Commit Graph

7793 Commits

Author SHA1 Message Date
Katharina Irrgang
d87fbeca49 🐛 Fixed error handling for html response (#9280)
refs https://github.com/TryGhost/Team/issues/41

- if you add invalid handlebars logic e.g. {{if condition condition}}, handlebars throws an error
- in case of having invalid hbs in an amp page, the amp component throwed another syntax error (which is fixed in this PR)
- furthermore the `setTemplate` helper function had a logic bug, which did not handle errors correctly
  - if there is an error and a template is set (e.g. amp), we have to still render the error page and not the amp page
- this fix only ensures that the error handling is correct, we still see the error of the "ugly" handlebars message
  - e.g. [amp.hbs] Cannot read property 'includeZero' of undefined
  - but no longer -> Cannot read property 'html' of undefined (which was a syntax error in Ghost)
2017-11-28 12:00:43 +00:00
Katharina Irrgang
3004e03bc6 🐛 Fixed throwing 500 for invalid encoded urls (#9279)
refs https://github.com/TryGhost/Team/issues/41

- if you send invalid encoded url components in the path, the server tried to decode the url
- if it contains invalid characters like /AF%, it throwed a 500
- we return a page not found error instead
2017-11-28 11:39:38 +00:00
Guillem Andreu
860b38a1a7 🐛 Fixed Sitemap when permalink contains Primary Tag (#9273)
closes #9272

- included tags in sitemap post-generator
2017-11-27 12:38:56 +01:00
Kevin Ansfield
94360c8a32
🐛 Fixed import and redirect uploads for Win10/Edge (#9267)
closes https://github.com/TryGhost/Ghost/issues/9236
- added `text/plain` to the allowed mime types for db and redirect uploads
2017-11-22 17:30:53 +00:00
Aileen Nowak
9190857e71 Version bump to 1.18.0 2017-11-21 23:48:02 +08:00
Aileen Nowak
f64e395eb3 Updated Ghost-Admin to 1.18.0 2017-11-21 23:48:02 +08:00
Kevin Ansfield
bffb3dbd90
Webhooks support for subscriber events (#9230)
no issue

Support for http://resthooks.org style webhooks that can be used with Zapier triggers. This can currently be used in two ways:

a) adding a webhook record to the DB manually
b) using the API with password auth and POSTing to /webhooks/ (this is private API so not documented)

⚠️ only _https_ URLs are supported in the webhook `target_url` field 🚨

- add `webhooks` table to store event names and target urls
- add `POST` and `DELETE` endpoints for `/webhooks/`
- configure `subscribers.added` and `subscribers.deleted` events to trigger registered webhooks
2017-11-21 15:43:14 +00:00
Aileen Nowak
9e60ac639b Upgrading Casper to 2.1.7 2017-11-21 22:09:35 +08:00
Aileen Nowak
a4cf29dc7d Bump amperize to version 0.3.6 (#9264)
no issue

New version contains
- dependency updates
- Node v8 support
- Eslint refactoring
2017-11-21 15:00:04 +01:00
Katharina Irrgang
dfd4afea19 Add bookshelf-relations (#9252)
no issue

- added https://github.com/TryGhost/bookshelf-relations as dependency
- remove existing tag handling

--- 

* Important: Ensure we trigger parent initialize function

- otherwise the plugin is unable to listen on model events
- important: event order for listeners is Ghost -> Plugin
- Ghost should be able to listen on the events as first instance
- e.g. be able to modify/validate relationships

* Fix tag validation

- we detect lower/update case slugs for tags manually
- this can't be taken over from the plugin obviously
- ensure we update the target model e.g. this.set('tags', ...)

* override base fn: `permittedAttributes`

- ensure we call the base
- put relations on top
- each relation is allowed to be passed
- the plugin will auto-unset any relations to it does not reach the database

* Ensure we run add/edit/delete within a transaction

- updating nested relationships requires sql queries
- all sql statements have to run in a single transaction to ensure we rollback everything if an error occurs
- use es6
2017-11-21 13:28:05 +00:00
Aileen Nowak
982a75d6be 🐛 Fixed slugs from exceeding db limit (#9251)
closes #8143

Fixed a potential issue (edge-case), where our generated and validated (in terms of check for existance and add a counter) would return a slug, that will exceed the maximum length of the slug fields (191 chars).

This is mostly possible for the post title, which can be 255 chars long and would generate a slug with the same length. This would prevent the user from actually saving a post.

