npm - ghost - Versions diffs - 5.110.4 → 5.112.0 - Mend

ghost 5.110.4 → 5.112.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (202) hide show

package/core/built/admin/index.html CHANGED Viewed

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.110%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%22936e008b28%22%2C%22adminXDemoFilename%22%3A%22admin-x-demo.js%22%2C%22adminXDemoHash%22%3A%22c0d9975d75%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%227b1858c545%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%227f25cf5ec5%22%2C%22postsFilename%22%3A%22posts.js%22%2C%22postsHash%22%3A%22a276e5a86b%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.112%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%225ea6a6e0ae%22%2C%22adminXDemoFilename%22%3A%22admin-x-demo.js%22%2C%22adminXDemoHash%22%3A%2215e68d0314%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%22b89b845936%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%228b10f84a3e%22%2C%22postsFilename%22%3A%22posts.js%22%2C%22postsHash%22%3A%22cb54d87657%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -58,7 +58,7 @@
     <script src="assets/vendor-fca15534b8426c0567400113c63a3e21.js"></script>
 <script src="assets/chunk.874.461cb3cf5b6b36915f8c.js"></script>
-<script src="assets/chunk.524.3096e68df5b51dacf872.js"></script>
-    <script src="assets/ghost-98d002d50a5e01d2100b2c387a849249.js"></script>
+<script src="assets/chunk.524.db49da6fd8ae155205a4.js"></script>
+    <script src="assets/ghost-62bd4d4c837d453e1038808dc1cd1e4c.js"></script>
 </body>
 </html>

package/core/frontend/helpers/get.js CHANGED Viewed

@@ -338,11 +338,10 @@ module.exports = async function get(resource, options) {
                     errorDetails: {
                         api: `${controllerName}.${action}`,
                         apiOptions,
+                        time: totalMs,
                         returnedRows: returnedRowsCount
                     }
-                }), {
-                    time: totalMs
-                });
+                }));
             }
         }
     }

package/core/frontend/services/sitemap/SiteMapManager.js CHANGED Viewed

@@ -1,5 +1,5 @@
 const DomainEvents = require('@tryghost/domain-events');
-const {URLResourceUpdatedEvent} = require('@tryghost/dynamic-routing-events');
+const URLResourceUpdatedEvent = require('../../../shared/events/URLResourceUpdatedEvent');
 const IndexMapGenerator = require('./SiteMapIndexGenerator');
 const PagesMapGenerator = require('./PageMapGenerator');
 const PostsMapGenerator = require('./PostMapGenerator');

