Ghost Release: 2.25.9

Tag Name: 2.25.9

Release Date: 7/23/2019

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost 2.25.9: CORS Error Handling & User Management Fixes

This minor release addresses critical CORS issues in both Admin and Content APIs, ensuring proper error handling for cross-origin requests. It also fixes a bug that prevented site owners from changing other users' passwords. Additionally, the release includes improvements to the members service, adds global site SEO fields to the Admin API, and updates several dependencies for better security and performance.

Highlights of the Release

  • Fixed CORS error handling in both Admin and Content APIs
  • Restored ability for owners to change passwords of other users
  • Added global site SEO fields to Admin API and Content API
  • Refactored members service for better logging and error handling
  • Updated several dependencies including archiver, gscan, and lodash

Migration Guide

No specific migration steps are required for this update. The changes are backward compatible and should not affect existing installations.

For developers working with custom implementations that interact with the members service, note that the service has been refactored to use a getter pattern for accessing the membersApi. This change should be transparent to most implementations but might require adjustments if you're directly accessing the members service internals.

Upgrade Recommendations

This release contains important bug fixes for CORS handling and user management, along with security updates through dependency upgrades.

Recommendation: All Ghost installations should be updated to version 2.25.9, especially if you:

  • Use the Admin or Content APIs from external domains (CORS)
  • Have multiple administrators and need to manage user passwords
  • Utilize the members functionality
  • Need global SEO settings management

The update process follows the standard Ghost upgrade procedure and should be straightforward with no breaking changes.

Bug Fixes

CORS Error Handling

Previously, CORS headers were only applied to preflight requests in both the Admin and Content APIs. This meant that when an error occurred during a request, the CORS headers would not be applied to the error response. As a result, client applications couldn't read the error details due to browser security restrictions.

This release fixes this issue by applying CORS middleware to all requests to both APIs, ensuring that proper CORS headers are always included, even in error responses.
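The difference between the two behaviours, as an added example that is not Ghost's own code: a minimal middleware pipeline run once with CORS headers applied only on preflight and once on every request, followed by the check a browser performs before exposing a response to a cross-origin script. The names `ALLOWED`, `cors`, `handle`, `visibleToScript` and `demo`, and the `.example` origins, are constructed for illustration.

```javascript
// Added example: a toy middleware pipeline, not Ghost's implementation.
const ALLOWED = new Set(['https://app.example']); // constructed allow-list

// CORS middleware: echoes the origin back only when it is allow-listed.
function cors(req, res) {
  const origin = req.headers.origin;
  res.headers['Vary'] = 'Origin'; // keep caches from mixing origins
  if (origin && ALLOWED.has(origin)) {
    res.headers['Access-Control-Allow-Origin'] = origin;
  }
}

// Route handler that fails, standing in for any API error.
function failingHandler() {
  const err = new Error('Validation failed');
  err.statusCode = 422;
  throw err;
}

// Runs one request through the pipeline. corsOn is 'preflight' (the
// behaviour before the fix) or 'all' (the behaviour after it).
function handle(req, corsOn) {
  const res = { status: 200, headers: {}, body: null };
  try {
    if (corsOn === 'all' || req.method === 'OPTIONS') cors(req, res);
    if (req.method === 'OPTIONS') { res.status = 204; return res; }
    failingHandler(req, res);
  } catch (err) {
    // Error handler: headers set earlier in the pipeline survive.
    res.status = err.statusCode || 500;
    res.body = { errors: [{ message: err.message }] };
  }
  return res;
}

// What the browser hands to a cross-origin script: the response if the
// Access-Control-Allow-Origin header matches, otherwise nothing.
function visibleToScript(res, origin) {
  const acao = res.headers['Access-Control-Allow-Origin'];
  if (acao === origin || acao === '*') return { status: res.status, body: res.body };
  return null; // fetch() rejects with an opaque network error
}

// Sends a failing cross-origin POST and returns what the client can read.
function demo(origin, corsOn) {
  const req = { method: 'POST', headers: { origin } };
  return visibleToScript(handle(req, corsOn), origin);
}
```

With `'preflight'` the allow-listed client gets `null` for the 422 response; with `'all'` it can read the status and error body, while an origin outside the allow-list still gets `null`.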

Owner Password Management

A previous fix for allowing owners to change other users' passwords wasn't working correctly due to validation issues. The validation layer in the "frame" wasn't considering the required property of the controller. This release properly fixes the issue by removing the entire required key/value pair, allowing site owners to change passwords for other users as intended.

New Features

Global Site SEO Fields

Ghost now provides global SEO fields through both the Admin and Content APIs. These fields follow the same structure as post SEO fields and are accessible via:

  • Admin API: /settings endpoint now includes SEO-related fields
  • Content API: /settings endpoint now includes the SEO data
  • Theme templates: The {{@site.*}} helper now exposes these SEO fields

This enhancement allows for better site-wide SEO management and customization.

Improved Members Service

The members service has been refactored to provide:

  • Better logging through integration with Ghost's common logging system
  • Dynamic access to the membersApi instance
  • Ability to reconfigure settings and create new instances when needed
  • Improved error handling and reporting

Security Updates

Dependency Updates

Several dependencies have been updated to their latest versions, addressing potential security vulnerabilities:

  • Updated lodash to v4.17.15
  • Updated archiver to v3.0.3
  • Updated multer to v1.4.2
  • Updated gscan to v2.6.4

These updates ensure that Ghost remains secure against known vulnerabilities in these dependencies.

Performance Improvements

Development Workflow Improvements

  • Added the frontend folder to the watch task, ensuring that grunt dev properly restarts when changes are made to the frontend
  • Removed unused documentation-related Grunt tasks
  • Deleted the unused PostgreSQL module, reducing the codebase size

These changes help streamline the development workflow and reduce unnecessary code.

Impact Summary

Ghost 2.25.9 is a maintenance release that addresses several important issues while adding useful enhancements. The CORS fixes ensure that client applications can properly handle errors from both APIs, which is critical for frontend applications that interact with Ghost. The fix for owner password management restores an important administrative capability.

The addition of global SEO fields enhances Ghost's SEO capabilities, allowing for better site-wide optimization. The members service refactoring improves error handling and logging, which will help diagnose issues more effectively.

This release also includes several dependency updates that address potential security vulnerabilities, ensuring that Ghost remains secure against known threats.

Overall, this is a recommended update for all Ghost installations, providing important fixes and enhancements with minimal risk of disruption.

Full Release Notes

  • 🐛 Fixed ability for the owner to change the password of other users - Nazar Gargol
  • 🐛 Fixed CORS for errors from v2 Admin and Content APIs - Fabien O'Carroll

You can see the full change log for the details of every change included in this release.

Statistics:

  • Files Changed: 62
  • Line Additions: 478
  • Line Deletions: 290
  • Line Changes: 768
  • Total Commits: 20

Users Affected:

  • Can now properly change passwords for other users
  • Have access to new global site SEO fields in the Admin API
  • Will experience improved CORS error handling in the Admin API

Contributors:

  • allouis
  • naz
  • ErisDS
  • renovate-bot
  • aileen
  • kevinansfield