ghost 5.128.0 → 5.129.0

package/core/server/api/endpoints/comments.js

@@ -1,5 +1,6 @@
 const models = require('../../models');
 const commentsService = require('../../services/comments');
+const errors = require('@tryghost/errors');
 function handleCacheHeaders(model, frame) {
     if (model) {
         const postId = model.get('post_id');
@@ -12,6 +13,33 @@ function handleCacheHeaders(model, frame) {
     }
 }
 
+function validateCommentData(data) {
+    if (!data.post_id && !data.parent_id) {
+        throw new errors.ValidationError({
+            message: 'Either post_id (for top-level comments) or parent_id (for replies) must be provided'
+        });
+    }
+}
+
+function validateCreatedAt(createdAt) {
+    if (!createdAt) {
+        return undefined;
+    }
+    
+    // Only accept string or Date objects, reject other types like numbers
+    if (typeof createdAt !== 'string' && !(createdAt instanceof Date)) {
+        return undefined;
+    }
+    
+    const date = new Date(createdAt);
+    // Check if the date is valid and not in the future
+    if (!isNaN(date.getTime()) && date <= new Date()) {
+        return date;
+    }
+    
+    return undefined;
+}
+
 /** @type {import('@tryghost/api-framework').Controller} */
 const controller = {
     docName: 'comments',
@@ -67,6 +95,64 @@ const controller = {
         permissions: true,
         async query(frame) {
             const result = await commentsService.controller.adminBrowse(frame);
+            return result;
+        }
+    },
+    add: {
+        statusCode: 201,
+        headers: {
+            cacheInvalidate: false
+        },
+        options: [
+            'include'
+        ],
+        validation: {
+            options: {
+                include: {
+                    values: ['post', 'member', 'replies', 'replies.member']
+                }
+            },
+            data: {
+                member_id: {
+                    required: true
+                },
+                html: {
+                    required: true
+                }
+            }
+        },
+        permissions: true,
+        async query(frame) {
+            const data = frame.data.comments[0];
+            
+            validateCommentData(data);
+            const validatedCreatedAt = validateCreatedAt(data.created_at);
+            
+            // Set internal context to prevent notifications
+            if (!frame.options.context) {
+                frame.options.context = {};
+            }
+            frame.options.context.internal = true;
+            
+            const result = data.parent_id
+                ? await commentsService.api.replyToComment(
+                    data.parent_id,
+                    data.in_reply_to_id,
+                    data.member_id,
+                    data.html,
+                    frame.options,
+                    validatedCreatedAt
+                )
+                : await commentsService.api.commentOnPost(
+                    data.post_id,
+                    data.member_id,
+                    data.html,
+                    frame.options,
+                    validatedCreatedAt
+                );
+            
+            handleCacheHeaders(result, frame);
+            
             return result;
         }
     }

package/core/server/api/endpoints/index.js

@@ -217,6 +217,10 @@ module.exports = {
         return apiFramework.pipeline(require('./incoming-recommendations'), localUtils);
     },
 
+    get searchIndex() {
+        return apiFramework.pipeline(require('./search-index'), localUtils);
+    },
+
     /**
      * Content API Controllers
      *
@@ -269,7 +273,7 @@ module.exports = {
         return apiFramework.pipeline(require('./recommendations-public'), localUtils, 'content');
     },
 
-    get searchIndex() {
+    get searchIndexPublic() {
         return apiFramework.pipeline(require('./search-index-public'), localUtils, 'content');
     }
 };

package/core/server/api/endpoints/search-index-public.js

@@ -1,4 +1,6 @@
-const searchIndexService = require('../../services/search-index');
+const models = require('../../models');
+const getPostServiceInstance = require('../../services/posts/posts-service');
+const postsService = getPostServiceInstance();
 