I tried first to determine the expected length for a slug that already exists, but decided that the **easier** and simplyfied implementation is to always cut a slug to **185 chars** (+ counter). This makes it easier to find duplicates and includes a possible high number of counts (edge-edge-case).

The slug will not be cut down to 185 chars if it's an import.
2017-11-21 14:21:22 +01:00
kirrg001
eba100d965 Bump dependencies
no issue

- bluebird@3.5.1
- csv-parser@1.12.0
- gscan@1.2.2
- moment@2.19.2
- nconf@0.9.1
- oauth2orize@1.11.0
- superagent@3.8.1
- eslint@4.11.0
- nock@9.1.0
2017-11-17 17:33:29 +01:00
kirrg001
2e521791b8 Optimised dependency tree
no issue
2017-11-17 17:33:29 +01:00
kirrg001
48cffb409e Version bump to 1.17.3 2017-11-16 16:01:51 +01:00
kirrg001
c5155575fd Updated Ghost-Admin to 1.17.3 2017-11-16 16:01:51 +01:00
Hannah Wolfe
5e5b90ac29
Added Url Service to track all URLs in the system (#9247)
refs #9192

- Introduces a url service that can be initialised
- Added a concept of Resources and resource config.json that contains details about the resources in the system that we may want to make customisable 
- Note that individual resources know how to create their own Urls... this is important for later
- Url Service loads all of the resources, and stores their URLs
- The UrlService binds to all events, so that when a resource changes its url and related data can be updated if needed
- There is a temporary config guard so that this can be turned off easily
2017-11-16 13:03:24 +00:00
Aileen Nowak
1bb9d4ff00 Set soft limits for blog title and description (#9250)
refs #8143

Add max length validations to settings:
- `blog.title`: 150 chars
- `blog.description`: 200 chars

The `validateSettings` fn in our validations checks for existing `validations` properties in our `default-settings.json` file, similar to other tables in our `schema.js`.
2017-11-16 13:58:22 +01:00
Kevin Ansfield
31ee7bb4e1 Clean the core/built dir often to avoid numerous duplicate files (#9245)
closes #8162

- remove `core/client/dist` from the `clean` task, Ghost-Admin takes care of this automatically
- run `clean:built` any time the following are run so that the built dir doesn't get _huge_ and cutting a release doesn't accidentally include tons of unused built files:
	- `grunt dev`
	- `grunt dev --client`
	- `grunt release`
2017-11-16 11:44:15 +01:00
kirrg001
7ab725540c Version bump to 1.17.2 2017-11-14 14:09:36 +01:00
kirrg001
3a9608c087 Updated Ghost-Admin to 1.17.2 2017-11-14 14:09:36 +01:00
kirrg001
d33ce1f2ed Fixed moment warnings for listeners_spec
no issue

- .offset is deprecated for zones
- use .utfOffset instead
2017-11-14 14:07:07 +01:00
kirrg001
c4044aa498 Do not log error if i18n.doesTranslationKeyExist is called
no issue

- when calling `doesTranslationKeyExist`, we want to know if a key exists, we don't want to log if the key was not found
- this can mess up the server log
2017-11-14 14:03:48 +01:00
Katharina Irrgang
76689ecbee 🐛 Fixed pagination error (#9243)
no issue

- see explanation https://github.com/TryGhost/Ghost/pull/8129#issuecomment-286061529
- we catch the db error if it occurs, we can't simply check the length of the page param, because sqlite/mysql behaves differently
2017-11-14 12:47:58 +00:00
Kevin Ansfield
bcc98e5536 Added GET/DELETE /subscribers/email/:email/ endpoints (#9238)
no issue

- useful for managing subscribers via external systems/API calls where it's likely only the e-mail address will be known
- adds `GET /subscribers/email/:email/`
- adds `DELETE /subscribers/email/:email/`
2017-11-14 12:09:41 +01:00
John O'Nolan
0d54326121 Give default Ghost user fixture a helpful bio (#9241)
no issue

Had a couple of people ask about how to delete welcome posts easily, so adding a bio to the default user to draw a little more attention to it
2017-11-14 10:23:38 +00:00
kirrg001
0eb84d7f8a 🐛 Fixed concurrent renew of access tokens
no issue

- it can happen that concurrent requests try to renew access tokens with the same refresh token
- in this case it could happen that you received a token deletion error
- add propert locking
- ensure we don't run into deadlocks
- manual testing with async.times for parallel requests (was able to reproduce the error)
2017-11-14 10:22:09 +00:00
kirrg001
4b21fc1d59 Allow forUpdate for any model
no issue

