Commit Graph

150 Commits

Author SHA1 Message Date
cotko
002a135962 🐛Fixed order being ignored in routes.yaml file (#10146)
no issue
2018-11-12 20:24:12 +01:00
Sumedh Nimkarde
f3e9218ee3 🎨 Modified slack webhook payload, added info about published post (#9850)
closes #8936

- Modified the slack webhook payload to provide more info about a published post
2018-11-12 13:04:50 +01:00
Rishabh Garg
f2b44322a3
Enabled members lab setting for developer experiment flag (#10132)
closes #10114
 
* Members lab enabled to be always true behind developer experiments flag

* Members lab set to true for themes behind developer experiments flag

Note: This change uses hard-coded labs value for members based on enableDeveloperExperiments flag, ideal implementation for later is to pick those value from settings.
2018-11-09 17:12:21 +05:30
Fabien O'Carroll
f660b6a77b
Wired up Members auth to the Content API auth (#10129)
closes #10113
2018-11-08 16:57:42 +07:00
Fabien O'Carroll
93781a0e78 🚧 Authorized Content API requests with req.member
closes #10111

The members labs setting is required to be set for req.member to be
considered valid authorization
2018-11-08 13:34:29 +07:00
Fabien O'Carroll
2e922808e8 ♻ Updated naming for Content API specific middleware
no-issue

This is because the Content API will eventually be accessed not just
from Content API keys. The addition of a Content API specific
authorization middleware is because:
1. content api should not authorize based on req.user
2. content api will need separate authorization than admin api
2018-11-08 13:34:29 +07:00
Fabien O'Carroll
2a6e9aac55 🚧 Created members auth middleware
closes #10110
2018-11-08 13:32:09 +07:00
Katharina Irrgang
ff6bf5f318 Renamed /users to /authors for Content API V2 (#10096)
refs #10061

- Made /authors endpoint available in Content API V2
2018-11-07 15:29:37 +01:00
kirrg001
514eb22077 Removed TODO in CollectionRouter
no issue

- this is an old TODO
2018-11-05 21:21:19 +01:00
Katharina Irrgang
1b9c61eed1
Returned relative paths in html for Content API V2 by default (#10091)
refs #10083

- you can send `?absolute_urls=true` and Ghost will also transform the paths in the content (this is optional/conditional)
2018-11-05 18:07:45 +01:00
Fabien O'Carroll
b4096f412c
Handled error from express-session middleware (#10084)
no-issue
2018-10-30 16:16:33 +07:00
Rishabh Garg
e2d0b2e543 Updated webhook request header and last triggered error mssg (#10035)
refs #9942

- Added error message if unknown status code on request failure
- Added event to payload
2018-10-19 14:11:03 +01:00
Rishabh Garg
8ad951d7f3
Added new site.changed event and webhook trigger service (#10019)
refs #9942

* Added new middleware to trigger events

* Refactored webhooks service
- added new trigger service, moved listen service to its own file
- started listening to new site.changed event
- cleaned up trigger service to work with new webhook fields
- cleaned up tests
- removed redundant trigger method in v0.1 controller
2018-10-19 00:01:30 +05:30
kirrg001
45b8e6b66a Added TODO to controllers/entry.js
refs #9866
2018-10-18 19:41:07 +02:00
kirrg001
e302be2749 Changed preview controller to support v0.1 and v2
refs #9866

- invent preview api, but only used internally
  - the idea of a preview api is definitiely reaslistic and came up in the past a couple of times
- by that we don't have to differentiate between pages or posts controller
- still support v0.1
- preview controller is not registered for http, only internal handling
2018-10-18 19:41:07 +02:00
kirrg001
12ff70497f Changed entry lookup helper to respect the resource type
refs #9866

- the entry helper is used for static pages and post lookups
- now that we support changing the api version, we have to respect the resource type
- for v2: we ask the pages controller for static pages
- in v0.1: pages and posts lived on the same route
- we are talking about the content API (!) - not admin api
2018-10-18 19:41:07 +02:00
kirrg001
803a325ade Renamed post-lookup to entry-lookup
refs #9866

