closes#6272
- curly braces and back-tick should also be replaced with a dash
- other symbols and chars in ascii table are either removed or replace
- not all the replacements are sensible, but better than having odd chars in the slug for now
fixes#6247
- GQL has a bug where literals starting with numbers are incorrectly parsed
- Using strings instead of literals is a workaround, but is probably safer anyway
closes#6226
- adds calls to oauth middleware on PUT /authentication/setup/
- prevent setup/two from trying to log in again if user is already logged in
refs #5942, #6150
There were a few key problems I was looking to solve with this:
- Introduce a single point of truth for what the URL for accessing the API should be
- Provide a simple way to configure the utility (much like a true SDK)
As of this commit, this utility is still automatically available in a Ghost theme.
To use it on an external site, the code would look like:
```
<script type="text/javascript" src="http://my-ghost-blog.com/shared/ghost-url.min.js"></script>
<script type="text/javascript">
ghost.init({
clientId: "<your-client-id>",
clientSecret: "<your-client-secret>"
});
</script>
```
To achieve this, there have been a number of changes:
- A new `apiUrl` function has been added to config, which calculates the correct URL. This needs to be unified with the other url generation functions as a separate piece of work.
- The serveSharedFile middleware has been updated, so that it can serve files from / or /shared and to substitute `{{api-url}}` as it does `{{blog-url}}`.
- ghost-url.js and ghost-url.min.js have been updated to be served via the serveSharedFile middleware
- ghost-url.js has been changed slightly, to take the url from an inline variable which is substituted the first time it is served
- `{{ghost_head}}` has been updated, removing the api url handling which is now in config/url.js and removing the configuration of the utility in favour of calling `init()` after the script is required
- `{{ghost_head}}` has also had the meta tags for client id and secret removed
- tests have been updated
no issue
- provide a single point for accessing config in unit tests
- create a single way to set and restore config
- ensure that restore deletes top level optional keys that are now undefined
- use this._config in check deprecations, otherwise the config gets cached
- solves issues with interdependent tests
no issue
- If client credentials are missing, or not valid, output a clear message in the server console
- Still defaults to sending the 'access denied to url' error to the frontend
no issue
- Cache the permalinks & postsPerPage settings on the config.theme object
- Use the config.theme cache to reference these items throughout the frontend of a blog
- Removes the need for workarounds and extra code to handle async fetches
- Makes these values accessible to all themes, which is very useful now we have the API stuff
closes#6150
- clean up ghost.url.api script
- switch to inlining config and making the ghost-url.js file an external request
- add minification in production
closes#5850
- filters were added so that apps could change the output of the helpers, but as async helpers are a hack, this led to issues
- apps aren't currently a working part of Ghost, so for now, lets remove the filters
- we'll add these back when we have a better implementation of async helpers & this style of app is back on the cards
refs #5091, #6166
- fetch channel config via an internal function
- prevents channel config from being statically cached at runtime
- means that labs & other settings can be used to change these values
refs #6122
- restore original options after delete
- this is a fix for one use case, long term we should aim to leave
options untouched and execute special queries with temporary data
refs #6009
- This is a straight rename, no functionality is added
- The dot syntax requires pre/post processing to convert the name
- This PR also includes several updates to the tests, as they weren't being run as part of Travis!
Pagination arrows seem to be an appropriate place to use aria-hidden. That is the use-case for bootstrap (http://getbootstrap.com/components/#aligned-links) and based upon my understanding of area seems to be correct.
- pass debug: true to the API to get some useful debug output
- does not work in production mode
Note: I have added these lines back in so many times in the past month or so so that I could
figure out what was happening, I figured everyone else might find them useful.
TODO: use a proper logging method dependent on env
refs #5614, #5943
- adds a new 'filter' bookshelf plugin which extends the model
- the filter plugin provides handling for merging/combining various filters (enforced, defaults and custom/user-provided)
- the filter plugin also handles the calls to gql
- post processing is also moved to the plugin, to be further refactored/removed in future
- adds tests showing how filter could be abused prior to this commit
refs #5614
- change isPublicContext to detectPublicContext
- behaviour now expands the context object out
- this is a bit of a sideeffect, but this is the simplest change
that makes it possible to use the context in the model layer without
significant wider changes
- add new access rules plugin
- takes a context object as part of `forge()` & caches it on the model instance
- provides helper functions for testing access rules later on
refs #5943
- no longer assume the options in processOptions are set
- set where to a new GQL JSON-like statement object
- rather than setting options, add statements which can be understood by knexify
- pass the statements through knexify to build the query
refs #5942
- refactor ghost_head to use Promise.props (settle is going away and this is easier)
- add a new call to fetch the frontend client, if it exists
- add meta tags for the client_id and client_secret on all pages
- don't include the meta tags if the client is not enabled, or if the labs flag is not set
issue #5976
- break out the labs check into a utility
- wrap the get helper in a labs check, so it only works if the checkbox is checked
- make the get helper output an error to both the server and browser console if used when not enabled
refs #6009, #5615
- minimal refactor to remove the addition of count from pagination and other various points
- create a include count plugin that overrides fetch and fetchAll
- this ensures that counts get added at the right points
no issue
- switching from using fetch to fetch all means some code can be removed from the fetchPage method
- updating tests to reflect cleaner code
- ensure coverage is at 100%
no issue
- added comments to pipeline util, inc where it came from
- added tests for pipeline util
- tests uncovered a bug with promises for args, which has been fixed
refs #5845
- adds custom adapter for tags so that `store.queryRecord('tag', {slug: 'tag-slug'})` hits the `/tags/slug/tag-slug` endpoint instead of `/tags/?slug=tag-slug`
