publify_core 9.2.6 → 9.2.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da6da95f7716a807eb81fc3c6684945b4afeb75dae12256d6e8e0341dacc8108
-  data.tar.gz: 16590e78cb4f249017cad7df86fb72fb6ebfc90eb3c9a55d9fdac017a708c203
+  metadata.gz: 72e8560336bbbbfd2c517840b744e34509782d0f4d6db7cde5ee607230770b65
+  data.tar.gz: 886335b6900c26cfc579bf4197304b0e30cb8eedbe4c362a5394d153cb746487
 SHA512:
-  metadata.gz: 9ba6b4fb3315f76bb3ffba8f2c423fe4d0a2a57fda992a1bf0ce92df49dad52f78e0d72955a75dfcac58ab2a693ecc46f419dbb1c59678ceb86ed8f0c280140d
-  data.tar.gz: 4704c65615d660a2a10f8827970710baeb5438917adeb8d37e7a10a1534626b08b1a45049486398163739c23929d5629d71a41198d28dd46572e5aa3d6260f4d
+  metadata.gz: 695ae9d70e7cb24e7b10b4c2efaaff9d13e32bdcde17e5fcc4be6aab288f5d8d1a0b74465b54f79dd28cf1fbc55a3c7f0e80d02074e8706e863bbba15ddd0368
+  data.tar.gz: 3044549f33cfe4db50562be0d0441e3fc952b433181eefc861768cbeb3072b11be25780c40b2977572ce69d38df945af520c09343d294920eccdf17198b9d143

data/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 9.2.9 / 2022-05-22
+
+* Fix admin article access control [#1065](https://github.com/publify/publify/pull/1065)
+* Refuse html files as resources even if declared to be plain text [#1066](https://github.com/publify/publify/pull/1066)
+
+## 9.2.8 / 2022-05-14
+
+* Fix password protected article reveal [#1049](https://github.com/publify/publify/pull/1049)
+* Disallow comments on draft articles [#1048](https://github.com/publify/publify/pull/1048)
+* Clean up Feedback validation [#1051](https://github.com/publify/publify/pull/1051)
+* Disallow images in comments [#1054](https://github.com/publify/publify/pull/1054)
+* Fix password reset process [#1055](https://github.com/publify/publify/pull/1055)
+* Hide bodies of password-protected articles in search results [#1057](https://github.com/publify/publify/pull/1057)
+* Provide correct `article_id` input in bulkops form [#1058](https://github.com/publify/publify/pull/1058)
+* Do not create article meta description for password-protected articles [#1061](https://github.com/publify/publify/pull/1061)
+
+## 9.2.7 / 2022-02-07
+
+* Fix setting the article password from the Admin [#1044](https://github.com/publify/publify/pull/1044)
+
 ## 9.2.6 / 2022-01-07
 
 * Add documentation about use of the media library

data/app/assets/javascripts/check_password.js

@@ -0,0 +1,9 @@
+// Show and hide spinners on Ajax requests.
+$(document).ready(function() {
+  $('form.check_password').on('ajax:complete',
+    function(evt, xhr, stat) {
+      var form = evt.currentTarget;
+      var elem = document.getElementById(form.dataset["update"]);
+      elem.outerHTML = xhr.responseText;
+    })
+});

data/app/assets/javascripts/publify.js

@@ -7,5 +7,6 @@
 //= require jquery_ujs
 //= require lightbox
 //= require observe
+//= require check_password
 //
 //= require_self

data/app/controllers/admin/content_controller.rb

@@ -58,9 +58,9 @@ class Admin::ContentController < Admin::BaseController
   end
 
   def update
-    return unless access_granted?(params[:id])
+    id = params[:id]
+    return unless access_granted?(id)
 
-    id = params[:article][:id] || params[:id]
     @article = Article.find(id)
 
     if params[:article][:draft]
@@ -101,6 +101,7 @@ class Admin::ContentController < Admin::BaseController
     return false unless request.xhr?
 
