npm - ghost - Versions diffs - 4.43.0 → 4.45.0 - Mend

ghost 4.43.0 → 4.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/core/frontend/apps/amp/lib/helpers/amp_content.js CHANGED Viewed

@@ -187,9 +187,8 @@ function ampContent() {
         // Use cheerio to traverse through HTML and make little clean-ups
         $ = cheerio.load(ampHTML);
-        // We have to remove source children in video, as source
-        // is whitelisted for audio, but causes validation
-        // errors in video, because video will be stripped out.
+        // We have to remove source children in video, as source is allowed for audio,
+        // but causes validation errors in video, because video will be stripped out.
         // @TODO: remove this, when Amperize support video transform
         $('video').children('source').remove();
         $('video').children('track').remove();

package/core/frontend/web/middleware/cors.js ADDED Viewed

@@ -0,0 +1,56 @@
+const {URL} = require('url');
+const cors = require('cors');
+const errors = require('@tryghost/errors');
+const config = require('../../../shared/config');
+/**
+ * Dynamically configures the expressjs/cors middleware
+ *
+ * @param {import('express').Request} req
+ * @param {Function} callback
+ */
+function corsOptionsDelegate(req, callback) {
+    const origin = req.header('Origin');
+    const corsOptions = {
+        origin: false, // disallow cross-origin requests by default
+        credentials: true // required to allow admin-client to login to private sites
+    };
+    if (!origin || origin === 'null') {
+        return callback(null, corsOptions);
+    }
+    let originUrl;
+    try {
+        originUrl = new URL(origin);
+    } catch (err) {
+        return callback(new errors.BadRequestError({err}));
+    }
+    // originUrl will definitely exist here because according to WHATWG URL spec
+    // The class constructor will either throw a TypeError or return a URL object
+    // https://url.spec.whatwg.org/#url-class
+    // allow all localhost and 127.0.0.1 requests no matter the port
+    if (originUrl.hostname === 'localhost' || originUrl.hostname === '127.0.0.1') {
+        corsOptions.origin = true;
+    }
+    // allow the configured host through on any protocol
+    const siteUrl = new URL(config.get('url'));
+    if (originUrl.host === siteUrl.host) {
+        corsOptions.origin = true;
+    }
+    // allow the configured admin:url host through on any protocol
+    if (config.get('admin:url')) {
+        const adminUrl = new URL(config.get('admin:url'));
+        if (originUrl.host === adminUrl.host) {
+            corsOptions.origin = true;
+        }
+    }
+    callback(null, corsOptions);
+}
+module.exports = cors(corsOptionsDelegate);

package/core/frontend/web/middleware/index.js CHANGED Viewed

@@ -1,4 +1,5 @@
 module.exports = {
+    cors: require('./cors'),
     errorHandler: require('./error-handler'),
     handleImageSizes: require('./handle-image-sizes'),
     redirectGhostToAdmin: require('./redirect-ghost-to-admin'),

package/core/frontend/web/middleware/static-theme.js CHANGED Viewed

@@ -4,18 +4,18 @@ const constants = require('@tryghost/constants');
 const themeEngine = require('../../services/theme-engine');
 const express = require('../../../shared/express');
-function isBlackListedFileType(file) {
-    const blackListedFileTypes = ['.hbs', '.md', '.json'];
+function isDeniedFile(file) {
+    const deniedFileTypes = ['.hbs', '.md', '.json'];
     const ext = path.extname(file);
-    return blackListedFileTypes.includes(ext);
+    return deniedFileTypes.includes(ext);
 }
-function isWhiteListedFile(file) {
-    const whiteListedFiles = ['manifest.json'];
+function isAllowedFile(file) {
+    const allowedFiles = ['manifest.json'];
     const base = path.basename(file);
-    return whiteListedFiles.includes(base);
+    return allowedFiles.includes(base);
 }
 function forwardToExpressStatic(req, res, next) {
@@ -31,8 +31,8 @@ function forwardToExpressStatic(req, res, next) {
 }
 function staticTheme() {
-    return function blackListStatic(req, res, next) {
-        if (!isWhiteListedFile(req.path) && isBlackListedFileType(req.path)) {
+    return function denyStatic(req, res, next) {
+        if (!isAllowedFile(req.path) && isDeniedFile(req.path)) {
             return next();
         }

