes in the file
2014-08-23 17:59:58 +01:00
Sebastian Gierlinger
f0da28abb3 Fix broken status code
closes #3779
- added custom error classes for OAuth errors (bug was caused by
oauth2orize error classes)
- added basic tests for `/authentication/token` endpoints
2014-08-20 11:28:55 +02:00
Jason Williams
8fb3cddcf6 Update express and body-parser dependencies.
No Issue
- Upgrade to versions of these packages that use qs >= 1.0.0.
2014-08-11 05:20:31 +00:00
Hannah Wolfe
7d37a829c3 Switch middleware order to result in proper error
fixes #3694

- Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 17:17:07 +01:00
Hannah Wolfe
c95c9b45cb Merge pull request #3621 from sebgie/fix-refresh-token
Fix token refresh
2014-08-06 10:34:20 +01:00
Sebastian Gierlinger
b2e9d21018 Fix token refresh
no issue
- spam prevention causes token refresh to return an error
2014-08-06 11:11:44 +02:00
Hannah Wolfe
e315148cc5 Cleaner spam prevention error messages
closes #3589

- Full error messages appear in stderr
- Clean error messages for user
2014-08-06 10:00:21 +01:00
Sebastian Gierlinger
c62d7ba43e Improve spam prevention
closes #3544
- limit forgotten password requests to five requests per IP per hour
for different email addresses
- limit forgotten password requests to five requests per email address
- limit signin requests to ten failed requests per IP per hour
- removed special treatment for tests
2014-08-05 12:58:58 +02:00
Sebastian Gierlinger
3792598a31 Update spam prevention
closes #3468
- added rate limit to deny more than 5 attempt every hour
- updated spam prevention to be configurable
- added config values spamTimeout, ratePeriod, rateAttempts
- added ratePeriod:1 to config.example.js to prevent functional tests
from hitting the rate limit
- commented spam test, I’ll fix it tomorrow
2014-08-01 00:58:32 +02:00
Sebastian Gierlinger
e1c0c5ce98 Change refresh token expiry
no issue
- acquiring a new access token using a refresh token sets the
expiration time of the refresh token to now + 24 hrs.
- moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to
`core/server/utils`
2014-07-28 15:19:49 +02:00
Sebastian Gierlinger
17589a1afe Merge pull request #2306 from mscdex/update-busboy 2014-07-23 15:52:41 +02:00
Harry Wolff
be37070fb6 This aims to speed up both the ghost application and tests by
migration from usage of config() to just an object of config.

no relevant issue

- Change 'loadConfig' task to 'ensureConfig' to more accurately reflect
what it is actually doing.  Its sole purpose is to make sure a `config.js`
 file exists, and as such the name now reflects that purpose.

- Update config/index.js to export the ghostConfig object directly
so that it can be accessed from other modules

- Update all references of config(). to config.
This was a blind global find all and replace, treat it as such.

- Fixes to tests to support new config access method

- Allow each test to still work when invoked invidually
2014-07-22 22:37:44 -04:00
Hannah Wolfe
487844122d Merge pull request #3312 from ErisDS/issue-2739-2
Wire permmissions for notifications, mail and tags
2014-07-17 18:04:38 +01:00
Hannah Wolfe
cfaa6f058a Wire permmissions for notifications, mail and tags
closes #2739

- wraps the api endpoints for mail, notifications, and tags in a canThis
  check
- add internal context to internal calls
- updates tests
2014-07-17 16:44:09 +01:00
Sebastian Gierlinger
ab456638c1 Fix tests failing because of spam protection
closes #3128 (now really)
- added express variable disableLoginLimiter
- added disableLoginLimiter to all tests that use Ghost as module and
do authentication
- fixed isSetup not working for status other than active
- removed ‚Ensure a User is Registered‘ test as this is covered by the
new setup test
2014-07-17 14:22:32 +02:00
Sebastian Gierlinger
42f461cb6d Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-17 14:22:07 +02:00
Hannah Wolfe
5c1a7a7349 Revert "Restore spam prevention" 2014-07-17 12:11:23 +01:00
Sebastian Gierlinger
e4e027d17b Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-16 10:00:49 +02:00
Hannah Wolfe
3ff9146d9e Server side cleanup
- remove sessions
- remove all references to csrf
- create a shared base model for the 2 types of token
2014-07-14 21:50:12 +01:00
Sebastian Gierlinger
8c2258dc4c Move setup to API
closes #3136
- moved setup to authentication API
- added `POST /ghost/api/v0.1/authentication/setup` to execute the
setup process
- added `GET /ghost/api/v0.1/authentication/setup` to check if blog is
already set up (needed for #3145)
- removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
Hannah Wolfe
a593cbfb53 Move post slug endpoint & add endpoints for users
closes #3187

