Ghost Release: 5.111.0

TL;DR

Ghost 5.111.0 introduces important security and user experience improvements, focusing on email validation and internationalization. The update fixes critical issues with the member error display system in Portal and extends email domain blocklist validation to member email updates, not just signups. This release also includes updated German and Turkish translations, enhancing the platform's multilingual support. These changes primarily affect site administrators managing member accounts and international users.

Highlight of the Release

• Fixed Portal not displaying error messages properly when issues occur
• Extended email domain blocklist validation to member email updates, not just new signups
• Updated German translations throughout the platform
• Added missing Turkish translations in the Portal interface

Migration Guide

No migration steps are required for this update. The changes are backward compatible and will be applied automatically after updating to Ghost 5.111.0.

Upgrade Recommendations

This update is recommended for all Ghost installations, especially those that use the email domain blocklist feature to prevent spam signups. The security enhancement for email domain validation during profile updates closes an important security gap, and the fixes to error display in Portal improve the user experience. There are no breaking changes, making this a safe upgrade for all users.

Bug Fixes

Error Display in Portal

• Fixed an issue where Portal wasn't properly firing member-error DOM updates when errors occurred
• Improved error handling and readability in the formSubmitHandler function
• Introduced displayErrorIfElementExists to centralize error message updates
• Enhanced test coverage for various error scenarios including network failures, missing error elements, and non-existent email addresses

Email Domain Validation

• Fixed a security gap where the email domain blocklist was only being checked during member signup but not when members updated their email addresses
• Added logic in MemberController.js to validate email domains against the blocklist from settingsCache before allowing updates
• Enhanced error messaging in Portal's API and actions to return specific errors when a blocked domain is detected
• Added new E2E tests to verify proper blocking of disallowed domains during email updates

New Features

No significant new features were introduced in this release. The changes focus on bug fixes, security improvements, and translation updates.

Security Updates

Email Domain Blocklist Enhancement

• Extended the email domain blocklist validation to member email updates, not just during initial signup
• This closes a security gap where users could potentially bypass domain restrictions by first signing up with an allowed domain and then changing to a blocked domain
• Added comprehensive error handling to ensure users receive clear feedback when attempting to use blocked email domains
• Implemented E2E tests to verify the security of this feature

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

Ghost 5.111.0 delivers important security and user experience improvements. The extension of email domain blocklist validation to member email updates closes a security gap where users could potentially bypass domain restrictions after signup. The fix for Portal's error display system ensures that users receive proper feedback when errors occur during form submissions. These changes, combined with updated German and Turkish translations, create a more secure, user-friendly, and internationally accessible platform. The update is particularly valuable for administrators who rely on domain blocklists to prevent spam accounts and for sites with international audiences.

Full Release Notes