Removed formats from private posts in content api (TryGhost#10154)

closes TryGhost#10118

All behind a members labs switch for now

* Added filter for member only content

* Updated frame context

* Cleaned up members content check

* Cleanup

* Cleanup

* Ensured members filtering works without include=tags

* Protected against missing query

* Fixed usage of include vs withRelated

* Moved includeTags logic for members behind members flag to use tags

* Cleanup

* Update input serializer dependency

Co-Authored-By: rishabhgrg <zrishabhgarg@gmail.com>

* Added some explanations

Author: rshbhgrg

core/server/api/v2/utils/serializers/input/posts.js

@@ -2,6 +2,7 @@ const _ = require('lodash');
 const debug = require('ghost-ignition').debug('api:v2:utils:serializers:input:posts');
 const url = require('./utils/url');
 const utils = require('../../index');
+const labs = require('../../../../../services/labs');
 
 function removeMobiledocFormat(frame) {
     if (frame.options.formats && frame.options.formats.includes('mobiledoc')) {
@@ -11,6 +12,14 @@ function removeMobiledocFormat(frame) {
     }
 }
 
+function includeTags(frame) {
+    if (!frame.options.withRelated) {
+        frame.options.withRelated = ['tags'];
+    } else if (!frame.options.withRelated.includes('tags')) {
+        frame.options.withRelated.push('tags');
+    }
+}
+
 module.exports = {
     browse(apiConfig, frame) {
         debug('browse');
@@ -39,6 +48,10 @@ module.exports = {
             }
             // CASE: the content api endpoint for posts should not return mobiledoc
             removeMobiledocFormat(frame);
+            if (labs.isSet('members')) {
+                // CASE: Members needs to have the tags to check if its allowed access
+                includeTags(frame);
+            }
         }
 
         debug(frame.options);
@@ -58,6 +71,10 @@ module.exports = {
             frame.data.page = false;
             // CASE: the content api endpoint for posts should not return mobiledoc
             removeMobiledocFormat(frame);
+            if (labs.isSet('members')) {
+                // CASE: Members needs to have the tags to check if its allowed access
+                includeTags(frame);
+            }
         }
 
         debug(frame.options);

core/server/api/v2/utils/serializers/output/utils/mapper.js

@@ -1,6 +1,7 @@
 const utils = require('../../../index');
 const url = require('./url');
 const date = require('./date');
+const members = require('./members');
 
 const mapPost = (model, frame) => {
     const jsonModel = model.toJSON(frame.options);
@@ -9,6 +10,7 @@ const mapPost = (model, frame) => {
 
     if (utils.isContentAPI(frame)) {
         date.forPost(jsonModel);
+        members.forPost(jsonModel, frame);
     }
 
     if (frame.options && frame.options.withRelated) {

core/server/api/v2/utils/serializers/output/utils/members.js

@@ -0,0 +1,33 @@
+const labs = require('../../../../../../services/labs');
+const MEMBER_TAG = '#members';
+
+// Checks if request should hide memnbers only content
+function hideMembersOnlyContent(attrs, frame) {
+    let hasMemberTag = false;
+    if (labs.isSet('members') && !frame.original.context.member && attrs.tags) {
+        hasMemberTag = attrs.tags.find((tag) => {
+            return (tag.name === MEMBER_TAG);
+        });
+    }
+    return hasMemberTag;
+}
+
+const forPost = (attrs, frame) => {
+    const hideFormatsData = hideMembersOnlyContent(attrs, frame);
+    if (hideFormatsData) {
+        ['plaintext', 'html'].forEach((field) => {
+            attrs[field] = '';
+        });
+    }
+    if (labs.isSet('members')) {
+        // CASE: Members always adds tags, remove if the user didn't originally ask for them
+        const origQuery = frame.original.query || {};
+        if (!origQuery.include || !origQuery.include.includes('tags')) {
+            delete attrs.tags;
+        }
+    }
+
+    return attrs;
+};
+
+module.exports.forPost = forPost;