npm - ghost - Versions diffs - 5.12.0 → 5.12.3 - Mend

ghost 5.12.0 → 5.12.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/core/built/admin/index.html CHANGED Viewed

@@ -37,7 +37,7 @@
     </style>
     <link integrity="" rel="stylesheet" href="assets/vendor-bc9d2c9e5c8a33f0c92e81189d48e04c.css">
-    <link integrity="" rel="stylesheet" href="assets/ghost-f62b0e78ddcd947273873bdeba4abc3c.css" title="light">
+    <link integrity="" rel="stylesheet" href="assets/ghost-0bbbef127e5dc0c0651fc442c4fdba8e.css" title="light">
 </head>
@@ -55,7 +55,7 @@
     <script src="assets/vendor-52613f40d62355e9ac64cbfa211169bb.js"></script>
 <script src="assets/chunk.579.65e09dd89eec70d059a0.js"></script>
-<script src="assets/chunk.143.da85cf08f47cfe520bf6.js"></script>
+<script src="assets/chunk.143.926fba90e07af88ce0ed.js"></script>
     <script src="assets/ghost-0526c96b20843697927c1d06a9010197.js"></script>
 </body>
 </html>

package/core/server/api/endpoints/settings.js CHANGED Viewed

@@ -1,4 +1,3 @@
-const Promise = require('bluebird');
 const _ = require('lodash');
 const models = require('../../models');
 const routeSettings = require('../../services/route-settings');
@@ -6,13 +5,8 @@ const {BadRequestError} = require('@tryghost/errors');
 const settingsService = require('../../services/settings/settings-service');
 const membersService = require('../../services/members');
 const stripeService = require('../../services/stripe');
-const tpl = require('@tryghost/tpl');
 const settingsBREADService = settingsService.getSettingsBREADServiceInstance();
-const messages = {
-    failedSendingEmail: 'Failed Sending Email'
-};
 async function getStripeConnectData(frame) {
     const stripeConnectIntegrationToken = frame.data.settings.find(setting => setting.key === 'stripe_connect_integration_token');
@@ -77,94 +71,6 @@ module.exports = {
         }
     },
-    /**
-     * @deprecated
-     */
-    updateMembersEmail: {
-        statusCode: 204,
-        permissions: {
-            method: 'edit'
-        },
-        data: [
-            'email',
-            'type'
-        ],
-        async query(frame) {
-            const {email, type} = frame.data;
-            try {
-                // Mapped internally to the newer method of changing emails
-                const actionToKeyMapping = {
-                    supportAddressUpdate: 'members_support_address'
-                };
-                const edit = {
-                    key: actionToKeyMapping[type],
-                    value: email
-                };
-                await settingsBREADService.edit([edit], frame.options, null);
-            } catch (err) {
-                throw new BadRequestError({
-                    err,
-                    message: tpl(messages.failedSendingEmail)
-                });
-            }
-        }
-    },
-    /**
-     * @todo can get removed, since this is moved to verifyKeyUpdate
-     * @deprecated: keep to not break existing email verification links, but remove after 1 - 2 releases
-     */
-    validateMembersEmailUpdate: {
-        options: [
-            'token',
-            'action'
-        ],
-        permissions: false,
-        validation: {
-            options: {
-                token: {
-                    required: true
-                },
-                action: {
-                    values: ['supportaddressupdate']
-                }
-            }
-        },
-        async query(frame) {
-            // This is something you have to do if you want to use the "framework" with access to the raw req/res
-            frame.response = async function (req, res) {
-                try {
-                    const {token, action} = frame.options;
-                    const updatedEmailAddress = await membersService.settings.getEmailFromToken({token});
-                    const actionToKeyMapping = {
-                        supportAddressUpdate: 'members_support_address'
-                    };
-                    if (updatedEmailAddress) {
-                        return models.Settings.edit({
-                            key: actionToKeyMapping[action],
-                            value: updatedEmailAddress
-                        }).then(() => {
-                            // Redirect to Ghost-Admin settings page
-                            const adminLink = membersService.settings.getAdminRedirectLink({type: action});
-                            res.redirect(adminLink);
-                        });
-                    } else {
-                        return Promise.reject(new BadRequestError({
-                            message: 'Invalid token!'
-                        }));
-                    }
-                } catch (err) {
-                    return Promise.reject(new BadRequestError({
-                        err,
-                        message: 'Invalid token!'
-                    }));
-                }
-            };
-        }
-    },
     disconnectStripeConnectIntegration: {
         statusCode: 204,
         permissions: {