package/core/frontend/src/cards/css/cta.css CHANGED Viewed

@@ -42,31 +42,38 @@
     background: rgba(135, 85, 236, 0.12);
 }
-.kg-cta-sponsor-label {
-    margin: 0 2.4rem;
-    padding: 1.2rem 0;
+.kg-cta-sponsor-label-wrapper {
+    margin: 0 1.5em;
+    padding: .7em 0;
     border-bottom: 1px solid rgba(124, 139, 154, 0.2);
-    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif;
-    font-size: 12px;
-    font-weight: 600;
-    text-transform: uppercase;
-    text-wrap: pretty;
 }
 @media (max-width: 600px) {
-    .kg-cta-sponsor-label {
-        margin: 0 2rem;
-        padding: 1rem 0;
+    .kg-cta-sponsor-label-wrapper {
+        margin: 0 1.25em;
+        padding: .5em 0;
     }
 }
-.kg-cta-bg-none .kg-cta-sponsor-label {
+.kg-cta-bg-none .kg-cta-sponsor-label-wrapper {
     margin: 0;
+    padding-top: 0;
 }
+.kg-cta-has-img .kg-cta-sponsor-label-wrapper:not(.kg-cta-bg-none .kg-cta-sponsor-label-wrapper):not(.kg-cta-minimal .kg-cta-sponsor-label-wrapper) {
+    border-bottom: 0;
+}
+.kg-cta-sponsor-label {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif;
+    font-size: 12px;
+    font-weight: 600;
+    text-transform: uppercase;
+    text-wrap: pretty;
+}
 .kg-cta-sponsor-label p span:not(a span) {
-    color: color-mix(in srgb, currentColor 40%, transparent);
+    color: color-mix(in srgb, currentColor 45%, transparent);
 }
 .kg-cta-sponsor-label a {
@@ -75,29 +82,33 @@
 .kg-cta-content {
     display: flex;
-    padding: 2.4rem;
-    gap: 2.4rem;
+    padding: 1.5em;
+    gap: 1.5em;
 }
 @media (max-width: 600px) {
     .kg-cta-content {
-        padding: 2rem;
-        gap: 2rem;
+        padding: 1.25em;
+        gap: 1.25em;
     }
 }
+.kg-cta-has-img .kg-cta-sponsor-label-wrapper + .kg-cta-content:not(.kg-cta-bg-none .kg-cta-content):not(.kg-cta-minimal .kg-cta-content) {
+    padding-top: 0;
+}
 .kg-cta-bg-none .kg-cta-content {
-    padding: 2.4rem 0;
+    padding: 1.5em 0;
     border-bottom: 1px solid rgba(124, 139, 154, 0.2);
 }
-.kg-cta-bg-none .kg-cta-content:not(.kg-cta-sponsor-label + .kg-cta-content) {
+.kg-cta-bg-none .kg-cta-content:not(.kg-cta-sponsor-label-wrapper + .kg-cta-content) {
     border-top: 1px solid rgba(124, 139, 154, 0.2);
 }
 @media (max-width: 600px) {
     .kg-cta-bg-none .kg-cta-content {
-        padding: 2rem 0;
+        padding: 1.25em 0;
     }
 }
@@ -119,12 +130,12 @@
 .kg-cta-content-inner {
     display: flex;
     flex-direction: column;
-    gap: 2.4rem;
+    gap: 1.5em;
 }
 @media (max-width: 600px) {
     .kg-cta-content-inner {
-        gap: 2rem;
+        gap: 1.25em;
     }
 }
@@ -133,6 +144,7 @@
 }
 .kg-cta-image-container img {
+    margin: 0;
     object-fit: cover;
     border-radius: 6px;
 }
@@ -150,16 +162,13 @@
     }
 }
-.kg-cta-immersive .kg-cta-text {
-    text-align: center;
-}
 .kg-cta-text p {
+    margin: 0;
     text-wrap: pretty;
 }
 .kg-cta-text p + p {
-    margin-top: 2rem;
+    margin-top: 1.25em;
 }
 .kg-cta-text a {
@@ -170,12 +179,13 @@ a.kg-cta-button {
     display: flex;
     position: static;
     align-items: center;
-    padding: 0 2rem;
-    height: 2.4em;
     justify-content: center;
+    padding: 0 1em;
+    height: 2.5em;
     font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif;
     font-size: 0.95em;
-    font-weight: 600;
+    font-weight: 500;
+    line-height: 1.65;
     text-decoration: none;
     border-radius: 6px;
     transition: opacity 0.2s ease-in-out;

package/core/frontend/src/cards/css/video.css CHANGED Viewed

@@ -85,6 +85,7 @@
     width: 100%;
     z-index: 9999;
     padding: 12px 16px;
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif;
 }
 .kg-video-current-time {

package/core/server/api/endpoints/settings-public.js CHANGED Viewed

@@ -7,11 +7,12 @@ const labs = require('../../../shared/labs');
 const getCaptchaSettings = () => {
     if (labs.isSet('captcha')) {
         return {
-            captcha_enabled: config.get('captcha:enabled'),
             captcha_sitekey: config.get('captcha:siteKey')
         };
     } else {
-        return {};
+        return {
+            captcha_enabled: false
+        };
     }
 };

package/core/server/api/endpoints/utils/serializers/input/settings.js CHANGED Viewed

