@infuro/cms-core 1.0.16 → 1.0.18

package/dist/api.d.cts

@@ -1,3 +1,3 @@
-export { A as AnalyticsHandlerConfig, c as AuthHandlersConfig, B as BlogBySlugConfig, d as ChangePasswordConfig, e as CmsApiHandlerConfig, f as CmsGetter, g as CrudHandlerOptions, D as DashboardStatsConfig, h as EcommerceAnalyticsConfig, b as EntityMap, F as ForgotPasswordConfig, i as FormBySlugConfig, G as GetPublicSettingsGroupConfig, j as GetPublicSettingsGroupDataSource, I as InviteAcceptConfig, k as SetPasswordConfig, l as SettingsApiConfig, n as StorefrontApiConfig, o as StorefrontOtpFlags, U as UploadHandlerConfig, p as UserAuthApiConfig, q as UserAvatarConfig, r as UserProfileConfig, s as UsersApiConfig, t as createAnalyticsHandlers, u as createBlogBySlugHandler, v as createChangePasswordHandler, w as createCmsApiHandler, x as createCrudByIdHandler, y as createCrudHandler, z as createDashboardStatsHandler, H as createEcommerceAnalyticsHandler, J as createForgotPasswordHandler, K as createFormBySlugHandler, L as createInviteAcceptHandler, M as createMediaZipExtractHandler, N as createSetPasswordHandler, P as createSettingsApiHandlers, Q as createStorefrontApiHandler, R as createUploadHandler, V as createUserAuthApiRouter, W as createUserAvatarHandler, X as createUserProfileHandler, Y as createUsersApiHandlers, _ as getPublicSettingsGroup } from './index-h42MoUNq.cjs';
+export { A as AnalyticsHandlerConfig, c as AuthHandlersConfig, B as BlogBySlugConfig, d as ChangePasswordConfig, e as CmsApiHandlerConfig, f as CmsGetter, g as CrudHandlerOptions, D as DashboardStatsConfig, h as EcommerceAnalyticsConfig, b as EntityMap, F as ForgotPasswordConfig, i as FormBySlugConfig, G as GetPublicSettingsGroupConfig, j as GetPublicSettingsGroupDataSource, I as InviteAcceptConfig, k as SetPasswordConfig, l as SettingsApiConfig, n as StorefrontApiConfig, o as StorefrontOtpFlags, U as UploadHandlerConfig, p as UserAuthApiConfig, q as UserAvatarConfig, r as UserProfileConfig, s as UsersApiConfig, t as createAnalyticsHandlers, u as createBlogBySlugHandler, v as createChangePasswordHandler, w as createCmsApiHandler, x as createCrudByIdHandler, y as createCrudHandler, z as createDashboardStatsHandler, H as createEcommerceAnalyticsHandler, J as createForgotPasswordHandler, K as createFormBySlugHandler, L as createInviteAcceptHandler, M as createMediaZipExtractHandler, N as createSetPasswordHandler, P as createSettingsApiHandlers, Q as createStorefrontApiHandler, R as createUploadHandler, V as createUserAuthApiRouter, W as createUserAvatarHandler, X as createUserProfileHandler, Y as createUsersApiHandlers, _ as getPublicSettingsGroup } from './index-D2C1O9b4.cjs';
 import 'typeorm';
 import './helpers-dlrF_49e.cjs';