package/core/server/api/endpoints/utils/validators/input/settings.js CHANGED Viewed

@@ -1,6 +1,6 @@
 const Promise = require('bluebird');
 const _ = require('lodash');
-const {ValidationError, BadRequestError} = require('@tryghost/errors');
+const {ValidationError} = require('@tryghost/errors');
 const validator = require('@tryghost/validator');
 const tpl = require('@tryghost/tpl');
@@ -71,24 +71,5 @@ module.exports = {
         if (errors.length) {
             return Promise.reject(errors[0]);
         }
-    },
-    /**
-     * @deprecated
-     */
-    updateMembersEmail(apiConfig, frame) {
-        const {email, type} = frame.data;
-        if (typeof email !== 'string' || !validator.isEmail(email)) {
-            throw new BadRequestError({
-                message: messages.invalidEmailReceived
-            });
-        }
-        if (!type || !['supportAddressUpdate'].includes(type)) {
-            throw new BadRequestError({
-                message: messages.invalidEmailTypeReceived
-            });
-        }
     }
 };

package/core/server/services/comments/service.js CHANGED Viewed

@@ -160,7 +160,8 @@ class CommentsService {
             id: member
         }, {
             require: true,
-            ...options
+            ...options,
+            withRelated: ['products']
         });
         this.checkCommentAccess(memberModel);
@@ -169,7 +170,8 @@ class CommentsService {
             id: post
         }, {
             require: true,
-            ...options
+            ...options,
+            withRelated: ['tiers']
         });
         this.checkPostAccess(postModel, memberModel);
@@ -208,7 +210,8 @@ class CommentsService {
             id: member
         }, {
             require: true,
-            ...options
+            ...options,
+            withRelated: ['products']
         });
         this.checkCommentAccess(memberModel);
@@ -229,7 +232,8 @@ class CommentsService {
             id: parentComment.get('post_id')
         }, {
             require: true,
-            ...options
+            ...options,
+            withRelated: ['tiers']
         });
         this.checkPostAccess(postModel, memberModel);

package/core/server/services/mega/mega.js CHANGED Viewed

@@ -306,10 +306,11 @@ async function sendEmailJob({emailModel, options}) {
         const existingBatchCount = await emailModel.related('emailBatches').count('id');
         if (existingBatchCount === 0) {
-            let newBatchCount;
+            let newBatchCount = 0;
             await models.Base.transaction(async (transacting) => {
-                newBatchCount = await createSegmentedEmailBatches({emailModel, options: {transacting}});
+                const emailBatches = await createSegmentedEmailBatches({emailModel, options: {transacting}});
+                newBatchCount = emailBatches.length;
             });
             if (newBatchCount === 0) {
@@ -423,6 +424,8 @@ function partitionMembersBySegment(memberRows, segments) {
  * @param {Object} options
  * @param {Object} options.emailModel - instance of Email model
  * @param {Object} options.options - knex options
+ *
+ * @returns {Promise<string[]>}
  */
 async function createSegmentedEmailBatches({emailModel, options}) {
     let memberRows = await getEmailMemberRows({emailModel, options});
@@ -444,11 +447,11 @@ async function createSegmentedEmailBatches({emailModel, options}) {
                 memberSegment: partition === 'unsegmented' ? null : partition,
                 options
             });
-            batchIds.push(emailBatchIds);
+            batchIds.push(...emailBatchIds);
         }
     } else {
         const emailBatchIds = await createEmailBatches({emailModel, memberRows, options});
-        batchIds.push(emailBatchIds);
+        batchIds.push(...emailBatchIds);
     }
     return batchIds;

