refs #7204
- Adds a new ThemeValidationError class
- This error has a top level message, but will also contain all the individual errors within the `errorDetails` property
- Updated the API error handling to return `errorDetails` if it is present
no issue
Double slashes are treated as a HTTP calls as specified in [RFC1801](http://www.ietf.org/rfc/rfc1808.txt). Because of this behaviour the uncapitalise created an open redirect. By removing double slashes in the path we ensure open redirects cannot be created.
As an example, please click the following URL: https://dev.ghost.org///Google.com/.
This issue has been reported by pentesters of our product [LearningSpaces.io](http://learningspaces.io).
closes#6588, #7095
* `ImageObject` with image dimensions (#7152, #7151, #7153)
- Returns meta data as promise
- returns a new Promise from meta data
- uses `Promise.props()` to resolve `getClient()` and `getMetaData()`
- Adds 'image-size' util
The util returns an object like this
```
{
height: 50,
url: 'http://myblog.com/images/cat.jpg',
width: 50
};
```
if the dimensions can be fetched and rejects with error, if not.
In case we get a locally stored image or a not complete url (like `//www.gravatar.com/andsoon`), we add the protocol to the incomplete one and use `urlFor()` to get the absolute URL. If the request fails or `image-size` is not able to read the file, we reject with error.
- adds 'image-size' module to dependencies
- adds `getImageSizeFromUrl` function that returns image dimensions
- In preparation of AMP support and to improve our schema.org JSON-LD and structured data, I made the following changes:
- Changes the following properties to be `Objects`, which have a `url` property by default and a `dimensions` property, if `width` and `height` are available:
- `metaData.coverImage`
- `metaData.authorImage`
- `metaData.blog.logo`
- Checks cache by calling `getCachedImageSizeFromUrl`. If image dimensions were fetched already, returns them from cache instead of fetching them again.
- If we have image dimensions on hand, the output in our JSON-LD changes from normal urls to be full `ImageObjects`. Applies to all images and logos.
- Special case for `publisher.logo` as it has size restrictions: if the image doesn't fulfil the restrictions (<=600 width and <=60 height), we simply output the url instead, so like before.
- Adds new property for schema.org JSON-LD: `mainEntityOfPage` as an Object.
- Adds additional Open Graph data (if we have the image size): `og:image:width` and `og:image:height`
- Adds/updates tests
* AMP router and controller (#7171, #7157)
Implements AMP in `/apps/`:
- renders `amp.hbs` if route is `/:slug/amp/`
- updates `setResponseContext` to set context to `['amp', 'post']` for a amp post and `['amp', 'page']` for a page, but will not render amp template for a page
- updates `context_spec`
- registers 'amp' as new internal app
- adds the `amp.hbs` template to `core/server/apps/amp` which will be the default template for AMP posts.
- adds `isAmpURL` to `post-lookup`
* 🎨 Use `context` in meta as array (#7205)
Instead of reading the first value of the context array, we're checking if it includes certain context values.
This is a preparation change for AMP, where the context will be delivered as `['amp', 'post']`.
* ✨ AMP helpers (#7174, #7216, #7215, #7223)
- Adds AMP helpers `{{amp_content}}`, `{{amp_component}}` and `{{amp_ghost_head}}` to support AMP:
- `{{amp_content}}`:
- Adds `Amperize` as dependency
- AMP app uses new helper `{{amp_content}}` to render AMP HTML
- `Amperize` transforms regular HTML into AMP HTML
- Adds test for `{{amp_content}}` helper
- Adds 'Sanitize-HTML` as dependendy
- After the HTML get 'amperized' we still might have some HTML tags, which are prohibited in AMP HTML, so we use `sanitize-html` to remove those. With every update, `Amperize` gets and it is able to transform more HTML tags, they valid AMP HTML tags (e. g. `video` and `amp-video`) and will therefore not be removed.
