ref https://linear.app/ghost/issue/PLG-267
- updated delete comment action so it removes comments rather than just updating their status to `'deleted'`
- deleted comments that still have replies have their status updated so the replies remain visible
- matches updated API behaviour where deleted comments are not shown at all
closes https://linear.app/ghost/issue/ENG-1561
- problem: When a free member upgraded to paid, we sometimes did not
capture the subscription attribution data
- cause:
- after checkout, Stripe sends `customer.subscription.created`,
`customer.subscription.updated` and `checkout.session.completed` webhook
events
- we want to create a subscription in our database based on the
`checkout.session.completed` event, as it contains additional data (e.g.
subscription attribution data)
- but, we were sometimes creating a subscription based on a
`customer.subscription.*` event during free → paid upgrades, which did
not contain subscription attribution data
- solution: we now ignore `customer.subscription.*` events until a
member and its related subscription have been created in the database
first, by the `checkout.session.completed` event
ref https://linear.app/ghost/issue/ENG-1851/
- added handling so that jobs run by the job queue can emit events on
completion
- added tests
Events (both node and our DomainEvents lib) must be emitted on the
primary process, so we can't emit these within the worker threads.
Instead, we'll return the necessary data with the job's completion in
the thread message such that the JobQueueManager can emit whatever
events may be needed.
closes https://linear.app/ghost/issue/PLG-297
- we were setting the comment count Admin API browse comments response meta pagination data which will never be correct because it only counts top-level comments for pagination purposes
- we have a public comment counts endpoint that is already fetched, there's no need to override that when using the Admin API because the overall count doesn't change across API's, even when the Admin API includes hidden comments because those don't impact the visible count
- updated test setup so the title and count is shown so it can be asserted against
- updated mocked api to correctly return count of all published comments+replies
https://linear.app/ghost/issue/ENG-1850/
- added cache/memoized the member uuid lookup within the
LinkClickRepository (used by the LinkClickTrackingService)
- added repository tests for the save method which were absent
This one one of a series of options we're testing out in order to smooth
out the surge in requests following a newsletter send. Most of this
activity is due to link checkers, but Ghost still needs to spend time
processing the member lookup to know whether or not it is a valid id,
and memoizing this lookup could significantly improve throughput by
reducing DB contention.
closes https://linear.app/ghost/issue/PLG-273
- removed previous fix which only worked on last comment but not last reply
- keeping track of last comment/reply spread a lot of domain knowledge around for a UI-only concern and wouldn't scale if we have other dropdowns in the future
- added `useOutOfViewportClasses` hook
- accepts an object with top/bottom/right/left containing default and outOfViewPort classes
- applies the correct classes using the DOM rather than React so that we avoid re-renders and associated flickering or broken rendering
no ref
This isn't needed at this time. We're doing some load testing to better
assess what piece is doing the most work, and this config flag lets us
shut off pieces of the redirect flow.
ref https://linear.app/ghost/issue/PLG-296/
When logged in as an Admin, comments-ui switches comment reads from the Members API over to the Admin API so that hidden comments can be displayed to allow moderation activities. However, the Admin API not using member authentication and CORS preventing the front-end members auth cookie being passed over to the Admin API domain meant that the logged-in member's likes were missing when fetching via the Admin API as there is no available reference to the logged in member.
This change works around the problem by introducing an `impersonate_member_uuid` param to the comments read/browse endpoints of the Admin API. When passed, the provided uuid is used to simulate that member being logged in so that likes are correctly shown.
- Introduced `impersonation_member_id` parameter to resolve issues with admin API not returning correct "liked" status for comments when an admin is logged in.
- Updated API endpoints in `comment-replies.js` and `comments.js` to handle `impersonation_member_id`.
- Adjusted `CommentsController` to validate and process the `impersonation_member_id` parameter before passing it to database queries.
- Enhanced test coverage to ensure proper handling of the new parameter and accurate "liked" status behavior.
ref https://github.com/TryGhost/Ghost/pull/21794
- We've now added versioning to all of our endpoints as of pr/21794
- This change updates the stats page to use the new versioned endpoints
- Currently, it's set to a global as all endpoints are on the same
version
- In future we may need this to be an array of versions for each
endpoint, but for now we're keeping it simple
ref https://github.com/TryGhost/Ghost/pull/21794
- This was missed in the PR to add versioning to all the resources - the
endpoints are now different, and the tests don't run
- I've been struggling to deploy out my changes, and part of it is
because this is a wholesale change to having versions, where previously
we didn't
- This change brings the tests into line, so we can be certain that the
new endpoints with the versions work the same as the old
- TODO: really must get CI working for tinybird!
- Previously the script would error out if a resource was missing e.g.
if a deploy had gone wrong
- That meant I frequently had to make further, manual changes
- These updates mean the script only attempts to delete a resource if it
is present
- Each type of resource is listed in an array and iterated over
- note there is no real difference between data and endpoint pipes, but
we need to manage them in order
- This should make the script much much more robust!
Fixes
https://linear.app/ghost/issue/ENG-1010/uploaded-file-permission-security-improvement
- This commit ensures all files uploaded to Ghost via importer are set
with 0644 permissions to improve security.
- Uploaded files previously retained their original permissions, which
could leave them executable.
- This commit prevents files from being inadvertently executable.
REF https://linear.app/ghost/issue/PLG-298/
- When you're typing a comment, and exit the input field, it collapses into a non-editable state; you first have to click on it again to "open" the form. This means you can't select the text or instantly start typing again. When the input has a value, we should stop it from closing.