     id = params[:article][:id] || params[:id]
+    return if id && !access_granted?(id)
 
     article_factory = Article::Factory.new(this_blog, current_user)
     @article = article_factory.get_or_build_from(id)
@@ -131,7 +132,7 @@ class Admin::ContentController < Admin::BaseController
     end
   end
 
-  protected
+  private
 
   def fetch_fresh_or_existing_draft_for_article
     return unless @article.published? && @article.id
@@ -146,8 +147,6 @@ class Admin::ContentController < Admin::BaseController
 
   attr_accessor :resources, :resource
 
-  private
-
   def load_resources
     @post_types = PostType.all
     @macros = TextFilterPlugin.macro_filters
@@ -180,6 +179,7 @@ class Admin::ContentController < Admin::BaseController
              :body_and_extended,
              :draft,
              :extended,
+             :password,
              :permalink,
              :published_at,
              :text_filter_name,

data/app/controllers/articles_controller.rb

@@ -166,7 +166,10 @@ class ArticlesController < ContentController
       format.html do
         @comment = Comment.new
         @page_title = this_blog.article_title_template.to_title(@article, this_blog, params)
-        @description = this_blog.article_desc_template.to_title(@article, this_blog, params)
+        if @article.password.blank?
+          @description = this_blog.article_desc_template.
+            to_title(@article, this_blog, params)
+        end
 
         @keywords = @article.tags.map(&:name).join(", ")
         render "articles/#{@article.post_type}"

data/app/controllers/comments_controller.rb

@@ -7,11 +7,6 @@ class CommentsController < BaseController
     options = new_comment_defaults.merge comment_params.to_h
     @comment = @article.add_comment(options)
 
-    unless current_user.nil? || session[:user_id].nil?
-      # maybe useless, but who knows ?
-      @comment.user_id = current_user.id if current_user.id == session[:user_id]
-    end
-
     remember_author_info_for @comment
 
     partial = "/articles/comment_failed"
@@ -33,7 +28,7 @@ class CommentsController < BaseController
     @comment = @article.comments.build(comment_params)
   end
 
-  protected
+  private
 
   def recaptcha_ok_for?(comment)
     use_recaptcha = comment.blog.use_recaptcha
@@ -43,7 +38,7 @@ class CommentsController < BaseController
   def new_comment_defaults
     { ip: request.remote_ip,
       author: "Anonymous",
-      user: @current_user,
+      user: current_user,
       user_agent: request.env["HTTP_USER_AGENT"],
       referrer: request.env["HTTP_REFERER"],
       permalink: @article.permalink_url }.stringify_keys

data/app/models/article.rb

@@ -204,7 +204,7 @@ class Article < Content
   end
 
   def comments_closed?
-    !(allow_comments? && in_feedback_window?)
+    !(allow_comments? && published? && in_feedback_window?)
   end
 
   def html_urls
@@ -216,7 +216,7 @@ class Article < Content
   end
 
   def pings_closed?
-    !(allow_pings? && in_feedback_window?)
+    !(allow_pings? && published? && in_feedback_window?)
   end
 
   # check if time to comment is open or not

data/app/models/comment.rb

@@ -38,7 +38,7 @@ class Comment < Feedback
     really_send_notifications
   end
 
-  protected
+  private
 
   def article_allows_feedback?
     return true if article.allow_comments?
@@ -47,6 +47,14 @@ class Comment < Feedback
     false
   end
 
+  def blog_allows_feedback?
+    true
+  end
+
+  def check_article_closed_for_feedback
+    errors.add(:article, "Comment are closed") if article.comments_closed?
+  end
+
   def originator
     author
   end

data/app/models/feedback.rb

@@ -11,11 +11,12 @@ class Feedback < ApplicationRecord
   include PublifyGuid
   include ContentBase
 
+  validate :article_allows_this_feedback, on: :create
   validate :feedback_not_closed, on: :create
   validates :article, presence: true
 
   before_save :correct_url, :classify_content
-  before_create :create_guid, :article_allows_this_feedback
+  before_create :create_guid
 
   # TODO: Rename so it doesn't sound like only approved ham
   scope :ham, -> { where(state: %w(presumed_ham ham)) }
@@ -66,6 +67,10 @@ class Feedback < ApplicationRecord
     page(page).per(per_page)
   end
 