- the static pages router uses the entry controller
- and the entry controller uses the lookup helper
- the lookup helper needs to either fetch static pages or posts
- v2 uses pages and posts controller
2018-10-18 19:41:07 +02:00
kirrg001
d8a7edd9aa Added TODO's for entry and preview controller
refs #9866
2018-10-18 19:41:07 +02:00
kirrg001
15f6c2421c Fixed entry controller to handle v2 and v0.1 url response
refs #9866

- v2 returns absolute urls
- v0.1 returns relative urls
- this is a little ugly, but don't know how else to solve currently
2018-10-18 19:41:07 +02:00
kirrg001
640290c31b Updated blog site components to respect the api version
refs #9866

- the api call must be dynamic based on the api version information
2018-10-18 19:41:07 +02:00
kirrg001
3f9d0f51f5 Changed how we determine if a resource is owned by an url generator
refs #9601

- api v2 returns absolute urls
- api v0.1 returns relative urls
- it's easier if we compare by id
2018-10-18 19:41:07 +02:00
kirrg001
1f55c90037 Supported reading ghost api engine
refs #9866

- we fallback to v0.1 by default
- we support different formats
- this opens the box to switch the ghost api version for the whole blog site
- i had to add a different notation for overrides.json, because the structure is not optimal (i only want the versions, not the shortcuts)
2018-10-18 19:41:07 +02:00
Rishabh Garg
915d5612a1 🐛 Fixed relative image URLs becoming absolute URLs on save (#10025)
closes #10024

- Updated input serializers for posts/tags/users to handle absolute urls conversion

-------
1. Ghost stores relative images urls
2. API V2 returns images with absolute urls
3. Ghost-Admin sends absolute urls back on any save e.g. update user

**Current behavior**: This will override the relative image path in db to absolute, which in turn won't get updated in future if domain or protocol changes for e.g.
**Fix**: On save/update, input serializers converts any absolute image url paths back to relative if the base URL from image fields matches the configured URL
2018-10-18 12:18:47 +01:00
Rishabh Garg
51dde1e38c
Refactored config to handle direct calls for specific version (#10012)
refs #9866

- Refactored overrides config to include direct version configs(v0.1, v2), supported versions map to direct version
- Refactored `getApiPath` to handle direct versions as well as mappings of supported version
2018-10-16 15:20:51 +05:30
Fabien O'Carroll
3db102a776
Added API Key auth middleware to v2 content API (#10005)
* Added API Key auth middleware to v2 content API

refs #9865

- add `auth.authenticate.authenticateContentApiKey` middleware
  - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key
- add `requiresAuthorizedUserOrApiKey` authorization middleware
  - passes if either `req.user` or `req.api_key` exists
- update `authenticatePublic` middleware stack for v2 content routes

* Fixed functional content api tests

no-issue

This fixes the functional content api tests so they use the content api
auth.

* Fixed context check and removed skip

* Updated cors middleware for content api

* Removed client_id from frame.context

no-issue

The v2 api doesn't have a notion of clients as we do not use oauth for it

* Fixed tests for posts input serializer
2018-10-15 16:23:34 +07:00
Fabien O'Carroll
71160da3b5
🐛 Fixed session auth for blogs running on sub dir (#9986)
closes #9982

This adds the subdirectory to the path for the session cookie, enabling
cookies to be sent/set/parsed for the session authentication to work.
2018-10-11 14:11:24 +07:00
Fabien O'Carroll
3516b15f9e
Updated session middleware to support node v6 (#9980)
closes #9972

* Added breaking test for node v6 session auth
* Updated session middleware to support node v6

This uses the legacy url to obtain the origin rather than the WHATWG
URL class in order to support node <6.14.4
2018-10-10 20:07:31 +07:00
Fabien O'Carroll
f9c8f2d0da
Included expected and actual origin in csrf error (#9974)
refs #9865
refs #9972