- move slug endpoint to post/slug/:slug
- create similar  slug and email endpoint for users
- add/update tests
2014-07-09 16:55:34 +01:00
Sebastian Gierlinger
84cfd529ed Allow user to accept invitation
closes #3081
- added route `/ghost/api/v0.1/authentication/invitation`
- added accept invitation
- added signup with token
- removed check() from users api
- fixed promise in resetPassword()
2014-07-03 17:06:07 +02:00
Sebastian Gierlinger
79a80b67ac Invite user API
closes #3080
- added users.invite() to add user from email with random password
- added `GET /ghost/api/v0.1/users/` to invite users and resend
invitations
- removed one user limit
- added global utils for uid generation
- changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
Hannah Wolfe
f70f99b5cf Replace the old admin with the ember admin
closes #3056

- Remove clientold
- Remove clientold tests
- Cleanup old admin helpers
- Remove old routes from admin and controllers from admin controller
- Comment out / remove old and broken tests
- Cleanup Gruntfile.js, bower.js, package.json etc

Still TODO:

- cleanup / add removed tests
- do we still need countable?
2014-07-01 08:33:17 +01:00
Sebastian Gierlinger
c8e8da4780 oAuth
closes #2759
closes #3027

- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based

Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125

**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
2014-06-30 14:58:10 +02:00
Fabian Becker
72156c7f89 New setup screen for blog installation.
fixes #3072
- Change router to handle /ember/setup/
- Adjust doSignup to also handle setup
- Adjust tests and add new where necessary
- Add setup controller, setup validation, setup route
- Adjust casper emberSetup to handle new setup
2014-06-26 15:31:44 +02:00
Sebastian Gierlinger
1db0431e4d User API changes
closes #2822
- added destroy user method
- added remove user permission
- added API end point for get reset token
- added API end point for reset password
- added API end point for change password
2014-06-20 11:15:01 +02:00
Fabian Becker
2bff35bcc2 Complete moveover to new Notification API format
fixes #2775
- Fix all occurences of notifications.add to use proper API format
2014-06-16 08:07:29 +00:00
Harry Wolff
5d028b72fb Upgrade to Express 4.0
no related issue

- Updates package.json packages, adding express middleware packages
 that have been broken into their own modules

- Updates controllers/frontend.js to use the new Layer object that Express 4.0
 has.  Requires some monkey-patching as the Layer object isn't explicitly
 surfaced, however it should be safe to do.

- Moved the setup of routes into middleware/index.js because they need to
 be added as a middleware function before the 404 and 500 handlers. This is
 no longer possible with the old app.use(app.router) as that has been removed.

- Cleaned up middleware/index.js to make it compatible with Express 4.0.

- Simplified the way themes are activated and enabled when they are activated.
 The new handling is simpler, yet should still cover all the use cases that
 previously existed.

- The entire flow of activating a theme through middleware should be a little
 more centralized, letting it be easier to read and maintain.