package/core/frontend/web/site.js CHANGED Viewed

@@ -1,9 +1,6 @@
 const debug = require('@tryghost/debug')('frontend');
 const path = require('path');
 const express = require('../../shared/express');
-const cors = require('cors');
-const {URL} = require('url');
-const errors = require('@tryghost/errors');
 const DomainEvents = require('@tryghost/domain-events');
 const {MemberPageViewEvent} = require('@tryghost/member-events');
@@ -31,50 +28,6 @@ const STATIC_FILES_URL_PREFIX = `/${constants.STATIC_FILES_URL_PREFIX}`;
 let router;
-const corsOptionsDelegate = function corsOptionsDelegate(req, callback) {
-    const origin = req.header('Origin');
-    const corsOptions = {
-        origin: false, // disallow cross-origin requests by default
-        credentials: true // required to allow admin-client to login to private sites
-    };
-    if (!origin || origin === 'null') {
-        return callback(null, corsOptions);
-    }
-    let originUrl;
-    try {
-        originUrl = new URL(origin);
-    } catch (err) {
-        return callback(new errors.BadRequestError({err}));
-    }
-    // originUrl will definitely exist here because according to WHATWG URL spec
-    // The class constructor will either throw a TypeError or return a URL object
-    // https://url.spec.whatwg.org/#url-class
-    // allow all localhost and 127.0.0.1 requests no matter the port
-    if (originUrl.hostname === 'localhost' || originUrl.hostname === '127.0.0.1') {
-        corsOptions.origin = true;
-    }
-    // allow the configured host through on any protocol
-    const siteUrl = new URL(config.get('url'));
-    if (originUrl.host === siteUrl.host) {
-        corsOptions.origin = true;
-    }
-    // allow the configured admin:url host through on any protocol
-    if (config.get('admin:url')) {
-        const adminUrl = new URL(config.get('admin:url'));
-        if (originUrl.host === adminUrl.host) {
-            corsOptions.origin = true;
-        }
-    }
-    callback(null, corsOptions);
-};
 function SiteRouter(req, res, next) {
     router(req, res, next);
 }
@@ -89,7 +42,7 @@ module.exports = function setupSiteApp(options = {}) {
     siteApp.set('view engine', 'hbs');
     // enable CORS headers (allows admin client to hit front-end when configured on separate URLs)
-    siteApp.use(cors(corsOptionsDelegate));
+    siteApp.use(mw.cors);
     siteApp.use(offersService.middleware);

package/core/server/api/canary/authentication.js CHANGED Viewed

@@ -51,14 +51,14 @@ module.exports = {
                 })
                 .then((data) => {
                     try {
-                        return auth.setup.doFixtures(data, api.products);
+                        return auth.setup.doFixtures(data);
                     } catch (e) {
                         return data;
                     }
                 })
                 .then((data) => {
                     try {
-                        return auth.setup.doProduct(data, api.products);
+                        return auth.setup.doProductAndNewsletter(data, api);
                     } catch (e) {
                         return data;
                     }

package/core/server/api/canary/newsletters.js CHANGED Viewed

@@ -1,4 +1,10 @@
 const models = require('../../models');
+const tpl = require('@tryghost/tpl');
+const errors = require('@tryghost/errors');
+const messages = {
+    newsletterNotFound: 'Newsletter not found.'
+};
 module.exports = {
     docName: 'newsletters',
@@ -17,6 +23,32 @@ module.exports = {
         }
     },
+    read: {
+        options: [
+            'fields',
+            'debug',
+            // NOTE: only for internal context
+            'forUpdate',
+            'transacting'
+        ],
+        data: [
+            'id',
+            'slug',
+            'uuid'
+        ],
+        permissions: true,
+        async query(frame) {
+            const newsletter = models.Newsletter.findOne(frame.data, frame.options);
+            if (!newsletter) {
+                throw new errors.NotFoundError({
+                    message: tpl(messages.newsletterNotFound)
+                });
+            }
+            return newsletter;
+        }
+    },
     add: {
         statusCode: 201,
         permissions: true,

