Removed email related fields from API v2 responses

refs https://github.com/TryGhost/Ghost/issues/11461 - The email feature was introduced in API v3 and is not back compatible with API v2. These fields should not appear in any v2 responses. - Added regression tests for API v2 so that cases like this are spotted easier in the future.
2025-04-01 02:41:39 -05:00 · 2019-12-16 19:19:08 +07:00 · 2019-12-16 19:19:08 +07:00 · e25e847f47
commit e25e847f47
parent 2d9963fbd8
5 changed files with 100 additions and 2 deletions
--- a/core/server/api/v2/utils/serializers/output/utils/mapper.js
+++ b/core/server/api/v2/utils/serializers/output/utils/mapper.js
@ -73,7 +73,10 @@ const mapPost = (model, frame) => {
    }).each((attr) => {
        jsonModel[attr] = _.get(jsonModel.posts_meta, attr) || null;
    });
+
    delete jsonModel.posts_meta;
+    delete jsonModel.send_email_when_published;
+    delete jsonModel.email_subject;

    return jsonModel;
 };
--- a/core/test/regression/api/v2/admin/utils.js
+++ b/core/test/regression/api/v2/admin/utils.js
@ -26,12 +26,17 @@ const expectedProperties = {
        .without('locale')
        .without('page')
        .without('author_id', 'author')
+        // emails are not supported in API v2
+        .without('send_email_when_published')
        // always returns computed properties
        .concat('url', 'primary_tag', 'primary_author', 'excerpt')
        .concat('authors', 'tags')
        // returns meta fields from `posts_meta` schema
        .concat(
-            ..._(schema.posts_meta).keys().without('post_id', 'id')
+            ..._(schema.posts_meta).keys()
+                .without('post_id', 'id')
+                // emails are not supported in API v2
+                .without('email_subject')
        )
    ,
    user: _(schema.users)
--- a/core/test/regression/api/v2/content/pages_spec.js
+++ b/core/test/regression/api/v2/content/pages_spec.js
@ -1,3 +1,4 @@
+const url = require('url');
 const should = require('should');
 const supertest = require('supertest');
 const testUtils = require('../../../../utils');
@ -23,6 +24,31 @@ describe('api/v2/content/pages', function () {
        configUtils.restore();
    });

+    it('Can request pages', function () {
+        const key = localUtils.getValidKey();
+        return request.get(localUtils.API.getApiQuery(`pages/?key=${key}`))
+            .set('Origin', testUtils.API.getURL())
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(200)
+            .then((res) => {
+                res.headers.vary.should.eql('Accept-Encoding');
+                should.exist(res.headers['access-control-allow-origin']);
+                should.not.exist(res.headers['x-cache-invalidate']);
+
+                const jsonResponse = res.body;
+                should.exist(jsonResponse.pages);
+                should.exist(jsonResponse.meta);
+                jsonResponse.pages.should.have.length(1);
+
+                res.body.pages[0].slug.should.eql(testUtils.DataGenerator.Content.posts[5].slug);
+
+                const urlParts = url.parse(res.body.pages[0].url);
+                should.exist(urlParts.protocol);
+                should.exist(urlParts.host);
+            });
+    });
+
    it('Can browse pages with page:false', function () {
        const key = localUtils.getValidKey();
        return request.get(localUtils.API.getApiQuery(`pages/?key=${key}&filter=page:false`))
--- a/core/test/regression/api/v2/content/posts_spec.js
+++ b/core/test/regression/api/v2/content/posts_spec.js
@ -1,6 +1,8 @@
+const url = require('url');
 const should = require('should');
 const supertest = require('supertest');
 const _ = require('lodash');
+const cheerio = require('cheerio');
 const testUtils = require('../../../../utils');
 const localUtils = require('./utils');
 const configUtils = require('../../../../utils/configUtils');
@ -28,6 +30,63 @@ describe('api/v2/content/posts', function () {

    const validKey = localUtils.getValidKey();

+    it('Can request posts', function (done) {
+        request.get(localUtils.API.getApiQuery(`posts/?key=${validKey}`))
+            .set('Origin', testUtils.API.getURL())
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(200)
+            .end(function (err, res) {
+                if (err) {
+                    return done(err);
+                }
+
+                res.headers.vary.should.eql('Accept-Encoding');
+                should.exist(res.headers['access-control-allow-origin']);
+                should.not.exist(res.headers['x-cache-invalidate']);
+
+                var jsonResponse = res.body;
+                should.exist(jsonResponse.posts);
+                localUtils.API.checkResponse(jsonResponse, 'posts');
+                jsonResponse.posts.should.have.length(11);
+                localUtils.API.checkResponse(jsonResponse.posts[0], 'post');
+                localUtils.API.checkResponse(jsonResponse.meta.pagination, 'pagination');
+                _.isBoolean(jsonResponse.posts[0].featured).should.eql(true);
+
+                // Default order 'published_at desc' check
+                jsonResponse.posts[0].slug.should.eql('welcome');
+                jsonResponse.posts[6].slug.should.eql('themes');
+
+                // check meta response for this test
+                jsonResponse.meta.pagination.page.should.eql(1);
+                jsonResponse.meta.pagination.limit.should.eql(15);
+                jsonResponse.meta.pagination.pages.should.eql(1);
+                jsonResponse.meta.pagination.total.should.eql(11);
+                jsonResponse.meta.pagination.hasOwnProperty('next').should.be.true();
+                jsonResponse.meta.pagination.hasOwnProperty('prev').should.be.true();
+                should.not.exist(jsonResponse.meta.pagination.next);
+                should.not.exist(jsonResponse.meta.pagination.prev);
+
+                // kitchen sink
+                res.body.posts[9].slug.should.eql(testUtils.DataGenerator.Content.posts[1].slug);
+
+                let urlParts = url.parse(res.body.posts[9].feature_image);
+                should.exist(urlParts.protocol);
+                should.exist(urlParts.host);
+
+                urlParts = url.parse(res.body.posts[9].url);
+                should.exist(urlParts.protocol);
+                should.exist(urlParts.host);
+
+                const $ = cheerio.load(res.body.posts[9].html);
+                urlParts = url.parse($('img').attr('src'));
+                should.exist(urlParts.protocol);
+                should.exist(urlParts.host);
+
+                done();
+            });
+    });
+
    it('browse posts with basic page filter should not return pages', function (done) {
        request.get(localUtils.API.getApiQuery(`posts/?key=${validKey}&filter=page:true`))
            .expect('Content-Type', /json/)
--- a/core/test/regression/api/v2/content/utils.js
+++ b/core/test/regression/api/v2/content/utils.js
@ -21,6 +21,8 @@ const expectedProperties = {
        .concat('url', 'primary_tag', 'primary_author')
        // v2 API doesn't return unused fields
        .without('locale', 'visibility')
+        // emails are not supported in API v2
+        .without('send_email_when_published')
        // These fields aren't useful as they always have known values
        .without('status')
        .concat('page')
@ -29,7 +31,10 @@ const expectedProperties = {
        .concat('excerpt')
        // returns meta fields from `posts_meta` schema
        .concat(
-            ..._(schema.posts_meta).keys().without('post_id', 'id')
+            ..._(schema.posts_meta).keys()
+                .without('post_id', 'id')
+                // emails are not supported in API v2
+                .without('email_subject')
        )
    ,
    author: _(schema.users)