publify_core 9.2.5 → 9.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8598a2b44749716a7bf3f75ab494ff6ba4ef327f29d6606ed3fd21ccce7df918
-  data.tar.gz: b3f58570a4180cb07bfa2852d3bf0c10160feb9f14039875d6e5182fbb56a368
+  metadata.gz: ceb79c67a3eab641f5515e427d022de68e365fa219c18dd686127063669f1d09
+  data.tar.gz: 1d2916a5932b8f0797ddf5af93359d593829d91c5509f7e64490d9250f3de71e
 SHA512:
-  metadata.gz: 5ceafbc0b711d3c0d113e61e9339c9175b6cf18afb08fded9321148d2b3b7ddf1809a9de8de0428f5364820d15de19a58a4b0a811018e6cc210357ccb49e868f
-  data.tar.gz: 7e476032ad37744aee63a7f746c81f020684857fedd43ff6468648ce1133280fd3efc7b78bea560ffd69d34b250dc120e05c767a44361eb376d91de54ecd2c35
+  metadata.gz: 9460c12c7a912eed0462b0e8769af2d23419bc0f7132ea7a071eb72c2e544d437b1f5ab2cdd89ec5ab28445e63cc42bb0628a39892d31baf3d82f8437d3fefb2
+  data.tar.gz: 32cfcbade0b7fe6573daaf6fbe37c6f416e8e8a33b0a43b072c7678ec4b484c7a62fcf1eab76bf779b7f7141cf986a1094ed8c1be9ca10adad3c2a77deaac154

data/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## 9.2.8 / 2022-05-14
+
+* Fix password protected article reveal [#1049](https://github.com/publify/publify/pull/1049)
+* Disallow comments on draft articles [#1048](https://github.com/publify/publify/pull/1048)
+* Clean up Feedback validation [#1051](https://github.com/publify/publify/pull/1051)
+* Disallow images in comments [#1054](https://github.com/publify/publify/pull/1054)
+* Fix password reset process [#1055](https://github.com/publify/publify/pull/1055)
+* Hide bodies of password-protected articles in search results [#1057](https://github.com/publify/publify/pull/1057)
+* Provide correct `article_id` input in bulkops form [#1058](https://github.com/publify/publify/pull/1058)
+* Do not create article meta description for password-protected articles [#1061](https://github.com/publify/publify/pull/1061)
+
+## 9.2.7 / 2022-02-07
+
+* Fix setting the article password from the Admin [#1044](https://github.com/publify/publify/pull/1044)
+
+## 9.2.6 / 2022-01-07
+
+* Add documentation about use of the media library
+
 ## 9.2.5 / 2021-10-11
 
 This release fixes several security issues:

data/app/assets/javascripts/check_password.js

@@ -0,0 +1,9 @@
+// Show and hide spinners on Ajax requests.
+$(document).ready(function() {
+  $('form.check_password').on('ajax:complete',
+    function(evt, xhr, stat) {
+      var form = evt.currentTarget;
+      var elem = document.getElementById(form.dataset["update"]);
+      elem.outerHTML = xhr.responseText;
+    })
+});

data/app/assets/javascripts/publify.js

@@ -7,5 +7,6 @@
 //= require jquery_ujs
 //= require lightbox
 //= require observe
+//= require check_password
 //
 //= require_self

data/app/controllers/admin/content_controller.rb

@@ -131,7 +131,7 @@ class Admin::ContentController < Admin::BaseController
     end
   end
 
