From ddf9874fa170f8913251f743ce059790979234e6 Mon Sep 17 00:00:00 2001 From: Sebastian Gierlinger Date: Wed, 4 Nov 2015 10:03:03 +0100 Subject: [PATCH] Disallow staticPages from public API refs #5151 - disable staticPages parameter for calls without authentication --- core/server/api/posts.js | 11 ++++++-- .../functional/routes/api/public_api_spec.js | 25 +++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/core/server/api/posts.js b/core/server/api/posts.js index 43898141b4..4a9db4d863 100644 --- a/core/server/api/posts.js +++ b/core/server/api/posts.js @@ -36,10 +36,17 @@ posts = { * @returns {Promise} Posts Collection with Meta */ browse: function browse(options) { - var extraOptions = ['status', 'staticPages'], - permittedOptions = utils.browseDefaultOptions.concat(extraOptions), + var extraOptions = ['status'], + permittedOptions, tasks; + // Workaround to remove static pages from results + // TODO: rework after https://github.com/TryGhost/Ghost/issues/5151 + if (options && options.context && (options.context.user || options.context.internal)) { + extraOptions.push('staticPages'); + } + permittedOptions = utils.browseDefaultOptions.concat(extraOptions); + /** * ### Model Query * Make the call to the Model layer diff --git a/core/test/functional/routes/api/public_api_spec.js b/core/test/functional/routes/api/public_api_spec.js index ff541fb68d..54ca477b8c 100644 --- a/core/test/functional/routes/api/public_api_spec.js +++ b/core/test/functional/routes/api/public_api_spec.js 
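Review bot: The added gate on `options.context.user || options.context.internal` silently drops `staticPages` for public callers rather than rejecting it, so a client-only request with `staticPages=true` gets a 200 whose result set differs from what was asked; that is acceptable as a stop-gap but the comment should say so, e.g. `// Only authenticated (user) or internal contexts may use staticPages; public client requests silently get the default, which excludes pages`. The check is a truthiness test, which is fine for non-zero user ids but worth keeping in mind if the context shape ever changes. `browse` continues outside the hunk, so whether `permittedOptions` is what the later validation actually enforces cannot be confirmed from this hunk alone.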
@@ -70,6 +70,31 @@ describe('Public API', function () {
 });
 });
 
+ it('browse posts, ignores staticPages', function (done) {
+ request.get(testUtils.API.getApiQuery('posts/?client_id=ghost-admin&client_secret=not_available&staticPages=true'))
+ .set('Origin', testUtils.API.getURL())
+ .expect('Content-Type', /json/)
+ .expect('Cache-Control', testUtils.cacheRules.private)
+ .expect(200)
+ .end(function (err, res) {
+ console.log(res.body);
+ if (err) {
+ return done(err);
+ }
+
+ should.not.exist(res.headers['x-cache-invalidate']);
+ var jsonResponse = res.body;
+ jsonResponse.posts.should.exist;
+ testUtils.API.checkResponse(jsonResponse, 'posts');
+ jsonResponse.posts.should.have.length(5);
+ testUtils.API.checkResponse(jsonResponse.posts[0], 'post');
+ testUtils.API.checkResponse(jsonResponse.meta.pagination, 'pagination');
+ _.isBoolean(jsonResponse.posts[0].featured).should.eql(true);
+ _.isBoolean(jsonResponse.posts[0].page).should.eql(true);
+ done();
+ });
+ });
+
 it('browse tags without limit defaults to 15', function (done) {
 request.get(testUtils.API.getApiQuery('tags/?client_id=ghost-admin&client_secret=not_available'))
 .set('Origin', testUtils.API.getURL())
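Review bot: `console.log(res.body);` at the top of the `.end` callback is leftover debug output and should be removed. The test also never asserts the property it is named for: it checks that `posts[0].page` is a boolean and that 5 posts come back, but not that no returned post is a page, so it would keep passing if the fixture count and the filter drifted together; add `jsonResponse.posts.forEach(function (post) { post.page.should.eql(false); });` after the length check. The expected count of 5 presumably comes from the shared test fixtures, which are outside this hunk.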