forked from TryGhost/Ghost
2.x #1
hoaivan wants to merge 1,189 commits into hoaivan:master from TryGhost:2.x
no-issue When installing new packages yarn sorts them alphabetically, this meant that installing/updating packages would have extra changes which would be noisy either to developers or the git history.
no-issue
* Installed @tryghost/members-ssr@0.4.0
  This now supports caching of the data returned by the members-api
* Renamed cookies set by members-ssr
  As discussed with @ErisDS I have prefixed these cookies with `ghost`

refs #10496
- currently {{asset this/is/not/a.string}} would throw a 500 error
- this commit changes that to make it throw a sensible 400 + incorrect usage error

refs #10496
- handlebars if and unless helpers throw weird, unhelpful syntax errors
- for now, catch these errors and do something helpful with them

no issue
- @tryghost/url-utils was bumped to 0.3.1 which fixed admin redirects returning relative rather than absolute URLs
- updates tests that were expecting relative URLs rather than absolute URLs

no issue
- 1.3.1 is breaking the oembed regression tests

no issue
- when too many login attempts were detected for the `/private/` form we were throwing 500 errors instead of the more appropriate 429 error that we use everywhere else for "too many request" type errors

…min url (#11098)
closes #11078
Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint was causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests, this means allowing all requests on `/private/` is not enough
Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
  - same-origin (browsers and non-browser agents will not send an `Origin` header)
  - origin is `localhost` or `127.0.0.1` with any protocol and port
  - origin matches the configured `url` hostname+port on any protocol
  - origin matches the configured `admin:url` hostname+port on any protocol

no-issue This is so that developers can conditionally render state based on if the request is currently in progress
no-issue
no-issue This fixes a problem where the click event is fired from a child of the element
no-issue This now allows for an element with the data-members-error to be added as the child of a data-members-form or data-members-plan and will be populated with the error message when appropriate.
no-issue This will cause the session to be destroyed when clicking on element with data-members-signout attr
no-issue This _should_ stop double firing of API requests
no-issue This simplifies the @member prop in themes, and includes a subscribed property
no-issue This improves the logging of errors when sending magic link.
no-issue This makes it easier to test locally when mail config hasn't been set up
no issue - This allows to bump gscan version in the future without breaking changes. The rule set will stay the same across versions
no-issue Our function for determining cors options created a new instance of URL without wrapping it in a try/catch which meant any failures to parse the URL bubbled down as a 500 error. 500 errors are commonly used for alerting at the infrastructure level, and this error is definitely one caused by a badly configured client, so we wrap the construction and crap out with a Bad Request Error (HTTP 400) if it fails.
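
The origin rules listed in the `cors` commit above, together with this fix that turns an unparseable `Origin` header into a 400 rather than a 500, can be sketched as follows. This is an added example, not Ghost's code: `corsOptionsFor`, `corsOptionsDelegate`, `BadRequestError` and the `config` shape (`url`, `adminUrl`) are hypothetical names.

```javascript
// Added illustration; all names here are hypothetical, not taken from Ghost.
class BadRequestError extends Error {
    constructor(message) {
        super(message);
        this.statusCode = 400;
    }
}

// URL.host is hostname plus any non-default port, so the scheme is ignored.
const hostOf = value => new URL(value).host;

function corsOptionsFor(originHeader, config) {
    // No Origin header: same-origin browser request or a non-browser agent.
    if (!originHeader) {
        return {origin: true};
    }
    let origin;
    try {
        origin = new URL(originHeader);
    } catch (err) {
        // A malformed header is the client's fault: answer 400, never 500.
        throw new BadRequestError(`Invalid Origin header: ${JSON.stringify(originHeader)}`);
    }
    if (origin.hostname === 'localhost' || origin.hostname === '127.0.0.1') {
        return {origin: true};
    }
    const allowedHosts = [config.url, config.adminUrl].filter(Boolean).map(hostOf);
    return {origin: allowedHosts.includes(origin.host)};
}

// Shape accepted by the `cors` package's dynamic options form: cors(delegate).
function corsOptionsDelegate(config) {
    return (req, callback) => {
        try {
            callback(null, corsOptionsFor(req.headers.origin, config));
        } catch (err) {
            callback(err);
        }
    };
}
```

Comparing the parsed `host` instead of matching a substring is what keeps an origin such as `https://blog.example.com.evil.test` from being treated as the site itself.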
no-issue This was a local change that got forgotten in the previous cherrypick
refs #10679
- this was a regression introduced after extracting our url-utils package
- `urlUtils.htmlRelativeToAbsolute(html)` will return `null` rather than an empty string if `html` is explicitly passed in as `null`

refs #10471
- Allow page resource endpoints to accept HTML source. This behavior is the same as the post's resource introduced with e9ecf70ff7372f395b8917340805148bc764e2ef
- The functionality was most likely missed when post split into posts & pages was happening.
- Added symmetric changes to API v2.

…oint
no issue
- backports security fixes implemented in 477393967 from v3 endpoint in Ghost 3.x to the v2 and v0.1 endpoints

refs 5efef45
- v0.1 oembed endpoint supported schemaless URLs according to the tests so support was added to the endpoint
- updated the tests to use a valid oembed response
- updated the tests to expect a validation error rather than an internal server error when the remote endpoint is not available

no issue
- we were using the `Ghost` user agent when making the initial page request but not when making a subsequent rel="alternate" oembed request
- added a 2sec timeout to the rel="alternate" oembed request to match the initial page request

back-ported from 64ed246
- added an `externalRequest` lib
- uses same underlying `got` module as our `request` lib
- uses `got`'s `beforeRequest` and `beforeRedirect` hooks to perform its own dns resolution for each url that's encountered and aborts with an error if it resolves to a private IP address block
- includes a bypass for Ghost's configured url so that requests to its own hostname+port are not blocked
- updated v0.1, v2 and canary oembed controllers to use the `externalRequest` lib
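
The check that the `externalRequest` commit describes (resolve the hostname, refuse private address blocks, bypass the site's own hostname+port) is sketched below as an added example. It is not Ghost's implementation: every name is hypothetical, and `lookup` is assumed to behave like `dns.promises.lookup(hostname, {all: true})`.

```javascript
// Added illustration; all names are hypothetical, this is not Ghost's externalRequest lib.
const PRIVATE_V4 = [
    ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
    ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]
];
const v4ToInt = ip => ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);

function isPrivateAddress(ip) {
    const addr = ip.toLowerCase();
    const mapped = addr.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    const v4 = mapped ? mapped[1] : addr;
    if (/^\d+\.\d+\.\d+\.\d+$/.test(v4)) {
        const n = v4ToInt(v4);
        return PRIVATE_V4.some(([base, bits]) => {
            const size = 2 ** (32 - bits);
            return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
        });
    }
    if (addr.startsWith('::ffff:')) {
        return true; // hex-form IPv4-mapped address: fail closed
    }
    // IPv6 unspecified, loopback, unique-local fc00::/7, link-local fe80::/10
    return addr === '::' || addr === '::1' ||
        /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// Pure decision step: the URL plus the addresses its hostname resolved to.
function checkExternalUrl(url, addresses, siteUrl) {
    // Bypass: the site's own hostname+port is never blocked.
    if (siteUrl && new URL(url).host === new URL(siteUrl).host) {
        return {allowed: true, reason: 'own site'};
    }
    const bad = addresses.find(isPrivateAddress);
    if (addresses.length === 0 || bad) {
        return {allowed: false, reason: bad ? `private address ${bad}` : 'no addresses'};
    }
    return {allowed: true, reason: 'public'};
}

// Call from both the beforeRequest and beforeRedirect hooks so every hop is checked.
// `lookup` is assumed to behave like dns.promises.lookup(hostname, {all: true}).
async function guardUrl(url, lookup, siteUrl) {
    const records = await lookup(new URL(url).hostname, {all: true});
    const verdict = checkExternalUrl(url, records.map(r => r.address), siteUrl);
    if (!verdict.allowed) {
        throw new Error(`Blocked external request to ${url}: ${verdict.reason}`);
    }
}
```

A check like this only holds if the connection is made to the address that was checked; if the HTTP client resolves the name a second time, a DNS answer that changes between the two lookups slips past it.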

no issue
- removed unused environment variables
- hardcoded Node v10 as this is what 2.x supports
- removed extra git line that is now a feature of the checkout Action

no refs
- prevents redirect to external sites after providing private site password

Credits: https://github.com/max-schaefer
Got some code for us? Awesome 🎊!
Please include a description of your change & check your PR against this list, thanks!
`yarn test` and `yarn lint`)
More info can be found by clicking the "guidelines for contributing" link above.