The previous error message did not have enough information for a user to
self diagnose issues on their blog.
2018-10-10 14:36:45 +07:00
Katharina Irrgang
d699daeb35 🐛Fixed sitemap duplicates after routes.yaml upload (#9957)
closes #9956

- sitemap reset was missing
2018-10-08 10:29:21 +07:00
Katharina Irrgang
db1d2f62dd
Removed api integration tests (#9940)
refs #9866 

- moved the tests either to unit tests or routing tests
- or removed test case (a lot)
- this commit is very big 🤪, it was not rly possible to create clean commits for this
- it only changes the test env, no real code is touched

Next steps:
- optimise folder structure + make v2 testing possible
- reduce some more tests from routing and model integeration tests
2018-10-06 22:13:52 +02:00
Fabien O'Carroll
9be9531ef8
Wired up {GET,POST,DELETE} /session to v2 admin api
* Added admin specific auth{enticate,orize} middleware

refs #9865

This middleware will be used by the admin api to authenticate and
authorize requests

* Update v2/admin to use authAdminApi middleware

refs #9865

This changes thh auth middleware to use the adminApi authenticate and
authorize middlewares underneath, it also renames the middleware to be
consistent with the naming of the api.

* Removed oauth specific endpoints from /v2/admin

refs #9865

These are not to be used in v2/admin

* Wired up the session controller to the admin api

refs #9865

These endpoints will be used by ghost admin to login, confirm logged in status and logout
2018-10-05 17:45:17 +07:00
kirrg001
bd42ea33b5 Removed /index from requires
no issue

- this sometimes happen if you move files with your IDE
- e.g. intellij adds /index at the end of the require
- removed 2 places
2018-10-04 17:39:04 +02:00
Rish
dd151f3713 Refactored method urlFor to use versionType instead of admin: true
no issue

- Updated urlFor to work with versionType instead of admin:true
- Updated tests to use the correct method call
2018-10-04 16:49:55 +05:30
Rish
a49bbfb9d6 Updated method getApiPath to take options as param
Refs #9936

- Updated method to take single options param with version and admin instead of separate values
- Updated urlFor method to use the updated syntax
- Updated parent-app to use updated syntax
2018-10-04 16:49:55 +05:30
Rishabh Garg
c795920cac Updated web/ to use API config (#9936)
refs #9866

- exports `getApiPath` method from service/url/utils
- uses `getApiPath` in web/parent-app to configure API paths for supported versions
2018-10-02 13:25:34 +02:00
Fabien O'Carroll
cb0c5dc582
Session auth service (#9910)
refs #9865

* This service handles the session store and exporting middleware to be
used for creating and managing sessions

* Updates the auth service index.js file in line with how we do things elsewhere

* After wrapping the exports in a getter, the usage of rewire had broken
the authenticate tests, this commit _removes_ rewire from the tests, calls `init` on
the models before the tests (needed because rewire isn't there) and also
cleans up the use of var.
2018-10-02 15:35:23 +07:00
Fabien O'Carroll
6cd1dc8005 🐛Fixed blog not responding when uploading routes.yaml with unknown taxonomy (#9926)
closes #9870

Instead of 500'ing when uploading a routes.yaml with an invalid taxonomy
we will now send back an error saying it's invalid.
2018-10-01 20:40:29 +02:00
Rishabh Garg
6163d1f128 Updated overrides config for api versions with v0.1 to deprecated (#9921)
refs #9866

- v0.1 == deprecated
- v2 == active
2018-09-27 19:34:12 +02:00
Rishabh Garg
9624c88f3e Refactored url utility to generate multiple API version URLs (#9897)
refs #9866

- added api version config to overrides, which makes it possible to have a centralized api versioning configuration
- the next PR will use this config in the web folder
- make api url generation in url service flexible and dynamic
- remove hardcoded API_PATH
- updated all places which used `urlFor('api'..)` -> we now ask for explicit api version
2018-09-24 21:49:20 +02:00
Katharina Irrgang
727ff183f4 Normalised how we require models
refs #9866

