Commit Graph

3218 Commits

Author SHA1 Message Date
Nazar Gargol
d0d299285c Fixed tests for post input serialization
refs #10472

- Moved config related variable into function scope, so it can be reset by unit tests
- e47d1e275f broke the build and is being fixed by this commit
2019-02-12 12:04:18 +00:00
Nazar Gargol
e47d1e275f Fixed image URL to be stored as relative in mobiledoc
refs #10477
closes #10472

- Adds transformation for any asset absolute URL's into relative used in mobiledoc
2019-02-11 19:20:16 +00:00
Fabien O'Carroll
8e75267bbb
🐛 Allowed data to be read from root of specified key for static pages (#10449)
refs #10434
2019-02-11 12:43:01 +01:00
Nazar Gargol
d299e8676f Fixed JSON Schema validation error message format
refs #10438
2019-02-08 12:17:39 +00:00
Nazar Gargol
28986b3b77 Fixed post.tags validation schema
refs #10438

- Change oneOf to anyOf to allow any of the required fields
2019-02-08 11:29:42 +00:00
Nazar Gargol
96cdde80b9 Fixed validation error when creating new tag from PSM
refs #10438

- Expanded required fields for related tags to have either one of 'id', 'slug' or a 'name' field
2019-02-08 11:02:18 +00:00
Naz Gargol
19643c75dd
Added JSON Schema validation for /posts endpoint (#10468)
refs #10438

- Added  validation helper based on JSON schema
- Added schema validation for POST/PUT in /posts endpoints
- Refactored existing authors validation test suite
- Extended test coverage with a minimally required structure of post.add validator
2019-02-08 10:40:58 +00:00
kirrg001
e1436e2985 Required "event" & "target_url" for webhook creation
refs #10461
2019-02-07 23:21:59 +01:00
kirrg001
f8a286869a Allowed POST & DELETE webhooks endpoints for integrations
refs #9865

- was not sure about allowing to edit webhooks
2019-02-07 23:14:27 +01:00
kirrg001
b83232bf0c Added more webhooks & changed payload
refs #10461

- do not break the existing webhooks by keeping both payload formats for subscribers events
- refactored webhooks service to run models through target API version
- added new events described in the target issue reference
- this refactoring & enhancement is undocumented, further breaking changes will happen because we are actively working on: https://github.com/TryGhost/Ghost/issues/10438
2019-02-07 23:14:27 +01:00
kirrg001
a83aa6e184 Added ability to receive toJSON format of previous attributes
refs #9248

- e.g. model.toJSON({previous: true})
- includes previous relations
2019-02-07 23:14:27 +01:00
kirrg001
50da5d9bab Corrected debug in base model
no issue
2019-02-07 22:08:52 +01:00
kirrg001
7810140f15 Avoided site.changed event if nothing has changed
refs #10461
2019-02-07 22:08:36 +01:00
kirrg001
82c5fc7f5a Ensured API can ask model.wasChanged
refs #10461

- the model layer (only post & user) fetches the model after update
- i assume it was added to ensure a response with all fields
- quick fixing it for now to ensure API layer can access ".wasChanged" to be able to decide if a request modified a resource or not

@NOTE: Bookshelf does not physically update a resource if nothing has changed.
2019-02-07 22:07:13 +01:00
kirrg001
4fca28e643 Made use of model.wasChanged
refs #10461
2019-02-07 22:06:13 +01:00
kirrg001
a157c147af Added model.wasChanged helper
refs #10461

- helpful if you need to ask if the model was changed
- Bookshelf does not support this feature yet
- https://github.com/bookshelf/bookshelf/issues/1943
2019-02-07 22:05:07 +01:00
kirrg001
2eb1f2a507 Avoided inserting actions if nothing has changed
refs #10431

- I thought i have added this protection, but got removed via the simplification in cca3317a11
2019-02-07 20:49:35 +01:00
kirrg001
b25da62cca Ensured defaults when creating resources
no issue

- the model & api layer suffered from missing fields when creating resources
- usually there is only a handful of fields which are required to insert a resource
- the other fields are nullable and/or get defaults assigned
- the API only returned the configured default fields and the fields you have sent to the API
  - this resulted in a response with missing fields
- if you have listend on "created" event, the same happend
  - you received a model with missing fields
- we now set the undefined fields to null on purpose to ensure a full model for both cases

@NOTE:
There is no endpoint to serve webhooks (not for v0.1, not for v2).
Exposing the secret is required if an integration fetches it's api keys and it's webhooks.
The secret is currently un-used and not implemented.
2019-02-07 20:20:10 +01:00
John O'Nolan
ae5ed03488
Update admin redirects
Refs https://github.com/TryGhost/Ghost/pull/10079
2019-02-07 17:59:35 +07:00
kirrg001
1e90126760 Remembered changed fields on destroy
refs #9248
2019-02-07 11:35:00 +01:00
kirrg001
865366c7c8 Ensured consistency for event handlers in the model layer
no issue

- the event chain works like this:
  - if a model registers an event, it get's triggered, because it's stronger than the base model
- but you have to call the base model to agree on a contract, because base model implements generic logic in event handlers
- this was inconsistently used
2019-02-07 11:02:35 +01:00
Fabien O'Carroll
46bf5270df
Added initial subscription support with stripe to Members API (#10460)
These changes introduce a new "service" to the members api, which handles getting and creating subscriptions.