-  protected
+  private
 
   def fetch_fresh_or_existing_draft_for_article
     return unless @article.published? && @article.id
@@ -146,8 +146,6 @@ class Admin::ContentController < Admin::BaseController
 
   attr_accessor :resources, :resource
 
-  private
-
   def load_resources
     @post_types = PostType.all
     @macros = TextFilterPlugin.macro_filters
@@ -180,6 +178,7 @@ class Admin::ContentController < Admin::BaseController
              :body_and_extended,
              :draft,
              :extended,
+             :password,
              :permalink,
              :published_at,
              :text_filter_name,

data/app/controllers/articles_controller.rb

@@ -166,7 +166,10 @@ class ArticlesController < ContentController
       format.html do
         @comment = Comment.new
         @page_title = this_blog.article_title_template.to_title(@article, this_blog, params)
-        @description = this_blog.article_desc_template.to_title(@article, this_blog, params)
+        if @article.password.blank?
+          @description = this_blog.article_desc_template.
+            to_title(@article, this_blog, params)
+        end
 
         @keywords = @article.tags.map(&:name).join(", ")
         render "articles/#{@article.post_type}"

data/app/controllers/comments_controller.rb

@@ -7,11 +7,6 @@ class CommentsController < BaseController
     options = new_comment_defaults.merge comment_params.to_h
     @comment = @article.add_comment(options)
 
-    unless current_user.nil? || session[:user_id].nil?
-      # maybe useless, but who knows ?
-      @comment.user_id = current_user.id if current_user.id == session[:user_id]
-    end
-
     remember_author_info_for @comment
 
     partial = "/articles/comment_failed"
@@ -33,7 +28,7 @@ class CommentsController < BaseController
     @comment = @article.comments.build(comment_params)
   end
 
-  protected
+  private
 
   def recaptcha_ok_for?(comment)
     use_recaptcha = comment.blog.use_recaptcha
@@ -43,7 +38,7 @@ class CommentsController < BaseController
   def new_comment_defaults
     { ip: request.remote_ip,
       author: "Anonymous",
-      user: @current_user,
+      user: current_user,
       user_agent: request.env["HTTP_USER_AGENT"],
       referrer: request.env["HTTP_REFERER"],
       permalink: @article.permalink_url }.stringify_keys

data/app/models/article.rb

@@ -204,7 +204,7 @@ class Article < Content
   end
 
   def comments_closed?
-    !(allow_comments? && in_feedback_window?)
+    !(allow_comments? && published? && in_feedback_window?)
   end
 
   def html_urls
@@ -216,7 +216,7 @@ class Article < Content
   end
 
   def pings_closed?
-    !(allow_pings? && in_feedback_window?)
+    !(allow_pings? && published? && in_feedback_window?)
   end
 
   # check if time to comment is open or not

data/app/models/comment.rb

@@ -38,7 +38,7 @@ class Comment < Feedback
     really_send_notifications
   end
 
-  protected
+  private
 
   def article_allows_feedback?
     return true if article.allow_comments?
@@ -47,6 +47,14 @@ class Comment < Feedback
     false
   end
 
+  def blog_allows_feedback?
+    true
+  end
+
+  def check_article_closed_for_feedback
+    errors.add(:article, "Comment are closed") if article.comments_closed?
+  end
+
   def originator
     author
   end

data/app/models/feedback.rb

@@ -11,11 +11,12 @@ class Feedback < ApplicationRecord
   include PublifyGuid
   include ContentBase
 
+  validate :article_allows_this_feedback, on: :create
   validate :feedback_not_closed, on: :create
   validates :article, presence: true
 
   before_save :correct_url, :classify_content
-  before_create :create_guid, :article_allows_this_feedback
+  before_create :create_guid
 
   # TODO: Rename so it doesn't sound like only approved ham
   scope :ham, -> { where(state: %w(presumed_ham ham)) }
@@ -66,6 +67,10 @@ class Feedback < ApplicationRecord
     page(page).per(per_page)
   end
 
+  def self.allowed_tags
+    @allowed_tags ||= Rails::Html::SafeListSanitizer.allowed_tags - ["img"]
+  end
+
   def parent
     article
   end
@@ -85,7 +90,7 @@ class Feedback < ApplicationRecord
 
   def html_postprocess(_field, html)
     helper = ContentTextHelpers.new
-    helper.sanitize(helper.auto_link(html))
+    helper.sanitize(helper.auto_link(html), tags: self.class.allowed_tags)
   end
 
   def correct_url
@@ -98,10 +103,6 @@ class Feedback < ApplicationRecord
     article && blog_allows_feedback? && article_allows_feedback?
   end
 