package/core/server/api/canary/posts.js CHANGED Viewed

@@ -129,6 +129,7 @@ module.exports = {
             'formats',
             'source',
             'email_recipient_filter',
+            'newsletter_id',
             'send_email_when_published',
             'force_rerender',
             // NOTE: only for internal context

package/core/server/api/canary/stats.js CHANGED Viewed

@@ -8,7 +8,7 @@ module.exports = {
             method: 'browse'
         },
         async query() {
-            return await statsService.members.getCountHistory();
+            return await statsService.getMemberCountHistory();
         }
     },
     mrr: {
@@ -17,7 +17,7 @@ module.exports = {
             method: 'browse'
         },
         async query() {
-            return await statsService.mrr.getHistory();
+            return await statsService.getMRRHistory();
         }
     }
 };

package/core/server/api/canary/utils/serializers/output/members.js CHANGED Viewed

@@ -133,6 +133,9 @@ function serializeMember(member, options) {
     }
     if (json.newsletters && labsService.isSet('multipleNewsletters')) {
+        json.newsletters.sort((a, b) => {
+            return a.sort_order - b.sort_order;
+        });
         serialized.newsletters = json.newsletters;
     }

package/core/server/api/shared/http.js CHANGED Viewed

@@ -83,7 +83,7 @@ const http = (apiImpl) => {
             // CASE: generate headers based on the api ctrl configuration
             if (req && req.headers && req.headers['accept-version'] && res.locals) {
-                headers['content-version'] = `v${res.locals.safeVersion}`;
+                headers['Content-Version'] = `v${res.locals.safeVersion}`;
             }
             res.set(headers);

package/core/server/data/importer/importers/data/settings.js CHANGED Viewed

@@ -80,9 +80,6 @@ class SettingsImporter extends BaseImporter {
         };
     }
-    /**
-     * - 'core' and 'theme' are blacklisted
-     */
     beforeImport() {
         debug('beforeImport');

package/core/server/data/migrations/versions/4.43/2022-03-28-19-26-recreate-newsletter-table.js CHANGED Viewed

@@ -7,7 +7,7 @@ module.exports = recreateTable('newsletters', {
     slug: {type: 'string', maxlength: 191, nullable: false, unique: true},
     sender_name: {type: 'string', maxlength: 191, nullable: false},
     sender_email: {type: 'string', maxlength: 191, nullable: true},
-    sender_reply_to: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'newsletter', validations: {isIn: ['newsletter', 'support']}},
+    sender_reply_to: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'newsletter', validations: {isIn: [['newsletter', 'support']]}},
     status: {type: 'string', maxlength: 50, nullable: false, defaultTo: 'active'},
     visibility: {
         type: 'string',
@@ -20,10 +20,10 @@ module.exports = recreateTable('newsletters', {
     header_image: {type: 'string', maxlength: 2000, nullable: true},
     show_header_icon: {type: 'bool', nullable: false, defaultTo: true},
     show_header_title: {type: 'bool', nullable: false, defaultTo: true},
-    title_font_category: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'sans_serif', validations: {isIn: ['serif', 'sans_serif']}},
-    title_alignment: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'center', validations: {isIn: ['center', 'left']}},
+    title_font_category: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'sans_serif', validations: {isIn: [['serif', 'sans_serif']]}},
+    title_alignment: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'center', validations: {isIn: [['center', 'left']]}},
     show_feature_image: {type: 'bool', nullable: false, defaultTo: true},
-    body_font_category: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'sans_serif', validations: {isIn: ['serif', 'sans_serif']}},
+    body_font_category: {type: 'string', maxlength: 191, nullable: false, defaultTo: 'sans_serif', validations: {isIn: [['serif', 'sans_serif']]}},
     footer_content: {type: 'text', maxlength: 1000000000, nullable: true},
     show_badge: {type: 'bool', nullable: false, defaultTo: true}
 });

package/core/server/data/migrations/versions/4.44/2022-04-06-15-22-populate-type-column-for-paid-subscription-events.js ADDED Viewed

