-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Assets & Resources URL rules #10477
Comments
refs TryGhost#10477 closes TryGhost#10472 - Adds transformation for any asset absolute URL's into relative used in mobiledoc
We had two bug reports in the last months because we've suddenly stored absolute asset urls in our database. It was caused by transforming incoming absolute asset urls on API layer into relative urls on API layer. We have just forgotten to add a protection for that. It happened once for posts and now for settings (#10590).
The model layer does not protect against storing absolute paths. This needs sorting out asap @gargol |
Regarding Audit: Are there any other resources which have url fields, which could potentially get stored absolute? |
Results of an audit for URL related fields we currently use. Fields without any comments do input/output serialization and transform local absolute URLs into relative ones:
Non DB resources:
Would suggest moving transformation handling for non virtual url-containing fields (marked in bold) into model layer to keep the logic more central. The rest of fields needs discussion/feeback. cc @kirrg001 |
Let's discuss on Monday 👍 |
@kirrg001 think you meant some other issue as the above is linking back to here 😅 |
From #10069 we can see there is not detail in our URL types: When we talk about assets, we mostly mean images served from Ghost, e.g. they start with /content/images/. These are served from Ghost/belong to Ghost, we therefore "own" this URL, and should serve it as relative. When we look at URLs inside of content (and also code injection!): There are also theme assets, which may have a relative path, and be referenced in content. Ghost also owns these assets, but it may be too hard to detect them right now. If possible, they should be served absolute. Additionally, there are external assets, which may have a relative path, and be nothing to do with Ghost. We don't own these URLs, we should not change them. This rule guide needs to take into account what happens:
I know this is an active concern, but reinforcing that I am hitting my head against the lack of clarity in these rules again today. It looks to me like the Once we have the rules set, then I can at least document the rules as they are meant to be, and we can look for places where we are not following it. |
refs TryGhost#10620, refs TryGhost#10477 - editor uploads an image - receives absolute path - inserts into mobiledoc - updates post - server stores relative asset paths - we need to serve absolute asset paths, otherwise editor could mark content as "dirty"
Summary from today:
We tried fixing:
Both did not work 😈 We need a whole new plan! |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Not stale. In progress by @kevinansfield 😉 |
refs TryGhost#10477 The unsaved changes modal is displaying even when the post has been saved if images have been uploaded because the server is transforming absolute image urls to relative during input of the `mobiledoc` field but not transforming them back to absolute during output. The editor then thinks it's out of sync and shows the warning when trying to leave. - `@tryghost/url-utils` has been updated with new methods for transforming URLs in mobiledoc content - moves absolute->relative transformation from the API input serializers into the Post model - transforms URLs in more fields for a more comprehensive transformation and fewer issues when re-configuring a site's domain - previously there could be problems with internal links between posts not being transformed so you could change the url config to newdomain.com but links in post content would still be pointing to olddomain.com - updates the API post output serializers to transform all modified fields - drops the `?absolute_urls=true` param switch from the `canary` API post output serializer so that all URLs are output as absolute - we're transforming more urls to relative when saving so this is necessary to ensure the unsaved changes modal is not triggered - the query param isn't documented and will disappear in v3
refs #10477 The unsaved changes modal is displaying even when the post has been saved if images have been uploaded because the server is transforming absolute image urls to relative during input of the `mobiledoc` field but not transforming them back to absolute during output. The editor then thinks it's out of sync and shows the warning when trying to leave. - `@tryghost/url-utils` has been updated with new methods for transforming URLs in mobiledoc content - moves absolute->relative transformation from the API input serializers into the Post model - transforms URLs in more fields for a more comprehensive transformation and fewer issues when re-configuring a site's domain - previously there could be problems with internal links between posts not being transformed so you could change the url config to newdomain.com but links in post content would still be pointing to olddomain.com - updates the API post output serializers to transform all modified fields - drops the `?absolute_urls=true` param switch from the `canary` API post output serializer so that all URLs are output as absolute - we're transforming more urls to relative when saving so this is necessary to ensure the unsaved changes modal is not triggered - the query param isn't documented and will disappear in v3
Sorry for random rambling, but I don't understand why Ghost must serve assets as absolute urls? Themes serve their internal assets (js/css/images) relative, and it works just fine. I can see many issues referred in this issue being caused by transforming between relative and absolute urls. What would be the issue, if everything served by Ghost would be relative, and there were zero transformations between layers? Thanks for your good work, eagerly waiting 3️⃣.0️⃣ to arrive 🚚 |
@sampumon Relative URLs won't work if the content is being served under completely different domain. To give one example of why: Ghost is a headless CMS. It should support a very basic case for static site generators being pure consumers of data from whatever domain the static site is running on 😃 |
@kevinansfield do you think we need to keep this issue around or want to reuse it for future work when optimizing how the relative->absolute->relative transformations work? |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This is actually the other way around in many cases. In a production environment, you surely do not want any of the admin sections available, Absolute URLs, as a result, will point to a protected or non-existing domain and return a 404 or timeout. I want to use static generators so we don't have to expose the back end. It is bad practice to force URLs in relative or absolute mode. |
Context
Ghost deals with different types of URL:
At the moment Ghost treats all 4 of these the same. They are all returned as absolute by default sinse API v2.
Assets
Assets that are served by Ghost, i.e. anything that has a path that starts with {subdir}/content/images/... needs to always be an absolute URL. The file was uploaded to Ghost, it will be served from Ghost. All assets MUST always be served as an absolute URL from any API. This means that any content/images url should appear absolute anywhere other than in the DB.
Long term, we should either use a separate API endpoint, or treat
/content/images
as an API endpoint. URLs for assets shouldn’t change.Resource URLs & Relative Paths
Resource URLs also need to appear absolute via the API by default. Right now the url helper in Ghost takes care of changing this back for the one case (Ghost themes).
Paths in content should not be manipulated unless specifically requested. The
absolute_urls=true
flag should be reinstated to cover just this case.Fixes needed to conform to rules above
mobiledoc
/html
Absolute paths inhtml
field #10472The text was updated successfully, but these errors were encountered: