Commit Graph

6365 Commits

Author SHA1 Message Date
Katharina Irrgang
d0687da3a3
Bumped major test dependencies (#10403)
refs #9389

- eslint@5.12.1, eslint-plugin-ghost@0.1.0, grunt-contrib-clean@2.0.0, grunt-contrib-uglify@4.0.0, grunt-eslint@21.0.0, grunt-mocha-cli@4.0.0, grunt-shell@3.0.1, mocha@5.2
.0, nock@10.0.6, rewire@4.0.1

All of them dropped Node v4. I was not able to find any other big breaking changes, which affect us right now.
2019-01-21 18:28:44 +01:00
Katharina Irrgang
fb044e6d88
Bumped sinon from 4.4.6 to 7.3.2 (#10400)
refs #9389

- https://github.com/sinonjs/sinon/blob/master/CHANGELOG.md

Breaking changes for Ghost:

- no need to create a sandbox anymore, each file get's it's own sandbox
- just require sinon and use this sandbox
- you can still create separate sandboxes with .createSandbox
- reset single stubs: use .resetHistory instead of .reset

This is a global replace for any sandbox creation.

---

From https://sinonjs.org/releases/v7.2.3/sandbox/

> Default sandbox
> Since sinon@5.0.0, the sinon object is a default sandbox. Unless you have a very advanced setup or need a special configuration, you probably want to just use that one.
2019-01-21 17:53:44 +01:00
Nazar Gargol
c3e22b6ab9 🐛 Fixed forced page filter not being respected in Content API
closes https://github.com/TryGhost/Ghost/issues/10395, https://github.com/TryGhost/Ghost/issues/10390

- The grouping was introduced due to a flasy conjunction of last filter in 'or' group with enforced page filter, due to this the rest of filters in the 'or' group were bypassed
- Additional grouping added here increases the possiblity of https://github.com/NexesJS/NQL-Lang/issues/7 bug happening
2019-01-21 13:26:45 +00:00
Katharina Irrgang
3df763009e
Added quick fix to handle integration upserts for x_by columns (#10295)
refs #10286

- this is just a hotfix for v0.1
- we keep the x_by fields for now and deprecate them
- as soon as an integration updates/inserts a resource, we just store the owner ID
- we currently work on a new concept for v2
- v2 no longer exposes or uses x_by, see https://github.com/TryGhost/Ghost/pull/10294
- we need to iterate on this change, because we currently use the naming `context.api_key_id` in the auth/API layer
2019-01-21 12:41:45 +01:00
Dexter Leng
da71b61bcf 🐛Deleted associated roles_users rows when user is destroyed (#10243)
closes #8843
2019-01-21 12:36:13 +01:00
Katharina Irrgang
a927aecc3f
🐛 Fixed prev_next helper when using Content API v2 (#10397)
closes #10389
2019-01-21 11:48:18 +01:00
Fabien O'Carroll
6f87f2af93 Fixed img_url to work with protocol relative urls
closes #10391

- We use "relative protocol" urls for gravatar images, which were
  incorrectly getting treated as relative path urls.

- Refactored getBlogUrl calls into const
2019-01-21 11:41:23 +01:00
kirrg001
26d0f48561 Renamed getValidAdminKey to getValidAdminToken for admin api v2 test area
no issue
2019-01-18 19:11:51 +01:00
kirrg001
1126997244 Added easy way to enable admin api key authentication
refs #9865

- small refactoring to make both session and admin api key handling similar
- admin api key authentication is still disabled, but easy to enable
- added proof test how to authenticate using admin api keys
2019-01-18 18:57:58 +01:00
kirrg001
4f7783939d Fixed lint
no issue
2019-01-18 18:03:15 +01:00
kirrg001
e90148e7c3 Switched to use new implementation of authorizeAdminApi
refs #9865

- see code comments
2019-01-18 17:54:08 +01:00
kirrg001
de7ba3cd85 Corrected content api test key
no issue

- we reduced the key length
2019-01-18 17:54:08 +01:00
kirrg001
fbe2829b93 Added test helper for admin api v2: getValidAdminKey
no issue
2019-01-18 17:54:08 +01:00
kirrg001
f82bb07534 Added empty lines and reduces line length in auth authorize
no issue

- improves readability
2019-01-18 17:54:08 +01:00
kirrg001
3f758c6a0a Protected against empty admin api key
refs #9865
2019-01-18 17:54:04 +01:00
kirrg001
1b5b95e198 Renamed authenticateAdminApiKey to authenticate for admin api key auth
refs #9865