@@ -75,7 +75,9 @@ const EDITABLE_SETTINGS = [
     'recommendations_enabled',
     'body_font',
     'heading_font',
-    'blocked_email_domains'
+    'blocked_email_domains',
+    'captcha_enabled',
+    'require_email_mfa'
 ];
 module.exports = {

package/core/server/api/endpoints/utils/serializers/input/utils/settings-key-group-mapper.js CHANGED Viewed

@@ -47,7 +47,8 @@ const keyGroupMapping = {
     stripe_connect_integration: 'members',
     portal_name: 'portal',
     portal_button: 'portal',
-    portal_plans: 'portal'
+    portal_plans: 'portal',
+    require_email_mfa: 'security'
 };
 const mapKeyToGroup = (key) => {

package/core/server/api/endpoints/utils/serializers/input/utils/settings-key-type-mapper.js CHANGED Viewed

@@ -54,7 +54,8 @@ const keyTypeMapping = {
     stripe_connect_livemode: 'boolean',
     labs: 'object',
     unsplash: 'object',
-    bulk_email_settings: 'object'
+    bulk_email_settings: 'object',
+    require_email_mfa: 'boolean'
 };
 const mapKeyToType = (key) => {

package/core/server/data/migrations/versions/5.111/2025-03-05-16-36-39-add-captcha-setting.js ADDED Viewed

@@ -0,0 +1,8 @@
+const {addSetting} = require('../../utils');
+module.exports = addSetting({
+    key: 'captcha_enabled',
+    value: 'false',
+    type: 'boolean',
+    group: 'members'
+});

package/core/server/data/migrations/versions/5.112/2025-03-10-10-01-01-add-require-mfa-setting.js ADDED Viewed

@@ -0,0 +1,8 @@
+const {addSetting} = require('../../utils');
+module.exports = addSetting({
+    key: 'require_email_mfa',
+    value: 'false',
+    type: 'boolean',
+    group: 'security'
+});

package/core/server/data/schema/default-settings/default-settings.json CHANGED Viewed

@@ -319,6 +319,14 @@
         "blocked_email_domains": {
             "defaultValue": "[]",
             "type": "array"
+        },
+        "captcha_enabled": {
+            "defaultValue": "false",
+            "validations": {
+                "isEmpty": false,
+                "isIn": [["true", "false"]]
+            },
+            "type": "boolean"
         }
     },
     "portal": {
@@ -595,5 +603,11 @@
             },
             "type": "boolean"
         }
+    },
+    "security": {
+        "require_email_mfa": {
+            "defaultValue": false,
+            "type": "boolean"
+        }
     }
 }

package/core/server/models/invite.js CHANGED Viewed

@@ -1,4 +1,3 @@
-const _ = require('lodash');
 const tpl = require('@tryghost/tpl');
 const errors = require('@tryghost/errors');
 const constants = require('@tryghost/constants');
@@ -6,7 +5,7 @@ const security = require('@tryghost/security');
 const settingsCache = require('../../shared/settings-cache');
 const limitService = require('../services/limits');
 const ghostBookshelf = require('./base');
+const {setIsRoles} = require('./role-utils');
 const messages = {
     notEnoughPermission: 'You do not have permission to perform this action',
     roleNotFound: 'Role not found',
@@ -86,10 +85,10 @@ Invite = ghostBookshelf.Model.extend({
                 let allowed = [];
                 if (loadedPermissions.user) {
-                    if (_.some(loadedPermissions.user.roles, {name: 'Owner'}) ||
-                        _.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
+                    const {isOwner, isAdmin, isEitherEditor} = setIsRoles(loadedPermissions);
+                    if (isOwner || isAdmin) {
                         allowed = ['Administrator', 'Editor', 'Author', 'Contributor'];
-                    } else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
+                    } else if (isEitherEditor) {
                         allowed = ['Author', 'Contributor'];
                     }
                 } else if (loadedPermissions.apiKey) {