 /** @type {import('@tryghost/api-framework').Controller} */
 const controller = {
@@ -9,7 +11,14 @@ const controller = {
         },
         permissions: true,
         query() {
-            return searchIndexService.fetchPosts();
+            const options = {
+                filter: 'type:post',
+                limit: '10000',
+                order: 'updated_at DESC',
+                columns: ['id', 'slug', 'title', 'excerpt', 'url', 'updated_at', 'visibility']
+            };
+
+            return postsService.browsePosts(options);
         }
     },
     fetchAuthors: {
@@ -18,7 +27,13 @@ const controller = {
         },
         permissions: true,
         query() {
-            return searchIndexService.fetchAuthors();
+            const options = {
+                limit: '10000',
+                order: 'updated_at DESC',
+                columns: ['id', 'slug', 'name', 'url', 'profile_image']
+            };
+
+            return models.Author.findPage(options);
         }
     },
     fetchTags: {
@@ -27,7 +42,14 @@ const controller = {
         },
         permissions: true,
         query() {
-            return searchIndexService.fetchTags();
+            const options = {
+                limit: '10000',
+                order: 'updated_at DESC',
+                columns: ['id', 'slug', 'name', 'url'],
+                filter: 'visibility:public'
+            };
+
+            return models.Tag.findPage(options);
         }
     }
 };

package/core/server/api/endpoints/search-index.js

@@ -0,0 +1,84 @@
+const models = require('../../models');
+const getPostServiceInstance = require('../../services/posts/posts-service');
+const postsService = getPostServiceInstance();
+
+/** @type {import('@tryghost/api-framework').Controller} */
+const controller = {
+    docName: 'search_index',
+    fetchPosts: {
+        headers: {
+            cacheInvalidate: false
+        },
+        permissions: {
+            docName: 'posts',
+            method: 'browse'
+        },
+        query() {
+            const options = {
+                filter: 'type:post',
+                limit: '10000',
+                order: 'updated_at DESC',
+                columns: ['id', 'url', 'title', 'status', 'published_at', 'visibility']
+            };
+
+            return postsService.browsePosts(options);
+        }
+    },
+    fetchPages: {
+        headers: {
+            cacheInvalidate: false
+        },
+        permissions: {
+            docName: 'posts',
+            method: 'browse'
+        },
+        query() {
+            const options = {
+                filter: 'type:page',
+                limit: '10000',
+                order: 'updated_at DESC',
+                columns: ['id', 'url', 'title', 'status', 'published_at', 'visibility']
+            };
+
+            return postsService.browsePosts(options);
+        }
+    },
+    fetchTags: {
+        headers: {
+            cacheInvalidate: false
+        },
+        permissions: {
+            docName: 'tags',
+            method: 'browse'
+        },
+        query() {
+            const options = {
+                limit: '10000',
+                order: 'updated_at DESC',
+                columns: ['id', 'slug', 'name', 'url']
+            };
+
+            return models.Tag.findPage(options);
+        }
+    },
+    fetchUsers: {
+        headers: {
+            cacheInvalidate: false
+        },
+        permissions: {
+            docName: 'users',
+            method: 'browse'
+        },
+        query() {
+            const options = {
+                limit: '10000',
+                order: 'updated_at DESC',
+                columns: ['id', 'slug', 'url', 'name', 'profile_image']
+            };
+
+            return models.User.findPage(options);
+        }
+    }
+};
+
+module.exports = controller;

package/core/server/api/endpoints/utils/serializers/output/search-index.js

@@ -1,33 +1,93 @@
 const debug = require('@tryghost/debug')('api:endpoints:utils:serializers:output:search-index');
-const mappers = require('./mappers');
 const _ = require('lodash');
 
+const mappers = require('./mappers');
+const utils = require('../../index');
+
 module.exports = {
     async fetchPosts(models, apiConfig, frame) {
         debug('fetchPosts');
 
         let posts = [];
+        let keys = [];
+
+        if (utils.isContentAPI(frame)) {
+            keys.push(
+                'id',
+                'slug',
+                'title',
+                'excerpt',
+                'url',
+                'updated_at',
+                'visibility'
+            );
+        } else {
+            keys.push(
+                'id',
+                'url',
+                'title',
+                'status',
+                'published_at',
+                'visibility'
+            );
+        }
+
+        for (let model of models.data) {
+            let post = await mappers.posts(model, frame, {});
+            post = _.pick(post, keys);
+            posts.push(post);
+        }
+
+        frame.response = {
+            posts
+        };
+    },
+
+    async fetchPages(models, apiConfig, frame) {
+        debug('fetchPages');
+
+        let pages = [];
 
         const keys = [
             'id',
-            'slug',
-            'title',
-            'excerpt',
             'url',
-            'created_at',
-            'updated_at',
+            'title',
+            'status',
             'published_at',
             'visibility'
         ];
 
