Merge pull request TryGhost#6042 from sebgie/disable-pages

Disallow staticPages from public API
ErisDS · Nov 4, 2015 · eb3cce0 · eb3cce0
2 parents 63d353d + ddf9874
commit eb3cce0
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/core/server/api/posts.js b/core/server/api/posts.js
@@ -36,10 +36,17 @@ posts = {
      * @returns {Promise<Posts>} Posts Collection with Meta
      */
     browse: function browse(options) {
-        var extraOptions = ['status', 'staticPages'],
-            permittedOptions = utils.browseDefaultOptions.concat(extraOptions),
+        var extraOptions = ['status'],
+            permittedOptions,
             tasks;
 
+        // Workaround to remove static pages from results
+        // TODO: rework after https://github.com/TryGhost/Ghost/issues/5151
+        if (options && options.context && (options.context.user || options.context.internal)) {
+            extraOptions.push('staticPages');
+        }
+        permittedOptions = utils.browseDefaultOptions.concat(extraOptions);
+
         /**
          * ### Model Query
          *  Make the call to the Model layer

diff --git a/core/test/functional/routes/api/public_api_spec.js b/core/test/functional/routes/api/public_api_spec.js
@@ -70,6 +70,31 @@ describe('Public API', function () {
             });
     });
 
+    it('browse posts, ignores staticPages', function (done) {
+        request.get(testUtils.API.getApiQuery('posts/?client_id=ghost-admin&client_secret=not_available&staticPages=true'))
+            .set('Origin', testUtils.API.getURL())
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(200)
+            .end(function (err, res) {
+                console.log(res.body);
+                if (err) {
+                    return done(err);
+                }
+
+                should.not.exist(res.headers['x-cache-invalidate']);
+                var jsonResponse = res.body;
+                jsonResponse.posts.should.exist;
+                testUtils.API.checkResponse(jsonResponse, 'posts');
+                jsonResponse.posts.should.have.length(5);
+                testUtils.API.checkResponse(jsonResponse.posts[0], 'post');
+                testUtils.API.checkResponse(jsonResponse.meta.pagination, 'pagination');
+                _.isBoolean(jsonResponse.posts[0].featured).should.eql(true);
+                _.isBoolean(jsonResponse.posts[0].page).should.eql(true);
+                done();
+            });
+    });
+
     it('browse tags without limit defaults to 15', function (done) {
         request.get(testUtils.API.getApiQuery('tags/?client_id=ghost-admin&client_secret=not_available'))
             .set('Origin', testUtils.API.getURL())