This is wired up to get subscription information when creating tokens, and attaching information to the token, so that the Content API can allow/deny access. 

Behind the subscription service we have a Stripe "payment processor", this holds the logic for creating subscriptions etc... in Stripe.

The logic for getting items out of stripe uses a hash of the relevant data as the id to search for, this allows us to forgo keeping stripe data in a db, so that this feature can get out quicker.
2019-02-07 10:41:39 +01:00
Fabien O'Carroll
5f66026647
Refactored auth pages for future flows (#10458)
no-issue

* Used camelCase for gateway method calls
* Added some components for building blocks of forms
* Added input specific components
* Added Form component
    This handles collecting the data to submit and sharing state between forms
* Added Pages component to handle urls
* Added the pages for the popup
* Added MembersProvider component
    This is designed to give its children access to gateway methods
* Added Modal component
    This wraps the pages and handles dispatching form submissions to the members gateway
* Refactored index.js to use new components/pages
* Fixed default page from Signup -> Signin
2019-02-07 10:39:55 +01:00
kirrg001
cca3317a11 Simplfied action trigger in base model
refs #10431

- the model layer triggers a couple of events on resource update
  e.g. post to page -> post.deleted, post.added
- the resource_type must be always "post", because "page" is not an official model (Bookshelf won't be able to resolve the resource anymore)
- the action streams looks very confusion if you see deleted and added actions when toggling the post to a static page
- therefor the easiest approach for now is to only store actions for: added, edited, deleted
- and we will add the context information asap
  - e.g. you will see that status was changed from "draft" to "published"
- we can also introduce extra published actions if we want
- relying on the internal event system right now makes things just more complicated and we want to keep it simple
2019-02-06 22:21:06 +01:00
kirrg001
dbd3832967 Allowed browse actions for integrations
refs #9865
2019-02-06 21:36:09 +01:00
kirrg001
5f4cf42c14 Fixed tests
no issue
2019-02-06 21:36:09 +01:00
kirrg001
a8e0a173c2 Redefined context.integration
no issue

- we only have access to the ID at the moment
- we really don't want to end up in the same situation as with "context.user"
2019-02-06 21:36:09 +01:00
kirrg001
68bdcfc753 Fixed model._changed for creating resources
no issue

- discovered while testing
- the events are still triggered though for posts because .authors are added on creation
2019-02-06 21:36:09 +01:00
kirrg001
2fd4cbb93b Added v2 actions endpoint
refs #10431

- added v2 endpoint with browse permissions
- context.integration was never accessible in the model layer
  - why? https://github.com/TryGhost/Ghost/issues/10099
2019-02-06 21:36:09 +01:00
kirrg001
8bb2c7d3d5 Added model implementation for actions
refs #10431

- added actions model
- added logic in event emiiter to insert actions if supported
2019-02-06 21:36:09 +01:00
kirrg001
fde31b31ba Added permissions for actions including migration
refs #10431

- migration script to add permissions for actions
- restricted to owner & admin & integration role for now
- we will add permissions for other rules too, but we need add more granular restrictions
  - e.g. contributors can only read actions for posts which he created
2019-02-06 18:59:09 +01:00
kirrg001
c127b406fc Added actions table including migration
refs 10431

- add actions table
- add migration
2019-02-06 18:59:09 +01:00
Kevin Ansfield
c9d6ffa5ab Allowed GET /configuration/about/ for Admin API v2 with API Key auth
refs https://github.com/TryGhost/Ghost/issues/9865
- needed for Zapier
2019-02-06 14:00:29 +00:00
ShumailAhmed123
24e96dcabf Updated default-routes.yaml syntax to single template (#10459)
closes #10456
2019-02-06 14:34:57 +01:00
Aileen Nowak
93b936d2fb Added back "theme.uploaded" analytics event (#10450)
no issue

- With the changes in 79ca6c575c we removed old unused events
- The theme upload event is still used and needed to be put back
- Added the event emit right after the successful upload of the theme
- Renamed analytics events for more consistency
- We need to add the same event emitter to the v0.1 API as it's not deprecated
- emits a `theme.uploaded` event after the theme was successfully uploaded and saved
2019-02-05 17:38:40 +01:00
Hannah Wolfe
426c122ed1 Updated messaging around {{get}} helper access
closes #10447

- Get helper message talks about the old API, but upgrading is the best way to solve the problem
- Had to create a way to add a custom message to a labs enabled helper to achieve this
2019-02-04 17:58:35 +00:00
Hannah Wolfe
5365094dfc 🐛 Provided get helper filters access to globals
closes #10448

- using @site.lang to read posts is a valid use case for the get helper filters
- get helper filters have special treatment of anything wrapped in {{}}, in the form of resolvePaths
- resolvePaths uses some custom logic + jsonpath to find the right bit of data to inject
- this function had no handling for globals starting with `@`, and also didn't have access to them
2019-02-04 15:26:45 +00:00
kirrg001
8b3336c84d Added condition to not trigger events if nothing has changed
refs #9248

- we no longer trigger events if the db was not changed
2019-02-03 13:02:31 +01:00
kirrg001
3289dc7619 Introduced model._changed
refs #9248

- Bookshelf gives access to ".changed" before the update
  - Discussion: https://github.com/bookshelf/bookshelf/issues/1943
- We also need to know what has changed after the update to be able to decide if we should trigger events
- Furthermore: Bookshelf cannot handle relation updates, it always marks relations as changed even though they did not change
- Bumped bookshelf-relations to be able to
  - know if relations were updated
  - ensure we unset relations on bookshelf's ".changed"
2019-02-03 13:02:26 +01:00
kirrg001
d44d93a19d Correct event debug logs in base model
no issue
2019-02-01 19:48:27 +01:00
Nazar Gargol
3274138ff3 Added a note on secret transformation before token verification
refs #9865

- Added some clarificatoin around why secret used for token verification has to be transformed binary decoded from hex
2019-02-01 14:04:25 +00:00
kirrg001
11c910ec8c Avoided to store empty plaintext if html does not contain any text
no issue
2019-01-31 23:14:12 +01:00
kirrg001
01419ef8b3 Added base model debug log for events
no issue
2019-01-31 23:02:48 +01:00
kirrg001
a45f76c574 Allowed subscribers for admin api v2 with api key authentication
refs #9865

- needed for Zapier
2019-01-31 22:09:14 +01:00
kirrg001
93092c8f20 Removed author from Admin API v2 output
refs #10438

- single author is deprecated and get's completely dropped in v3
2019-01-31 16:27:56 +01:00
kirrg001
7f7b477ce9 Fixed error message being unclear when admin api keys create posts without authors
refs #10438

- integrations != users
- Ghost's assumption is: if you create a post, the primary author becomes the logged in user
- we have to require authors for integrations
- short fix and needs some more thoughts later
2019-01-31 16:27:56 +01:00
Nazar Gargol
a463a56971 Changed path returned for uploads to absolute
refs #10438

- This change affects all /uploads/* and /images/* endpoints in Admin API
2019-01-31 15:02:33 +00:00
kirrg001
24a2208625 Fixed 500 when sending wrong mobiledoc structure
refs #10438
2019-01-31 13:33:05 +01:00
kirrg001
23f705d556 Added /images/ endpoints to Admin API v2
refs #10438

- make /images/ available
- we want to document this endpoint notiation, because it is more specific and fits better, because you can only upload images
- either we drop /uploads/ by the end of the project cycle or we keep both for now
- the Admin API v2 is currently undocumented and allows breaking changes in theory
2019-01-31 13:22:49 +01:00
kirrg001
0a4645ab09 Fixed key_authentication_spec.js
no issue

- pretty-urls only redirects GET requests currently
2019-01-31 12:24:09 +01:00
Nazar Gargol
59036577af Enabled Admin API key authentication
refs #9865
2019-01-30 19:17:25 +00:00
kirrg001
eafbaaeba5 Added v2 theme controller
refs #10060
2019-01-30 19:45:02 +01:00
kirrg001
7d05cbba1d Added notImplemented middleware for integrations
refs #9865
2019-01-30 14:15:12 +01:00
Rishabh Garg
8fd4b3f09f
Added new admin API for members (#10435)
no issue

- Added read and browse admin API for members
2019-01-30 17:06:09 +05:30
notanengineercom
5bd509c873 🐛 Fixed removal of temp files left behind by importer
refs #10174

- Improved importer cleanUp method usage, so the cleanup is called in cases when there is an error during an import stage
- Simplified files to clean up tracking as removal of files is now partially handled in uploader middleware
2019-01-30 09:24:29 +00:00
notanengineercom
631716053a 🐛 Fixed files staying in temp directory after upload is done
closes #10174

- Introduced upload middleware that cleans up temporary files stored by mutler after the request is finished
- Removed redundant fs.remove calls as this work is now handled in newly introduced middleware
2019-01-30 09:24:29 +00:00
kirrg001
d20bdfd9c1 Moved more allowed options for findPage to base model
no issue

- no need to define these options in each model
2019-01-29 23:29:06 +01:00
kirrg001
87bb3052a8 Moved allowed filter option to base model
no issue

