Commit Graph

83 Commits

Author SHA1 Message Date
Sebastian Gierlinger
c62d7ba43e Improve spam prevention
closes #3544
- limit forgotten password requests to five requests per IP per hour
for different email addresses
- limit forgotten password requests to five requests per email address
- limit signin requests to ten failed requests per IP per hour
- removed special treatment for tests
2014-08-05 12:58:58 +02:00
Sebastian Gierlinger
3792598a31 Update spam prevention
closes #3468
- added rate limit to deny more than 5 attempt every hour
- updated spam prevention to be configurable
- added config values spamTimeout, ratePeriod, rateAttempts
- added ratePeriod:1 to config.example.js to prevent functional tests
from hitting the rate limit
- commented spam test, I’ll fix it tomorrow
2014-08-01 00:58:32 +02:00
Sebastian Gierlinger
ded6aa6ac0 Transfer ownership end point
closes #3426
- added transfer ownership endpoint
- added owner to roles.permissible
- manually removed owner from roles.browse
- removed hard coded author role
- fixed tests that were passing due to hard coded author role
- added testUtils.setup(‚roles‘)
2014-07-30 17:40:30 +02:00
Sebastian Gierlinger
e1c0c5ce98 Change refresh token expiry
no issue
- acquiring a new access token using a refresh token sets the
expiration time of the refresh token to now + 24 hrs.
- moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to
`core/server/utils`
2014-07-28 15:19:49 +02:00
Harry Wolff
be37070fb6 This aims to speed up both the ghost application and tests by
migration from usage of config() to just an object of config.

no relevant issue

- Change 'loadConfig' task to 'ensureConfig' to more accurately reflect
what it is actually doing.  Its sole purpose is to make sure a `config.js`
 file exists, and as such the name now reflects that purpose.

- Update config/index.js to export the ghostConfig object directly
so that it can be accessed from other modules

- Update all references of config(). to config.
This was a blind global find all and replace, treat it as such.

- Fixes to tests to support new config access method

- Allow each test to still work when invoked invidually
2014-07-22 22:37:44 -04:00
Hannah Wolfe
c0732292ac Merge pull request #3331 from ErisDS/issue-3076
Author pages
2014-07-21 20:57:06 +01:00
Gabor Javorszky
80f9023020 Added /roles/ API endpoint
Closes #3196

* adds `/roles/` endpoint
* is given the current user as context
* wraps everything in a canthis.browse.role
* gets all the available roles (should "Owner" be filtered out?)
* optional parameter: `permission=assign`. Gets all roles authenticated user could assign
* if we're not signed in, gives a "please sign in" (standard) error
* if we're signed in, but user is not in the context, gives a "there was no user in the context" error
* if the user is an "Author", gives a "there are no available roles to assign" error
* implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available)
* added extra fixtures to `permissions.json`. Might need a migration.

Caveats:

* there are no tests
* for some reason the setup functional test was failing for me locally
2014-07-21 15:02:25 +01:00
Hannah Wolfe
2d01e15a18 Author pages
refs #3076