package/core/server/services/mega/template.js CHANGED Viewed

@@ -1,15 +1,43 @@
 /* eslint indent: warn, no-irregular-whitespace: warn */
 const iff = (cond, yes, no) => (cond ? yes : no);
+const sanitizeHtml = require('sanitize-html');
+/**
+ * @template {Object.<string, any>} Input
+ * @param {Input} obj
+ * @param {string[]} [keys]
+ * @returns {Input}
+ */
+const sanitizeKeys = (obj, keys) => {
+    const sanitized = Object.assign({}, obj);
+    const keysToSanitize = keys || Object.keys(obj);
+    for (const key of keysToSanitize) {
+        if (typeof sanitized[key] === 'string') {
+            // @ts-ignore
+            sanitized[key] = sanitizeHtml(sanitized[key], {
+                allowedTags: false,
+                allowedAttributes: false
+            });
+        }
+    }
+    return sanitized;
+};
 module.exports = ({post, site, newsletter, templateSettings}) => {
     const date = new Date();
     const hasFeatureImageCaption = templateSettings.showFeatureImage && post.feature_image && post.feature_image_caption;
+    const cleanPost = sanitizeKeys(post, ['title', 'excerpt', 'html', 'feature_image_alt', 'feature_image_caption']);
+    const cleanSite = sanitizeKeys(site, ['title']);
+    const cleanNewsletter = sanitizeKeys(newsletter, ['name']);
     return `<!doctype html>
 <html>
 <head>
 <meta name="viewport" content="width=device-width" />
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
-<title>${post.title}</title>
+<title>${cleanPost.title}</title>
 <style>
 /* -------------------------------------
     GLOBAL RESETS
@@ -1137,7 +1165,7 @@ ${ templateSettings.showBadge ? `
 </head>
 <body>
-    <span class="preheader">${ post.excerpt ? post.excerpt : `${post.title} – ` }</span>
+    <span class="preheader">${ cleanPost.excerpt ? cleanPost.excerpt : `${cleanPost.title} – ` }</span>
     <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="body" width="100%">
         <!-- Outlook doesn't respect max-width so we need an extra centered table -->
@@ -1172,24 +1200,24 @@ ${ templateSettings.showBadge ? `
                                     <tr>
                                         <td class="${templateSettings.showHeaderTitle ? `site-info-bordered` : `site-info`}" width="100%" align="center">
                                             <table role="presentation" border="0" cellpadding="0" cellspacing="0">
-                                                ${ templateSettings.showHeaderIcon && site.iconUrl ? `
+                                                ${ templateSettings.showHeaderIcon && cleanSite.iconUrl ? `
                                                 <tr>
-                                                    <td class="site-icon"><a href="${site.url}"><img src="${site.iconUrl}" alt="${site.title}" border="0"></a></td>
+                                                    <td class="site-icon"><a href="${cleanSite.url}"><img src="${cleanSite.iconUrl}" alt="${cleanSite.title}" border="0"></a></td>
                                                 </tr>
                                                 ` : ``}
                                                 ${ templateSettings.showHeaderTitle ? `
                                                 <tr>
-                                                    <td class="site-url ${!templateSettings.showHeaderName ? 'site-url-bottom-padding' : ''}"><div style="width: 100% !important;"><a href="${site.url}" class="site-title">${site.title}</a></div></td>
+                                                    <td class="site-url ${!templateSettings.showHeaderName ? 'site-url-bottom-padding' : ''}"><div style="width: 100% !important;"><a href="${cleanSite.url}" class="site-title">${cleanSite.title}</a></div></td>
                                                 </tr>
                                                 ` : ``}
                                                 ${ templateSettings.showHeaderName && templateSettings.showHeaderTitle ? `
                                                 <tr>
-                                                    <td class="site-url site-url-bottom-padding"><div style="width: 100% !important;"><a href="${site.url}" class="site-subtitle">${newsletter.name}</a></div></td>
+                                                    <td class="site-url site-url-bottom-padding"><div style="width: 100% !important;"><a href="${cleanSite.url}" class="site-subtitle">${cleanNewsletter.name}</a></div></td>
                                                 </tr>
                                                 ` : ``}
                                                 ${ templateSettings.showHeaderName && !templateSettings.showHeaderTitle ? `
                                                 <tr>
-                                                    <td class="site-url site-url-bottom-padding"><div style="width: 100% !important;"><a href="${site.url}" class="site-title">${newsletter.name}</a></div></td>
+                                                    <td class="site-url site-url-bottom-padding"><div style="width: 100% !important;"><a href="${cleanSite.url}" class="site-title">${cleanNewsletter.name}</a></div></td>