@@ -0,0 +1,21 @@
+const logging = require('@tryghost/logging');
+const {createTransactionalMigration} = require('../../utils');
+module.exports = createTransactionalMigration(
+    async function up(knex) {
+        logging.info('Setting "type" to "updated" for events with different to_plan & from_plan');
+        await knex('members_paid_subscription_events').update('type', 'updated').whereNotNull('from_plan').whereNotNull('to_plan').whereRaw('to_plan != from_plan');
+        logging.info('Setting "type" to "expired" for events with null to_plan or the same to_plan & from_plan');
+        await knex('members_paid_subscription_events').update('type', 'expired').whereNull('to_plan').whereNotNull('from_plan');
+        await knex('members_paid_subscription_events').update('type', 'expired').whereRaw('from_plan = to_plan');
+        logging.info('Setting "type" to "created" for events with null from_plan');
+        await knex('members_paid_subscription_events').update('type', 'created').whereNull('from_plan').whereNotNull('to_plan');
+    },
+    async function down(knex) {
+        logging.info('Setting "type" to null for all rows in "members_paid_subscriptions events"');
+        await knex('members_paid_subscription_events').update('type', null);
+    }
+);

package/core/server/data/migrations/versions/4.44/2022-04-08-11-54-add-cancelled-events.js ADDED Viewed

@@ -0,0 +1,51 @@
+const ObjectID = require('bson-objectid').default;
+const logging = require('@tryghost/logging');
+const {createTransactionalMigration} = require('../../utils');
+module.exports = createTransactionalMigration(
+    async function up(knex) {
+        const cancelledSubscriptions = await knex
+            .select(
+                'members.id as member_id',
+                'members_stripe_customers_subscriptions.id',
+                'members_stripe_customers_subscriptions.stripe_price_id',
+                'members_stripe_customers_subscriptions.plan_currency',
+                'members_stripe_customers_subscriptions.updated_at'
+            )
+            .from('members_stripe_customers_subscriptions')
+            .join('members_stripe_customers', 'members_stripe_customers.customer_id', '=', 'members_stripe_customers_subscriptions.customer_id')
+            .join('members', 'members_stripe_customers.member_id', '=', 'members.id')
+            .where('members_stripe_customers_subscriptions.cancel_at_period_end', true)
+            .whereNot('members_stripe_customers_subscriptions.status', 'canceled');
+        if (cancelledSubscriptions.length === 0) {
+            logging.info('No missing cancelled events - skipping migration');
+            return;
+        }
+        const eventsToInsert = cancelledSubscriptions.map((subscription) => {
+            const event = {
+                id: (new ObjectID()).toHexString(),
+                type: 'canceled',
+                member_id: subscription.member_id,
+                subscription_id: subscription.id,
+                from_plan: subscription.stripe_price_id,
+                to_plan: subscription.stripe_price_id,
+                currency: subscription.plan_currency,
+                source: 'migration',
+                mrr_delta: 0,
+                created_at: subscription.updated_at
+            };
+            return event;
+        });
+        logging.info(`Found ${eventsToInsert.length} missing cancellation events`);
+        await knex('members_paid_subscription_events').insert(eventsToInsert);
+    },
+    async function down(knex) {
+        logging.info('Deleting all members_paid_subscription_events with a "type" of "cancelled"');
+        await knex('members_paid_subscription_events').where({type: 'canceled', source: 'migration'}).del();
+    }
+);

package/core/server/data/migrations/versions/4.44/2022-04-11-08-24-add-newsletter-permissions.js ADDED Viewed