package/core/server/models/post.js CHANGED Viewed

@@ -21,6 +21,7 @@ const {BadRequestError} = require('@tryghost/errors');
 const {PostRevisions} = require('@tryghost/post-revisions');
 const {mobiledocToLexical} = require('@tryghost/kg-converters');
 const labs = require('../../shared/labs');
+const {setIsRoles} = require('./role-utils');
 const messages = {
     isAlreadyPublished: 'Your post is already published, please reload your page.',
@@ -1478,10 +1479,7 @@ Post = ghostBookshelf.Model.extend({
     // NOTE: the `authors` extension is the parent of the post model. It also has a permissible function.
     permissible: async function permissible(postModel, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasApiKeyPermission) {
-        let isContributor;
-        let isOwner;
-        let isAdmin;
-        let isEditor;
+        let {isContributor, isOwner, isAdmin, isEitherEditor} = setIsRoles(loadedPermissions);
         let isIntegration;
         let isEdit;
         let isAdd;
@@ -1499,10 +1497,6 @@ Post = ghostBookshelf.Model.extend({
             return postModel.get('status') === 'draft';
         }
-        isContributor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Contributor'});
-        isOwner = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'});
-        isAdmin = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Administrator'});
-        isEditor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Editor'});
         isIntegration = loadedPermissions.apiKey && _.some(loadedPermissions.apiKey.roles, {name: 'Admin Integration'});
         isEdit = (action === 'edit');
@@ -1525,7 +1519,7 @@ Post = ghostBookshelf.Model.extend({
         } else if (isContributor && isDestroy) {
             // If destroying, only allow contributor to destroy their own draft posts
             hasUserPermission = isDraft();
-        } else if (!(isOwner || isAdmin || isEditor || isIntegration)) {
+        } else if (!(isOwner || isAdmin || isEitherEditor || isIntegration)) {
             hasUserPermission = !isChanging('visibility');
         }

package/core/server/models/relations/authors.js CHANGED Viewed

@@ -2,6 +2,7 @@ const _ = require('lodash');
 const tpl = require('@tryghost/tpl');
 const errors = require('@tryghost/errors');
 const {sequence} = require('@tryghost/promise');
+const {setIsRoles} = require('../role-utils');
 const messages = {
     noUserFound: 'No user found',
@@ -305,8 +306,7 @@ module.exports.extendModel = function extendModel(Post, Posts, ghostBookshelf) {
             const self = this;
             const postModel = postModelOrId;
             let origArgs;
-            let isContributor;
-            let isAuthor;
+            const {isContributor, isAuthor} = setIsRoles(loadedPermissions);
             let isEdit;
             let isAdd;
             let isDestroy;
@@ -332,8 +332,6 @@ module.exports.extendModel = function extendModel(Post, Posts, ghostBookshelf) {
                     });
             }
-            isContributor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Contributor'});
-            isAuthor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Author'});
             isEdit = (action === 'edit');
             isAdd = (action === 'add');
             isDestroy = (action === 'destroy');

package/core/server/models/role-utils.js ADDED Viewed

@@ -0,0 +1,38 @@
+// check if the user has an assigned role
+// so that we can stop writing this everywhere:
+//_.some(loadedPermissions.user.roles, {name: 'Administrator'})
+function checkUserPermissionsForRole(loadedPermissions, roleName) {
+    if (!loadedPermissions?.user?.roles) {
+        return false;
+    }
+    return loadedPermissions.user.roles.some(role => role.name === roleName);
+}
+function setIsRoles(loadedPermissions) {
+    // utility function to parse the permissions object and set up all the "is" variables.
+    let resultsObject = {
+        isOwner: false,
+        isAdmin: false,
+        isEditor: false,
+        isAuthor: false,
+        isContributor: false,
+        isSuperEditor: false,
+        isEitherEditor: false
+    };
+    if (!loadedPermissions?.user?.roles) {
+        return resultsObject;
+    }
+    resultsObject.isOwner = checkUserPermissionsForRole(loadedPermissions, 'Owner');
+    resultsObject.isAdmin = checkUserPermissionsForRole(loadedPermissions, 'Administrator');
+    resultsObject.isEditor = checkUserPermissionsForRole(loadedPermissions, 'Editor');
+    resultsObject.isAuthor = checkUserPermissionsForRole(loadedPermissions, 'Author');
+    resultsObject.isContributor = checkUserPermissionsForRole(loadedPermissions, 'Contributor');
+    resultsObject.isSuperEditor = checkUserPermissionsForRole(loadedPermissions, 'Super Editor');
+    resultsObject.isEitherEditor = resultsObject.isEditor || resultsObject.isSuperEditor;
+    return resultsObject;
+}
+exports.setIsRoles = setIsRoles;
+exports.checkUserPermissionsForRole = checkUserPermissionsForRole;