         for (let model of models.data) {
-            let post = await mappers.posts(model, frame, {});
-            post = _.pick(post, keys);
-            posts.push(post);
+            let page = await mappers.pages(model, frame, {});
+            page = _.pick(page, keys);
+            pages.push(page);
         }
 
         frame.response = {
-            posts
+            pages
+        };
+    },
+
+    async fetchTags(models, apiConfig, frame) {
+        debug('fetchTags');
+
+        let tags = [];
+
+        const keys = [
+            'id',
+            'slug',
+            'name',
+            'url'
+        ];
+
+        for (let model of models.data) {
+            let tag = await mappers.tags(model, frame);
+            tag = _.pick(tag, keys);
+            tags.push(tag);
+        }
+
+        frame.response = {
+            tags
         };
     },
 
@@ -55,26 +115,27 @@ module.exports = {
         };
     },
 
-    async fetchTags(models, apiConfig, frame) {
-        debug('fetchTags');
+    async fetchUsers(models, apiConfig, frame) {
+        debug('fetchUsers');
 
-        let tags = [];
+        let users = [];
 
         const keys = [
             'id',
             'slug',
             'name',
-            'url'
+            'url',
+            'profile_image'
         ];
 
         for (let model of models.data) {
-            let tag = await mappers.tags(model, frame);
-            tag = _.pick(tag, keys);
-            tags.push(tag);
+            let user = await mappers.users(model, frame);
+            user = _.pick(user, keys);
+            users.push(user);
         }
 
         frame.response = {
-            tags
+            users
         };
     }
 };

package/core/server/data/schema/schema.js

@@ -135,7 +135,7 @@ module.exports = {
         email: {type: 'string', maxlength: 191, nullable: false, unique: true, validations: {isEmail: true}},
         profile_image: {type: 'string', maxlength: 2000, nullable: true},
         cover_image: {type: 'string', maxlength: 2000, nullable: true},
-        bio: {type: 'text', maxlength: 65535, nullable: true, validations: {isLength: {max: 200}}},
+        bio: {type: 'text', maxlength: 65535, nullable: true, validations: {isLength: {max: 250}}},
         website: {type: 'string', maxlength: 2000, nullable: true, validations: {isEmptyOrURL: true}},
         location: {type: 'text', maxlength: 65535, nullable: true, validations: {isLength: {max: 150}}},
         facebook: {type: 'string', maxlength: 2000, nullable: true},

package/core/server/data/seeders/importers/TagsImporter.js

@@ -21,7 +21,7 @@ class TagsImporter extends TableImporter {
     }
 
     generate() {
-        let name = `${faker.color.human()} ${faker.name.jobType()}`;
+        let name = `${faker.color.human()} ${faker.name.jobType()} ${faker.random.numeric(3)}`;
         name = `${name[0].toUpperCase()}${name.slice(1)}`;
         const threeYearsAgo = new Date();
         threeYearsAgo.setFullYear(threeYearsAgo.getFullYear() - 3);
@@ -30,7 +30,7 @@ class TagsImporter extends TableImporter {
         return {
             id: this.fastFakeObjectId(),
             name: name,
-            slug: `${slugify(name)}-${faker.random.numeric(3)}`,
+            slug: slugify(name),
             description: faker.lorem.sentence(),
             created_at: dateToDatabaseString(faker.date.between(threeYearsAgo, twoYearsAgo)),
             created_by: this.users[faker.datatype.number(this.users.length - 1)].id

package/core/server/services/comments/CommentsService.js

@@ -204,7 +204,7 @@ class CommentsService {
 
         if (!model) {
             throw new errors.NotFoundError({
-                messages: tpl(messages.commentNotFound)
+                message: tpl(messages.commentNotFound)
             });
         }
 
@@ -216,8 +216,9 @@ class CommentsService {
      * @param {string} member - The ID of the Member to comment as
      * @param {string} comment - The HTML content of the Comment
      * @param {any} options
+     * @param {Date} [createdAt] - Optional custom created_at timestamp
      */
-    async commentOnPost(post, member, comment, options) {
+    async commentOnPost(post, member, comment, options, createdAt) {
         this.checkEnabled();
         const memberModel = await this.models.Member.findOne({
             id: member
@@ -239,13 +240,19 @@ class CommentsService {
 
         this.checkPostAccess(postModel, memberModel);
 