- `{{amp_ghost_head}}`:
- registers `{{amp_ghost_head}}` helper, but uses `{{ghost_head}}` code
- uses `{{amp_ghost_head}}` in `amp.hbs` instead of `{{ghost_head}}`
- `{{ghost_head}}`:
- Render `amphtml` link in metadata for post, which links to the amp post (`getAmpUrl`)
- Updates all test in metadata to support `amp` context
- Changes context conditionals to work with full array instead of first array value
- Adds conditionals, so no additional javascript gets rendered in `{{ghost_head}}`
- Removes trailing `/amp/` in URLs, so only `amphtml` link on regular post renders it
- Adds a conditional, so no code injection will be included, for an `amp` context.
- `{{amp_components}}`:
- AMP app uses new helper `{{amp_components}}` to render necessary script tags for AMP extended components as `amp-iframe`, `amp-anime` and `amp-form`
- Adds test for `{{amp_components}}`
no issue
- Source out validation logic into a upload validation middleware for all upload types (csv, image, subscribers). This unit can be later used for Ghost 1.0 as a pre validation core unit.
- More usage of route tests than controller tests. These are use case tests, a use case only changes if the product changes
refs #6413
- PUT endpoint to publish a post/page for the scheduler
- fn endpoint to get all scheduled posts (with from/to query params) for the scheduler
- hardcoded permission handling for scheduler client
- fix event bug: unscheduled
- basic structure for scheduling
- post scheduling basics
- offer easy option to change adapter
- integrate the default scheduler adapter
- update scheduled posts when blog TZ changes
- safety check before scheduler can publish a post (not allowed to publish in the future or past)
- add force flag to allow publishing in the past
- invalidate cache header for /schedules/posts/:id
refs #6949
- Adds a new VersionMismatchError with status 400 (bad request)
- Adds middleware that checks the X-Ghost-Version header if it is provided
- If it is not provided, the middleware does nothing
- If it is provided, and the versions match, the middleware does nothing
- If it is provided, and the versions don't match, the middleware returns a VersionMismatchError
- Includes both unit and a functional test to prove the middleware works alone and as part of the whole system
issues #6406#6399
- all dates are stored as UTC with this commit
- use moment.tz.setDefault('UTC')
- add migration file to recalculate local datetimes to UTC
- store all dates in same format into our three supported databases
- add option to remeber migrations inside settings (core)
- support DST offset for migration
- ensure we force UTC in test env
- run whole migration as transaction
- extend: Settings.findOne function
- remove old casper.js tests
- cleanup mochacli groups that are less useful than `grunt test:path`
- improve inline Gruntfile.js docs
- fixup coverage for new internal apps
- add new coverage-all task which works for all our tests
- reverse order of master-warn messages to make this clearer
- remove bluebird from greenkeeper ignores
Refs #6642
- Do not send CORS headers on an invalid "origin"
header, but otherwise allow the response to
proceed normally. This enforces CORS for the browser
but does not blow up non-CORS requests.
refs #6354, #6495 & #6599
- don't allow config.database to be merged, instead, override it always
- make sure that route tests call done even when they error
closes#5887
- make use of the new 'fallthrough' option which landed in express-static 1.10.0
- change local-file-store and middleware serving `/public/` and `/shared/` files to use the new `fallthrough: false` option
- 404s are now served directly, without slashes or uncapitalise getting triggered
closes#6505
-Removed all of the /*jshint expr:true*/ comments from the tests
-Removed all of the should.equal(true, true) statements from the tests
-Removed should from the greenkeeper ignores
refs #5091
- Move renderChannel to own file
- Update channel config to have get/list methods
- Move main routes to be generated based on the list of channels
- Move RSS routes to be subroutes of channels
- Move redirect301 to be a shared util
- Add full test coverage
- Split frontend route tests into frontend & channels
closes#6448
-upgraded should.js to the latest version (8.2.1)
-Changed the tests so that they comply with the breaking changes introduced in the new version of should.js
-Installs the package should-http so should.be.json() can be used
-Installs the package should-sinon so that should.be.calledOnce() can be used
issue #6270
- Exposed getBaseUrl on the config class.