                                                 </tr>
                                                 ` : ``}
@@ -1201,7 +1229,7 @@ ${ templateSettings.showBadge ? `
                                     <tr>
                                         <td class="post-title ${templateSettings.titleFontCategory === 'serif' ? `post-title-serif` : `` } ${templateSettings.titleAlignment === 'left' ? `post-title-left` : ``}">
-                                            <a href="${post.url}" class="post-title-link ${templateSettings.titleAlignment === 'left' ? `post-title-link-left` : ``}">${post.title}</a>
+                                            <a href="${cleanPost.url}" class="post-title-link ${templateSettings.titleAlignment === 'left' ? `post-title-link-left` : ``}">${cleanPost.title}</a>
                                         </td>
                                     </tr>
                                     <tr>
@@ -1209,28 +1237,28 @@ ${ templateSettings.showBadge ? `
                                             <table role="presentation" border="0" cellpadding="0" cellspacing="0" width="100%">
                                                 <tr>
                                                     <td class="post-meta ${templateSettings.titleAlignment === 'left' ? `post-meta-left` : ``}">
-                                                        By ${post.authors} –
-                                                        ${post.published_at} –
-                                                        <a href="${post.url}" class="view-online-link">View online →</a>
+                                                        By ${cleanPost.authors} –
+                                                        ${cleanPost.published_at} –
+                                                        <a href="${cleanPost.url}" class="view-online-link">View online →</a>
                                                     </td>
                                                 </tr>
                                             </table>
                                         </td>
                                     </tr>
-                                    ${ templateSettings.showFeatureImage && post.feature_image ? `
+                                    ${ templateSettings.showFeatureImage && cleanPost.feature_image ? `
                                     <tr>
-                                        <td class="feature-image ${hasFeatureImageCaption ? 'feature-image-with-caption' : ''}"><img src="${post.feature_image}"${post.feature_image_width ? ` width="${post.feature_image_width}"` : ''}${post.feature_image_alt ? ` alt="${post.feature_image_alt}"` : ''}></td>
+                                        <td class="feature-image ${hasFeatureImageCaption ? 'feature-image-with-caption' : ''}"><img src="${cleanPost.feature_image}"${cleanPost.feature_image_width ? ` width="${cleanPost.feature_image_width}"` : ''}${cleanPost.feature_image_alt ? ` alt="${cleanPost.feature_image_alt}"` : ''}></td>
                                     </tr>
                                     ` : ``}
                                     ${ hasFeatureImageCaption ? `
                                     <tr>
-                                        <td class="feature-image-caption" align="center">${post.feature_image_caption}</td>
+                                        <td class="feature-image-caption" align="center">${cleanPost.feature_image_caption}</td>
                                     </tr>
                                     ` : ``}
                                     <tr>
                                         <td class="${(templateSettings.bodyFontCategory === 'sans_serif') ? `post-content-sans-serif` : `post-content` }">
                                             <!-- POST CONTENT START -->
-                                            ${post.html}
+                                            ${cleanPost.html}
                                             <!-- POST CONTENT END -->
                                         </td>
                                     </tr>
@@ -1245,7 +1273,7 @@ ${ templateSettings.showBadge ? `
                                 <table role="presentation" border="0" cellpadding="0" cellspacing="0" width="100%" style="padding-top: 40px; padding-bottom: 30px;">
                                     ${iff(!!templateSettings.footerContent, `<tr><td class="footer">${templateSettings.footerContent}</td></tr>`, '')}
                                     <tr>
-                                        <td class="footer">${site.title} &copy; ${date.getFullYear()} – <a href="%recipient.unsubscribe_url%">Unsubscribe</a></td>
+                                        <td class="footer">${cleanSite.title} &copy; ${date.getFullYear()} – <a href="%recipient.unsubscribe_url%">Unsubscribe</a></td>
                                     </tr>
                                     ${ templateSettings.showBadge ? `