- if I want to do a project search and looks for model usages e.g. `models.`, then I won't find these usages
- normalise how we require models -> consistency
2018-09-21 15:16:19 +02:00
Katharina Irrgang
213474835b Refactored how we require shared middlewares from web/ (#9893)
refs #9866

- use package notation
- get rid of x requires for middlewares
- improved readability
- do not refactor web/api/v0.1
2018-09-21 16:17:11 +05:30
Rishabh Garg
fcd275f6c0 Refactored web/middleware and web/utils to web/shared (#9892)
refs #9866

- Moved web/middleware to web/shared/middlewares
- Moved util file to web/shared/utils
2018-09-20 20:04:34 +02:00
kirrg001
07fee6d027 Replaced setPrototypeOf with Object.setPrototypeOf
no issue

- discovered here: https://github.com/TryGhost/Ghost/pull/9886#discussion_r219127231
- `setPrototypeOf` is a npm package and a dependency of e.g. express
- we can use `Object.setPrototypeOf` instead
2018-09-20 17:50:57 +02:00
Sumedh Nimkarde
efd1587ee9 Switched to eslint-plugin-ghost (#9835)
refs #9834

- @TODO: the test env eslint needs to use the plugin, not part of this PR
2018-09-17 20:49:30 +02:00
Vikas Potluri
2aaf4d6054 🐛Disallowed indexing of preview pages (#9762)
closes #9749

- disallow indexing of /p/ in robots.txt
- add meta robots tag to preview pages
- robots.txt wont' be applied for blogs not mounted to the root (i.e. https://example.com/blog/)
2018-09-17 11:29:47 +02:00
Denis Zhbankov
f12fd4b101 Fixed correct promise order in RSS feed generator (#9726)
no issue

- the 'rss.feed' filter used to get an empty feed as a parameter, because item generation is done via promises
- now it waits until all items have been added
2018-09-10 11:39:38 +02:00
Fabien O'Carroll
2376c614b3 Fixed RPC pings (#9816)
closes #9644

- Removed google blogsearch from pingList, because it's dead (https://plus.google.com/+GoogleWebmasters/posts/46W7ZwVrwqg)
- Updated pingomatic method weblogUpdate -> weblogUpdates
- Updated RPC response handler to check for errors, log improvement
- the pingomatic service sends back a 200 even when it errors, so we
check the xml response to see if it's good, it throws and passes of to
the catch handler already in place
- Avoid multiline XML error message strings, but
includes a catch in case our regex stops working with a fallback to
multiline XML error message
- we check for arbitrary whitespace between different XML tags,
which I haven't seen in any of the responses - but it could change I
guess. I haven't added support of whitespace between the tags, as I
believe that would be a different value with XML spec. And we wanna
match on exact values here.
2018-08-23 15:20:29 +02:00
Katharina Irrgang
cd690efad1 🐛 Dynamic Routing Beta: Disallow using author resource and author data key name (#9790)
* 🐛 Dynamic Routing Beta: Shortform `author.foo` is not allowed

refs #9601

- otherwise you get access to {{author}} in the theme, which is deprecated & causes errors
- recommend not using {{author}} as data longform name in the yaml validator
- (internal usage is still allowed)
- also warn against using reserved data key names like filter, resource, limit etc - maybe remove this restriction later but seems like a sensible validation right now.
2018-08-16 12:13:24 +02:00
kirrg001
f49073a8ec 🐛 Dynamic Routing Beta: Fixed wrong template order for static routes
refs #9601
2018-08-16 12:13:24 +02:00
kirrg001
0a4f34cdad Fixed express router reference after routes.yaml refresh
refs #9601, refs #9744

- the express router reference wasn't updated fully
- the stack was the old router stack when you have uploaded a new routes.yaml file
  - this has caused e.g. that new redirects for channels/collections didn't work after the upload
2018-08-16 12:13:24 +02:00