- the outer authentication layer wants a consistent interface of each authentication package
  - admin.authenticate
  - session.authenticate

- furthermore, there is no need to put the full feature into the exposed function name
2019-01-18 17:30:07 +01:00
kirrg001
462865981e Updated admin api key authentication to expect api key id in payload
refs #9865

- see https://github.com/TryGhost/Ghost/blob/2.11.1/core/server/lib/members/index.js#L52
- consistency
2019-01-18 17:22:19 +01:00
Fabien O'Carroll
1c56221d80 Added API Key auth middleware to v2 Admin API (#10006)
refs #9865

- Added `auth.authenticate.authenticateAdminApiKey` middleware
  - accepts signed JWT in an `Authorization: Ghost [token]` header
  - sets `req.api_key` if the token is valid
- Updated `authenticatePrivate` middleware stack for v2 admin routes
2019-01-18 12:45:06 +00:00
Fabien O'Carroll
809a167a55 Updated permissible methods for hasApiKeyPermissions (#9970)
refs #9865

This updates all current permissible methods to use the new function
signature which includes the hasApiKeyPermissions parameter. It also
makes sure that the hasApiKeyPermissions argument is taken into account
whenever checking before returning a resolved promise.

To be continued. This is just a tiny part of the big picture. None of these changes are fully committed to stay as they are.
2019-01-18 13:39:53 +01:00
kirrg001
873d63dc5d Fixed unit test: services/permissions/parse-context_spec.js
no issue
2019-01-18 13:16:28 +01:00
kirrg001
2c7c72cd9f Fixed travis
no issue

- caused by fc73cd71bb
- breaks the content API access
2019-01-18 13:05:39 +01:00
Fabien O'Carroll
fc73cd71bb Updated permissions service to handle api keys (#9967)
refs #9865

- Enabled the permissions module to lookup permissions based on an api_key id.
- Updated the "can this" part of the permissions service to load permissions for any api key in the context, and correctly use that to determine whether an action is permissible. It also updates the permissible interface that models can implement to pass in the hasApiKeyPermissions param.
2019-01-18 11:17:11 +00:00
Fabien O'Carroll
42a1313bff
Removed members internal app (#10379)
no-issue

* Mounted members static router directly to parentApp

* Removed members internal app
2019-01-17 12:03:40 +01:00
Hannah Wolfe
909f9012ed
Updated docs links to best equivalents (#10386)
* Updated docs links to best equivalents
   - Our documentation has been overhauled, this updates the all the old links sprinkled through Ghost
* Update integrity hash
2019-01-17 06:57:37 +00:00
Fabien O'Carroll
0204245869 Updated Ghost-Admin to 2.11.1 2019-01-16 09:58:53 +01:00
Greg Hart
418e958c69 🐛Fixed custom redirects to forward hashes correctly (#10319)
closes #10290
2019-01-15 23:26:18 +01:00
Hannah Wolfe
a1f0169edf 🐛 Fixed 500 error for content with no collection
no issue

- Fixes a case where a post that doesn't belong to a collection throws a 500 Resource Not Found Error
- This should be a 404 Resource Not Found error
- 500 suggests something went very wrong and is our fault,
-  but this is a user error where the collections or posts are misconfigured, and some content doesn't have a home
2019-01-15 22:00:46 +00:00
Hannah Wolfe
846a94728f
🐛 Fixed uncaught exceptions from image fetches
closes #10383

- Upgrades got to 8.3.2, which contains better error handling and resolves the issue with uncaught exceptions
- Note: Got 9.x stream doesn't support Node v6
- Requires us to hardcode http:// for xmlrpc because there is a breaking change where got now defaults to https instead of http
2019-01-15 20:35:46 +00:00
Hannah Wolfe
d58ecda9a9 🐛 Fixed responsive images for .icos
closes #10301

- we allow .ico files for icons, but we cannot resize these specialist files at present
2019-01-15 17:41:25 +00:00
Fabien O'Carroll
ac923e4073 Updated Ghost-Admin to 2.11.0 2019-01-15 14:10:52 +01:00
Fabien O'Carroll
4eb324cf4d Updated Ghost-Admin to 2.10.2 2019-01-15 13:42:13 +01:00
Rishabh Garg
9d9690987a
🐛 Updated v2 content API output to return null instead of “” for empty fields (#10378)
refs #10345

- We are standardising on returning null from the Content API for any empty values
- Updated `post`, `tag` and `author` APIs
2019-01-15 17:58:51 +05:30
Naz Gargol
1a4497fc9a
🐛 Fixed default resource ordering in Content API (#10371)
refs https://github.com/TryGhost/Ghost/issues/10354

