refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9
Because our filtering layer is so coupled to the DB and we don't generally
apply restrictions, it was possible to fetch authors and filter by their
password or email field. Coupled with the "starts with" operator, this can be
used to brute force the first character of these fields by trying random
combinations until an author is included in the filter, after which the next
character can be brute forced, and so on until the data has been leaked
completely.
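As an added illustration (not Ghost's code or its actual fix), the kind of defensive check the advisory implies: reject any authors-endpoint filter that references a sensitive column before it reaches the database. The filter-key extraction below assumes a simplified NQL-style syntax (`key:value` joined by `+` or `,`, values optionally quoted).

```javascript
// Added example, not Ghost's own code: block API filters on sensitive fields.
// Columns that unauthenticated callers must never be able to filter on
// (hypothetical list for this example).
const SENSITIVE_FIELDS = new Set(['password', 'email']);

// Collect the field names used as keys in an NQL-style filter string such as
// "slug:foo+password:~^'a'". Quoted values are skipped so that a colon inside
// a quoted string is not mistaken for a key separator.
function filterKeys(filter) {
    const keys = [];
    let current = '';
    let quote = null;
    for (const ch of filter) {
        if (quote) {
            if (ch === quote) quote = null;
            continue;
        }
        if (ch === '\'' || ch === '"') {
            quote = ch;
            current = '';
            continue;
        }
        if (/[A-Za-z0-9_.]/.test(ch)) {
            current += ch;
        } else if (ch === ':') {
            if (current) keys.push(current);
            current = '';
        } else {
            current = '';
        }
    }
    return keys;
}

// Return the sensitive keys referenced by the filter; an empty array means the
// filter is acceptable. Relation paths such as "roles.name" are reduced to
// their final segment before the check.
function disallowedKeys(filter) {
    return filterKeys(filter).filter(k => SENSITIVE_FIELDS.has(k.split('.').pop()));
}

// Fail closed, the way an API layer should, before the filter hits the DB.
function validateAuthorFilter(filter) {
    const bad = disallowedKeys(filter);
    if (bad.length) {
        throw new Error(`Filtering on ${bad.join(', ')} is not permitted`);
    }
    return true;
}
```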
refs TryGhost/Team#3122
- Fixed that preview takes data from user input before saving on the backend.
---
### 🤖 Generated by Copilot at 54d5b2d
This pull request adds the ability to preview the announcement bar in
the Ghost admin panel and the theme settings. It also adds a
confirmation dialog to discard or save unsaved changes before leaving
the announcement bar settings. It refactors some components and methods
to remove unnecessary or redundant calls to save the settings. It
modifies the `ghost_head` helper, the `theme-management` service, and
the `announcement-bar/src` files to support the preview feature.
https://github.com/TryGhost/Team/issues/3121
- Because the announcement data has to be available with member's context, it's only possible to have it in cross-origin requests in the Members API.
- Exposed the announcement bar data through `GET /members/api/announcement` endpoint
no issue.
- In dark mode the text and the text selection color in the announcement bar's input field were the same. This made the selected text unreadable.
refs https://github.com/TryGhost/Team/issues/3112
- The font color in the announcement input field was not prepared for dark mode.
- The first background swatch had an unwanted border setting.
no issue
After making a change to a post via the bulk action menu, the filter checks if the post should still be included on the page. If not, it is removed.
There were two bugs here:
- Expansions were not applied
- Relation checks were not working because the model was not serialized
Now the posts correctly stay on the page if needed, or are removed if not.
refs https://github.com/TryGhost/Team/issues/3112
- When members features are disabled on the site, there is no point in showing member-specific filters for the announcement bar. The only option available should be to show or not to show the announcement.
refs https://github.com/TryGhost/Team/issues/3010
- Having all possible values within a single package makes it easier to look for the "source of truth" and is more maintainable than having values scattered all over the codebase.
refs https://github.com/TryGhost/Team/issues/2887
Images could sometimes be pasted into the editor (noticed especially with Google Docs) with `data:` URLs rather than typical `https:` URLs. That causes problems because data URLs are large binary blobs that get stored in the `posts` table and passed through many areas of the system that don't expect large binary blobs, causing knock-on effects.
- added handling to our editor's image card to detect when the card is displayed in the editor with a `data:` URL and, if so, convert it to a file and upload it so the image can be stored and displayed the same way as any other image
- handles uploads on both paste and opening a post in the editor that was previously saved with a `data:` URL
We no longer need a reference to the previous version; instead, we can use the
latest revision, which makes it easier to compare "off table" data such as the
feature image caption stored in posts_meta.