Ghost Release: 0.5.0 RC1

TL;DR

Ghost 0.5.0-rc1 introduces a major multi-user system with roles and permissions, allowing teams to collaborate on content creation with different access levels. This release transforms Ghost from a single-user blogging platform to a full-featured publishing platform with author pages, role-based access controls, and improved user management. The update also includes significant performance improvements, security enhancements, and a more robust admin interface.

This release candidate is for testing purposes only and should not be used in production environments.

Highlight of the Release

• Introduction of multi-user system with roles (Owner, Administrator, Editor, Author)
• Role-based permissions controlling access to content and settings
• Author pages on the frontend with dedicated URLs and RSS feeds
• User management interface with invitation system
• Ability to transfer blog ownership
• Improved admin UI with keyboard navigation for posts
• Enhanced security with XSS prevention and spam protection

Migration Guide

Upgrading to Ghost 0.5.0

1. Backup your data: Before upgrading, create a full backup of your Ghost installation, including the database.

2. Database Migration: This version includes schema changes that will be automatically applied when you first run the new version:

   • New columns added to tags table
   • New active field added to app_fields
   • Changes to user roles and permissions tables

3. Template Changes: If you're using a custom theme, be aware of these changes:

   • Author pages are now available at /author/:slug/
   • Author information is now accessible in templates
   • Email addresses are no longer exposed in the frontend
   • New helpers available: {{title}} and {{plural}}
   • Optional home.hbs template support

4. API Changes:

   • The user API now supports filtering by role and status
   • New endpoints for roles and ownership transfer
   • Changes to how user roles are handled in requests

5. Production Mode: This release candidate only works in production mode. Use:

   npm install --production
   npm start --production
   

6. Multi-User Setup: After upgrading, the original user will become the Owner. You can then invite additional users with different roles through the user management interface.

Upgrade Recommendations

This is a release candidate intended for testing purposes only. It should not be used in production environments.

For those wanting to test the new multi-user functionality:

1. Create a separate test installation rather than upgrading your production site
2. Test thoroughly, especially if you rely on custom themes or plugins
3. Report any issues on the GitHub issue tracker

When the final 0.5.0 release is available, a full upgrade will be recommended for all Ghost users as it contains significant improvements to functionality, security, and performance.

If you do test this release candidate, pay special attention to:

• User role permissions and access controls
• Author pages and frontend display
• Custom theme compatibility with new author features
• Invitation system and user management

Bug Fixes

User Experience

• Fixed duplicate slug requests when saving new posts
• Fixed validation error notifications from stacking
• Corrected meta_title for author pages
• Fixed issues with user invitations and resending invitations
• Prevented duplicate notifications after setup
• Fixed incorrect error messages during signin

API and Data

• Fixed editing author in posts
• Fixed file validation for importer
• Made importer more robust for tags with empty data
• Fixed check for using default cover image
• Corrected parent_id/parent field inconsistency
• Fixed lazy loading of settings

Authentication

• Fixed session handling when OAuth token expires
• Improved error handling for forgotten password
• Enhanced spam prevention with configurable rate limiting

New Features

Multi-User System

• Implemented role-based permissions with four roles: Owner, Administrator, Editor, and Author
• Added user invitation system with email notifications
• Created author pages with dedicated URLs and RSS feeds
• Implemented role-specific access controls throughout the admin interface

User Management

• New user invitation system with HTML email templates
• Ability to transfer blog ownership to another user
• Role assignment dropdown in user settings
• Filtering users by role in the admin interface
• Deletion of users and their associated content

Admin Interface Improvements

• Keyboard navigation for posts (up/down arrows)
• Post author selection dropdown in post settings
• Pagination for users management screen
• Role labels for users in the admin interface
• Automatic redirects based on user role permissions

Template Enhancements

• New {{title}} helper for generating page titles
• New {{plural}} helper for handling singular/plural text
• Support for home.hbs template file
• Author helpers for generating author links and pages

Security Updates

Authentication and Authorization

• Added XSS prevention with Google-Caja sanitizer
• Enhanced spam prevention with configurable rate limiting
• Improved access token handling for exports
• Hidden access tokens in admin interface using iFrames
• Updated refresh token expiry handling

User Permissions

• Implemented proper permission checks for user management actions
• Added role-based access controls throughout the application
• Restricted access to settings pages based on user role
• Prevented authors from accessing debug page and other restricted areas

Performance Improvements

Admin Interface

• Optimized Ember admin interface for production use
• Bundled third-party libraries into vendor.min.js
• Bundled Ghost's Ember app and templates into ghost.min.js
• Removed all fixture data and code from the client
• Prevented duplicate API calls when loading posts

Database and API

• Improved handling of database configuration
• Refactored fixture use in tests for faster test execution
• Added caching for database configuration in migration utilities
• Optimized API responses with automatic includes for related data

Impact Summary

Ghost 0.5.0-rc1 represents a transformative update that evolves Ghost from a single-user blogging platform to a collaborative publishing platform. The introduction of a comprehensive multi-user system with role-based permissions (Owner, Administrator, Editor, Author) enables teams to work together with appropriate access controls.

The most significant impact is the new ability to have multiple contributors with different permission levels. Owners and Administrators have full access, Editors can manage all content but have limited settings access, and Authors can only manage their own content. This role-based system extends throughout the application, affecting what users can see and do in the admin interface.

On the frontend, author pages provide dedicated spaces for each contributor, complete with their own URLs and RSS feeds. This enhances content discovery and attribution while maintaining privacy by removing email addresses from the frontend.

The admin interface has been optimized for production use with bundled JavaScript files and improved performance. New features like keyboard navigation for posts, pagination for user management, and enhanced error handling improve the overall user experience.

Security has been strengthened with XSS prevention, improved token handling, and configurable spam protection. The codebase has undergone significant refactoring to support these new features while maintaining performance.

This release candidate marks a major milestone in Ghost's evolution as a publishing platform suitable for teams and organizations.

Full Release Notes