@@ -0,0 +1,33 @@
+const {
+    addPermissionWithRoles,
+    combineTransactionalMigrations
+} = require('../../utils');
+/**
+ * This is similar to core/server/data/migrations/versions/4.42/2022-03-30-15-44-add-newsletter-permissions.js
+ * as the permissions were not added in the fixture file at the time of the migration.
+ * This means the new Ghost installs do not have the newsletter permission and we need this migration.
+*/
+module.exports = combineTransactionalMigrations(
+    addPermissionWithRoles({
+        name: 'Browse newsletters',
+        action: 'browse',
+        object: 'newsletter'
+    }, [
+        'Administrator'
+    ]),
+    addPermissionWithRoles({
+        name: 'Add newsletters',
+        action: 'add',
+        object: 'newsletter'
+    }, [
+        'Administrator'
+    ]),
+    addPermissionWithRoles({
+        name: 'Edit newsletters',
+        action: 'edit',
+        object: 'newsletter'
+    }, [
+        'Administrator'
+    ])
+);

package/core/server/data/migrations/versions/4.44/2022-04-11-10-54-add-mrr-to-subscriptions.js ADDED Viewed

@@ -0,0 +1,8 @@
+const {createAddColumnMigration} = require('../../utils');
+module.exports = createAddColumnMigration('members_stripe_customers_subscriptions', 'mrr', {
+    type: 'integer',
+    unsigned: true,
+    nullable: false,
+    defaultTo: 0
+});

package/core/server/data/migrations/versions/4.44/2022-04-12-07-33-fill-mrr.js ADDED Viewed

@@ -0,0 +1,29 @@
+const logging = require('@tryghost/logging');
+const {createTransactionalMigration} = require('../../utils');
+module.exports = createTransactionalMigration(
+    async function up(knex) {
+        logging.info('Setting "mrr" for active subscriptions in "members_stripe_customers_subscriptions"');
+        // Note that we also set the MRR for 'canceled' subscriptions (cancel_at_period_end === true)
+        // A different migration will make that change in 5.0
+        await knex('members_stripe_customers_subscriptions')
+            .update('mrr', knex.raw(`
+                CASE WHEN plan_interval = 'year' THEN
+                    FLOOR(plan_amount / 12)
+                WHEN plan_interval = 'week' THEN
+                    plan_amount * 4
+                WHEN plan_interval = 'day' THEN
+                    plan_amount * 30
+                ELSE
+                    plan_amount
+                END
+            `))
+            .whereNotIn('status', ['trialing', 'incomplete', 'incomplete_expired', 'canceled']);
+    },
+    async function down(knex) {
+        logging.info('Setting "mrr" to 0 for all rows in "members_stripe_customers_subscriptions"');
+        await knex('members_stripe_customers_subscriptions').update('mrr', 0);
+    }
+);

package/core/server/data/migrations/versions/4.44/2022-04-13-12-00-remove-newsletter-sender-name-not-null-constraint.js ADDED Viewed

@@ -0,0 +1,33 @@
+const logging = require('@tryghost/logging');
+const {createNonTransactionalMigration} = require('../../utils');
+/**
+ * Note: This doesn't use knex.alterTable as it doesn't work for down migration.
+ * It tries to insert a `null` into non `nullable` column while altering column
+ */
+module.exports = createNonTransactionalMigration(
+    async function up(knex) {
+        logging.info('Dropping NOT NULL constraint for: sender_name in table: newsletters');
+        await knex.schema.table('newsletters', function (table) {
+            table.dropColumn('sender_name');
+        });
+        await knex.schema.table('newsletters', function (table) {
+            table.string('sender_name', 191).nullable();
+        });
+    },
+    async function down(knex) {
+        logging.info('Adding NOT NULL constraint for: sender_name in table: newsletters');
+        await knex.schema.table('newsletters', function (table) {
+            table.dropColumn('sender_name');
+        });
+        await knex.schema.table('newsletters', function (table) {
+            // SQLite doesn't allow adding a non nullable column without any default
+            table.string('sender_name', 191).notNullable().defaultTo('Ghost');
+        });
+    }
+);

package/core/server/data/migrations/versions/4.44/2022-04-15-07-53-add-offer-id-to-subscriptions.js ADDED Viewed