- updates tag management screens to use tag slugs instead of IDs
- adds `/tag/:slug/edit` redirect to front-end
closes#5941
- added UI to labs page
- added method to determine if full authentication is required
- updated public_api tests to enable public api first
refs #5940, #5923
- make read-directory ignore invalid package.json files
- display a warning about invalid package.json files on startup
- add tests to ensure read-directory continues, even with invalid package.json files
refs #5602
- add "order" to default browse options
- parse order parameter in Base model
- accept "order" option in Post, User and Tag models
- add tests for posts order
- add tests for tags order
- add tests for users order
refs #5943
- removed featured, tag and author parameters from posts API
- featured was only used in tests
- removed role filter from users API
- role was only used in tests
- fixed up the tests, skipping those that don't quite work yet
refs #5943, #5091
- split out channel config
- use config.theme instead of api calls to grab title & desc
- wrap rss call in a function which sets channel config for RSS feeds
- change rss `getData` function to use the new multiple-query-handling fetchData functionality
- make sure channelConfig is set in all tests
refs #5943, #5091
- updated fetch-data to handle multiple api queries
- using named keys for queries so that the names of items in the result are correct (tag instead of tags etc)
- updated channel configs in frontend controller
- removed old filter code from frontend controller
- added test coverage for fetch-data and format-response
- fixes / removes tests which are broken by the refactor
no issue
- Split out 'getPostPage' & rename to fetchData
- Split format response methods into own files
- Split out handleError
- Split out setReqCtx and rename to setRequestIsSecure
- Split out theme paths
- Refactor tests in index_spec.js to be more robust
- Add tests to bring coverage for split file up to 100%
refs #5604, refs #5463
- deps: ghost-gql@0.0.2
- adds code to wire up the filtering to a paginated query
- updated pagination plugin count query to use 'distinct' so it's more robust
- rename paginationUtils.query to addLimitAndOffset to be more explicit and make the code clearer
- add a new 'advanced browsing spec' set of tests for tracking these features as they are built out
no issue
- Split context out of frontend controller
- Add 100% test coverage for context
- Add tests for preview & improve other bits of coverage
- Further refactors (WIP) will make it easier to reach 100% coverage on the frontend
refs #5923
- add read-themes module to get a list of themes
- replace readDirectory() usage with readThemes(), where only themes are needed
- test read-themes
- test read-directory
- test validate-themes
- test parse-package-json
- add tempfile testing utility to generate temporary paths
no issue
- update grunt-jscs dependency
- fix deprecated `validateJSDoc` configuration
- fix numerous linting errors, including:
- use of future-reserved `public` and `private` variable names
- use of `[]` instead of dot-notation (especially `express['static']` and `cacheRules['x']`)
- extra spaces in `const { run } = Ember` style constructs
One issue that did become apparent is that there are conflicting rules that prevent the use of object function shorthand such that both of these:
```
{ myFunc() {} }
{ myFunc () {} }
```
are called out due to either the missing or the extra space before the `(`
closes#5492
- remove core/server/require-tree.js and split it into modules
- add read-directory module to recursively read directories
- add validate-themes module to scan themes and return errors/warnings
- add parse-package-json module to parse json and validate requirements
- rewrite core/server/models/index.js to manually require models
closes#5913
Sitemap deletion is based on the page.unpublished event. The previous
logic was always sending post.unpublished instead. If page or post
event is triggered is based on the ‘page’ attribute of the model. When
the destroyed handler all attributes are already cleared from the model
which makes this logic always fall back to post.
The fix is to move to the destroying event which still has all the
model values in place.
closes#4439
- adds basic get helper which works with the current API
- allows theme developers to make requests against the API
- supports block params and @error message
- includes 100% test coverage using posts
----
The `{{#get}}` helper is an asynchronous block helper which allows for making
requests for data from the API. This allows theme developers to customise the
data which can be shown on a particular page of a blog.
Requests can be made to the posts, tags or users API endpoints:
```
{{#get "posts" limit="3"}}
{{#foreach posts}}
<a href="{{url}}">{{title}}</a>
{{/foreach}}
{{/get}}
```
The `{{#get}}` helper must be used as a block helper, it supports `{{else}}`
logic, for when no data matching the request is available or if an error has
occurred:
```
{{#get "posts" tag="photo"}}
...
{{else}}
{{#if @error}}
<p>Something went wrong: {{@error}}</p>
{{else}}
<p>No posts found</p>
{{/if}}
{{/get}}
```
The helper also supports block params, meaning the data it outputs can be
given a different name:
```
{{#get "posts" featured="true" as |featured|}}
{{#foreach featured}}
...
{{/foreach}}
{{/get}}
```
Please Note: At present asynchronous helpers cannot be nested.
refs #5909, #4577
- removes accidental '.only' which was hiding issues with the findAll changes
- deleteAllContent and importer still need to use a hard 'findAll' as findPage({limit: 'all'}) doesn't have the same behaviour
fixes#5905
- update context patterns to correctly match author & tag pages
- remove 'tag' and 'tags' from reserved slugs - we'll handle this in terms of overrides in future
closes#5872
- added random secret for new databases
- added temporary fix for existing databases
- secret is still static (`not_available`) during tests
- fixed fork mechanism to keep active environment (never change
NODE_ENV!!!)
- published_by should be set by business logic, rather than by users
Credits: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program
refs #5808
- Fix the API to return a single 422 error when an invalid value is passed
- Only affects Browse, and not Read at present due to differences in how they are handled
- Frontend was changed to always 404 in #5851
- Adds tests to ensure all cases are covered
no issue
- Uncapitalise was dropping the subdirectory when redirecting - so the base url has been added where present
- Uncapitalise was also working differently in node 0.10 and 0.12 - so the path is decoded before testing for uppercase
- Adds some test coverage
- password changes should only be possible from the password change endpoint
Credits: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program