package/core/server/models/role.js CHANGED Viewed

@@ -2,6 +2,7 @@ const _ = require('lodash');
 const ghostBookshelf = require('./base');
 const tpl = require('@tryghost/tpl');
 const errors = require('@tryghost/errors');
+const {setIsRoles} = require('./role-utils');
 const messages = {
     roleNotFound: 'Role not found',
@@ -78,12 +79,13 @@ Role = ghostBookshelf.Model.extend({
         const roleModel = roleModelOrId;
         if (action === 'assign' && loadedPermissions.user) {
+            const {isOwner, isAdmin, isEitherEditor} = setIsRoles(loadedPermissions);
             let checkAgainst;
-            if (_.some(loadedPermissions.user.roles, {name: 'Owner'})) {
+            if (isOwner) {
                 checkAgainst = ['Owner', 'Administrator', 'Editor', 'Author', 'Contributor'];
-            } else if (_.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
+            } else if (isAdmin) {
                 checkAgainst = ['Administrator', 'Editor', 'Author', 'Contributor'];
-            } else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
+            } else if (isEitherEditor) {
                 checkAgainst = ['Author', 'Contributor'];
             }

package/core/server/models/user.js CHANGED Viewed

@@ -13,6 +13,7 @@ const permissions = require('../services/permissions');
 const urlUtils = require('../../shared/url-utils');
 const activeStates = ['active', 'warn-1', 'warn-2', 'warn-3', 'warn-4'];
 const ASSIGNABLE_ROLES = ['Administrator', 'Editor', 'Author', 'Contributor'];
+const {setIsRoles} = require('./role-utils');
 const messages = {
     valueCannotBeBlank: 'Value in [{tableName}.{columnKey}] cannot be blank.',
@@ -784,6 +785,7 @@ User = ghostBookshelf.Model.extend({
         const self = this;
         const userModel = userModelOrId;
         let origArgs;
+        const {isOwner, isEitherEditor} = setIsRoles(loadedPermissions);
         // If we passed in a model without its related roles, we need to fetch it again
         if (_.isObject(userModelOrId) && !_.isObject(userModelOrId.related('roles'))) {
@@ -826,10 +828,10 @@ User = ghostBookshelf.Model.extend({
             if (context.user === userModel.get('id')) {
                 // If this is the same user that requests the operation allow it.
                 hasUserPermission = true;
-            } else if (loadedPermissions.user && userModel.hasRole('Owner')) {
+            } else if (isOwner) {
                 // Owner can only be edited by owner
                 hasUserPermission = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'});
-            } else if (loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Editor'})) {
+            } else if (isEitherEditor) {
                 // If the user we are trying to edit is an Author or Contributor, allow it
                 hasUserPermission = userModel.hasRole('Author') || userModel.hasRole('Contributor');
             }
@@ -844,7 +846,7 @@ User = ghostBookshelf.Model.extend({
             }
             // Users with the role 'Editor' have complex permissions when the action === 'destroy'
-            if (loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Editor'})) {
+            if (isEitherEditor) {
                 // Alternatively, if the user we are trying to edit is an Author, allow it
                 hasUserPermission = context.user === userModel.get('id') || userModel.hasRole('Author') || userModel.hasRole('Contributor');
             }