- this was only supported for the Post Model until now
- locking should be possible for every resource depending on the use case
2017-11-14 10:22:09 +00:00
Kevin Ansfield
90d6ac5a0e Fixed naming of Subscribers API integration spec 2017-11-13 13:20:52 +00:00
Hannah Wolfe
1445678035 Fixed channel path to work with Ghost-CLI
- Just, DERP 🙈
2017-11-10 20:52:50 +00:00
Kevin Ansfield
a63ce07050 Updated Ghost-Admin: fix yarn install issues 2017-11-10 16:55:24 +00:00
Hannah Wolfe
98f5ae00fc
Introduced renderer to DRY up controllers (#9235)
refs #5091, #9192

- Renderer figures out templates, contexts, and does a render call
- Templating is now handled with a single function
- Context call is made in the renderer

Note:  to make this work, all controllers now define a little bit of config, currently stored in res._route. (That's a totally temporary location, as is res._template... when a sensible naming convention reveals itself I'll get rid of the weird _). This exposes a type and for custom routes a template name & default.
2017-11-10 12:44:29 +00:00
Hannah Wolfe
e41d0c76fb
RSS service + controller improved for consistency (#9233)
refs #9192, refs #5091 

- Moved all url generation into generate-feed.js, so we can see as much data processing as possible in a single place.
- Refactored the way res.locals were used, to be more like how express uses them prior to rendering
- Removed a bunch of code & tests todo with context for RSS - I can't see any way that'd be used, unless we switched the rendering to use a template.
- moved the RSS rendering to be part of the service, not controller
- updated the tests significantly 

Note: RSS generate-feed has a complete duplication of the code used in the excerpt helper in order to create an item description
2017-11-10 07:36:39 +00:00
Kevin Ansfield
8ad64e3e8a Version bump to 1.17.1 2017-11-09 14:37:42 +00:00
Kevin Ansfield
4a3fcd6429 Updated Ghost-Admin to 1.17.1 2017-11-09 14:37:42 +00:00
Aileen Nowak
a35c0c29e0 Added more database soft limits (#9225)
refs #8143

Sets soft limits for certain db fields:

- `posts`:
	- `title`: 255 chars (current hard limit: 2,000 chars)
	- `meta_title`: 300 chars (current hard limit: 2,000 chars)
	- `meta_description`: 500 chars (current hard limit: 2,000 chars)
- `users`:
	- `bio`: 200 chars (current hard limit: 65,535 chars)
	- `location`: 150 chars (current hard limit: 65,535 chars)
	- `meta_description`: 500 chars (current hard limit: 2,000 chars)
	- `meta_title`: 300 chars (current hard limit: 2,000 chars)
- `tags`:
	- `description`: 500 chars (current hard limit: 65,535 chars)
	- `meta_title`: 300 chars (current hard limit: 2,000 chars)
	- `meta_description`: 500 chars (current hard limit: 2,000 chars)

- same error message for isLength validator as for hard limits (more improvements are comming with https://github.com/TryGhost/Ghost/issues/6050)
- added more tests for importer
- added dynamic translation key handling for validators errors (isLength is only supported atm)
2017-11-09 15:22:20 +01:00
Katharina Irrgang
f22a2784f7 🐛 Fixed error for password authentication with Bearer Token (#9227)
refs #8613, refs #9228

- if you send a request to /authentication/token with `grant_type:password` and a Bearer token, Ghost was not able to handle this combination
- because it skipped the client authentication, see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/authenticate.js#L13
- and OAuth detects the `grant_type: password` and jumps in the target implementation
- the target implementation for password authentication **again** tried to fetch the client and failed, because it relied on the previous client authentication
- see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/oauth.js#L40 (client.slug is undefined if client authentication is skipped)
- ^ so this is the bug
- we **can** skip client authentication for requests to the API to fetch data for example e.g. GET /posts (including Bearer)
- so when is a client authentication required?
- RFC (https://tools.ietf.org/html/rfc6749#page-38) differentiates between confidential and public clients, Ghost has no implementation for this at the moment
  - so in theory, public clients don't have to be authenticated, only if the credentials are included
- to not invent a breaking change, i decided to only make the client authentication required for password authentication
- we could change this in Ghost 2.0

I have removed the extra client request to the database for the password authentication, this is not needed. We already do client password authentication [here](https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/auth-strategies.js#L19);
If a Bearer token is present and you have not send a `grant_type` (which signalises OAuth to do authentication), you can skip the client authentication.
2017-11-09 14:11:29 +00:00
Hannah Wolfe
016ee17ebb
Rework route service to prevent circular dependencies (#9229)
refs #9192, refs #9178  

After trying to progress with current implementation, it became clear that the route service can't control the boot sequence, because then we end up with circular dependencies between the route service and the channel service.