- no need to define the filter option in each model
2019-01-29 22:57:11 +01:00
Fabien O'Carroll
e9c3040786 💡Reverted "empty-string to NULL" db migration (#10430)
no-issue
- revert the migration because migrations that (potentially) touch every row should be kept to major releases where possible
  - the migration was safe to run and won't cause any problems for anyone who has already upgraded
- reversion keeps the migration file but changes the contents to a no-op so that `migrations` table state is the same for all users whether they migrated with the full migration or the no-op version
2019-01-29 14:41:04 +00:00
Fabien O'Carroll
9fd9ad3fbb 🐛 Returned 0 for word/image count when html is null
refs #10429
2019-01-29 13:35:00 +01:00
Nazar Gargol
bc90b8ec27 🐛 Fixed plaintext attribute error when it is empty
refs #10388

- Issue was caused by migration of empty strings to null 0edacf3fc1
2019-01-29 12:12:10 +00:00
Rish
85fdb9a4f2 Fixed console getting cleared on dev start
closes https://github.com/TryGhost/Ghost/issues/10409

- Removed `clearConsole` on preact cli
2019-01-29 11:02:43 +05:30
Fabien O'Carroll
0edacf3fc1
🐛 Added migration to update empty strings to null (#10428)
closes #10388

This migration finds all tables with nullable columns, it then loops through the tables and their nullable columns, updating each column to a null when its current value is an empty string.
2019-01-28 19:00:29 +01:00
Rishabh Garg
3200ede8b1
🐛 Fixed crash on startup when no active theme (#10426)
closes #10416

- Updated to use default theme engine values when no active theme is found
2019-01-28 22:36:47 +05:30
Tim Birkett
2e21618290 Set Ghost user-agent header for got requests (#10424)
no-issue

Currently the `user-agent` header is the for outgoing webhook calls is the `got` default: `User-Agent: got/8.3.2 (https://github.com/sindresorhus/got)`.

This is pretty unfriendly to the receiver of the webhook who may wish to perform analytics on calling systems, implement security features based on calling system or take action based on different versions of a client.

This PR sets the header to: `User-Agent: Ghost/2.12.0 (https://github.com/TryGhost/Ghost)` which is much more descriptive.
2019-01-28 17:01:34 +01:00
Fabien O'Carroll
95880dddeb
🐛 Updated base model to store null instead of empty string (#10425)
refs #10388 

This updates the base model to retrieve column information, and explicitly set every property whose column is `nullable` and content is the empty string (`""`) to `null`
2019-01-28 16:58:28 +01:00
kirrg001
d8ac582426 🐛 Fixed 404 for locked or suspended users
closes #10410
2019-01-28 10:14:07 +01:00
Nazar Gargol
6318b65cab Changed context.api_key_id to an object containing key type information
refs #9865

- Changed id passed for api_key to an object to be able to differenciate between admin and content api requests
- Added integration id to frame context
- Small refactoring of frame context initialization
2019-01-24 17:22:58 +00:00
Naz Gargol
a0712d23e8
Shortened admin key length (#10418)
refs #10156

- Updated ApiKey model to use shorter secrets for admin keys
2019-01-24 13:46:33 +00:00
Nazar Gargol
5fbad09a56 Modified Admin API key output format
refs #9865

- Changed key format to {id}:{secret} so API consumer only has to worry about copying a single value during setup
- Updated key expiration time in getValidAdminToken test helper to match server side expiration check
2019-01-23 17:18:50 +00:00
Nazar Gargol
776e23696d Added audience check in Admin API key authentication
refs #9865

- Extracted tests related to Admin API key authenticatoin into separate
acceptance test suite
2019-01-23 15:01:22 +00:00
Fabien O'Carroll
3af0110bcc
Refactored members for management api (#10408)
no-issue
2019-01-22 15:29:44 +01:00
Rish
e972483f6c Fixed error handling for members reset password
no-issue

- Both input and form error was shown on submitting reset-password form
- Does not submit form anymore in case of validation errors
2019-01-22 11:46:48 +05:30
Katharina Irrgang
4acc375fb6
Bumped knex & bookshelf dependencies (#10404)
refs #9389, refs #9248

- https://github.com/bookshelf/bookshelf/releases/tag/0.14.0
- Bookshelf has fixed it's previous attr handling, see https://github.com/bookshelf/bookshelf/pull/1848
- SQlite3 double slashes was merged into knex and released 👻tgriesser/knex@c746dea
2019-01-21 21:53:11 +01:00
Katharina Irrgang
d0687da3a3
Bumped major test dependencies (#10403)
refs #9389

- eslint@5.12.1, eslint-plugin-ghost@0.1.0, grunt-contrib-clean@2.0.0, grunt-contrib-uglify@4.0.0, grunt-eslint@21.0.0, grunt-mocha-cli@4.0.0, grunt-shell@3.0.1, mocha@5.2
.0, nock@10.0.6, rewire@4.0.1

All of them dropped Node v4. I was not able to find any other big breaking changes, which affect us right now.
2019-01-21 18:28:44 +01:00
Nazar Gargol
c3e22b6ab9 🐛 Fixed forced page filter not being respected in Content API
closes https://github.com/TryGhost/Ghost/issues/10395, https://github.com/TryGhost/Ghost/issues/10390