- Moved every routes/*.js file to use an individual express.Router() instance.
2014-06-08 17:41:25 -04:00
Hannah Wolfe
9e8e1fa37d Ember redirect to signup
closes #2779

- adds temporary code to redirect the ember admin to signup if a user doesn't exist.
- done serverside as this makes most sense?
2014-06-03 19:21:45 +01:00
Jacob Gable
5abeadf80d Ember Data with Posts
Ref #2699

- Introduce ember data dependency
- Add loadInitializers and refactor most initializers into one combined
- Add Post ember data model
- Refactor generateSlug to use title of post and ghostPaths
- Refactor post controller to not reference model.property everywhere
- Use RESTAdapter for posts, users and tags
- Setup author and tag relations in Post model
- Fix broken API calls by adding CSRF header
- Add initiaizer for csrf value
- Use actual User model for current user initializer
- Add action for setting featured post, test with actual api call
- Fix the sending of UUID's up to the server
- Refactor current-user to use ember-data store
- If a user is preloaded in the application, use pushPayload to put it
in the store
- Do a lookup on the store to get an actual User model for injection
- Fix posts/post controllerName in route/new.js
- Alter signup process to push user into ember data store
2014-05-29 07:42:51 -05:00
Jacob Gable
006aedfb84 Implement signup in Ember
Closes #2410

- Add signup action that posts to signup endpoint
- Fix nav bar showing on signup page
- Fix image link when a user hasn't set their image yet
- Redirect to the ember/signin page if requesting an ember page
2014-05-23 12:17:28 -05:00
Steve
5f7182b7a2 Make cache max-age on theme assets one year.
closes #2790
- Added one year in ms var.
- refs: #2447
2014-05-22 07:55:38 -07:00
Hannah Wolfe
c02ebb0dcf Refactor API arguments
closes #2610, refs #2697

- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
  everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
  to perform reads, updates and deletes where possible - settings / themes
  may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
2014-05-15 10:41:05 +01:00
Sebastian Gierlinger
fd0f5a5028 Add distinct error classes
closes #2690
- added new error classes
- moved errorhandling.js to /errors/index.js
- changed API errors to use new classes
- updated tests
2014-05-09 12:11:29 +02:00
Hannah Wolfe
d1f57a2569 Merge branch 'ember'
Conflicts:
	Gruntfile.js
	core/client/models/post.js
	core/client/models/settings.js
	core/client/models/user.js
	core/client/router.js
	package.json
2014-05-07 22:28:29 +01:00
Jacob Gable
298077582b ACL and strict rules for Settings API
Ref #2061

- Add canThis permission checks to settings api calls
- Add strict rules about accessing core settings without internal: true
- Omit core settings in browse() call unless internal: true
- Update unit tests to call api.settings with contexts
- Add a couple unit tests for new scenarios
- Update all api.settings calls in the app to call with internal context
- Re-arrange permissions.init in server startup so config.theme.update
can access settings without permissions error
2014-05-07 10:56:03 -05:00
Fabian Becker
2a803aecdd Proper endpoints for persistent notifications
closes #2637
- Add new get API route for all notifications
- Wrap API responses to comply with JSON-API
- Add new tests / adjust fixtures
- Adjust all occurences of passive notifications
2014-05-06 00:05:14 +02:00
Sebastian Gierlinger
39e654e9c3 Change error message response
closes #2643
- added error type
- added error property for validations
- wrapped errors in an array
- returns multiple errors for validation
- updated tests and admin
2014-05-05 15:51:21 +02:00
Hannah Wolfe
f2071eedb2 Move user API to primary document format
closes #2593

- added new format to user API methods
- changed all places where the user api was used
- updated tests and added more coverage
- little bit of cleanup in utils/api
2014-05-02 20:50:44 +01:00
Jacob Gable
7e9880ce8d Settings API Primary Document refactor
Closes #2606