+  def self.allowed_tags
+    @allowed_tags ||= Rails::Html::SafeListSanitizer.allowed_tags - ["img"]
+  end
+
   def parent
     article
   end
@@ -85,7 +90,7 @@ class Feedback < ApplicationRecord
 
   def html_postprocess(_field, html)
     helper = ContentTextHelpers.new
-    helper.sanitize(helper.auto_link(html))
+    helper.sanitize(helper.auto_link(html), tags: self.class.allowed_tags)
   end
 
   def correct_url
@@ -98,10 +103,6 @@ class Feedback < ApplicationRecord
     article && blog_allows_feedback? && article_allows_feedback?
   end
 
-  def blog_allows_feedback?
-    true
-  end
-
   def akismet_options
     { type: self.class.to_s.downcase,
       author: originator,
@@ -200,7 +201,7 @@ class Feedback < ApplicationRecord
   end
 
   def feedback_not_closed
-    errors.add(:article_id, "Comment are closed") if article.comments_closed?
+    check_article_closed_for_feedback
   end
 
   def send_notifications

data/app/models/trackback.rb

@@ -24,10 +24,14 @@ class Trackback < Feedback
   def blog_allows_feedback?
     return true unless blog.global_pings_disable
 
-    errors.add(:article, "Pings are disabled")
+    errors.add(:base, "Pings are disabled")
     false
   end
 
+  def check_article_closed_for_feedback
+    errors.add(:article, "Pings are closed") if article.pings_closed?
+  end
+
   def originator
     blog_name
   end

data/app/uploaders/resource_uploader.rb

@@ -4,7 +4,7 @@ require "marcel"
 
 class ResourceUploader < CarrierWave::Uploader::Base
   include CarrierWave::MiniMagick
-  before :cache, :check_image_content_type!
+  before :cache, :check_content_type!
 
   def content_type_allowlist
     [%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
@@ -37,26 +37,24 @@ class ResourceUploader < CarrierWave::Uploader::Base
     content_type&.include?("image")
   end
 
-  def check_image_content_type!(new_file)
-    if image?(new_file)
-      magic_type = mime_magic_content_type(new_file)
-      if magic_type != new_file.content_type
-        raise CarrierWave::IntegrityError, "has MIME type mismatch"
-      end
+  def check_content_type!(new_file)
+    detected_type = if image? new_file
+                      file_content_content_type(new_file)
+                    else
+                      file_content_type(new_file)
+                    end
+    if detected_type != new_file.content_type
+      raise CarrierWave::IntegrityError, "has MIME type mismatch"
     end
   end
 
   private
 
-  # NOTE: This method was adapted from MagicMimeBlacklist#extract_content_type
-  # from CarrierWave 1.0.0 and SanitizedFile#mime_magic_content_type from CarrierWave 0.11.2
-  def mime_magic_content_type(new_file)
-    content_type = nil
-
-    File.open(new_file.path) do |fd|
-      content_type = Marcel::MimeType.for(fd)
-    end
+  def file_content_content_type(new_file)
+    Marcel::MimeType.for Pathname.new(new_file.path)
+  end
 
-    content_type
+  def file_content_type(new_file)
+    Marcel::MimeType.for Pathname.new(new_file.path), name: new_file.filename
   end
 end

data/app/views/admin/feedback/article.html.erb

@@ -1,12 +1,13 @@
 <% content_for :page_heading do %>
-<h2 class="page-title">
-  <%= t('.comments_for_html', title: @article.title) %>
-</h2>
+  <h2 class="page-title">
+    <%= t('.comments_for_html', title: @article.title) %>
+  </h2>
 <% end %>
 
 <%= form_tag({ action: 'bulkops' }, { class: 'form-inline' }) do %>
 
-  <%= hidden_field 'article_id', @article.id %>
+  <%= hidden_field_tag 'article_id', @article.id %>
+
   <%= render 'button', position: 'top' %>
 
