From 15446766bf1741eba08dad9577d3aade5c0fc636 Mon Sep 17 00:00:00 2001
From: Katharina Irrgang <katharina.irrgang@googlemail.com>
Date: Tue, 3 Oct 2017 14:00:33 +0200
Subject: [PATCH] Protected internal tags visibility (#9076)

closes https://github.com/TryGhost/Ghost/issues/8943

- if you send a tag name with a hash, it's an internal tag
- ensure that the visibility property is forced to `internal`
- add a proper test
---
 core/server/models/tag.js                  | 13 ++++++++++++-
 core/test/integration/api/api_tags_spec.js | 17 +++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/core/server/models/tag.js b/core/server/models/tag.js
index 11e7343199..83d1cf98d7 100644
--- a/core/server/models/tag.js
+++ b/core/server/models/tag.js
@@ -8,6 +8,12 @@ Tag = ghostBookshelf.Model.extend({
 
     tableName: 'tags',
 
+    defaults: function defaults() {
+        return {
+            visibility: 'public'
+        };
+    },
+
     emitChange: function emitChange(event) {
         events.emit('tag' + '.' + event, this);
     },
@@ -24,12 +30,17 @@ Tag = ghostBookshelf.Model.extend({
         model.emitChange('deleted');
     },
 
-    onSaving: function onSaving(newPage, attr, options) {
+    onSaving: function onSaving(newTag, attr, options) {
         /*jshint unused:false*/
         var self = this;
 
         ghostBookshelf.Model.prototype.onSaving.apply(this, arguments);
 
+        // name: #later slug: hash-later
+        if (/^#/.test(newTag.get('name'))) {
+            this.set('visibility', 'internal');
+        }
+
         if (this.hasChanged('slug') || !this.get('slug')) {
             // Pass the new slug through the generator to strip illegal characters, detect duplicates
             return ghostBookshelf.Model.generateSlug(Tag, this.get('slug') || this.get('name'),
diff --git a/core/test/integration/api/api_tags_spec.js b/core/test/integration/api/api_tags_spec.js
index 0fe8515862..c8355d7c42 100644
--- a/core/test/integration/api/api_tags_spec.js
+++ b/core/test/integration/api/api_tags_spec.js
@@ -1,6 +1,5 @@
 var should = require('should'),
     testUtils = require('../../utils'),
-    Promise = require('bluebird'),
     _ = require('lodash'),
     // Stuff we are testing
     context = testUtils.context,
@@ -28,7 +27,6 @@ describe('Tags API', function () {
 
         beforeEach(function () {
             newTag = _.clone(_.omit(testUtils.DataGenerator.forKnex.createTag(testUtils.DataGenerator.Content.tags[0]), 'id'));
-            Promise.resolve(newTag);
         });
 
         it('can add a tag (admin)', function (done) {
@@ -47,6 +45,21 @@ describe('Tags API', function () {
                     should.exist(results);
                     should.exist(results.tags);
                     results.tags.length.should.be.above(0);
+                    results.tags[0].visibility.should.eql('public');
+                    done();
+                }).catch(done);
+        });
+
+        it('add internal tag', function (done) {
+            TagAPI
+                .add({tags: [{name: '#test'}]}, testUtils.context.editor)
+                .then(function (results) {
+                    should.exist(results);
+                    should.exist(results.tags);
+                    results.tags.length.should.be.above(0);
+                    results.tags[0].visibility.should.eql('internal');
+                    results.tags[0].name.should.eql('#test');
+                    results.tags[0].slug.should.eql('hash-test');
                     done();
                 }).catch(done);
         });