- The grouping was introduced due to a flasy conjunction of last filter in 'or' group with enforced page filter, due to this the rest of filters in the 'or' group were bypassed
- Additional grouping added here increases the possiblity of https://github.com/NexesJS/NQL-Lang/issues/7 bug happening
2019-01-21 13:26:45 +00:00
Katharina Irrgang
3df763009e
Added quick fix to handle integration upserts for x_by columns (#10295)
refs #10286

- this is just a hotfix for v0.1
- we keep the x_by fields for now and deprecate them
- as soon as an integration updates/inserts a resource, we just store the owner ID
- we currently work on a new concept for v2
- v2 no longer exposes or uses x_by, see https://github.com/TryGhost/Ghost/pull/10294
- we need to iterate on this change, because we currently use the naming `context.api_key_id` in the auth/API layer
2019-01-21 12:41:45 +01:00
Dexter Leng
da71b61bcf 🐛Deleted associated roles_users rows when user is destroyed (#10243)
closes #8843
2019-01-21 12:36:13 +01:00
Katharina Irrgang
a927aecc3f
🐛 Fixed prev_next helper when using Content API v2 (#10397)
closes #10389
2019-01-21 11:48:18 +01:00
Fabien O'Carroll
6f87f2af93 Fixed img_url to work with protocol relative urls
closes #10391

- We use "relative protocol" urls for gravatar images, which were
  incorrectly getting treated as relative path urls.

- Refactored getBlogUrl calls into const
2019-01-21 11:41:23 +01:00
kirrg001
1126997244 Added easy way to enable admin api key authentication
refs #9865

- small refactoring to make both session and admin api key handling similar
- admin api key authentication is still disabled, but easy to enable
- added proof test how to authenticate using admin api keys
2019-01-18 18:57:58 +01:00
kirrg001
4f7783939d Fixed lint
no issue
2019-01-18 18:03:15 +01:00
kirrg001
e90148e7c3 Switched to use new implementation of authorizeAdminApi
refs #9865

- see code comments
2019-01-18 17:54:08 +01:00
kirrg001
f82bb07534 Added empty lines and reduces line length in auth authorize
no issue

- improves readability
2019-01-18 17:54:08 +01:00
kirrg001
3f758c6a0a Protected against empty admin api key
refs #9865
2019-01-18 17:54:04 +01:00
kirrg001
1b5b95e198 Renamed authenticateAdminApiKey to authenticate for admin api key auth
refs #9865

- the outer authentication layer wants a consistent interface of each authentication package
  - admin.authenticate
  - session.authenticate

- furthermore, there is no need to put the full feature into the exposed function name
2019-01-18 17:30:07 +01:00
kirrg001
462865981e Updated admin api key authentication to expect api key id in payload
refs #9865

- see https://github.com/TryGhost/Ghost/blob/2.11.1/core/server/lib/members/index.js#L52
- consistency
2019-01-18 17:22:19 +01:00
Fabien O'Carroll
1c56221d80 Added API Key auth middleware to v2 Admin API (#10006)
refs #9865

- Added `auth.authenticate.authenticateAdminApiKey` middleware
  - accepts signed JWT in an `Authorization: Ghost [token]` header
  - sets `req.api_key` if the token is valid
- Updated `authenticatePrivate` middleware stack for v2 admin routes
2019-01-18 12:45:06 +00:00
Fabien O'Carroll
809a167a55 Updated permissible methods for hasApiKeyPermissions (#9970)
refs #9865

This updates all current permissible methods to use the new function
signature which includes the hasApiKeyPermissions parameter. It also
makes sure that the hasApiKeyPermissions argument is taken into account
whenever checking before returning a resolved promise.

To be continued. This is just a tiny part of the big picture. None of these changes are fully committed to stay as they are.
2019-01-18 13:39:53 +01:00
kirrg001
2c7c72cd9f Fixed travis
no issue

- caused by fc73cd71bb
- breaks the content API access
2019-01-18 13:05:39 +01:00
Fabien O'Carroll
fc73cd71bb Updated permissions service to handle api keys (#9967)
refs #9865

- Enabled the permissions module to lookup permissions based on an api_key id.
- Updated the "can this" part of the permissions service to load permissions for any api key in the context, and correctly use that to determine whether an action is permissible. It also updates the permissible interface that models can implement to pass in the hasApiKeyPermissions param.
2019-01-18 11:17:11 +00:00
Fabien O'Carroll
42a1313bff
Removed members internal app (#10379)
no-issue

* Mounted members static router directly to parentApp

* Removed members internal app
2019-01-17 12:03:40 +01:00
Hannah Wolfe
909f9012ed
Updated docs links to best equivalents (#10386)
* Updated docs links to best equivalents
   - Our documentation has been overhauled, this updates the all the old links sprinkled through Ghost
* Update integrity hash
2019-01-17 06:57:37 +00:00
Greg Hart
418e958c69 🐛Fixed custom redirects to forward hashes correctly (#10319)
closes #10290
2019-01-15 23:26:18 +01:00
Hannah Wolfe
a1f0169edf 🐛 Fixed 500 error for content with no collection
no issue

