From 15897096b030ed6260106b0763a568e6403c1bf2 Mon Sep 17 00:00:00 2001
From: Kevin Ansfield
Date: Mon, 22 Jan 2024 14:20:50 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Fixed=20broken=20access=20to=20p?=
 =?UTF-8?q?review=20of=20scheduled=20email-only=20posts=20(#19539)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
no issue
- we recently added a redirect to disable access to the preview endpoint for sent email-only posts but the condition was too broad and also disabled access to scheduled email-only posts
- adjusted so we only apply the /p/ -> /email/ redirect for sent posts
---
 .../services/routing/controllers/previews.js | 5 +++--
 .../test/e2e-frontend/preview_routes.test.js | 18 +++++++++++++++++-
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/ghost/core/core/frontend/services/routing/controllers/previews.js b/ghost/core/core/frontend/services/routing/controllers/previews.js
index 0afa021472..d42f0efd25 100644
--- a/ghost/core/core/frontend/services/routing/controllers/previews.js
+++ b/ghost/core/core/frontend/services/routing/controllers/previews.js
@@ -49,12 +49,13 @@ module.exports = function previewController(req, res, next) {
 return next();
 }
+ // published content should only resolve to /:slug - /p/:uuid is for drafts only in lieu of an actual preview api
 if (post.status === 'published') {
 return urlUtils.redirect301(res, routerManager.getUrlByResourceId(post.id, {withSubdirectory: true}));
 }
- // published content should only resolve to /:slug or /email/:uuid - /p/:uuid is for drafts only in lieu of an actual preview api
- if (post.status !== 'published' && post.email_only === true) {
+ // once an email-only post has been sent it shouldn't be available via /p/ to avoid leaking members-only content
+ if (post.status === 'sent') {
 return urlUtils.redirect301(res, urlUtils.urlJoin('/email', post.uuid, '/'));
 }
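Review bot: The two status checks in this hunk form a deny-list (`published`, then `sent`), so a post in any other status falls through to whatever rendering follows; for a guard whose stated purpose is to avoid leaking members-only content, an allow-list would fail closed if another status is ever introduced. If only drafts and scheduled posts are meant to render at /p/:uuid, a final guard after the `sent` redirect such as `if (!['draft', 'scheduled'].includes(post.status)) { return next(); }` would make that explicit. The new condition also drops the `post.email_only === true` test, so it relies on `sent` only ever being set on email-only posts; a one-line comment stating that invariant would help the next reader. previewController's body starts and ends outside the hunk, so the render path itself is not visible here.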
diff --git a/ghost/core/test/e2e-frontend/preview_routes.test.js b/ghost/core/test/e2e-frontend/preview_routes.test.js
index a6e56ec5e2..7333cac3ba 100644
--- a/ghost/core/test/e2e-frontend/preview_routes.test.js
+++ b/ghost/core/test/e2e-frontend/preview_routes.test.js
@@ -9,6 +9,7 @@ const supertest = require('supertest');
 const cheerio = require('cheerio');
 const testUtils = require('../utils');
 const config = require('../../core/shared/config');
+const {DateTime} = require('luxon');
 let request;
 function assertCorrectFrontendHeaders(res) {
@@ -90,8 +91,23 @@ describe('Frontend Routing: Preview Routes', function () {
 .expect(assertCorrectFrontendHeaders);
 });
+ it('should render scheduled email-only posts', async function () {
+ const scheduledEmail = await testUtils.fixtures.insertPosts([{
+ title: 'test newsletter',
+ status: 'scheduled',
+ published_at: DateTime.now().plus({days: 1}).toISODate(),
+ posts_meta: {
+ email_only: true
+ }
+ }]);
+
+ await request.get(`/p/${scheduledEmail[0].get('uuid')}/`)
+ .expect('Content-Type', /html/)
+ .expect(200)
+ .expect(assertCorrectFrontendHeaders);
+ });
+
 it('should redirect sent email-only posts to /email/:uuid from /p/:uuid', async function () {
- // difficult to build a sent newsletter using the data generator
 const emailedPost = await testUtils.fixtures.insertPosts([{
 title: 'test newsletter',
 status: 'sent',
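Review bot: The added 'should render scheduled email-only posts' test asserts only a 200 HTML response and the shared headers, so it would still pass if /p/:uuid served some page other than the scheduled post. Pinning the body to the fixture, for example `.expect((res) => { if (!res.text.includes('test newsletter')) { throw new Error('post not rendered'); } })`, would make the regression check specific to this post. Separately, `published_at` is built with `.toISODate()`, which drops the time and zone; `.toISO()` would keep the timestamp unambiguous if the fixture loader parses it as a datetime. The following 'should redirect sent email-only posts' test continues past the end of the hunk.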