- Fix formatting config index as array was more then 140 characters long.
- Updated getBaseUrl to handle secure by replacing http with https if true.
- Fixed ghost_head helper to output canonical base url no https.
- Fixed ghost_head helper to set secure correctly for the rss link.
- Fixed navigation helper to pass secure in each nav item, so that urlFor can u$
- Fixed {{url}} to pass secure correctly to config.urlFor.
- Fixed test to use urlSSL over https besides for canonical.
- Add tests for {{url}} and to make sure they output https for absolute and secure.
- Update twitter and og url to use the canonical url.
refs #5845
- adds custom adapter for tags so that `store.queryRecord('tag', {slug: 'tag-slug'})` hits the `/tags/slug/tag-slug` endpoint instead of `/tags/?slug=tag-slug`
- updates tag management screens to use tag slugs instead of IDs
- adds `/tag/:slug/edit` redirect to front-end
closes#5941
- added UI to labs page
- added method to determine if full authentication is required
- updated public_api tests to enable public api first
refs #5845
- Updates tag settings screen to match content screen behaviour. Each now tag has it's own route that is link-able from other areas of the app
- Updates a number of places where jQuery event handler code was not wrapped in Ember's run loop
refs #5943
- removed featured, tag and author parameters from posts API
- featured was only used in tests
- removed role filter from users API
- role was only used in tests
- fixed up the tests, skipping those that don't quite work yet
refs #5943, #5091
- updated fetch-data to handle multiple api queries
- using named keys for queries so that the names of items in the result are correct (tag instead of tags etc)
- updated channel configs in frontend controller
- removed old filter code from frontend controller
- added test coverage for fetch-data and format-response
- fixes / removes tests which are broken by the refactor
no issue
- update grunt-jscs dependency
- fix deprecated `validateJSDoc` configuration
- fix numerous linting errors, including:
- use of future-reserved `public` and `private` variable names
- use of `[]` instead of dot-notation (especially `express['static']` and `cacheRules['x']`)
- extra spaces in `const { run } = Ember` style constructs
One issue that did become apparent is that there are conflicting rules that prevent the use of object function shorthand such that both of these:
```
{ myFunc() {} }
{ myFunc () {} }
```
are called out due to either the missing or the extra space before the `(`
fixes#5905
- update context patterns to correctly match author & tag pages
- remove 'tag' and 'tags' from reserved slugs - we'll handle this in terms of overrides in future
closes#5917
- fixes duplication of dropzone event handlers by filtering for an added data-attribute
- avoid running dropzone code if only scrollPosition attr changes
- fix scroll position jump when adding/removing images by only adjusting preview scroll position when editor scroll position changes
refs #5808
- Fix the API to return a single 422 error when an invalid value is passed
- Only affects Browse, and not Read at present due to differences in how they are handled
- Frontend was changed to always 404 in #5851
- Adds tests to ensure all cases are covered
no issue
- Uncapitalise was dropping the subdirectory when redirecting - so the base url has been added where present
- Uncapitalise was also working differently in node 0.10 and 0.12 - so the path is decoded before testing for uppercase
- Adds some test coverage
closes#5804, supersedes and closes#5820
- adds a fixed width that flexbox can expand from to prevent flexbox content dictating the width (see https://github.com/TryGhost/Ghost/issues/5804#issuecomment-141416812)
- adds a hack to the casperjs tests reverting the CSS change because phantomjs and flexbox don't get along
closes#5808
refs #5816
- adds additional filtering any 'slug' containing content in `renderChannel` for frontend
- adds test for invalid characters in tag slug
no issue
- added ghost-admin client_id to admin
- added ghost-admin client_secret to admin
- added client.read() api endpoint
- added random generation of client_secret to migration
- removed addClientSecret method
- updated tests
refs #5343, #5652
- implements basic post and user search using selectize input
- queries minimal API endpoint and refreshes results on search input focus if results are older than 60 seconds
refs #5652, #5719
