ref ONC-225
- Ensures newsletter preferences are hidden in the Portal when email functionality is disabled.
- Adds conditional logic in NewsletterManagement.js to check for the hasNewslettersEnabled prop.
- Updates tests in AccountEmailPage.test.js and AccountHomePage.test.js to cover scenarios where newsletters are disabled.
- Improves user experience by preventing the display of irrelevant settings when email is turned off.
ref https://linear.app/ghost/issue/AP-633/reader-view-customization-options, https://linear.app/ghost/issue/AP-631/estimated-reading-time-in-reader-view
- Improved typography, spacing and alignment.
- Improved selection of font sizes from the reader view customization popover.
- Added a button to reset reader view customization settings to default, in case user ends up in a state they’re not happy with and want to go back to a sensible default.
- Added preview to typeface selection component so it’s easier to see what you’re selecting.
- Disabled background clicks on all AP modals for a more consistent experience and to avoid accidental clicks.
- Changed the reading progress indicator increments from 1 to 5 to attract less attention while the user is reading.
no issue
- contains two edge-case bug fixes, one related to pagination when deleting a comment and another that works around issues arising from potentially unstable API sorting
closes https://linear.app/ghost/issue/PLG-305
- adds deduplication of comments when fetching top-level pages
- avoids problems where the underlying sort is unstable (e.g. "best" as likes are changing) resulting in an already loaded comment appearing on a later-loaded page
- doesn't solve for missing comments between pages but does prevent invalid local state that can lead to buggy UI
closes https://linear.app/ghost/issue/PLG-304
- added a refresh of the comments list when a top-level comment with no replies is deleted so the pagination resets and replies aren't missed when loading more due to a shift in the underlying paginated data
no issue
- contains two minor bug fixes for edit name/expertise buttons on the main form and incorrect replies-left-to-load counts after deleting replies
closes https://linear.app/ghost/issue/PLG-303
- when deleting a reply our "replies left" calculation was getting out of sync because the `count.replies` state on the parent comment wasn't being updated, the result was for each comment deleted we were displaying 1 more reply that was still to load
- updated the `deleteComment` action to also modify the parent comment's `count.replies` value when a reply was deleted ensuring our "replies left" calculation remains correct
closes https://linear.app/ghost/issue/PLG-302
- switching from `onClick` to `onMouseDown` allows the button events to fire and be picked up by the popup-opening handler before the click causes a blur event on the main form to fire which removes the expertise buttons
- we have a test for adding expertise via the main form which was giving us a false positive due to the way Playwright handles events, unfortunately I couldn't find a way to adjust that to match the real-world behaviour without ending up with a test that always fails
ref https://linear.app/ghost/issue/DES-1033/icon-implementation
The Storybook structure contained Lucide icons under "Components", but
it's an experimental component. This commit creates an Experimental
component group in Shade and updates the corresponding docs.
closes https://linear.app/ghost/issue/DES-1033/icon-implementation
In Shade right now there's no support for icons, which is a fundamental
building block in any design system. We use Streamline Icons which
unfortunately don't have an out-of-the-box React support like e.g.
Lucide Icons. This PR adds support for custom icons to be used directly
from Shade by importing SVG's from a directory and creating React
components dynamically. It also adds a grid view of all available icons
in Storybook so it's easy to get an overview of available icons and copy
their React component.
Fixes https://linear.app/ghost/issue/ENG-1855/fix-reset-password-flow-in-case-of-2fa
- User is getting stuck on reset password page and they receive a verify token on the mail and nothing happens on the UI.
- This is happening because the session is not verified in the case of the reset password flow. The backend is sending a code to verify the session, but we don't have the UI in place where the user can enter the code.
- Previously, the user would be redirected to the dashboard once they clicked on "Save new password."
- Now when 2FA is on, we should directly redirect to the dashboard as the reset password link was sent to the email address anyway. This is why we are creating an already verified session in this case.
ref DES-1012
- previously, when a member was deleted, they were displayed with an
avatar initial `NM`, the name was empty, and their list item wasn't
clickable, which led to user confusion
- now it's much clearer with a placeholder avatar and `Deleted member`
as name
ref
https://linear.app/ghost/issue/DES-1020/create-new-react-app-for-shade
Shade is our new design system that follows React best practices and
leverages third-party libraries extensively. It's built on ShadCN/UI
which is one of the most popular React UI libraries today. This commit
adds an (almost) empty React app, set up to be the a starting point of
Shade.
ref
https://linear.app/ghost/issue/CON-3/external-media-inliner-should-inline-more-file-types
The external media inliner requests each file as a buffer. Saving this
works well for images, but not media or files as the `saveRaw` method is
not available on those storage adapters.