package/core/server/services/members/middleware.js CHANGED Viewed

@@ -36,7 +36,9 @@ const deleteSession = async function (req, res) {
         res.writeHead(204);
         res.end();
     } catch (err) {
-        res.writeHead(err.statusCode);
+        res.writeHead(err.statusCode, {
+            'Content-Type': 'text/plain;charset=UTF-8'
+        });
         res.end(err.message);
     }
 };
@@ -130,7 +132,9 @@ const updateMemberData = async function (req, res) {
             res.json(null);
         }
     } catch (err) {
-        res.writeHead(err.statusCode);
+        res.writeHead(err.statusCode, {
+            'Content-Type': 'text/plain;charset=UTF-8'
+        });
         res.end(err.message);
     }
 };

package/core/server/web/api/endpoints/admin/middleware.js CHANGED Viewed

@@ -14,15 +14,13 @@ const notImplemented = function (req, res, next) {
         return next();
     }
-    // @NOTE: integrations have limited access for now
+    // @NOTE: integrations & staff tokens have limited access to the API
     const allowlisted = {
-        // @NOTE: stable
         site: ['GET'],
         posts: ['GET', 'PUT', 'DELETE', 'POST'],
         pages: ['GET', 'PUT', 'DELETE', 'POST'],
         images: ['POST'],
         webhooks: ['POST', 'PUT', 'DELETE'],
-        // @NOTE: experimental
         actions: ['GET'],
         tags: ['GET', 'PUT', 'DELETE', 'POST'],
         labels: ['GET', 'PUT', 'DELETE', 'POST'],

package/core/server/web/api/endpoints/admin/routes.js CHANGED Viewed

@@ -65,13 +65,6 @@ module.exports = function apiRoutes() {
     router.get('/settings', mw.authAdminApi, http(api.settings.browse));
     router.put('/settings', mw.authAdminApi, http(api.settings.edit));
     router.put('/settings/verifications/', mw.authAdminApi, http(api.settings.verifyKeyUpdate));
-    /** @deprecated This endpoint is part of the old email verification flow for the support email */
-    router.get('/settings/members/email', http(api.settings.validateMembersEmailUpdate));
-    /** @deprecated This endpoint is part of the old email verification flow for the support email */
-    router.post('/settings/members/email', mw.authAdminApi, http(api.settings.updateMembersEmail));
     router.del('/settings/stripe/connect', mw.authAdminApi, http(api.settings.disconnectStripeConnectIntegration));
     // ## Users

package/core/server/web/shared/middleware/brute.js CHANGED Viewed

@@ -29,26 +29,13 @@ module.exports = {
         })(req, res, next);
     },
     /**
-     * block per user
-     * username === email!
+     * block per ip
      */
     userLogin(req, res, next) {
         return spamPrevention.userLogin().getMiddleware({
             ignoreIP: false,
             key(_req, _res, _next) {
-                if (_req.body.username) {
-                    return _next(`${_req.body.username}login`);
-                }
-                if (_req.body.authorizationCode) {
-                    return _next(`${_req.body.authorizationCode}login`);
-                }
-                if (_req.body.refresh_token) {
-                    return _next(`${_req.body.refresh_token}login`);
-                }
-                return _next();
+                return _next('user_login');
             }
         })(req, res, next);
     },