- Added ordering on input serialization layer for posts, pages, tags, and authors
- At the moment ordering is dependent on DB engine which will be resolved with https://github.com/TryGhost/Ghost/issues/6104
2019-01-15 12:21:04 +00:00
Katharina Irrgang
3924acd152
🗑Deprecated ghost_head & ghost_foot in favour of codeinjection_* for Settings API v2 (#10380)
closes #10373

- ghost_head & ghost_foot are deprecated from now on
- we want to remove them in v3
- this short fix is dirty (!)
- we return codeinjection_* for admin & content api
- this is a consistentency change e.g. posts return `post.codeinjection_*`
- need to raise a decoupling refactoring issue for the code comments
2019-01-15 13:03:17 +01:00
Fabien O'Carroll
cf1e4aa593
💡 Disabled v0.1 Public API by default (#10372)
refs #10364
2019-01-15 11:09:34 +01:00
kirrg001
95b5fb1c81 Fixed relative image paths for settings v2 admin api
refs #10363
2019-01-14 21:01:12 +01:00
Katharina Irrgang
56db4ddd75
🐛 Fixed API v2 Settings browse returns relative image path (#10370)
closes #10363
2019-01-14 20:36:41 +01:00
Katharina Irrgang
732f97a074
De-aliased api versions in codebase (#10375)
closes #10357
2019-01-14 19:49:55 +01:00
Naz Gargol
48d6e7298a
Refactored content-disposition header handling in API v2 (#10374)
closes https://github.com/TryGhost/Ghost/issues/10331

- Left only a filename part to be handled by controller configuration, the rest was extracted to more generic headers layer
2019-01-14 18:05:16 +00:00
Naz Gargol
ceeb78b85b
Fixed integration test errors caused by URL service reset (#10376)
no issue

- With df1ba8aee1 landing in master, there was an error introduced in integration tests, which was caused by URL service being reset at the same time as it was populating its cache.
2019-01-14 18:04:22 +00:00
Fabien O'Carroll
9837df0b6f
Added brute protection to content api (#10362)
* Revert "Removed brute force middleware form content api (#10353)"

This reverts commit 63c8c310fb.

* Updated content api spam prevention to use memory store

* Used TooManyRequestsError instead of InternalServer
2019-01-14 14:11:48 +01:00
Rishabh Garg
a7ba90dfa1
🐛 Fixed filtering of page attribute when fields query param is used (#10352)
closes #10351

- Updated filtering logic for `page` in output serialisers of post/page in v2
2019-01-11 22:26:34 +05:30
Naz Gargol
aa49f77504
🐛 Fixed url not being immediately available after post publish (#10361)
🐛  Fixed URL not being immediately available after post publish

closes https://github.com/TryGhost/Ghost/issues/10360

- This change makes sure posts and pages URLs are populated in
synchronous manner
- Further cleanup and restructuring of this hacky solution is planned to
be done in https://github.com/TryGhost/Ghost/issues/10360
2019-01-11 10:30:36 +00:00
Fabien O'Carroll
249b935149 Updated Ghost-Admin to 2.10.1 2019-01-09 12:27:01 +01:00
Fabien O'Carroll
63c8c310fb
Removed brute force middleware form content api (#10353)
* Removed brute force middleware form content api

no-issue

This is just temporary

* Skipped brute test for content api
2019-01-09 11:38:03 +01:00
Nazar Gargol
ed2f9180b7 Updated Ghost-Admin to 2.10.0 2019-01-08 12:37:48 +00:00
Fabien O'Carroll
76bb40b7c0
Added clause in validation for include to not error (#10350)
* Added clause in validation for include to not error

refs #10337

Here we forgo erroring when an invalid property for include is sent, and
instead remove the invalid properties.

* Fixed authors test

* Fixed validators tests
2019-01-08 12:29:15 +01:00
Kevin Ansfield
3a923c597f Remove API readme file
no issue
- it has no useful information and the content is out of date
- API docs live at https://docs.ghost.org/api/
2019-01-08 10:05:05 +00:00
Hannah Wolfe
954ca8c48f Removed unused visiiblity fields from Content API
refs #10337

- Trying to make the API output as clean as possible,
- We can add these back later if we start using them
2019-01-08 10:00:27 +00:00
Fabien O'Carroll
935b0f6d49 🎨 Use unoptimised image when possible for dynamic images (#10314)
closes #10283 

Updated middleware for dynamic image sizes to attempt to read the unoptimized image first, taking into account the `-n` suffix for duplicate image names, by using a regex.
2019-01-08 10:00:15 +00:00