-  def blog_allows_feedback?
-    true
-  end
-
   def akismet_options
     { type: self.class.to_s.downcase,
       author: originator,
@@ -200,7 +201,7 @@ class Feedback < ApplicationRecord
   end
 
   def feedback_not_closed
-    errors.add(:article_id, "Comment are closed") if article.comments_closed?
+    check_article_closed_for_feedback
   end
 
   def send_notifications

data/app/models/trackback.rb

@@ -24,10 +24,14 @@ class Trackback < Feedback
   def blog_allows_feedback?
     return true unless blog.global_pings_disable
 
-    errors.add(:article, "Pings are disabled")
+    errors.add(:base, "Pings are disabled")
     false
   end
 
+  def check_article_closed_for_feedback
+    errors.add(:article, "Pings are closed") if article.pings_closed?
+  end
+
   def originator
     blog_name
   end

data/app/views/admin/feedback/article.html.erb

@@ -1,12 +1,13 @@
 <% content_for :page_heading do %>
-<h2 class="page-title">
-  <%= t('.comments_for_html', title: @article.title) %>
-</h2>
+  <h2 class="page-title">
+    <%= t('.comments_for_html', title: @article.title) %>
+  </h2>
 <% end %>
 
 <%= form_tag({ action: 'bulkops' }, { class: 'form-inline' }) do %>
 
-  <%= hidden_field 'article_id', @article.id %>
+  <%= hidden_field_tag 'article_id', @article.id %>
+
   <%= render 'button', position: 'top' %>
 
   <br class='clear' />

data/app/views/admin/feedback/index.html.erb

@@ -40,6 +40,7 @@
         </td>
       </tr>
     <% end %>
+
     <% @feedback.each do |comment| %>
       <%= render 'feedback', comment: comment %>
     <% end %>

data/app/views/admin/resources/index.html.erb

@@ -2,6 +2,9 @@
   <h2>
     <%= t('.media_library') %>
   </h2>
+  <p>
+    <%= t('.explain_media_library_html') %>
+  </p>
 <% end %>
 
 <%= form_tag({ action: 'upload' }, { enctype: 'multipart/form-data', class: 'form-inline' }) do %>

data/app/views/articles/_password_form.html.erb

@@ -1,10 +1,8 @@
 <div id='content-<%= article.id %>'>
   <p>This post is password protected. Please fill in your password or login to view the content</p>
-  <%= form_for(article, remote: true,
-                        url: { controller: 'articles', action: 'check_password' },
-                        update: "content-#{article.id}") do |f| %>
+  <%= form_tag(check_password_url, remote: true, class: "check_password", data: { update: "content-#{article.id}" }) do %>
     <%= password_field(:article, :password) %>
-    <input type='hidden' name='article[id]' value='<%= article.id %>' />
+    <%= hidden_field(:article, :id) %>
     <%= submit_tag(t('.submit') + '!', name: 'check_password') %>
   <% end %>
 </div>

data/app/views/articles/search.html.erb

@@ -1,7 +1,9 @@
 <% for article in @articles %>
  <div class="post">
    <h2><%= link_to_permalink article, article.title %></h2>
-   <%= article.html(:body).gsub(%r{</?[^>]*>}, '').slice(0..300) %>...
+   <% if article.password.blank? %>
+     <%= article.html(:body).gsub(%r{</?[^>]*>}, '').slice(0..300) %>...
+   <% end %>
   </div>
 <% end %>
 

data/app/views/devise/mailer/reset_password_instructions.html.erb

@@ -1,6 +1,6 @@
 <% require 'devise/version' %>
-<%# TODO: Link user to blog so we can do @resource.blog
-  blog = Blog.first %>
+<%# TODO: Link user to blog so we can do @resource.blog %>
+<% blog = Blog.first %>
 <p><%= t('.greeting', recipient: @resource.login, default: "Hello #{@resource.login}!") %></p>
 