- Refactor settings api responses to { settings: [ ] } format
- Update all code using api.settings to handle new response format
- Update test stubs to return new format
- Update client site settings model to parse new format into one object of key/value pairs
- Refactor to include all setting values
- Remove unused settingsCollection method
- Update settingsCache to store all attributes
- Update settingsResult to send all attributes
- Remove unnecessary when() wraps
- Reject if editing a setting that doesn't exist
- Reject earlier if setting key is empty
- Update tests with new error messages
- Use setting.add instead of edit that was incorrectly adding
- Update importer to properly import activePlugins and installedPlugins
- Update expected setting result fields
- Fix a weird situation where hasOwnProperty didn't exist 🤷
2014-04-30 23:15:27 -05:00
Lev Gimelfarb
a013840503 Support for urlSSL config option and forceAdminSSL 403 response
closes #1838
- adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect
- adding `urlSSL` option to specify SSL variant of `url`
- using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified
- dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data)
- using `urlSSL` in a "reset password" email, if specified
- adding unit tests to test `forceAdminSSL` and `urlSSL` options
- created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
2014-04-27 17:01:49 -04:00
Hannah Wolfe
16c8080636 Merge branch 'master' into ember
Conflicts:
	core/client/models/post.js
2014-04-21 18:35:38 +01:00
Sebastian Gierlinger
e47e9c62d0 Add permissions to API
closes #2264
- added permissions check to db, users and posts
- added register method to users
- added doesUserExist method to users
- added user from session to internal calls
- changed permissible to overwrite canThis
- removed action map and action type from permissable method
2014-04-16 18:22:22 +02:00
Hannah Wolfe
c746a88b2e Merge branch 'master' into ember
Conflicts:
	Gruntfile.js
	core/client/assets/lib/showdown/extensions/ghostdown.js
	core/client/views/editor.js
	core/clientold/assets/lib/showdown/extensions/ghostdown.js
	core/shared/lib/showdown/extensions/ghostimagepreview.js
	core/test/unit/showdown_client_integrated_spec.js
	core/test/unit/showdown_ghostimagepreview_spec.js
2014-04-07 22:26:53 +01:00
Matt Enlow
345fe1a6d4 Fixed check for a theme's custom error.hbs:
Closes #2513
- Checks for property `error.hbs` on active theme
- Added unit test to ensure `error` view is rendered when activeTheme has
  a custom error template.
- Removed unused variable, `userErrorTemplatePath` from errorHandler
- Refactored errorHandler.`updateActiveTheme` to take one argument, the new active theme, and to then check if the active theme has an error.hbs
- Changed errorHandler unit test to use rewire for mocking config.
2014-03-29 08:19:51 -06:00
Hannah Wolfe
79a333b480 Merge branch 'master' into ember
Conflicts:
	bower.json
	core/client/views/editor.js
2014-03-16 20:52:44 +00:00
Manuel Mitasch
ca9a23f2d6 Ember.js: Add assets img + css (ember-hacks.css) to ember admin
Closes #2276

- Adds the images to `core/client/assets/img`
- Adds css with ember hacks to `core/client/assets/css`
- Configures middleware to provide assets as static files at url `/ghost/ember`
- Adds ember option to assets helper
- Modifies default-ember.hbs to use ember option on asset helper
- Remove inline style definition in editor.hbs
- Modifies .gitignore to include ember-hacks.css (in ignored `core/client/assets/css` folder)
2014-03-15 00:08:15 +01:00
Fabian Becker
c3417fe090 Serve default robots.txt
closes #2062
- Server robots.txt from theme if available
- Serve default robots.txt from /core/shared/ otherwise
- Added tests for default robots.txt
2014-03-13 21:31:41 +01:00
Hannah Wolfe
31f41822e0 Merge branch 'master' into ember
Conflicts:
	.gitignore
	Gruntfile.js
	bower.json
	core/client/assets/lib/showdown/extensions/ghostdown.js
	core/client/assets/vendor/showdown/extensions/ghostdown.js
	core/client/router.js
	core/clientold/assets/vendor/chart.min.js
	core/clientold/assets/vendor/codemirror/addon/mode/overlay.js
	core/clientold/assets/vendor/codemirror/codemirror.js
	core/clientold/assets/vendor/codemirror/mode/gfm/gfm.js
	core/clientold/assets/vendor/codemirror/mode/gfm/index.html
	core/clientold/assets/vendor/codemirror/mode/gfm/test.js
	core/clientold/assets/vendor/codemirror/mode/markdown/index.html
	core/clientold/assets/vendor/codemirror/mode/markdown/markdown.js
	core/clientold/assets/vendor/codemirror/mode/markdown/test.js
	core/clientold/assets/vendor/countable.js
	core/clientold/assets/vendor/fastclick.js
	core/clientold/assets/vendor/icheck/jquery.icheck.min.js
	core/clientold/assets/vendor/jquery.hammer.min.js
	core/clientold/assets/vendor/nprogress.js
	core/clientold/assets/vendor/packery.pkgd.min.js
	core/clientold/assets/vendor/showdown/extensions/ghostdown.js
	core/clientold/assets/vendor/showdown/showdown.js
	core/clientold/assets/vendor/validator-client.js
	core/test/unit/client_ghostdown_spec.js
	core/test/unit/client_showdown_int_spec.js
2014-03-05 23:10:44 +00:00
Fabian Becker
cd74b0e232 Switch to bower for client assets.
fixes #2272
- Remove libraries from shared/vendor
- Remove libraries from client/assets/vendor
- Add bower to package.json and postinstall
- Add bower.json with dependencies
- Add scripts from bower_components to concat/uglify
- Fix tests
- Serve jquery from /ghost/built/theme/
2014-03-04 20:09:26 +00:00
Fabian Becker
1a9e91f120 Replace JSLint with JSHint.
closes #2277
- Added ES6 linting to core/client/
- Fix typeof array comparison
2014-03-04 15:47:39 +00:00
Brian White
a2074d310c Update busboy to v0.2.3 2014-03-01 20:37:15 -05:00
Sebastian Gierlinger
7155d95f9d Add JSON API tests & cleanup
first 10 % of #2124
- added initial version of JSON API tests
- renamed error.errorCode to error.code
- renamed tags.all to tags.browse for consistency
2014-02-28 22:26:03 +00:00
Hannah Wolfe
bee58922b2 Rename client -> clientold
issue #2271

