From 83d25f71f48f10efef68fbfb733a6d0c1cff6c83 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Wed, 16 Jun 2021 11:33:21 +0100
Subject: [PATCH] Restricted Members to only one Product

refs https://github.com/TryGhost/Team/issues/748
This ensures that you cannot add more than one product to a Member. However it does allow a Member which already exists with more than one Product to continue using the API. This is to account for edgecases such as a Member going through the Stripe flow twice and ending up with multiple subscriptions for multiple products
---
 ghost/members-api/lib/repositories/member/index.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/ghost/members-api/lib/repositories/member/index.js b/ghost/members-api/lib/repositories/member/index.js
index 98134f86c3..bd276779ab 100644
--- a/ghost/members-api/lib/repositories/member/index.js
+++ b/ghost/members-api/lib/repositories/member/index.js
@@ -80,6 +80,10 @@ module.exports = class MemberRepository {
 const memberData = _.pick(data, ['email', 'name', 'note', 'subscribed', 'geolocation', 'created_at', 'products']);
+ if (memberData.products && memberData.products.length > 1) {
+ throw new errors.BadRequestError(tpl(messages.moreThanOneProduct));
+ }
+
 const member = await this._Member.add({
 ...memberData,
 labels
@@ -128,6 +132,10 @@ module.exports = class MemberRepository {
 const existingProductIds = existingProducts.map(product => product.id);
 const incomingProductIds = data.products.map(product => product.id);
+ if (incomingProductIds.length > 1 && incomingProductIds.length > existingProductIds.length) {
+ throw new errors.BadRequestError(tpl(messages.moreThanOneProduct));
+ }
+
 const productsToAdd = _.differenceWith(incomingProductIds, existingProductIds);
 const productsToRemove = _.differenceWith(existingProductIds, incomingProductIds);
 const productsToModify = productsToAdd.concat(productsToRemove);
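Review bot: The new guard before `this._Member.add` throws `new errors.BadRequestError(tpl(messages.moreThanOneProduct))`, but nothing in this patch defines `errors`, `tpl` or a `moreThanOneProduct` entry in `messages`. The diffstat lists 8 insertions and the two hunks account for all of them. If any of those names is not already in scope in this file, the rejection would surface as a ReferenceError/TypeError (or an empty message) rather than a clean 400, so it is worth confirming against the top of the file; the second hunk has the same dependency. The check also treats any value with a `length` above 1 as too many products, including a string, so a short comment stating that `products` is expected to be an array validated upstream would help the next reader. The enclosing method starts and ends outside the hunk.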
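Review bot: The guard in the second hunk compares only counts (`incomingProductIds.length > existingProductIds.length`), so it does not detect a new product being attached when the total stays the same. A member who already holds two products (existing `[A, B]`) can be sent `[A, C]` and the request passes, although the commit message says a product cannot be added beyond the first. If that is not intended, key the check off the computed additions instead: move it below the `productsToAdd` line and use `if (incomingProductIds.length > 1 && productsToAdd.length > 0) {`. That still lets an existing multi-product member be saved unchanged or have products removed. The enclosing method starts and ends outside the hunk, so any later re-validation is not visible here.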