This PR moves the `saveRaw` method from `LocalImagesStorage` to
the `LocalStorageBase` class so it is available to subclasses.
ref https://linear.app/ghost/issue/PLG-267
- updated delete comment action so it removes comments rather than just updating their status to `'deleted'`
- deleted comments that still have replies have their status updated so the replies remain visible
- matches updated API behaviour where deleted comments are not shown at all
closes https://linear.app/ghost/issue/ENG-1561
- problem: When a free member upgraded to paid, we sometimes did not
capture the subscription attribution data
- cause:
- after checkout, Stripe sends `customer.subscription.created`,
`customer.subscription.updated` and `checkout.session.completed` webhook
events
- we want to create a subscription in our database based on the
`checkout.session.completed` event, as it contains additional data (e.g.
subscription attribution data)
- but, we were sometimes creating a subscription based on a
`customer.subscription.*` event during free → paid upgrades, which did
not contain subscription attribution data
- solution: we now ignore `customer.subscription.*` events until a
member and its related subscription have been created in the database
first, by the `checkout.session.completed` event
ref https://linear.app/ghost/issue/ENG-1851/
- added handling so that jobs run by the job queue can emit events on
completion
- added tests
Events (both node and our DomainEvents lib) must be emitted on the
primary process, so we can't emit these within the worker threads.
Instead, we'll return the necessary data with the job's completion in
the thread message such that the JobQueueManager can emit whatever
events may be needed.
closes https://linear.app/ghost/issue/PLG-297
- we were setting the comment count Admin API browse comments response meta pagination data which will never be correct because it only counts top-level comments for pagination purposes
- we have a public comment counts endpoint that is already fetched, there's no need to override that when using the Admin API because the overall count doesn't change across API's, even when the Admin API includes hidden comments because those don't impact the visible count
- updated test setup so the title and count is shown so it can be asserted against
- updated mocked api to correctly return count of all published comments+replies
https://linear.app/ghost/issue/ENG-1850/
- added cache/memoized the member uuid lookup within the
LinkClickRepository (used by the LinkClickTrackingService)
- added repository tests for the save method which were absent
This one one of a series of options we're testing out in order to smooth
out the surge in requests following a newsletter send. Most of this
activity is due to link checkers, but Ghost still needs to spend time
processing the member lookup to know whether or not it is a valid id,
and memoizing this lookup could significantly improve throughput by
reducing DB contention.
closes https://linear.app/ghost/issue/PLG-273
- removed previous fix which only worked on last comment but not last reply
- keeping track of last comment/reply spread a lot of domain knowledge around for a UI-only concern and wouldn't scale if we have other dropdowns in the future
- added `useOutOfViewportClasses` hook
- accepts an object with top/bottom/right/left containing default and outOfViewPort classes
- applies the correct classes using the DOM rather than React so that we avoid re-renders and associated flickering or broken rendering
no ref
This isn't needed at this time. We're doing some load testing to better
assess what piece is doing the most work, and this config flag lets us
shut off pieces of the redirect flow.
ref https://linear.app/ghost/issue/PLG-296/
When logged in as an Admin, comments-ui switches comment reads from the Members API over to the Admin API so that hidden comments can be displayed to allow moderation activities. However, the Admin API not using member authentication and CORS preventing the front-end members auth cookie being passed over to the Admin API domain meant that the logged-in member's likes were missing when fetching via the Admin API as there is no available reference to the logged in member.
This change works around the problem by introducing an `impersonate_member_uuid` param to the comments read/browse endpoints of the Admin API. When passed, the provided uuid is used to simulate that member being logged in so that likes are correctly shown.
- Introduced `impersonation_member_id` parameter to resolve issues with admin API not returning correct "liked" status for comments when an admin is logged in.
- Updated API endpoints in `comment-replies.js` and `comments.js` to handle `impersonation_member_id`.
- Adjusted `CommentsController` to validate and process the `impersonation_member_id` parameter before passing it to database queries.
- Enhanced test coverage to ensure proper handling of the new parameter and accurate "liked" status behavior.
ref https://github.com/TryGhost/Ghost/pull/21794
- We've now added versioning to all of our endpoints as of pr/21794
- This change updates the stats page to use the new versioned endpoints
- Currently, it's set to a global as all endpoints are on the same
version
- In future we may need this to be an array of versions for each
endpoint, but for now we're keeping it simple
ref https://github.com/TryGhost/Ghost/pull/21794
- This was missed in the PR to add versioning to all the resources - the
endpoints are now different, and the tests don't run
- I've been struggling to deploy out my changes, and part of it is
because this is a wholesale change to having versions, where previously
we didn't
- This change brings the tests into line, so we can be certain that the
new endpoints with the versions work the same as the old
- TODO: really must get CI working for tinybird!
- Previously the script would error out if a resource was missing e.g.
if a deploy had gone wrong
- That meant I frequently had to make further, manual changes
- These updates mean the script only attempts to delete a resource if it
is present
- Each type of resource is listed in an array and iterated over
- note there is no real difference between data and endpoint pipes, but
we need to manage them in order
- This should make the script much much more robust!
Fixes
https://linear.app/ghost/issue/ENG-1010/uploaded-file-permission-security-improvement
- This commit ensures all files uploaded to Ghost via importer are set
with 0644 permissions to improve security.
- Uploaded files previously retained their original permissions, which
could leave them executable.
- This commit prevents files from being inadvertently executable.