-        const model = await this.models.Comment.add({
+        const commentData = {
             post_id: post,
             member_id: member,
             parent_id: null,
             html: comment,
             status: 'published'
-        }, options);
+        };
+
+        if (createdAt) {
+            commentData.created_at = createdAt;
+        }
+
+        const model = await this.models.Comment.add(commentData, options);
 
         if (!options.context.internal) {
             await this.sendNewCommentNotifications(model);
@@ -267,8 +274,9 @@ class CommentsService {
      * @param {string} member - The ID of the Member to comment as
      * @param {string} comment - The HTML content of the Comment
      * @param {any} options
+     * @param {Date} [createdAt] - Optional custom created_at timestamp
      */
-    async replyToComment(parent, inReplyTo, member, comment, options) {
+    async replyToComment(parent, inReplyTo, member, comment, options, createdAt) {
         this.checkEnabled();
         const memberModel = await this.models.Member.findOne({
             id: member
@@ -319,14 +327,20 @@ class CommentsService {
             }
         }
 
-        const model = await this.models.Comment.add({
+        const commentData = {
             post_id: parentComment.get('post_id'),
             member_id: member,
             parent_id: parentComment.id,
             in_reply_to_id: inReplyToComment && inReplyToComment.get('id'),
             html: comment,
             status: 'published'
-        }, options);
+        };
+
+        if (createdAt) {
+            commentData.created_at = createdAt;
+        }
+
+        const model = await this.models.Comment.add(commentData, options);
 
         if (!options.context.internal) {
             await this.sendNewCommentNotifications(model);

package/core/server/services/email-service/email-templates/partials/styles.hbs

@@ -169,6 +169,7 @@ li {
     margin: 0.5em 0;
     padding-left: 0.3em;
     line-height: 1.6em;
+    color: {{#if backgroundIsDark}}#ffffff{{else}}#15212A{{/if}};
 }
 
 dt {

package/core/server/services/media-inliner/ExternalMediaInliner.js

@@ -5,6 +5,7 @@ const errors = require('@tryghost/errors');
 const logging = require('@tryghost/logging');
 const string = require('@tryghost/string');
 const path = require('path');
+const convert = require('heic-convert');
 
 class ExternalMediaInliner {
     /** @type {object} */
@@ -76,11 +77,12 @@ class ExternalMediaInliner {
      */
     async extractFileDataFromResponse(requestURL, response) {
         let extension;
+        let body = response.body;
 
         // Attempt to get the file extension from the file itself
         // If that fails, or if `.ext` is undefined, get the extension from the file path in the catch
         try {
-            const fileInfo = await FileType.fromBuffer(response.body);
+            const fileInfo = await FileType.fromBuffer(body);
             extension = fileInfo.ext;
         } catch {
             const headers = response.headers;
@@ -89,6 +91,23 @@ class ExternalMediaInliner {
             extension = mime.extension(contentType) || extensionFromPath;
         }
 
+        // If the file is heic or heif, attempt to convert it to jpeg
+        try {
+            if (extension === 'heic' || extension === 'heif') {
+                body = await convert({
+                    buffer: body,
+                    format: 'JPEG'
+                });
+
+                extension = 'jpg';
+            }
+        } catch (error) {
+            logging.error(`Error converting file to JPEG: ${requestURL}`);
+            logging.error(new errors.DataImportError({
+                err: error
+            }));
+        }
+
         const removeExtRegExp = new RegExp(`.${extension}`, '');
         const fileNameNoExt = path.parse(requestURL).base.replace(removeExtRegExp, '');
 
@@ -100,7 +119,7 @@ class ExternalMediaInliner {
         }).slice(-248).replace(/^-|-$/, '');
 
         return {
-            fileBuffer: response.body,
+            fileBuffer: body,
             filename: `${fileName}.${extension}`,
             extension: `.${extension}`
         };

package/core/server/services/permissions/can-this.js

@@ -81,9 +81,16 @@ class CanThisResult {
                     // Check api key permissions if they were passed
                     hasApiKeyPermission = true;
                     if (!_.isNull(apiKeyPermissions)) {
-                        // api key request have no user, but we want the user permissions checks to pass
-                        hasUserPermission = true;
-                        hasApiKeyPermission = _.some(apiKeyPermissions, checkPermission);
+                        if (loadedPermissions.user) {
+                            // Staff API key scenario: both user and API key present
+                            // Use USER permissions and ignore API key permissions
+                            hasApiKeyPermission = true; // Allow API key check to pass
+                        } else {
+                            // Traditional API key scenario: API key only, no user
+                            // Use API key permissions as before
+                            hasUserPermission = true;
+                            hasApiKeyPermission = _.some(apiKeyPermissions, checkPermission);
+                        }
                     }
 
