diff --git a/ghost/core/core/server/services/members/content-gating.js b/ghost/core/core/server/services/members/content-gating.js
index 69e153475e..206a71fc19 100644
--- a/ghost/core/core/server/services/members/content-gating.js
+++ b/ghost/core/core/server/services/members/content-gating.js
@@ -8,12 +8,6 @@ const BLOCK_ACCESS = false;
 // TODO: better place to store this?
 const MEMBER_NQL_EXPANSIONS = [{
- key: 'labels',
- replacement: 'labels.slug'
-}, {
- key: 'label',
- replacement: 'labels.slug'
-}, {
 key: 'products',
 replacement: 'products.slug'
 }, {
@@ -21,6 +15,16 @@ const MEMBER_NQL_EXPANSIONS = [{
 replacement: 'products.slug'
 }];
+const rejectUnknownKeys = input => nql.utils.mapQuery(input, function (value, key) {
+ if (!['product', 'products', 'status'].includes(key.toLowerCase())) {
+ return;
+ }
+
+ return {
+ [key]: value
+ };
+});
+
 /**
 * @param {object} post - A post object to check access to
 * @param {object} member - The member whos access should be checked
@@ -50,7 +54,7 @@ function checkPostAccess(post, member) {
 }).join(',');
 }
- if (visibility && member.status && nql(visibility, {expansions: MEMBER_NQL_EXPANSIONS}).queryJSON(member)) {
+ if (visibility && member.status && nql(visibility, {expansions: MEMBER_NQL_EXPANSIONS, transformer: rejectUnknownKeys}).queryJSON(member)) {
 return PERMIT_ACCESS;
 }
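Review bot: In `rejectUnknownKeys` the allow-list test uses `key.toLowerCase()`, but the clause that survives is returned under its original spelling (`[key]: value`), so the key that was checked and the key that is evaluated can differ in case. Since this function is the boundary that decides which member fields a visibility filter may touch, comparing the key exactly is the stricter choice: `if (!ALLOWED_FILTER_KEYS.includes(key)) {`, with `const ALLOWED_FILTER_KEYS = ['product', 'products', 'status'];` declared beside `MEMBER_NQL_EXPANSIONS` so the two lists are maintained together. Whether a mixed-case key can match anything downstream depends on nql, which is not visible here, so treat this as hardening rather than a confirmed bypass. A short comment above the function, such as `// Drop filter clauses on any member field other than product(s) and status before the filter is evaluated`, would record why clauses are removed silently instead of being rejected.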
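Review bot: The `if` in `checkPostAccess` grants access on whatever `queryJSON(member)` returns after `rejectUnknownKeys` has removed clauses, and this hunk does not show what a filter evaluates to once every clause has been dropped. If an emptied filter matches any object, a post whose visibility filter names only fields outside the allow-list would be permitted for every member with a status, so the failure direction should be pinned down with a regression test that asserts `BLOCK_ACCESS` for such a filter (for example one that uses only the `label` key removed from `MEMBER_NQL_EXPANSIONS` in the first hunk). A comment on the call, e.g. `// transformer drops clauses on non-allow-listed member fields; an emptied filter must not grant access`, would make the intent explicit. The body of `checkPostAccess` starts and ends outside the hunk.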