Added test checking notifications are not editable through API

refs https://github.com/TryGhost/Team/issues/754 - `notifications` settings are part of a "core" group and should not be editable through non-internal API calls
2025-01-06 22:40:14 -05:00 · 2021-06-28 11:59:38 +04:00 · 2021-06-28 11:59:38 +04:00 · 23367ee0bb
commit 23367ee0bb
parent 3f2327c4d1
1 changed files with 15 additions and 0 deletions
--- a/test/regression/api/canary/admin/settings_spec.js
+++ b/test/regression/api/canary/admin/settings_spec.js
@ -1226,6 +1226,21 @@ describe('Settings API (canary)', function () {
            dbSettings.should.have.property('og_image', '__GHOST_URL__/content/images/og_image.png');
            dbSettings.should.have.property('twitter_image', '__GHOST_URL__/content/images/twitter_image.png');
        });
+
+        it('Cannot edit notifications key through API', async function () {
+            const settingsToChange = {
+                settings: [
+                    {key: 'notifications', value: `anything`}
+                ]
+            };
+
+            await request.put(localUtils.API.getApiQuery('settings/'))
+                .set('Origin', config.get('url'))
+                .send(settingsToChange)
+                .expect('Content-Type', /json/)
+                .expect('Cache-Control', testUtils.cacheRules.private)
+                .expect(403);
+        });
    });

    describe('As Admin', function () {