The route service now exposes:
-  a siteRouter 
- a way for apps to register routes.
- ParentRouter base class for other modules to use
- the registry

...

- moved the default route setup back to site/routes.js 🙈
- moved the parent channel router back to the channel service (this makes way more sense imo)
- this structure prevents circular dependencies
- split the registry out into it's own thing
- fixed-up various bits of tests and comments
- DEBUG will print a list of routes 🎉
2017-11-09 13:58:22 +00:00
Hannah Wolfe
27b4688cea Changed channelsRouter to use new base class
refs #9192, #5091

- changed channels to use our new base class
- keep the flexible structure, so that channels can be reloaded
- I had to move the router into the route service otherwise we get circular dependencies
- Don't _really_ want to keep it like this - need a way to define base classes as shared
2017-11-09 10:47:20 +00:00
Aileen Nowak
6a41104969 Moved isLocalFile fn to storage utils (#8985)
no issue

- moved isLocalImage fn to storage utils used the RegExp of getLocalFileStoragePath to detect also relative image paths and added tests.
- Added test for independent protocol request (skip, because not supported/implemented)
2017-11-09 11:11:54 +01:00
Hannah Wolfe
7656d0bdda
Wrapped express router & expose from route service (#9206)
refs #9192

- Moving towards a centralised concept of routing / routes
- The base router now wraps express router, and offers us the features we need
- Site Router is the parent router, it gets initialised with all of our default routing
- App Router is a sub router for apps - apps register their routes/routers onto it.
- TODO: refactor channels subrouter to work this same way
- MAYBE: move the app router to the apps service
2017-11-09 10:08:11 +00:00
Hannah Wolfe
90cfdbe7a6 Moved Channels module -> services
refs #9192, refs #5091, refs #9178

- moved channels from controllers to a service
- split out the parent router from the remaining individual router logic
- moved the tests to match
2017-11-08 15:45:23 +00:00
Hannah Wolfe
f0f0735437 Renamed single / post -> entry
refs #9192

- an entry is a post or a page, represented by a post model
2017-11-08 10:07:52 +00:00
Hannah Wolfe
187c38991e Move admin redirects out of site router
refs #9192

- Admin redirects should really happen first, up with custom redirects
- Later we can package this up, maybe
- For now, let's focus the site router on site-related things
2017-11-08 09:45:34 +00:00
Hannah Wolfe
abaf0461cf Highlighted routes, controllers & renderers
refs #5091, refs #9192

- There are several theme template "renderers" all over the codebase
- Some are in apps, and were called "controllers"
- One is in error handling
- All of them now have comments marking out how they share logic/steps
- Other comments describe routes & controllers where they live
2017-11-08 09:45:12 +00:00
Hannah Wolfe
474e9234a6 Simplified AMP internal app
refs #9192

- The AMP app is nothing more than a custom controller - this will come clear soon
- Moved enabled/disabled logic into router
- Removed error-related code, as this wasn't used
- Changed logic for static pages to be based on req.body, not context
- Improved the tests to match
2017-11-08 08:25:25 +00:00
Hannah Wolfe
86c6cec433 Moved RSS module -> services & controllers
refs #5091, #9192, #9178

- Get the RSS module into a much better shape
- Controller -> /controllers/rss
- Remainder -> /services/rss
- Moved tests to match & updated requires
2017-11-08 08:09:44 +00:00
Aaron Kau
be1d46a1fd Fixed comment about node version changes (#9223)
no issue
2017-11-08 00:27:47 +01:00
David Wolfe
f44a495cfc Added rescheduleOnBoot option for post scheduling (#9196)
no issue

- allows custom scheduling adapters with persistent data to not reschedule posts when Ghost is restarted
2017-11-08 00:24:34 +01:00
Hannah Wolfe
60fd98679f
Split RSS module into controller + other (#9224)
refs #5091, refs #9192

- This is similar to #9218, in that I'm revealing bits of code that are "controllers" in our codebase. As opposed to routes, services, renderers etc.
- This also reveals some code which is identical to the channels controller
- There is more to do here, but for now I've got the module split up, and the tests split and improved.
- Next I'll split RSS into controller + service, DRY up the controller code, etc
2017-11-07 20:00:03 +00:00
Kevin Ansfield
f06270acb5 Version bump to 1.17.0 2017-11-07 13:41:35 +00:00