- This is a first draft implementation, just to make it work so that we can get casper working
2014-07-20 17:49:19 +01:00
Sebastian Gierlinger
42f461cb6d Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-17 14:22:07 +02:00
Hannah Wolfe
5c1a7a7349 Revert "Restore spam prevention" 2014-07-17 12:11:23 +01:00
Hannah Wolfe
ef8c280635 Merge pull request #3282 from sebgie/issue#3128
Restore spam prevention
2014-07-16 19:39:32 +01:00
Sebastian Gierlinger
e4e027d17b Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-16 10:00:49 +02:00
Hannah Wolfe
34a0c42834 Merge pull request #3276 from sebgie/issue#3252
Move image upload to API
2014-07-15 18:09:32 +01:00
Sebastian Gierlinger
2957b0175e Move image upload to API
closes #3252
- added `/ghost/api/v0.1/uploads/` endpoint
- removed upload method from `controller/admin.js`
- moved removal of temporary files from storage to endpoint (needed to
account for failed uploads)
- changed and moved tests
- Oversight: I think that we use `.otherwise()` and `.catch()` a bit
too extensive and mask the real error objects. We probably need an
error handling strategy at some point in the future.
2014-07-15 12:40:14 +02:00
Hannah Wolfe
3ff9146d9e Server side cleanup
- remove sessions
- remove all references to csrf
- create a shared base model for the 2 types of token
2014-07-14 21:50:12 +01:00
Sebastian Gierlinger
8c2258dc4c Move setup to API
closes #3136
- moved setup to authentication API
- added `POST /ghost/api/v0.1/authentication/setup` to execute the
setup process
- added `GET /ghost/api/v0.1/authentication/setup` to check if blog is
already set up (needed for #3145)
- removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
Sebastian Gierlinger
215badc663 Setup hijacks owner user
closes #3074
- user generated by fixture is hijacked
- user is updated with name, email, password, slug and status
- creates new user if db is migrated but no user exists
- previously removed tests are back
2014-07-10 19:29:51 +02:00
Jordan Sexton
66ae7e5669 Removed duplicative and unreferenced resources section 2014-07-09 18:48:00 -05:00
Hannah Wolfe
a593cbfb53 Move post slug endpoint & add endpoints for users
closes #3187

- move slug endpoint to post/slug/:slug
- create similar  slug and email endpoint for users
- add/update tests
2014-07-09 16:55:34 +01:00
Sebastian Gierlinger
84cfd529ed Allow user to accept invitation
closes #3081
- added route `/ghost/api/v0.1/authentication/invitation`
- added accept invitation
- added signup with token
- removed check() from users api
- fixed promise in resetPassword()
2014-07-03 17:06:07 +02:00
Sebastian Gierlinger
79a80b67ac Invite user API
closes #3080
- added users.invite() to add user from email with random password
- added `GET /ghost/api/v0.1/users/` to invite users and resend
invitations
- removed one user limit
- added global utils for uid generation
- changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
Hannah Wolfe
f70f99b5cf Replace the old admin with the ember admin
closes #3056

- Remove clientold
- Remove clientold tests
- Cleanup old admin helpers
- Remove old routes from admin and controllers from admin controller
- Comment out / remove old and broken tests
- Cleanup Gruntfile.js, bower.js, package.json etc

Still TODO:

- cleanup / add removed tests
- do we still need countable?
2014-07-01 08:33:17 +01:00
Sebastian Gierlinger
c8e8da4780 oAuth
closes #2759
closes #3027

- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based

Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125

**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
2014-06-30 14:58:10 +02:00
Jason Williams
2356692fe3 Fix mail test send endpoint
Closes #3071
-Refactor api.mail.sendTest to take a "to:" parameter.
-Inject recipient address into the mail api's sendTest method
 from the route handler.
2014-06-26 22:00:31 +00:00
Fabian Becker
72156c7f89 New setup screen for blog installation.
fixes #3072
- Change router to handle /ember/setup/
- Adjust doSignup to also handle setup
- Adjust tests and add new where necessary
- Add setup controller, setup validation, setup route
- Adjust casper emberSetup to handle new setup
2014-06-26 15:31:44 +02:00
Sebastian Gierlinger
1db0431e4d User API changes
closes #2822
- added destroy user method
- added remove user permission
- added API end point for get reset token
- added API end point for reset password
- added API end point for change password
2014-06-20 11:15:01 +02:00
Harry Wolff
5d028b72fb Upgrade to Express 4.0
no related issue

- Updates package.json packages, adding express middleware packages
 that have been broken into their own modules

- Updates controllers/frontend.js to use the new Layer object that Express 4.0
 has.  Requires some monkey-patching as the Layer object isn't explicitly
 surfaced, however it should be safe to do.

- Moved the setup of routes into middleware/index.js because they need to
 be added as a middleware function before the 404 and 500 handlers. This is
 no longer possible with the old app.use(app.router) as that has been removed.

- Cleaned up middleware/index.js to make it compatible with Express 4.0.

- Simplified the way themes are activated and enabled when they are activated.
 The new handling is simpler, yet should still cover all the use cases that
 previously existed.