@@ -0,0 +1,9 @@
+const {createAddColumnMigration} = require('../../utils');
+module.exports = createAddColumnMigration('members_stripe_customers_subscriptions', 'offer_id', {
+    type: 'string',
+    maxlength: 24,
+    nullable: true,
+    unique: false,
+    references: 'offers.id'
+});

package/core/server/data/migrations/versions/4.45/2022-04-19-12-23-backfill-subscriptions-offers.js ADDED Viewed

@@ -0,0 +1,60 @@
+const logging = require('@tryghost/logging');
+const DatabaseInfo = require('@tryghost/database-info');
+const {createTransactionalMigration} = require('../../utils');
+module.exports = createTransactionalMigration(
+    async function up(knex) {
+        logging.info('Backfilling "offer_id" column in "members_stripe_customers_subscriptions" by matching tier and cadence');
+        const subquery = `
+            SELECT
+                members_stripe_customers_subscriptions.id as subscription_id,
+                offer_redemptions.offer_id as offer_id
+            FROM
+                members_stripe_customers_subscriptions
+                JOIN offer_redemptions ON offer_redemptions.subscription_id = members_stripe_customers_subscriptions.id
+                JOIN offers ON offers.id = offer_redemptions.offer_id
+                JOIN stripe_prices ON members_stripe_customers_subscriptions.stripe_price_id = stripe_prices.stripe_price_id
+                JOIN stripe_products ON stripe_prices.stripe_product_id = stripe_products.stripe_product_id
+            WHERE
+                offers.product_id = stripe_products.product_id
+                AND offers.interval = stripe_prices.interval
+                AND members_stripe_customers_subscriptions.offer_id is null
+        `;
+        if (DatabaseInfo.isSQLite(knex)) {
+            // Less optimized for SQLite
+            const result = await knex.raw(subquery);
+            const updatedRows = result.length;
+            const subscriptionsToUpdate = result;
+            logging.info(`Setting the offer_id for ${updatedRows} members_stripe_customers_subscriptions`);
+            // eslint-disable-next-line no-restricted-syntax
+            for (const u of subscriptionsToUpdate) {
+                // eslint-disable-next-line no-restricted-syntax
+                await knex('members_stripe_customers_subscriptions')
+                    .update('offer_id', u.offer_id)
+                    .where('id', u.subscription_id);
+            }
+        } else {
+            // Single update query
+            const query = `
+                UPDATE
+                    members_stripe_customers_subscriptions,
+                    (${subquery}) as c
+                SET members_stripe_customers_subscriptions.offer_id = c.offer_id
+                WHERE c.subscription_id = members_stripe_customers_subscriptions.id
+            `;
+            const result = await knex.raw(query);
+            const updatedRows = result[0].affectedRows;
+            logging.info(`Updated ${updatedRows} members_stripe_customers_subscriptions with an offer_id`);
+        }
+    },
+    async function down() {
+        // We risk losing data if we would reset offer_id here
+    }
+);

package/core/server/data/migrations/versions/4.45/2022-04-20-11-25-add-newsletter-read-permission.js ADDED Viewed

@@ -0,0 +1,9 @@
+const {addPermissionWithRoles} = require('../../utils');
+module.exports = addPermissionWithRoles({
+    name: 'Read newsletters',
+    action: 'read',
+    object: 'newsletter'
+}, [
+    'Administrator'
+]);

package/core/server/data/migrations/versions/4.45/2022-04-21-02-55-add-notifications-key-entry-to-settings-table.js ADDED Viewed

@@ -0,0 +1,8 @@
+const {addSetting} = require('../../utils.js');
+module.exports = addSetting({
+    key: 'version_notifications',
+    value: '[]',
+    type: 'array',
+    group: 'core'
+});

package/core/server/data/schema/default-settings/default-settings.json CHANGED Viewed

@@ -16,6 +16,10 @@
             "defaultValue": "[]",
             "type": "array"
         },
+        "version_notifications": {
+            "defaultValue": "[]",
+            "type": "array"
+        },
         "session_secret": {
             "defaultValue": null,
             "type": "string"