- Fixes a case where a post that doesn't belong to a collection throws a 500 Resource Not Found Error
- This should be a 404 Resource Not Found error
- 500 suggests something went very wrong and is our fault,
-  but this is a user error where the collections or posts are misconfigured, and some content doesn't have a home
2019-01-15 22:00:46 +00:00
Hannah Wolfe
846a94728f
🐛 Fixed uncaught exceptions from image fetches
closes #10383

- Upgrades got to 8.3.2, which contains better error handling and resolves the issue with uncaught exceptions
- Note: Got 9.x stream doesn't support Node v6
- Requires us to hardcode http:// for xmlrpc because there is a breaking change where got now defaults to https instead of http
2019-01-15 20:35:46 +00:00
Hannah Wolfe
d58ecda9a9 🐛 Fixed responsive images for .icos
closes #10301

- we allow .ico files for icons, but we cannot resize these specialist files at present
2019-01-15 17:41:25 +00:00
Rishabh Garg
9d9690987a
🐛 Updated v2 content API output to return null instead of “” for empty fields (#10378)
refs #10345

- We are standardising on returning null from the Content API for any empty values
- Updated `post`, `tag` and `author` APIs
2019-01-15 17:58:51 +05:30
Naz Gargol
1a4497fc9a
🐛 Fixed default resource ordering in Content API (#10371)
refs https://github.com/TryGhost/Ghost/issues/10354

- Added ordering on input serialization layer for posts, pages, tags, and authors
- At the moment ordering is dependent on DB engine which will be resolved with https://github.com/TryGhost/Ghost/issues/6104
2019-01-15 12:21:04 +00:00
Katharina Irrgang
3924acd152
🗑Deprecated ghost_head & ghost_foot in favour of codeinjection_* for Settings API v2 (#10380)
closes #10373

- ghost_head & ghost_foot are deprecated from now on
- we want to remove them in v3
- this short fix is dirty (!)
- we return codeinjection_* for admin & content api
- this is a consistentency change e.g. posts return `post.codeinjection_*`
- need to raise a decoupling refactoring issue for the code comments
2019-01-15 13:03:17 +01:00
Fabien O'Carroll
cf1e4aa593
💡 Disabled v0.1 Public API by default (#10372)
refs #10364
2019-01-15 11:09:34 +01:00
kirrg001
95b5fb1c81 Fixed relative image paths for settings v2 admin api
refs #10363
2019-01-14 21:01:12 +01:00
Katharina Irrgang
56db4ddd75
🐛 Fixed API v2 Settings browse returns relative image path (#10370)
closes #10363
2019-01-14 20:36:41 +01:00
Katharina Irrgang
732f97a074
De-aliased api versions in codebase (#10375)
closes #10357
2019-01-14 19:49:55 +01:00
Naz Gargol
48d6e7298a
Refactored content-disposition header handling in API v2 (#10374)
closes https://github.com/TryGhost/Ghost/issues/10331

- Left only a filename part to be handled by controller configuration, the rest was extracted to more generic headers layer
2019-01-14 18:05:16 +00:00
Fabien O'Carroll
9837df0b6f
Added brute protection to content api (#10362)
* Revert "Removed brute force middleware form content api (#10353)"

This reverts commit 63c8c310fb.

* Updated content api spam prevention to use memory store

* Used TooManyRequestsError instead of InternalServer
2019-01-14 14:11:48 +01:00
Rishabh Garg
a7ba90dfa1
🐛 Fixed filtering of page attribute when fields query param is used (#10352)
closes #10351

- Updated filtering logic for `page` in output serialisers of post/page in v2
2019-01-11 22:26:34 +05:30
Naz Gargol
aa49f77504
🐛 Fixed url not being immediately available after post publish (#10361)
🐛  Fixed URL not being immediately available after post publish

closes https://github.com/TryGhost/Ghost/issues/10360

- This change makes sure posts and pages URLs are populated in
synchronous manner
- Further cleanup and restructuring of this hacky solution is planned to
be done in https://github.com/TryGhost/Ghost/issues/10360
2019-01-11 10:30:36 +00:00
Fabien O'Carroll
63c8c310fb
Removed brute force middleware form content api (#10353)
* Removed brute force middleware form content api

no-issue

This is just temporary

* Skipped brute test for content api
2019-01-09 11:38:03 +01:00
Fabien O'Carroll
76bb40b7c0
Added clause in validation for include to not error (#10350)
* Added clause in validation for include to not error

refs #10337

Here we forgo erroring when an invalid property for include is sent, and
instead remove the invalid properties.