 <p><%= t('.instruction', default: 'Someone has requested a link to change your password, and you can do this through the link below.') %></p>

data/app/views/devise/passwords/edit.html.erb

@@ -3,7 +3,7 @@
 <% end %>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
   <fieldset>
   <%= f.hidden_field :reset_password_token %>
 

data/app/views/devise/passwords/new.html.erb

@@ -3,7 +3,7 @@
 <% end %>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
   <fieldset>
 
     <div class='form-group'>

data/config/locales/da.yml

@@ -334,6 +334,9 @@ da:
         content_type: Indholdstype (Content Type)
         date: Dato
         delete: Slet
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Filstørrelse
         filename: Filnavn
         media_library: Media Library

data/config/locales/de.yml

@@ -334,6 +334,9 @@ de:
         content_type: Content Type
         date: Date
         delete: Löschen
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Dateigröße
         filename: Dateiname
         media_library: Media Library

data/config/locales/en.yml

@@ -334,6 +334,9 @@ en:
         content_type: Content Type
         date: Date
         delete: Delete
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: File Size
         filename: Filename
         media_library: Media Library

data/config/locales/es-MX.yml

@@ -334,6 +334,9 @@ es-MX:
         content_type: Content Type
         date: Date
         delete: Eliminar
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Tama&ntilde;o del Archivo
         filename: Nombre del archivo
         media_library: Media Library

data/config/locales/fr.yml

@@ -338,6 +338,9 @@ fr:
         content_type: Type de contenu
         date: Date
         delete: Supprimer
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Taille du fichier
         filename: Fichier
         media_library: Bibliothèque de médias

data/config/locales/he.yml

@@ -333,6 +333,9 @@ he:
         content_type: סוג התוכן
         date: תאריך
         delete: מחק
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: גודל הקובץ
         filename: שם הקובץ
         media_library: Media Library

data/config/locales/it.yml

@@ -334,6 +334,9 @@ it:
         content_type: Tipo di contenuto
         date: Date
         delete: Elimina
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Dimensione
         filename: Nome del file
         media_library: Media Library

data/config/locales/ja.yml

@@ -333,6 +333,9 @@ ja:
         content_type: コンテンツタイプ
         date: 日付
         delete: 削除
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: ファイルサイズ
         filename: ファイル名
         media_library: Media Library

data/config/locales/lt.yml

@@ -346,6 +346,9 @@ lt:
         content_type: Content Type
         date: Date
         delete: Trinti
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Dateigröße
         filename: Dateiname
         media_library: Media Library

data/config/locales/nb-NO.yml

@@ -333,6 +333,9 @@ nb-NO:
         content_type: Innholdstype (MIME Content Type)
         date: Dato
         delete: Slett
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Filstørrelse
         filename: Filnavn
         media_library: Media-bibliotek

data/config/locales/nl.yml

@@ -334,9 +334,13 @@ nl:
         content_type: Content Type
         date: Datum
         delete: Verwijderen
+        explain_media_library_html: Upload hier plaatjes, video en audio om te gebruiken
+          in blog posts en pagina's. Let op dat <strong>alle geüploade bestanden openbaar
+          toegankelijk zijn, zelfs als ze niet gebruikt worden in een blog post of
+          pagina.</strong>.
         file_size: Bestandsgrootte
         filename: Bestandsnaam
-        media_library: Media Library
+        media_library: Mediabibliotheek
         medium_size: Medium size
         no_resources: Er zijn nog geen media. Waarom begin je er niet een te maken?
         original_size: Original size
@@ -556,7 +560,7 @@ nl:
         logged_in_as: Logged in as %{login}
         logout_html: Log out &raquo;
         manage_users: Manage Users
-        media_library: Media Library
+        media_library: Mediabibliotheek
         new: Nieuw
         new_article: Nieuw artikel
         new_media: New Media