package/core/server/services/activitypub/ActivityPubService.js ADDED Viewed

@@ -0,0 +1,116 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ActivityPubService = void 0;
+const bson_objectid_1 = __importDefault(require("bson-objectid"));
+const node_fetch_1 = __importDefault(require("node-fetch"));
+class ActivityPubService {
+    knex;
+    siteUrl;
+    logging;
+    identityTokenService;
+    constructor(knex, siteUrl, logging, identityTokenService) {
+        this.knex = knex;
+        this.siteUrl = siteUrl;
+        this.logging = logging;
+        this.identityTokenService = identityTokenService;
+    }
+    getExpectedWebhooks(secret) {
+        return [{
+                event: 'post.published',
+                target_url: new URL('.ghost/activitypub/webhooks/post/published', this.siteUrl),
+                api_version: 'v5.100.0',
+                secret
+            }, {
+                event: 'site.changed',
+                target_url: new URL('.ghost/activitypub/webhooks/site/changed', this.siteUrl),
+                api_version: 'v5.100.0',
+                secret
+            }];
+    }
+    async checkWebhookState(expectedWebhooks, integration) {
+        this.logging.info(`Checking ActivityPub Webhook state`);
+        const webhooks = await this.knex
+            .select('*')
+            .from('webhooks')
+            .where('integration_id', '=', integration.id);
+        if (webhooks.length !== expectedWebhooks.length) {
+            this.logging.warn(`Expected ${expectedWebhooks.length} webhooks for ActivityPub`);
+            return false;
+        }
+        for (const expectedWebhook of expectedWebhooks) {
+            const foundWebhook = webhooks.find((webhook) => {
+                return webhook.event === expectedWebhook.event && webhook.target_url === expectedWebhook.target_url.href && webhook.secret === expectedWebhook.secret;
+            });
+            if (!foundWebhook) {
+                this.logging.error(`Could not find webhook for ${expectedWebhook.event} ${expectedWebhook.target_url}`);
+                return false;
+            }
+        }
+        return true;
+    }
+    async getWebhookSecret() {
+        try {
+            const ownerUser = await this.knex.select('*').from('users').where('id', '=', '1').first();
+            const token = await this.identityTokenService.getTokenForUser(ownerUser.email, 'Owner');
+            const res = await (0, node_fetch_1.default)(new URL('.ghost/activitypub/site', this.siteUrl), {
+                headers: {
+                    Authorization: `Bearer ${token}`
+                }
+            });
+            const body = await res.json();
+            return body.webhook_secret;
+        }
+        catch (err) {
+            this.logging.error(`Could not get webhook secret for ActivityPub ${err}`);
+            return null;
+        }
+    }
+    async initialiseWebhooks() {
+        const integration = await this.knex
+            .select('*')
+            .from('integrations')
+            .where('slug', '=', 'ghost-activitypub')
+            .andWhere('type', '=', 'internal')
+            .first();
+        if (!integration) {
+            this.logging.error('No ActivityPub integration found - cannot initialise');
+            return;
+        }
+        const secret = await this.getWebhookSecret();
+        if (!secret) {
+            this.logging.error('No webhook secret found - cannot initialise');
+            return;
+        }
+        const expectedWebhooks = this.getExpectedWebhooks(secret);
+        const isInCorrectState = await this.checkWebhookState(expectedWebhooks, integration);
+        if (isInCorrectState) {
+            this.logging.info(`ActivityPub webhooks in correct state`);
+            return;
+        }
+        this.logging.info(`ActivityPub webhooks in incorrect state, deleting all of them and starting fresh`);
+        await this.knex
+            .del()
+            .from('webhooks')
+            .where('integration_id', '=', integration.id);
+        const webhooksToInsert = expectedWebhooks.map((expectedWebhook) => {
+            return {
+                id: (new bson_objectid_1.default).toHexString(),
+                event: expectedWebhook.event,
+                target_url: expectedWebhook.target_url.href,
+                api_version: expectedWebhook.api_version,
+                name: `ActivityPub ${expectedWebhook.event} Webhook`,
+                secret: secret,
+                integration_id: integration.id,
+                created_at: this.knex.raw('current_timestamp'),
+                created_by: '1'
+            };
+        });
+        await this.knex
+            .insert(webhooksToInsert)
+            .into('webhooks');
+    }
+}
+exports.ActivityPubService = ActivityPubService;