- The entire flow of activating a theme through middleware should be a little
 more centralized, letting it be easier to read and maintain.

- Moved every routes/*.js file to use an individual express.Router() instance.
2014-06-08 17:41:25 -04:00
Hannah Wolfe
42af74b073 Merge pull request #2877 from jaswilli/2866-slugs
Update slug API to work with additional types
2014-06-05 13:43:46 +01:00
Jason Williams
bb4a0a3540 Update slug API to work with additional types
Closes #2866
-update slug API to handle users and apps in addition to
 posts and tags
-update existing tests
-add new functional tests for slug endpoint on http api
2014-06-04 05:54:03 +00:00
Hannah Wolfe
9e8e1fa37d Ember redirect to signup
closes #2779

- adds temporary code to redirect the ember admin to signup if a user doesn't exist.
- done serverside as this makes most sense?
2014-06-03 19:21:45 +01:00
Maurice Williams
6fda048827 refreshless user logout
fixes #2842
- new Ember route for signout
- new API route to allow async signout
2014-06-02 17:12:02 -04:00
Jason Williams
503c407090 Clean up routes. Use new slug endpoint in admin.
refs #2814
-removed route /posts/slug/:title due to API change
-changed admin to use new slug endpoint
-removed duplicate notifications routes
2014-05-28 03:59:06 +00:00
lennerd
bebafdc9a9 Refactore slug API for generating tag and post slugs.
Closes #2601
- Removed slug generation from the post API
- Added new, self-contained slug API
- Fixed slug permissions in the fixtures files
- Added a HTTP route for the new API method
- Added integrational tests
2014-05-26 10:07:05 +02:00
Hannah Wolfe
c02ebb0dcf Refactor API arguments
closes #2610, refs #2697

- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
  everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
  to perform reads, updates and deletes where possible - settings / themes
  may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
2014-05-15 10:41:05 +01:00
Fabian Becker
628654961a Implements new Themes JSON API
closes #2592
- Add themes browse/read endpoint
- Add new permissions for themes (only admin by default)
- Add integration tests
2014-05-14 11:23:42 +02:00
Hannah Wolfe
d1f57a2569 Merge branch 'ember'
Conflicts:
	Gruntfile.js
	core/client/models/post.js
	core/client/models/settings.js
	core/client/models/user.js
	core/client/router.js
	package.json
2014-05-07 22:28:29 +01:00
Fabian Becker
2a803aecdd Proper endpoints for persistent notifications
closes #2637
- Add new get API route for all notifications
- Wrap API responses to comply with JSON-API
- Add new tests / adjust fixtures
- Adjust all occurences of passive notifications
2014-05-06 00:05:14 +02:00
Jason Williams
4b46d85c26 Redirect from admin editor to frontend post view
closes #2628
- added /view/ route to the editor. if /view/ is appended to
  the url of a post being edited a redirect to the frontend
  will occur
- updated controller to check for /view/ and built the
  correct url for the post
- added test for the new route
2014-05-01 01:50:24 +00:00
Hannah Wolfe
16c8080636 Merge branch 'master' into ember
Conflicts:
	core/client/models/post.js
2014-04-21 18:35:38 +01:00
Peter Szel
2433116cc6 Added email sending endpoint to the API.
closes #2550

- Added new API module named 'mail'
- Added routes for the mail endpoint
- Added 'send a test email' button to the debug settigns page
- Added handler to this button which sends and AJAX request to the mail API endpoint
2014-04-09 23:56:21 +02:00
Hannah Wolfe
c746a88b2e Merge branch 'master' into ember
Conflicts:
	Gruntfile.js
	core/client/assets/lib/showdown/extensions/ghostdown.js
	core/client/views/editor.js
	core/clientold/assets/lib/showdown/extensions/ghostdown.js
	core/shared/lib/showdown/extensions/ghostimagepreview.js
	core/test/unit/showdown_client_integrated_spec.js
	core/test/unit/showdown_ghostimagepreview_spec.js
2014-04-07 22:26:53 +01:00
Hannah Wolfe
7e95b4d291 Merge pull request #2439 from sebgie/move-slug
Rename getSlug to slug
2014-03-28 17:12:55 +00:00
Hannah Wolfe
13b65cecb9 Redirect feed -> rss
closes #2261

