Removed gift links permission from the Author role #28910

Open
kevinansfield wants to merge 2 commits into main from ber-3748-remove-author-gift-links-permission
Conversation

@kevinansfield (Member)

ref https://linear.app/ghost/issue/BER-3748/

The gift links permission fixtures were too broad: Authors were granted the "Manage gift links" permission, but Authors don't have permission to change post visibility — so they shouldn't be able to manage gift links either.

  • Removed gift_link: manage from the Author role in the permission fixtures
  • Added a migration to drop the existing "Manage gift links" grant from the Author role on sites that already ran the original gift links permission migration
  • Exported the existing removePermissionFromRole migration helper (the natural inverse of addPermissionToRole) so the migration can use it
  • Updated the migration integration assertion and the test-utils fixtures copy to match, and extended the gift-links API test to assert Authors (alongside Contributors) get a 403

Gift links are still behind the giftLinks labs flag, so this is not yet user-facing.

ref https://linear.app/ghost/issue/BER-3748/

- the fixtures granted Authors the "Manage gift links" permission, but Authors can't change post visibility, so they shouldn't be able to manage gift links either — the original grant was too broad
- updated the fixtures and added a migration to drop the existing Author grant for sites that already ran the gift links permission migration
@github-actions github-actions Bot added the migration [pull request] Includes migration for review label Jun 25, 2026
@github-actions (Contributor)

It looks like this PR contains a migration 👀
Here's the checklist for reviewing migrations:

General requirements

  • ⚠️ Tested performance on staging database servers, as performance on local machines is not comparable to a production environment
  • Satisfies idempotency requirement (both up() and down())
  • Does not reference models
  • Filename is in the correct format (and correctly ordered)
  • Targets the next minor version
  • All code paths have appropriate log messages
  • Uses the correct utils
  • Contains a minimal changeset
  • Does not mix DDL/DML operations
  • Tested in MySQL and SQLite

Schema changes

  • Both schema change and related migration have been implemented
  • For index changes: has been performance tested for large tables
  • For new tables/columns: fields use the appropriate predefined field lengths
  • For new tables/columns: field names follow the appropriate conventions
  • Does not drop a non-alpha table outside of a major version

Data changes

  • Mass updates/inserts are batched appropriately
  • Does not loop over large tables/datasets
  • Defends against missing or invalid data
  • For settings updates: follows the appropriate guidelines

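The checklist above asks that both up() and down() be idempotent. As an added illustration (not Ghost's code, and not the helper this PR exports), the block below models the permissions, roles and permissions_roles tables in memory and writes a remove/add pair so that a second run of either direction finds nothing to do; table and field names, the sample rows and the "Manage gift links" permission name are assumptions taken from the PR description:

```javascript
// Added example, not Ghost's code: an in-memory stand-in for the permission tables
// with an idempotent remove/add pair shaped like a migration's up()/down().
// Table and field names are assumptions, as is the constructed sample data.
function makeDb() {
    return { // constructed sample data, not taken from Ghost's fixtures
        permissions: [{id: 'p1', name: 'Manage gift links', object_type: 'gift_link', action_type: 'manage'}],
        roles: [{id: 'r1', name: 'Author'}, {id: 'r2', name: 'Administrator'}],
        permissions_roles: [{permission_id: 'p1', role_id: 'r1'}, {permission_id: 'p1', role_id: 'r2'}]
    };
}

// Resolve names to ids; returns null (and logs) when either row is missing,
// so the migration defends against absent data instead of writing a dangling join row.
function lookupIds(db, {permission, role}) {
    const p = db.permissions.find(x => x.name === permission);
    const r = db.roles.find(x => x.name === role);
    if (!p || !r) {
        console.warn(`Missing ${!p ? 'permission' : 'role'} for "${permission}"/"${role}", skipping`);
        return null;
    }
    return {permission_id: p.id, role_id: r.id};
}

function rowIndex(db, ids) {
    return db.permissions_roles.findIndex(
        row => row.permission_id === ids.permission_id && row.role_id === ids.role_id);
}

function roleHas(db, spec) {
    const ids = lookupIds(db, spec);
    return !!ids && rowIndex(db, ids) !== -1;
}

// Returns true only when a row was actually removed; a repeat run logs and returns false.
function removePermissionFromRole(db, spec) {
    const ids = lookupIds(db, spec);
    if (!ids) return false;
    const idx = rowIndex(db, ids);
    if (idx === -1) { console.log(`"${spec.role}" lacks "${spec.permission}", skipping`); return false; }
    db.permissions_roles.splice(idx, 1);
    return true;
}

// Inverse of the above; a repeat run finds the row present and does nothing.
function addPermissionToRole(db, spec) {
    const ids = lookupIds(db, spec);
    if (!ids) return false;
    if (rowIndex(db, ids) !== -1) { console.log(`"${spec.role}" already has "${spec.permission}", skipping`); return false; }
    db.permissions_roles.push(ids);
    return true;
}

const AUTHOR_GIFT_LINKS = {permission: 'Manage gift links', role: 'Author'};
const migration = {up: db => removePermissionFromRole(db, AUTHOR_GIFT_LINKS), down: db => addPermissionToRole(db, AUTHOR_GIFT_LINKS)};
```

Running `migration.up` twice removes the Author grant once and reports a no-op the second time, while the Administrator row is untouched; `migration.down` restores it with the same behaviour.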
@kevinansfield kevinansfield requested review from jonatansberg and rob-ghost and removed request for rob-ghost June 25, 2026 16:46
coderabbitai Bot (Contributor) commented Jun 25, 2026

No actionable comments were generated in the recent review. 🎉


Commits: reviewing files that changed from the base of the PR and between 2979938 and 5f7f4a6.

Files selected for processing (2):
  • ghost/core/test/unit/server/data/schema/fixtures/fixture-manager.test.js
  • ghost/core/test/unit/server/data/schema/integrity.test.js

Files skipped from review due to trivial changes (1):
  • ghost/core/test/unit/server/data/schema/integrity.test.js

Walkthrough

Adds a migration helper export and a new migration that removes the Manage gift links permission from the Author role. The seeded Author permissions, migration integration expectations, fixture-manager count, and fixtures hash are updated to match, and the gift-links e2e tests now check 403 responses for Author and Contributor access without that permission.

Possibly related PRs

  • TryGhost/Ghost#28784: Updates the same gift-links authorization test area to cover posts and pages permission checks.

Suggested reviewers

  • jonatansberg
Pre-merge checks: 4 passed

  • Title check: Passed. The title clearly matches the main change: removing the gift links permission from the Author role.
  • Description check: Passed. The description is directly related to the changeset and accurately summarizes the fixture, migration, and test updates.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@kevinansfield kevinansfield requested a review from rob-ghost June 25, 2026 16:46
nx-cloud Bot commented Jun 25, 2026


CI Pipeline Execution for commit 5f7f4a6

Command                                           Status        Duration
nx run ghost:test:ci:integration                  ✅ Succeeded  2m 41s
nx run ghost:test:integration                     ✅ Succeeded  2m 40s
nx run ghost:test:legacy                          ✅ Succeeded  2m 55s
nx run ghost:test:e2e                             ✅ Succeeded  2m 30s
nx run-many --target=build --projects=tag:publi... ✅ Succeeded  2s
nx run-many -t lint -p ghost                      ✅ Succeeded  35s
nx run @tryghost/admin:build                      ✅ Succeeded  18s
nx run-many -t test:unit -p ghost                 ✅ Succeeded  30s
Additional runs (2)                               ✅ Succeeded  ...


☁️ Nx Cloud last updated this comment at 2026-06-25 18:12:39 UTC

ref https://linear.app/ghost/issue/BER-3748/

- removing the Author gift links permission changed the fixtures, so the integrity hash and the permissions-roles relation count in the fixture tests needed updating to match