- should allow development of new admin UI whilst still having access to the old ui
2014-02-27 00:52:04 +00:00
Hannah Wolfe
aa15b464c8 /ghost/reset/* should not redirect to signin
fixes #2257
2014-02-25 10:44:16 +00:00
Michael Bradshaw
b410f5833b Respect subdirectory in authenticate middleware 2014-02-20 09:46:20 -07:00
Sebastian Gierlinger
ea6c601b01 Improvements for models
#closes #1655
- removed models as parameter for bookshelf-session
- changed to read permittedAttributes from schema.js
- changed updateTags to be executed at saved event
- added validate to execute after saving event
- added test for published_at = null (see #2015)
- fixed typo in general.hbs
2014-02-19 14:57:26 +01:00
Hannah Wolfe
e81924282c Merge pull request #2190 from sebgie/issue#2171
Make session expiry less arsey
2014-02-18 22:05:44 +00:00
Sebastian Gierlinger
d3c641ea31 Make session expiry less arsey
closes #2171
- added authentication middleware
- removed authentication from routes
- moved authentication before CSRF validation
- moved caching rules before authentication
- changed/added test
2014-02-14 11:00:11 +01:00
Fabian Becker
691e9e773b Add logging config option
closes #2103
- Deactivate logging for testing environments
- Override logging with settings from config
2014-02-10 21:07:11 +00:00
Harry Wolff
f16dc290b7 Improve bootstrap flow of a Ghost application
addresses #1789, #1364

- Moves ./core/server/loader -> ./core/bootstrap.
The bootstrap file is only accessed once during startup,
and it’s sole job is to ensure a config.js file exists
(creating one if it doesn’t) and then validates
the contents of the config file.

Since this is directly related to the initializing 
the application is is appropriate to have 
it in the ./core folder, named bootstrap as that
is what it does.

This also improves the dependency graph, as now
the bootstrap file require’s the ./core/server/config
module and is responsible for passing in the validated
config file.

Whereas before we had ./core/server/config
require’ing ./core/server/loader and running its
init code and then passing that value back to itself,
the flow is now more straight forward of
./core/bootstrap handling initialization and then
instatiation of config module

- Merges ./core/server/config/paths into 
./core/server/config
This flow was always confusing me to that some config
options were on the config object, and some were on
the paths object.

This change now incorporates all of the variables
previously defined in config/paths directly
into the config module, and in extension,
the config.js file.

This means that you now have the option of deciding
at startup where the content directory for ghost
should reside.