* Fixed authors test

* Fixed validators tests
2019-01-08 12:29:15 +01:00
Kevin Ansfield
3a923c597f Remove API readme file
no issue
- it has no useful information and the content is out of date
- API docs live at https://docs.ghost.org/api/
2019-01-08 10:05:05 +00:00
Hannah Wolfe
954ca8c48f Removed unused visiiblity fields from Content API
refs #10337

- Trying to make the API output as clean as possible,
- We can add these back later if we start using them
2019-01-08 10:00:27 +00:00
Fabien O'Carroll
935b0f6d49 🎨 Use unoptimised image when possible for dynamic images (#10314)
closes #10283 

Updated middleware for dynamic image sizes to attempt to read the unoptimized image first, taking into account the `-n` suffix for duplicate image names, by using a regex.
2019-01-08 10:00:15 +00:00
Naz Gargol
df1ba8aee1
Added ability to notify and update url service about changes in related resources (#10336)
refs https://github.com/TryGhost/Ghost/issues/10124

- This PR introduced additional db calls in URL service due to the need for a model recalculation (we can't rely on the objects that come with events)
2019-01-08 09:48:53 +00:00
Hannah Wolfe
da17b2c82b Settings API should return null instead of ""
refs #10345

- We are standardising on returning null from the Content API for any empty values
2019-01-07 15:02:24 +00:00
Fabien O'Carroll
d5bf6dc1c8
Updated comment for globalBlock spam prevention (#10342)
no-issue

Just made it more clear it's not global across the entire api.
2019-01-07 20:21:26 +07:00
Fabien O'Carroll
5cecf0cd61
Added brute protection to content api (#10343)
* Added spam config for content api key

no-issue

* Created contentApiKey spam prevention method

* Added contentApiKey brute middleware

no-issue

This middleware attaches a listener for when the request has completed,
if the request ends with a successful response code, we reset any spam
prevention data for that ip.

* Added contentApiKey brute middleware to the content api

* Multipled maxWait by 24, to 24 hours
2019-01-07 20:03:46 +07:00
Naz Gargol
4177548a84
Migrated redirects controller to API v2 (#10053)
refs #9866

- Migrated redirect routes to use new redirect controller
2019-01-07 11:32:53 +00:00
kirrg001
7e944506e9 Fixed listeners not being removed for test env
no issue

- i saw lot's of event listener warnings
2019-01-05 12:41:26 +01:00
kirrg001
5548bbb2c1 Removed post.status from Content API v2 response
refs #10335

- only used for the preview feature, which does not remove the status field
2019-01-05 12:11:27 +01:00
Katharina Irrgang
6b758bda79
Refactored routing config for multiple api versions (#10333)
refs #10124

- one clean v0.1 and v2 config file for routing!
- solves one underlying bug reported in #10124
- the alias handling was just a hotfix to support v2 for the site
- but it was hard to read, ugly
- now we have two clean configs
- we'll see how useful it is
- need to do proper manual testing on Monday
2019-01-04 21:59:39 +01:00
kirrg001
62a669ac01 Fixed lint
no issue

- 😃 ✌🏻
2019-01-04 21:04:29 +01:00
kirrg001
ec29cfa1da Fixed and extended debug logs in entry-lookup helper
no issue
2019-01-04 20:45:23 +01:00
kirrg001
5e9710cf60 Removed un-used "internal" property in TaxonomyRouter
no issue

- discovered while implementing https://github.com/TryGhost/Ghost/pull/10333
2019-01-04 20:32:54 +01:00
kirrg001
a69a2d814c Added @TODO to theme middleware
no issue
2019-01-04 20:30:17 +01:00
kirrg001
a8dc29e794 Reverted page and status not being returned from Content API v2
refs https://github.com/TryGhost/Ghost/issues/10335

- temporary till Monday!!
2019-01-04 20:18:11 +01:00
Katharina Irrgang
30a0b1794a
Added calculated excerpt field to Content API v2 (#10326)
closes #10062

- return `post.excerpt` for Content API v2
- do not use `downsize`, because we might want to get rid of it if we drop v0.1 (downsize does not create good excerpts)
- simple substring of the plaintext field
2019-01-04 19:00:45 +01:00
Katharina Irrgang
6448c7bdc8
Fixed site using API v2 (#10332)
no issue

- See explanation: ef98c65040 (r31840536)
- that should not break anything, because resource consumption is based on resource type
- the alias pattern was only invented to make v2 work, it was a little dirty. i wanted to refactor that out anyway
2019-01-04 18:24:00 +01:00
Fabien O'Carroll
b6152684a8
Shortened content api key lengths (#10322)
* Lowered the min length for api keys to 26

* Updated ApiKey model to use shorter secrets for content keys
2019-01-04 19:39:54 +07:00
Hannah Wolfe
dd1cf5ffc7 Aliased {{@blog}} as {{@site}} in the theme API
- we're going to remove @blog in Ghost 3.0 in favour of @site
- @site is the theme-layer equivalent of the Content API settings endpoint
2019-01-04 12:17:32 +00:00
Hannah Wolfe
652e818cae Used settingsCache.getPublic() in theme middleware
- Use the new getPublic function which does the same thing as this code
- This removes the inclusion of the amp property, but this is undocumented and should not be there anyway!
- This also adds the ghost_head and ghost_foot property, which are public settings
2019-01-04 12:17:32 +00:00
Hannah Wolfe
5d977f23d4 Added Settings endpoint to V2 Content API
refs #10318