- added custom `useEditor` hook that wraps TipTap and exposes both the `editor` and `hasContent` props keeping logic out of the consuming components
---------
Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk>
ref https://github.com/TryGhost/Ghost/pull/21788#discussion_r1869802093
- Introduced `setCommentsIsLoading` action to handle the loading state
of comments dynamically.
- Updated `setOrder` function to dispatch the `setCommentsIsLoading`
action, ensuring proper UI feedback during asynchronous operations.
ref https://linear.app/ghost/issue/AP-625/implement-notification-grouping-for-follows-and-likes
- Improved handling for notification clicks of various types: single follower notification opens that follower in the drawer, multiple followers expands the followers list, liked post opens the article in the wide drawer, liked note opens the note in the narrow drawer
- Improved hover and click states for profile names, usernames and avatars. Now it's more obvious what's clickable, and clicking on any of these elements in any context opens that profile in the drawer.
- Created a handleProfileClick utility since we're using it in a lot of places.
- Removed unnecessary types
- Made the HTML structure more semantic
no ref
I've discovered email link checkers appear to be using
falsified/scrambled uuids when testing links for a given site. It's
difficult to check against all sites, so instead we'll log to Sentry to
confirm this is the case.
I've put this behind config because I believe it will create a LOT of
entries, and may burden an already burdened workflow during peak
traffic.
ref https://linear.app/ghost/issue/AP-625/implement-notification-grouping-for-follows-and-likes
- Added basic frontend grouping for Follow and Like notifications, so the page is easier to scan through. For each loaded batch of notifications we check if they can be grouped (all follows get grouped, all likes for a certain post get grouped) and then merge those grouped pages of notifications.
- Improved UI for notifications, with notification type icons for each group.
- Added a utility for truncating text.
closes https://linear.app/ghost/issue/PLG-294
- making the `replied to: [removed]` text a link was a bit confusing because clicking it does nothing
- if the replied-to comment doesn't exist (e.g. hidden/deleted and not returned in API response) or has been unpublished we replace the `<a>` with a `<span>` to remove the link behaviour
no issue
- keeps logic inside `<CommentHeader>` single-purpose
- allows for cleaner code when adding logic to remove the link when the replied-to comment is removed
- switched `queryByText` to `getByText` in the test to make debugging easier, the latter will print the current DOM if it fails to find an element
# Conflicts:
# apps/comments-ui/src/components/content/Comment.tsx
REF https://linear.app/ghost/issue/PLG-284
When clicking on a replied-to reference, you scroll up to the parent comment. To guide the eye, the parent comment is highlighted with a yellow background.
- added `dispatchAction` to the `ActionHandler` function call arguments, allowing actions to call other actions
- added `commentIdToHighlight` app context state and associated `highlightComment` action to set it
- updated `Comment` (and related sub-components) to match `commentIdToHighlight` when rendering to determine whether to apply highlighting of comment contents
- for the highlight, `<mark>` is used to wrap any paragraphs inside the comment contents and appropriate tailwind highlight animation classes applied
- uses the inline `<mark>` element so that background highlight only applies to the text bounding boxes rather than the entire wrapping element
---------
Co-authored-by: Ronald Langeveld <hi@ronaldlangeveld.com>
ref [DES-949](https://linear.app/tryghost/issue/DES-949/177e604501
This adds custom fonts feature allowing users to select heading and body
fonts for their themes from a curated list. This allows publishers to
have more control over their brand, and allows themes to have a wider
range of styles to appeal to different audiences.
Without custom fonts support, themes will continue to work as normal,
but users won't be able to customize their typography. As for the
official themes, all of them will support custom fonts.
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [dompurify](https://redirect.github.com/cure53/DOMPurify) |
dependencies | pin | [`^3.2.2` ->
`3.2.2`](https://renovatebot.com/diffs/npm/dompurify/3.2.2/3.2.2) |
Add the preset `:preserveSemverRanges` to your config if you don't want
to pin your dependencies.
---
### Configuration
📅 **Schedule**: Branch creation - "* * * * 1-5" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/TryGhost/Ghost).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS40Mi40IiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
closes https://linear.app/ghost/issue/ENG-1506
- when uploading a SVG image as staff profile picture, we previously had
a validation against malicious `<script>` tags or `on*` attributes
- this has proven to be unsufficient, as malicious scripts can be added
via other tags (e.g. `<foreignObject>`) and other attributes (e.g.
`xlink:href`)
- we now satinize SVGs using the DOMPurify library during validation
- if the file is invalid and cannot be sanitized, we show an error to
the user
- also added support for sanitizing `.svgz` files
- Currently, stale bot is configured to mark issues as stale after 120 days, and close them 7 days later
- The intent is to close anything 4 months old or more, so setting the timer to 113 days means it accounts for the extra 7
Closes https://linear.app/ghost/issue/ENG-1758/product-row-locking-in-linksubscription-causes-slowness-in-high-signup
- The method used a FOR UPDATE query when fetching the Ghost product despite never updating that row.
- In this case, we're only reading the default product to link it with a subscription - we're not actually modifying the default product itself. The operation is read-only in nature, therefore, the forUpdate lock is unnecessary
- The actual update to the product happens later in the code when we call this._productRepository.update() with the stripe price data, and that operation has its own transaction handling and locking mechanisms
ref DES-1011
- previously, we were hiding the old font settings from the official themes without checking if they support the custom fonts or not
- now we use the gscan warning info to check this — only when there's support, we hide the settings which means users with the older version will get the old settings back
- also added two new tests for this procedure