- adds a timeout to `gh-spin-button` so the spinner is always shown for at least 1 second
As a stopgap solution before #5719 can be implemented it was decided to keep the button spinning for a minimum time, even if the associated action completes quickly. Discussion can be found at https://ghost.slack.com/archives/dev/p1440670418004358
refs #5652
- wrap emails input in `{{gh-form-group}}` component to give element success/error classes
- pull validation messages into submit button
- clean up validation related aspects of step three controller
No Issue
- Takes the inline validation messages and displays below form
- Removes unnecessary gh-error-message components from signin and reset pages
- Returns error messages to sign-in validations
closes#5685
- Adds client and server-side validation for tag names starting with commas
- Trim tag names before adding in PSM (tag attributes are already trimmed before saving in TSM)
issue #5652, closes#5641
- removes inline errors for empty fields
- separate validation routines for sign-in and forgot password
- highlight fields with errors when trying to submit
issue #5409
- change persistent/passive notification status to alert/notification
- replace showSuccess/Info/Warn/Error with showNotification/showAlert
- fix and clean up notification/alert components
Refs #5501
- Switch role select dropdowns from gh-select based components to
gh-select-native.
- Prevent transition out of editor while there is an in-flight save.
closes#5336
- creates gh-form-group component to handle form group status
- refactors current validation methods to work on a per-property basis
- adds gh-error-message component to render error message
- removes (comments out) tests that pertain to the old notifications until the new inline validation is added
closes#5434
- remove transition away from team page to user page of authors
- hide invite button from authors
- hide invited users from authors
- adjusted gh-user-can and renamed to gh-user-can-admin
- hide password reset on owners profile from administrators
- hide input field for owner email from administrators pending api fix
- fix up tests
closes#5433
- add gh-input class to inputs
- stop the incorrect addition of trash can on url page
- fix trigger of upload success to show loading in editor
- fix duplicate url field for images outside of editor when there is no file storage
No issue
- Move editor-base-view mixin into editor/edit view
- Also deletes mobile views and modifies files that were using it
- Helps pave the way for Ember 2.0, where views do not exist
refs #1833
- move RSS tests to be in rss_spec.js
- improve RSS test coverage
- fix a bug with RSS title generation for tag RSS feeds
- replace custom code in processUrls with urlJoin
closes#5338
- moves skip link to below the submit button
- makes the submit button better represent form status
- posts notifications based on success/failure of notifications
- goes to the invite page after user creation
- actually sends invites!
functional tests passing for onboarding invitations
cleanup for linitng
remove unreachable return
access the notifications service better
use link-to instead of an anchor with an action
failed user creations get caught, and bubble as errors
a slew of other cleanup stuff via jason
No Issue
- Switch resources to routes.
- No longer nest "settings" routes so the router reflects
the way the templates are rendered.
- Remove renderTemplate override from settings routes.
- Remove unneeded routes, controllers, and views.
- Adjust users page so that infinite scroll loading of users works
and markup remains the same for Zelda styling.
No Issue
- Adds contextual classnames to Nav Bar links
- Various test updates
TODO
- Increase test coverage for new admin UI
- Fix up Caspertests for new Admin UI
closes#5288
- use the config.blogURL as the frontend URL from the admin
- we know this is given to us without a trailing slash, so it's 100% safe to hard code this
- TODO: make all of the url generation a lot nicer i.e. #1833
Refs #5097
- All drafts will show a preview link (this needs real css)
- Published posts will redirect
- prev/next post helpers only activate on published posts
- Powered by ~10 pints between the two of us (@ErisDS, @novaugust)
no issue
With the introduction of the prev/next helpers (and soon, get helper) we can no longer make any assumptions
about exactly which pages need to be cleared from the cache when a post is published/unpublished.