- This settings endpoint returns the commonly used, public information from our settings.
- The values are whitelisted each with a custom name for returning from the endpoint
2019-01-04 12:17:32 +00:00
Hannah Wolfe
80f9765a35 Removed deprecated settings
refs #10318

- cheap and dirty way of removing settings we don't use
- rewritten the settingsFilter function as that was unnecessarily complex
- aslo fixed the require of default-settings in the importer
2019-01-04 12:17:32 +00:00
Hannah Wolfe
ef98c65040
Clean v2 Content API (#10329)
* Removed unused fields from v2 Content API

- We want to ship the v2 Content API as clean and lean as we can
- Many fields in the DB aren't actually used, we shouldn't return these values
- Other values aren't useful outside of Admin clients, and shouldn't be returned either

Fields removed:
- tags: created_at, updated_at, parent
- authors: locale, accessibility, tour
- posts: locale, author status, page
2019-01-04 11:21:21 +00:00
Naz Gargol
d3f3b3dc20
Added plugin based author and public tag models in API v2 (#10284)
refs #10124

- Author model returns only users that have published non-page posts
- Added a public controller for tags (should be extracted to separate Content API controller https://github.com/TryGhost/Ghost/issues/10106)
- Made resource configuration dynamic based on current theme engine
- This needs a follow-up PR with fixes to the problems described in the PR
2019-01-03 20:30:35 +01:00
kirrg001
75037bcb28 Added some deprecation notes for x_by fields
closes #10286

- we will come up with a new activity stream/actions concept soon
2019-01-03 17:14:52 +01:00
kirrg001
789a3c0715 Removed x_by fields from API v2 response
refs #10286

- v2 no longer exposes x_by fields (published_by, updated_by, created_by)
- we will add a brand new concept called activity stream/actions soon
2019-01-03 16:38:52 +01:00
Fabien O'Carroll
0f32209e65
🐛 Fixed responsive images for gifs & svgs (#10315)
closes #10301

* Redirected to original image for gifs & svgs

* Created canTransformFileExtension method

* Updated image middlewares to use canTransformFileExtension
2019-01-03 16:28:37 +07:00
Nazar Gargol
6797da599b Added functional test for import endpoint in API v2
no issue

- This change is a follow up to this bugfix https://github.com/TryGhost/Ghost/pull/10299
- Added default export JSON to keep the state of db test suite intact
- Small typo fixe that noticed while debugging
2019-01-02 14:10:25 +01:00
Kevin Kuang
4a5a5acba7 🐛 Fixed broken content import in Admin API v2 (#10299)
no issue
2018-12-20 11:01:48 +01:00
Aileen Nowak
506d013f25
Ability to not send welcome email (#10293)
no issue

- We need to be able to not send the welcome email if needed
- Intruduces a new possible config setting `sendWelcomeEmail` which is set to `true` by default
2018-12-17 15:02:47 +01:00
Naz Gargol
aa8e75914d
Migrated db controller to API v2 (#10051)
refs #9866

- Migrated db import/export routes to use new db controller
2018-12-17 14:45:09 +01:00
Katharina Irrgang
5d2ab19881
Removed invitedBy from admin API: invitation endpoint (#10291)
refs #10286

- we want to deprecate all `x_by` fields
- we would like to get rid of all usages to be able to easily remove the fields in the future
- `invitedBy` is not used in the admin client
2018-12-17 14:16:39 +01:00
Katharina Irrgang
799857b77a 🐛 Fixed URL is not a constructor for Node v6 (#10289)
closes #10287
2018-12-17 17:23:45 +05:30
Naz Gargol
aca887a35d
Added async file header handling for API v2 (#10292)
refs #9866
2018-12-17 12:47:19 +01:00
Greg Hart
261a8234e9 Added Slack username option. (#10285)
refs #9735.
2018-12-14 18:57:32 +07:00
汪磊
2645ff05a0 🐛 Removed duplicate shortcut icon link (#10254)
no issue

{{amp_ghost_head}} already provides this
2018-12-14 16:59:06 +07:00
汪磊
7419566756 🐛Fixed multiple authors for amp (#10253)
no issue

- refs: gscan `GS001-DEPR-AUTHBL`
- the amp page always printed a single author only
2018-12-14 10:19:51 +01:00
Peter Zimon
42e013cfae
Members auth ui refinements (#10279)
* Update mobile modal animations
* Member popup input error and placeholder refinements
* Adding close animation to members auth popups
* Improve members auth dialog
* Refine members reset password design
2018-12-14 09:57:08 +01:00
Fabien O'Carroll
7dd2b04343 Removed ssoOriginCheck from signout endpoint (#10277)
no-issue

the ssoOriginCheck exists to ensure that we only allow signin/signup to
be called from the specified auth page, this is a very minor security
feature in that it forces signins to go via the page you've designated.
signout however does not need this protection as the call to signout
completely bypasses any UI (this is the same for the call to /token)
2018-12-14 12:26:31 +05:30