- broke out loader tests in config_spec to bootstrap_spec

- updated all relevant files to now use config().paths

- moved urlFor and urlForPost function into 
 ./server/config/url.js
2014-02-07 17:34:21 -05:00
John-David Dalton
6eab7b3f92 Replace underscore with lodash. 2014-02-06 14:08:34 +00:00
Hannah Wolfe
be9afc439c Merge branch '0.4-maintenance' 2014-01-28 09:25:38 +00:00
Lev Gimelfarb
6cf586aae6 Fix error page resources loading when forceAdminSSL is true
closes #1837
- moved admin theme static resource service above 'checkSSL', otherwise
  when forceAdminSSL is true it will try to redirect them to HTTPS, and
  error pages will be unstyled
2014-01-27 21:57:58 +00:00
Lev Gimelfarb
1df6ac3b94 Detect SSL connection whether or not behind a proxy
closes #1836
- adding server.enable('trust proxy') to let connect framework do the work
  of detecting X-Forwarded-Proto header
- replacing explicit checking for the X-Forwarded-Proto header with just
  'req.secure' boolean check
2014-01-27 21:55:32 +00:00
Hannah Wolfe
199a92d9cb Merge branch '0.4-maintenance'
Conflicts:
	core/server/config/paths.js
	core/test/unit/config_spec.js
2014-01-26 16:11:02 +00:00
Hannah Wolfe
6ec7c42947 Start up safely when the activeTheme is not present
fixes #2000

- resolves errors when attempting to start Ghost without the active theme present
- the frontend will render a 500 error page safely
- issues with themes that have an error template are resolved separately in #2018
2014-01-24 22:14:56 +00:00
Hannah Wolfe
f185a5d616 General cleanup
- Cleanup some todos, comments, and unused variables
2014-01-19 21:08:39 +00:00
Joel Rosenberg
6437f343c1 Including theme partials in a way that supports symbolically linked directories
closes #1937
 - using fs.stat() instead of hasOwnProperty() to test for directory existence
2014-01-14 11:43:23 -08:00
Hannah Wolfe
3dea6431df Ensure cookies are only ever set for admin
fixes #1901

- Adds a trailing slash to the cookie path
- Resolves random log-outs
- Adds a test which proves the case
2014-01-12 17:08:48 +00:00
Sebastian Gierlinger
6220bd19f5 Use ajax for import
closes #1854
- added blueimp file upload to debug.js
- changed POST /ghost/api/v0.1/db to be used with AJAX
- cache invalidation header should now work for import
- moved busboy middleware invocation to routes/api and routes/admin
- moved api.db.import to api.db.importContent (I hated the [] notation)
- moved api.db.export to api.db.exportContent (see above)
2014-01-06 22:55:43 +00:00
Hannah Wolfe
f17b320a7b ghost-busboy improvements
- use hex instead of base64 as this can cause errors when trying to reopen the file due to characters like '/' appearing
- added basic console log to errors.
2014-01-06 22:39:03 +00:00
Sean Hellwig
1640d9bc35 Unique filenames for tmp files in ghost-busboy
fixes #1843

- uses a timestamp and an md5 hash of the filename for the tmp file
  instead of the user-provided filename
2014-01-06 16:03:29 +00:00
Hannah Wolfe
af6137248d New URL helper - URL consistency fixes
fixes #1765
fixes #1811
issue #1833

New UrlFor functions

- moved body of url helper to config.path.urlFor, which can generate a URL for various scenarios
- urlFor can take a string (name) or object (relativeUrl: '/') as the first
  argument - this is the first step towards issue #1833
- also added config.path.urlForPost which is async and handles getting
  permalink setting
- frontend controller, ghost_head helper, cache invalidation all now use
  urlFor or urlForPost all urls should be correct and consistent

URL Consistency Improvements

- refactored invalidateCache into cacheInvalidationHeader which returns a
  promise so that url can be generated properly by urlForPost
- moved isPost from models to schema, and refactored schema to have a tables object
- deleted posts now return the whole object, not just id and slug,
  ensuring cache invalidation header can be set on delete
- frontend controller rss and archive page redirects work properly with subdirectory
- removes {{url}} helper from admin and client, and replaced with adminUrl
  helper which also uses urlFor
- in res.locals ghostRoot becomes relativeUrl, and path is removed
2014-01-06 15:15:48 +00:00
Hannah Wolfe
495b7b7f05 Error handling simplification & test improvements
fixes #1266