                     // Offer a chance for the TargetModel to override the results

package/core/server/services/stats/PostsStatsService.js

@@ -1193,6 +1193,7 @@ class PostsStatsService {
                     'p.title',
                     'p.published_at',
                     'p.feature_image',
+                    'p.status',
                     'emails.email_count',
                     'emails.opened_count'
                 )
@@ -1203,6 +1204,29 @@ class PostsStatsService {
                 .orderBy('p.published_at', 'desc')
                 .limit(limit);
 
+            // Get authors for all posts
+            const postIds = posts.map(p => p.post_id);
+            const authorsData = postIds.length > 0 ? await this.knex('posts_authors as pa')
+                .select('pa.post_id', 'u.name', 'pa.sort_order')
+                .leftJoin('users as u', 'u.id', 'pa.author_id')
+                .whereIn('pa.post_id', postIds)
+                .whereNotNull('u.name')
+                .orderBy(['pa.post_id', 'pa.sort_order']) : [];
+
+            // Group authors by post_id
+            const authorsByPost = {};
+            authorsData.forEach((author) => {
+                if (!authorsByPost[author.post_id]) {
+                    authorsByPost[author.post_id] = [];
+                }
+                authorsByPost[author.post_id].push(author.name);
+            });
+
+            // Add authors to posts
+            posts.forEach((post) => {
+                post.authors = (authorsByPost[post.post_id] || []).join(', ');
+            });
+
             // Get member attribution counts and click counts for these posts
             const [memberAttributionCounts, clickCounts] = await Promise.all([
                 this._getMemberAttributionCounts(posts.map(p => p.post_id), options),
@@ -1227,6 +1251,8 @@ class PostsStatsService {
                     title: post.title,
                     published_at: post.published_at,
                     feature_image: post.feature_image ? urlUtils.transformReadyToAbsolute(post.feature_image) : post.feature_image,
+                    status: post.status,
+                    authors: post.authors,
                     views: row.visits,
                     sent_count: post.email_count || null,
                     opened_count: post.opened_count || null,
@@ -1257,6 +1283,7 @@ class PostsStatsService {
                         'p.title',
                         'p.published_at',
                         'p.feature_image',
+                        'p.status',
                         'emails.email_count',
                         'emails.opened_count'
                     )
@@ -1268,6 +1295,29 @@ class PostsStatsService {
                     .orderBy('p.published_at', 'desc')
                     .limit(remainingCount);
 
+                // Get authors for additional posts
+                const additionalPostIds = additionalPosts.map(p => p.post_id);
+                const additionalAuthorsData = additionalPostIds.length > 0 ? await this.knex('posts_authors as pa')
+                    .select('pa.post_id', 'u.name', 'pa.sort_order')
+                    .leftJoin('users as u', 'u.id', 'pa.author_id')
+                    .whereIn('pa.post_id', additionalPostIds)
+                    .whereNotNull('u.name')
+                    .orderBy(['pa.post_id', 'pa.sort_order']) : [];
+
+                // Group authors by post_id for additional posts
+                const additionalAuthorsByPost = {};
+                additionalAuthorsData.forEach((author) => {
+                    if (!additionalAuthorsByPost[author.post_id]) {
+                        additionalAuthorsByPost[author.post_id] = [];
+                    }
+                    additionalAuthorsByPost[author.post_id].push(author.name);
+                });
+
+                // Add authors to additional posts
+                additionalPosts.forEach((post) => {
+                    post.authors = (additionalAuthorsByPost[post.post_id] || []).join(', ');
+                });
+
                 // Get member attribution counts and click counts for additional posts
                 if (additionalPosts.length > 0) {
                     [additionalMemberAttributionCounts, additionalClickCounts] = await Promise.all([
@@ -1289,6 +1339,8 @@ class PostsStatsService {
                     title: post.title,
                     published_at: post.published_at,
                     feature_image: post.feature_image ? urlUtils.transformReadyToAbsolute(post.feature_image) : post.feature_image,
+                    status: post.status,
+                    authors: post.authors,
                     views: 0,
                     sent_count: post.email_count || null,
                     opened_count: post.opened_count || null,