Restricted content gating filter to status & tiers

refs https://github.com/TryGhost/Arch/issues/83 As we've only used the status and tiers in the cache key generation (as those are currently the only ones that are present in DB's) we want to make sure that content gating doesn't use any other properties, which means the cache behaviour will match the content gating behaviour
2024-11-28 14:03:48 +03:00 · 2023-09-13 16:23:09 +07:00 · 2023-09-13 16:23:09 +07:00 · cbea9e8948
commit cbea9e8948
parent e865f57e88
1 changed files with 11 additions and 7 deletions
--- a/ghost/core/core/server/services/members/content-gating.js
+++ b/ghost/core/core/server/services/members/content-gating.js
@ -8,12 +8,6 @@ const BLOCK_ACCESS = false;

 // TODO: better place to store this?
 const MEMBER_NQL_EXPANSIONS = [{
-    key: 'labels',
-    replacement: 'labels.slug'
-}, {
-    key: 'label',
-    replacement: 'labels.slug'
-}, {
    key: 'products',
    replacement: 'products.slug'
 }, {
@ -21,6 +15,16 @@ const MEMBER_NQL_EXPANSIONS = [{
    replacement: 'products.slug'
 }];

+const rejectUnknownKeys = input => nql.utils.mapQuery(input, function (value, key) {
+    if (!['product', 'products', 'status'].includes(key.toLowerCase())) {
+        return;
+    }
+
+    return {
+        [key]: value
+    };
+});
+
 /**
 * @param {object} post - A post object to check access to
 * @param {object} member - The member whos access should be checked
@ -50,7 +54,7 @@ function checkPostAccess(post, member) {
        }).join(',');
    }

-    if (visibility && member.status && nql(visibility, {expansions: MEMBER_NQL_EXPANSIONS}).queryJSON(member)) {
+    if (visibility && member.status && nql(visibility, {expansions: MEMBER_NQL_EXPANSIONS, transformer: rejectUnknownKeys}).queryJSON(member)) {
        return PERMIT_ACCESS;
    }