- simplifies the check for if a theme has an error template
- adds more / better tests for error handling
2014-01-02 21:03:37 +00:00
Hannah Wolfe
1925fa0196 Cache control headers & query string asset management
closes #1470
issue #1405

- added cache control middleware
- added defaults for all routes, assets, etc
- updated asset helper to add a query string with a timestamp hash to all assets
- added unit tests for asset and ghostScriptTags helpers
- added cache-control checks to route tests
2014-01-02 12:14:33 +00:00
remixz
14750e0d2a Fix live theme switching not working on subdirectories
Closes #1770
- Previously, the middleware would check that the route on the stack was an empty string, which worked when there was no subdirectories
- When subdirectories were added, the proper route was only set when
  updating the theme
- Because it was only set when updating, this explains themes working on
  initial load, since the stack location was looking for an empty
  string, which is what the middleware was initialized with
- However, once a new theme was set, it was still look for an empty
  string, which would never exist, which caused the issue
- Now, the route is properly set on initialization of the middleware,
  and then the `config.paths().subdir` property is used for the check
2013-12-28 15:08:57 -08:00
Hannah Wolfe
755ad934bf Path, url and subdir cleanup & test
issue #1754

- remove path (it was only used once, and not needed)
- change webroot to subdir
- add unit tests for config.paths
- various other cleanup
- renamed client-side ghostRoot to subdir
- added url helper for client
2013-12-28 16:09:56 +00:00
Sebastian Gierlinger
691c8cd5a9 Delete all content (posts and tags)
closes #1445
- added delete button to ‚ugly debug tools‘
- added api call to delete all content
- added /db to cache invalidation routes
2013-12-25 01:05:20 +01:00
Michael Bradshaw
7ee3235a68 Don't use unnecessary (and unescaped) regex
closes #1731
2013-12-21 16:32:57 -07:00
Sebastian Gierlinger
17225d4928 Set cookie secure flag
closes #1680
- added secure flag for cookies if SSL is forced
2013-12-21 20:18:13 +00:00
Fabian Becker
c81c43a96a Complete subdir support.
fixes #527
- Fix image upload in backend
- Use config.paths().webroot where necessary
2013-12-21 19:43:58 +00:00
William Dibbern
bf7692b151 Switch from multipart to busboy
Fixes #1227

- Removed deprecated `multipart` references.
- Setup `busboy` to pass along file streams and do a naive parse of form
values.
- Updated logic in file storage and db import to handle file streams
instead of the temporary files created by `multipart`.
2013-12-17 17:24:30 -06:00
Hannah Wolfe
1c52e3a980 Merge pull request #1636 from hswolff/standardize-path-access
Standardize file path access throughout ghost
2013-12-15 06:42:34 -08:00
Hannah Wolfe
db362b30cd Bug fixes, undefined should not be a string 2013-12-15 11:36:01 +00:00
Patrick Garman
a914077145 Add Force SSL Configuration/Middleware
Solves #1300
- Adds forceAdminSSL bool config value
- Adds checkSSL middleware
- Adds redirectSSL helper function
2013-12-15 10:01:02 +00:00
Hannah Wolfe
409cc34c1d Merge pull request #1651 from hswolff/issue-1645
Update config.theme() after every settings edit
2013-12-13 15:05:18 -08:00
Harry Wolff
9090764052 Standardize file path access throughout ghost
resolves #1390

update all string based references to file paths
to use the ./core/server/config/paths file
so that it is the single source of truth
2013-12-12 21:27:07 -05:00
Seb Gotvitch
fef9b4be25 Bug fixes for partial views
closes #1203
- Update express-hbs module to the new version (0.5.2)
- Use two instance of hbs one for the theme and an other for the admin
- Template helpers are register as partial view
- Partial views of the theme are reload when the theme changed

Remove clear partial cache in handlebars

This code will be move in `express-hbs`.
This doesn't cause a problem to remove this line but it is not clean.

