Refactored post resource Admin API test utils

refs https://github.com/TryGhost/Team/issues/687 - The approach of generating validation properties using `/server/data/schema` package's tables object is prone to leaking unwanted database fields into API responses - This refactor takes a tiny step into direction of relying on "allowlist" approach for properties in the API response resources. - Apart from solving the described property leak problem it also moves toward decoupling tests from `/core/server` dependencies!
2025-04-15 03:01:37 -05:00 · 2021-05-12 18:15:54 +04:00 · 2021-05-12 18:15:54 +04:00 · 06dd9bac59
commit 06dd9bac59
parent ec01c4f004
2 changed files with 87 additions and 39 deletions
--- a/test/api-acceptance/admin/utils.js
+++ b/test/api-acceptance/admin/utils.js
@ -1,7 +1,12 @@
 const url = require('url');
 const _ = require('lodash');
 const testUtils = require('../../utils');
+
+// NOTE: the dependance on the schema here is wrong! It is a design flaw which is causing problems for API maintenance and compatibility
+//       whenever you need to modify any of the below property lists using schema - rework them into an "allowlist" array like it's done in
+//       the commit introducing this comment.
 const schema = require('../../../core/server/data/schema').tables;
+
 const API_URL = '/ghost/api/canary/admin/';

 const expectedProperties = {
@ -26,26 +31,44 @@ const expectedProperties = {

    config: ['version', 'environment', 'database', 'mail', 'labs', 'clientExtensions', 'enableDeveloperExperiments', 'useGravatar', 'stripeDirect', 'emailAnalytics'],

-    post: _(schema.posts)
-        .keys()
-        .filter(key => key.indexOf('@@') === -1)
-        // by default we only return mobildoc
-        .without('html', 'plaintext')
-        .without('locale')
-        .without('page')
-        // API should not return type field
-        .without('type')
-        // deprecated
-        .without('author_id', 'author')
-        // always returns computed properties
-        .concat('url', 'primary_tag', 'primary_author', 'excerpt')
-        // returned by default
-        .concat('tags', 'authors', 'email')
-        // returns meta fields from `posts_meta` schema
-        .concat(
-            ..._(schema.posts_meta).keys().without('post_id', 'id')
-        )
-    ,
+    post: [
+        'id',
+        'uuid',
+        'title',
+        'slug',
+        'mobiledoc',
+        'comment_id',
+        'feature_image',
+        'featured',
+        'status',
+        'visibility',
+        'email_recipient_filter',
+        'created_at',
+        'updated_at',
+        'published_at',
+        'custom_excerpt',
+        'codeinjection_head',
+        'codeinjection_foot',
+        'custom_template',
+        'canonical_url',
+        'url',
+        'primary_tag',
+        'primary_author',
+        'excerpt',
+        'tags',
+        'authors',
+        'email',
+        'og_image',
+        'og_title',
+        'og_description',
+        'twitter_image',
+        'twitter_title',
+        'twitter_description',
+        'meta_title',
+        'meta_description',
+        'email_subject',
+        'frontmatter'
+    ],

    page: _(schema.posts)
        .keys()
--- a/test/regression/api/canary/admin/utils.js
+++ b/test/regression/api/canary/admin/utils.js
@ -1,7 +1,12 @@
 const url = require('url');
 const _ = require('lodash');
 const testUtils = require('../../../../utils');
+
+// NOTE: the dependance on the schema here is wrong! It is a design flaw which is causing problems for API maintenance and compatibility
+//       whenever you need to modify any of the below property lists using schema - rework them into an "allowlist" array like it's done in
+//       the commit introducing this comment.
 const schema = require('../../../../../core/server/data/schema').tables;
+
 const API_URL = '/ghost/api/canary/admin/';

 const expectedProperties = {
@ -21,25 +26,45 @@ const expectedProperties = {

    site: ['title', 'description', 'logo', 'icon', 'accent_color', 'url', 'version'],

-    post: _(schema.posts)
-        .keys()
-        .filter(key => key.indexOf('@@') === -1)
-        // by default we only return mobiledoc
-        .without('html', 'plaintext')
-        .without('locale')
-        .without('page')
-        .without('author_id', 'author')
-        .without('type')
-        // always returns computed properties
-        // primary_tag and primary_author properties are included
-        // only because authors and tags are always included
-        .concat('url', 'primary_tag', 'primary_author', 'excerpt')
-        .concat('authors', 'tags', 'email')
-        // returns meta fields from `posts_meta` schema
-        .concat(
-            ..._(schema.posts_meta).keys().without('post_id', 'id')
-        )
-    ,
+    post: [
+        'id',
+        'uuid',
+        'title',
+        'slug',
+        'mobiledoc',
+        'comment_id',
+        'feature_image',
+        'featured',
+        'status',
+        'visibility',
+        'email_recipient_filter',
+        'created_at',
+        'updated_at',
+        'published_at',
+        'custom_excerpt',
+        'codeinjection_head',
+        'codeinjection_foot',
+        'custom_template',
+        'canonical_url',
+        'url',
+        'primary_tag',
+        'primary_author',
+        'excerpt',
+        'tags',
+        'authors',
+        'email',
+        'og_image',
+        'og_title',
+        'og_description',
+        'twitter_image',
+        'twitter_title',
+        'twitter_description',
+        'meta_title',
+        'meta_description',
+        'email_subject',
+        'frontmatter'
+    ],
+
    user: _(schema.users)
        .keys()
        .without('visibility')