Allow querying drafts from Content API by id only


#1

Hello everyone,

As far as I can tell, it is not possible to query draft posts from the content API:

Request:

curl "<url>/ghost/api/v2/content/posts/?key=<key>&status=draft"

Result:

{
  "errors": [
    {
      "message": "You do not have permission to retrieve posts with that status",
      "errorType": "NoPermissionError"
    }
  ]
}

I have also tried using a filter, but filtering on status does not affect the results. Strangely, it does not respond with an error either. (Entering an invalid filter type, for instance, responds with an error.)

curl "<url>/ghost/api/v2/content/posts/?key=<key>&filter=status%3Adraft"

What I would like to propose is the ability to query for drafts via a read request but not browse.

With a sufficiently random (non-enumerable) id, exposing draft content only for callers who possess the id should not be a significant risk to exposing draft content.

With this change, a request to /ghost/api/v2/content/posts/:uuid could return a draft post but draft posts would not be accessible by :slug or in a browse request.

I am interested in this feature because I am using Ghost as a “headless” backend alongside Gatsby and I would like to support viewing post previews.

Expecting the draft post’s UUID in the query would mean that the existing “View Preview” popup in the admin editor could be re-used to support previews in a Gatsby site as well.

This change should not be considered any less secure than the current implementation since it is already possible to visit the url /p/<:uuid>/ in the browser to view a preview.


If this is something that the Ghost team would be open to, I would be happy to work on this feature.

Thanks for reading!
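
The access rule proposed in the post above, sketched as an added example that is not part of the original post and is not Ghost's code: drafts are readable only by uuid, never by slug or through browse. The in-memory `posts` array, the function names and the sample posts are assumptions made for illustration.

```javascript
const { randomUUID } = require('node:crypto');

// Constructed sample data; field names are illustrative, not Ghost's schema.
const posts = [
  { uuid: randomUUID(), slug: 'hello-world', status: 'published', title: 'Hello' },
  { uuid: randomUUID(), slug: 'work-in-progress', status: 'draft', title: 'WIP' },
];

// randomUUID() returns a lowercase version 4 UUID (122 random bits).
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Browse: drafts are never listed, whatever status or filter the caller sends.
function browse(_query = {}) {
  return posts.filter((p) => p.status === 'published');
}

// Read by slug: slugs are guessable, so only published posts are returned.
function readBySlug(slug) {
  return posts.find((p) => p.slug === slug && p.status === 'published') || null;
}

// Read by uuid: the uuid is the unguessable capability, so drafts are allowed.
function readByUuid(uuid) {
  if (typeof uuid !== 'string' || !UUID_V4.test(uuid)) return null;
  const wanted = uuid.toLowerCase();
  return posts.find((p) => p.uuid === wanted) || null;
}

// Dispatcher for /posts/:identifier. Only a well-formed uuid takes the
// draft-capable path; everything else is treated as a slug. A draft's slug
// returns the same null as a missing post, so it does not reveal that the
// draft exists.
function read(identifier) {
  return UUID_V4.test(String(identifier))
    ? readByUuid(identifier)
    : readBySlug(identifier);
}
```

Under this rule the uuid is the only credential protecting a draft, and because it travels in the URL it also ends up in access logs and browser history.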


#2

I also would love to have this, and I’m open to contribute if needed :smile:


#3

Just wanted to bump this topic to see if there is any interest by the Ghost maintainers to implement something like this?