Remove unused hbs instance

Resolve conflict
2013-12-12 12:11:02 -05:00
Harry Wolff
058b82bba1 Update config.theme() after every settings edit
fixes #1645

- removes server.get('ghost root') as it is only an alias
to config.paths().path, and adds unnecessary indirection
- removes config.theme().path as its just an alias to
config.paths().path, updated all relevant references
- update config.theme.update to only require the api/settings object,
and no longer need the config object
- modify api/settings.edit to call config.theme.update so that
the themeObject is ready for next rendering of template
2013-12-12 08:25:08 -05:00
Harry Wolff
c8c02a65fa Remove ghost.js
fixes #1575
- Moves most code that was in ghost.js into ./core/server/index.js
- Creates ./core/server/config/theme.js to hold all theme configurations 
(which previously lived on ghost.blogGlobals())
- Removed ghost.server, passing it in as an argument where needed 
and allowing middleware to hold onto a reference for lazy use.
2013-12-07 10:10:02 -05:00
Sebastian Gierlinger
078f464197 remove ghost.settings and ghost.notifications
covers 90% of #755
- moved ghost.settings to api.settings
- moved ghost.notifications to api.notifications
- split up api/index.js to notifications.js, posts.js, settings.js,
tags.js and users.js
- added instance.globals as temp workaround for blogglobals (Known
issue: blog title and blog description are updated after restart only)
- added webroot to config() to remove `var root = ...`
- changed `e` and `url` helper to async
- updated tests
2013-12-06 09:51:35 +01:00
Hannah Wolfe
dedc5d9239 Update activeTheme path on theme switch
fixes #1583

- the active theme path wasn't getting updated when we were switching theme
2013-11-28 16:10:34 +00:00
Hannah Wolfe
7b2bf5b98c Merge pull request #1577 from halfdan/527-subdir-admin
Fix Admin interface with sub directories
2013-11-28 05:14:23 -08:00
Harry Wolff
89154ad997 Restore support for using ghost as a npm module fixes #1326 2013-11-27 17:39:14 +00:00
Fabian Becker
dcd3b192c1 Subdir support for admin interface
refs #527
2013-11-27 09:57:38 +00:00
Sebastian Gierlinger
e95b592028 Remove cookie from Frontend
closes #1437
closes #1472

- changed cookie to path:'/ghost'
- added conditional CSRF middleware
- added redirects for signup, signin, signout to /ghost/sign*/
2013-11-26 10:38:54 +01:00
Hannah Wolfe
330722efdc Merge pull request #1535 from hswolff/create-config-module
Create config module to standardise getting paths and abs URLs
2013-11-25 14:03:29 -08:00
Hannah Wolfe
b7a8ea5945 Merge pull request #1565 from ErisDS/redirect-fixes
Putting back relative redirects
2013-11-25 13:57:07 -08:00
Harry Wolff
b920662790 Create the config module, initially used
to standardise getting paths and absolute URLs.  Easy
to extend for other configurations we may need.
2013-11-25 16:35:16 -05:00
Hannah Wolfe
5ad2d6178b Putting back relative redirects
issue #1523

- also added some comments to indicate the difference between the two custom middleware files.
2013-11-25 21:00:27 +00:00
ali
7946431b8d Issue #1556 - Fix meta_title is undefined
Closes #1556 and #1530

This should also fix meta_description in #1530 as well as the other bug that is not
filed for body_class
2013-11-25 13:47:56 +00:00
Fabian Becker
e210e75e97 Install in sub-directory support.
refs #527
2013-11-24 21:11:34 +00:00
Sebastian Gierlinger
3f2258e95b Replace cookieSession with session
- changed cookieSession to session
- added session.regenerate for login and logout
- added bookshelf session store
- added session table to database
- added import for databaseVersion 001
- added grunt task test-api
- cleanup of gruntfile to start express when needed only
- moved api tests to functional tests
2013-11-24 15:29:36 +01:00
Harry Wolff
985a23f446 Move server middleware configuration to related file 2013-11-19 21:05:57 -05:00