- reserved 'feed' in the list of reserved keywords for slugs
- added a 301 redirect from /feed/ to /rss/
- added a route test, and realised that standard express redirects don't get the right headers
- fixed the headers across all 301 redirects & added tests for the admin redirects
- removed the redirect from /ghost/login/ to /ghost/signin/ as this happens automatically if you're logged out, and isn't very useful if you're logged in as it just redirects again to /ghost/
2014-03-24 09:46:39 +00:00
Sebastian Gierlinger
22bbf57830 Rename getSlug to slug
another 2 % of #2124
- renamed `/ghost/api/v0.1/posts/getSlug/ to
`/ghost/api/v0.1/posts/slug/`
- renamed method getSlug to generateSlug
2014-03-18 14:00:33 +01:00
Hannah Wolfe
79a333b480 Merge branch 'master' into ember
Conflicts:
	bower.json
	core/client/views/editor.js
2014-03-16 20:52:44 +00:00
Harry Wolff
3296a3a41c Flesh out more of the Ember admin
no issue

- this ports over screens from old admin to
 allow people to begin working on aspects of the screen

- All logged out screens have been imported: Signup, Signin,
 Forgotten password, reset password

- Those screens are now ready for behavior to be ported over

- This also updates templates to be more in line with how they were
 in the old admin

- Littered through the code are @TODO comments of functionality that is
 missing and will need to be resolved before this is production ready

- Also scaffolds out the settings screen and every tab
2014-03-16 16:01:56 -04:00
Johan Stenehall
4556e1df0a Rss support for tags
closes #2260
- added routes for /tag/:slug/rss and /tag/:slug/rss/:page
- added support for tag in the rss controller
- added route tests for each extra case
- fixing a tiny typo in some test descriptions
2014-03-13 00:12:41 +01:00
Harry Wolff
9983e05535 Add HTML5 pushState support for Ember
- also updates associated route
2014-03-09 20:57:13 -04:00
Hannah Wolfe
31f41822e0 Merge branch 'master' into ember
Conflicts:
	.gitignore
	Gruntfile.js
	bower.json
	core/client/assets/lib/showdown/extensions/ghostdown.js
	core/client/assets/vendor/showdown/extensions/ghostdown.js
	core/client/router.js
	core/clientold/assets/vendor/chart.min.js
	core/clientold/assets/vendor/codemirror/addon/mode/overlay.js
	core/clientold/assets/vendor/codemirror/codemirror.js
	core/clientold/assets/vendor/codemirror/mode/gfm/gfm.js
	core/clientold/assets/vendor/codemirror/mode/gfm/index.html
	core/clientold/assets/vendor/codemirror/mode/gfm/test.js
	core/clientold/assets/vendor/codemirror/mode/markdown/index.html
	core/clientold/assets/vendor/codemirror/mode/markdown/markdown.js
	core/clientold/assets/vendor/codemirror/mode/markdown/test.js
	core/clientold/assets/vendor/countable.js
	core/clientold/assets/vendor/fastclick.js
	core/clientold/assets/vendor/icheck/jquery.icheck.min.js
	core/clientold/assets/vendor/jquery.hammer.min.js
	core/clientold/assets/vendor/nprogress.js
	core/clientold/assets/vendor/packery.pkgd.min.js
	core/clientold/assets/vendor/showdown/extensions/ghostdown.js
	core/clientold/assets/vendor/showdown/showdown.js
	core/clientold/assets/vendor/validator-client.js
	core/test/unit/client_ghostdown_spec.js
	core/test/unit/client_showdown_int_spec.js
2014-03-05 23:10:44 +00:00
Sebastian Gierlinger
7155d95f9d Add JSON API tests & cleanup
first 10 % of #2124
- added initial version of JSON API tests
- renamed error.errorCode to error.code
- renamed tags.all to tags.browse for consistency
2014-02-28 22:26:03 +00:00