   <br class='clear' />

data/app/views/admin/feedback/index.html.erb

@@ -40,6 +40,7 @@
         </td>
       </tr>
     <% end %>
+
     <% @feedback.each do |comment| %>
       <%= render 'feedback', comment: comment %>
     <% end %>

data/app/views/articles/_password_form.html.erb

@@ -1,10 +1,8 @@
 <div id='content-<%= article.id %>'>
   <p>This post is password protected. Please fill in your password or login to view the content</p>
-  <%= form_for(article, remote: true,
-                        url: { controller: 'articles', action: 'check_password' },
-                        update: "content-#{article.id}") do |f| %>
+  <%= form_tag(check_password_url, remote: true, class: "check_password", data: { update: "content-#{article.id}" }) do %>
     <%= password_field(:article, :password) %>
-    <input type='hidden' name='article[id]' value='<%= article.id %>' />
+    <%= hidden_field(:article, :id) %>
     <%= submit_tag(t('.submit') + '!', name: 'check_password') %>
   <% end %>
 </div>

data/app/views/articles/search.html.erb

@@ -1,7 +1,9 @@
 <% for article in @articles %>
  <div class="post">
    <h2><%= link_to_permalink article, article.title %></h2>
-   <%= article.html(:body).gsub(%r{</?[^>]*>}, '').slice(0..300) %>...
+   <% if article.password.blank? %>
+     <%= article.html(:body).gsub(%r{</?[^>]*>}, '').slice(0..300) %>...
+   <% end %>
   </div>
 <% end %>
 

data/app/views/devise/mailer/reset_password_instructions.html.erb

@@ -1,6 +1,6 @@
 <% require 'devise/version' %>
-<%# TODO: Link user to blog so we can do @resource.blog
-  blog = Blog.first %>
+<%# TODO: Link user to blog so we can do @resource.blog %>
+<% blog = Blog.first %>
 <p><%= t('.greeting', recipient: @resource.login, default: "Hello #{@resource.login}!") %></p>
 
 <p><%= t('.instruction', default: 'Someone has requested a link to change your password, and you can do this through the link below.') %></p>

data/app/views/devise/passwords/edit.html.erb

@@ -3,7 +3,7 @@
 <% end %>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
   <fieldset>
   <%= f.hidden_field :reset_password_token %>
 

data/app/views/devise/passwords/new.html.erb

@@ -3,7 +3,7 @@
 <% end %>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
   <fieldset>
 
     <div class='form-group'>

data/config/routes.rb

@@ -36,10 +36,11 @@ Rails.application.routes.draw do
   get "/pages/*name", to: "articles#view_page", format: false
   get "previews(/:id)", to: "articles#preview", format: false
   get "previews_pages(/:id)", to: "articles#preview_page", format: false
-  get "check_password", to: "articles#check_password", format: false
   get "articles/markup_help/:id", to: "articles#markup_help", format: false
   get "articles/tag", to: "articles#tag", format: false
 
+  post "check_password", to: "articles#check_password", format: false
+
   # SetupController
   get "/setup", to: "setup#index", format: false
   post "/setup", to: "setup#create", format: false

data/lib/publify_core/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PublifyCore
-  VERSION = "9.2.6"
+  VERSION = "9.2.9"
 end

data/lib/spam_protection.rb

@@ -31,7 +31,7 @@ class SpamProtection
     end
   end
 
-  protected
+  private
 
   def scan_ip(ip_address)
     logger.info("[SP] Scanning IP #{ip_address}")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: publify_core
 version: !ruby/object:Gem::Version
-  version: 9.2.6
+  version: 9.2.9
 platform: ruby
 authors:
 - Matijs van Zuijlen
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-01-07 00:00:00.000000000 Z
+date: 2022-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aasm
@@ -579,6 +579,7 @@ files:
 - app/assets/javascripts/bootstrap/modal.js
 - app/assets/javascripts/bootstrap/tab.js
 - app/assets/javascripts/bootstrap/transition.js
+- app/assets/javascripts/check_password.js
 - app/assets/javascripts/cookies.js
 - app/assets/javascripts/datetimepicker.js
 - app/assets/javascripts/lang/da_DK.js