data/config/locales/pl.yml

@@ -358,6 +358,9 @@ pl:
         content_type: Typ treści
         date: Data
         delete: Usuń
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Rozmiar pliku
         filename: Nazwa pliku
         media_library: Biblioteka multimediów

data/config/locales/pt-BR.yml

@@ -335,6 +335,9 @@ pt-BR:
         content_type: Tipo de conteúdo
         date: Data
         delete: Remover
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Tamanho do arquivo
         filename: Nome do arquivo
         media_library: Biblioteca

data/config/locales/ro.yml

@@ -346,6 +346,9 @@ ro:
         content_type: Tip de conținut (content type)
         date: Date
         delete: Delete
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Dimensiunea fișierului
         filename: Nume de fișier
         media_library: Media Library

data/config/locales/ru.yml

@@ -358,6 +358,9 @@ ru:
         content_type: Content Type
         date: Дата
         delete: Удалить
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: Размер Файла
         filename: Имя Файла
         media_library: Медиатека
@@ -579,7 +582,7 @@ ru:
         logged_in_as: Вы вошли как %{login}
         logout_html: Выйти »
         manage_users: Управление пользователями
-        media_library: Файлы
+        media_library: Медиатека
         new: Добавить...
         new_article: Новый пост
         new_media: Новый файл

data/config/locales/zh-CN.yml

@@ -330,6 +330,9 @@ zh-CN:
         content_type: 內容類型
         date: 日期
         delete: 删除
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: 檔案大小
         filename: 檔案名稱
         media_library: Media Library

data/config/locales/zh-TW.yml

@@ -331,6 +331,9 @@ zh-TW:
         content_type: 內容類型
         date: Date
         delete: 刪除
+        explain_media_library_html: Upload images, video and audio here for use in
+          your blog posts and pages. Please note that <strong>all uploaded files will
+          be publicly accessible even if they're not used in blog posts or pages</strong>.
         file_size: 檔案大小
         filename: 檔案名稱
         media_library: Media Library

data/config/routes.rb

@@ -36,10 +36,11 @@ Rails.application.routes.draw do
   get "/pages/*name", to: "articles#view_page", format: false
   get "previews(/:id)", to: "articles#preview", format: false
   get "previews_pages(/:id)", to: "articles#preview_page", format: false
-  get "check_password", to: "articles#check_password", format: false
   get "articles/markup_help/:id", to: "articles#markup_help", format: false
   get "articles/tag", to: "articles#tag", format: false
 
+  post "check_password", to: "articles#check_password", format: false
+
   # SetupController
   get "/setup", to: "setup#index", format: false
   post "/setup", to: "setup#create", format: false

data/lib/publify_core/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PublifyCore
-  VERSION = "9.2.5"
+  VERSION = "9.2.8"
 end

data/lib/spam_protection.rb

@@ -31,7 +31,7 @@ class SpamProtection
     end
   end
 
-  protected
+  private
 
   def scan_ip(ip_address)
     logger.info("[SP] Scanning IP #{ip_address}")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: publify_core
 version: !ruby/object:Gem::Version
-  version: 9.2.5
+  version: 9.2.8
 platform: ruby
 authors:
 - Matijs van Zuijlen
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-11 00:00:00.000000000 Z
+date: 2022-05-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aasm
@@ -579,6 +579,7 @@ files:
 - app/assets/javascripts/bootstrap/modal.js
 - app/assets/javascripts/bootstrap/tab.js
 - app/assets/javascripts/bootstrap/transition.js
+- app/assets/javascripts/check_password.js
 - app/assets/javascripts/cookies.js
 - app/assets/javascripts/datetimepicker.js
 - app/assets/javascripts/lang/da_DK.js