refs #2263, #4888
- Adds media:content element to Ghost Rt pSS feeds containing the post cover image if one is available
- Removes the prepending of the image to the `<description>` field
- Keeps the prepending of the image in `<content:encoded>`
refs #2263
- Switch content type back to text/xml
- Use content:encode for full content
- Use meta description or first 50 words of content for description
- if the user has filled out their email already when they hit 'forgotten password' then automatically fill out and submit the form
- this will look better when we have spinners on the buttons
closes#4368, fixes#1240 (spellcheck), fixes#4974 & fixes#4983 (caret positioning bugs)
- Drop CodeMirror in favour of a plain text area
- Use rangyinputs to handle selections cross-browser
- Create an API for interacting with the textarea
- Replace marker manager with a much simpler image manager
- Reimplement shortcuts, including some bug fixes
no issue
- It should not be possible to provide a different ID in the object being edited to that provided in the URL
- We now send the id to check object to ensure there is a match
Credits: Matteo Beccaro
closes#4262
- implementation based on #1545
- added integration test. Modified mocked posts because code requires published_at timestamps to be different.
- fixed 2 broken tests that depended on mocked posts to have "new Date()" as their timestamps
- added checks to only query db if next/previous post requested
Ember.ObjectController (and Ember.ArrayController) will be deprecated in
Ember 1.11 (and removed from core in Ember 2.0). The reasoning is
detailed in the Ember 2.0 RFC.
This PR does the following:
* Updates templates/controllers/views to explicitly reference model
properties (instead of relying on proxying behavior).
* Clearly delineate where certain properties are being set or retrieved
from (for example it was not clear exactly where `scratch` and
`titleScratch` were stored).
* Remove usage of `Ember.ObjectController`.
* Add JSCS rule to prevent future PR's from adding regressions.
No Issue
- Wait for list item element to appear before starting tests
to make sure template partial has been rendered.
- Remove test for 20 list items as it's possible that there
could be fewer than 20 contributors for during the window.
Instead just test to make sure the list has at least one item.
Closes#4508
Tests for:
- Version number is a number
- Database type is an allowed 1 of 3
- There are 20 contributors
- First contributor has an image tag and image src exists, alt tag, title tag, href to github
closes#4498
- remove toJSON code which returns only IDs from objects
- don't auto-include tags & fields in post responses
- don't auto-include roles in user responses
- fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
Closes#623
- Add basic init and eventing scaffold
- Add sitemap-index.xml generation
- Broke out generators to individual files, added request handler
- Add page, author and tag xml files; add index mapping
- Add SiteMapManager unit tests
- Add Generators tests
- Cache invalidation headers for sitemap-*.xml
- Redirect sitemap.xml to index and rename to sitemap-index
- Handle page convert and publish/draft changes
- Add very basic functional test for route existence
- Add cache headers to sitemap routes
- Every route can set a title token that is combined with the blog’s
title, resulting in titles like ‘Content - Test Blog’.
- Subroutes are supported (‘Settings - General - Test Blog’)
- The blog’s name is applied to and taken from the `config` object to
spare Ember a REST call via `store.find(‘settings’)`.
- Tests have been changed to test for the new titles.
- The initially proposed solution
(https://github.com/paddle8/ember-document-title) doesn’t play nice
with EAK, which is why I went with this solution
(https://gist.github.com/machty/8413411) by Ember.JS core dev @Machty.
no issue
- changes the content type for the RSS feeds from text/xml to
application/rss+xml
- changes the link rel=alternate tag to use an absolute URL for the feed
in the blog meta data
Continues on from #4401
- Reformats the Sass to match our new style (property order, comments, & white space)
- Changes the modal container to a class from an ID (and adjust tests)