package/dist/api.d.ts

@@ -1,3 +1,3 @@
-export { A as AnalyticsHandlerConfig, c as AuthHandlersConfig, B as BlogBySlugConfig, d as ChangePasswordConfig, e as CmsApiHandlerConfig, f as CmsGetter, g as CrudHandlerOptions, D as DashboardStatsConfig, h as EcommerceAnalyticsConfig, b as EntityMap, F as ForgotPasswordConfig, i as FormBySlugConfig, G as GetPublicSettingsGroupConfig, j as GetPublicSettingsGroupDataSource, I as InviteAcceptConfig, k as SetPasswordConfig, l as SettingsApiConfig, n as StorefrontApiConfig, o as StorefrontOtpFlags, U as UploadHandlerConfig, p as UserAuthApiConfig, q as UserAvatarConfig, r as UserProfileConfig, s as UsersApiConfig, t as createAnalyticsHandlers, u as createBlogBySlugHandler, v as createChangePasswordHandler, w as createCmsApiHandler, x as createCrudByIdHandler, y as createCrudHandler, z as createDashboardStatsHandler, H as createEcommerceAnalyticsHandler, J as createForgotPasswordHandler, K as createFormBySlugHandler, L as createInviteAcceptHandler, M as createMediaZipExtractHandler, N as createSetPasswordHandler, P as createSettingsApiHandlers, Q as createStorefrontApiHandler, R as createUploadHandler, V as createUserAuthApiRouter, W as createUserAvatarHandler, X as createUserProfileHandler, Y as createUsersApiHandlers, _ as getPublicSettingsGroup } from './index-C85X7cc7.js';
+export { A as AnalyticsHandlerConfig, c as AuthHandlersConfig, B as BlogBySlugConfig, d as ChangePasswordConfig, e as CmsApiHandlerConfig, f as CmsGetter, g as CrudHandlerOptions, D as DashboardStatsConfig, h as EcommerceAnalyticsConfig, b as EntityMap, F as ForgotPasswordConfig, i as FormBySlugConfig, G as GetPublicSettingsGroupConfig, j as GetPublicSettingsGroupDataSource, I as InviteAcceptConfig, k as SetPasswordConfig, l as SettingsApiConfig, n as StorefrontApiConfig, o as StorefrontOtpFlags, U as UploadHandlerConfig, p as UserAuthApiConfig, q as UserAvatarConfig, r as UserProfileConfig, s as UsersApiConfig, t as createAnalyticsHandlers, u as createBlogBySlugHandler, v as createChangePasswordHandler, w as createCmsApiHandler, x as createCrudByIdHandler, y as createCrudHandler, z as createDashboardStatsHandler, H as createEcommerceAnalyticsHandler, J as createForgotPasswordHandler, K as createFormBySlugHandler, L as createInviteAcceptHandler, M as createMediaZipExtractHandler, N as createSetPasswordHandler, P as createSettingsApiHandlers, Q as createStorefrontApiHandler, R as createUploadHandler, V as createUserAuthApiRouter, W as createUserAvatarHandler, X as createUserProfileHandler, Y as createUsersApiHandlers, _ as getPublicSettingsGroup } from './index-GMn7-9PX.js';
 import 'typeorm';
 import './helpers-dlrF_49e.js';

package/dist/api.js

@@ -520,6 +520,28 @@ function buildSearchWhereClause(repo, search) {
   if (ors.length === 0) return {};
   return ors.length === 1 ? ors[0] : ors;
 }
+function entityHasSoftDelete(repo) {
+  return repo.metadata.columns.some((c) => c.propertyName === "deleted");
+}
+function mergeDeletedFalseWhere(repo, where) {
+  if (!entityHasSoftDelete(repo)) return where;
+  const d = { deleted: false };
+  if (Array.isArray(where)) {
+    if (where.length === 0) return [d];
+    return where.map((w) => ({ ...w, ...d }));
+  }
+  return Object.keys(where).length > 0 ? { ...where, ...d } : d;
+}
+function buildSoftDeletePayload(meta, deletedBy) {
+  const payload = { deleted: true };
+  if (meta.columns.some((c) => c.propertyName === "deletedAt")) {
+    payload.deletedAt = /* @__PURE__ */ new Date();
+  }
+  if (deletedBy != null && meta.columns.some((c) => c.propertyName === "deletedBy")) {
+    payload.deletedBy = deletedBy;
+  }
+  return payload;
+}
 function makeContactErpSync(dataSource, entityMap, getCms) {
   return async function syncContactRowToErp(row) {
     if (!getCms) return;
@@ -544,10 +566,11 @@ function createCrudHandler(dataSource, entityMap, options) {
   async function authz(req, resource, action) {
     const authError = await requireAuth(req);
     if (authError) return authError;
-    if (reqPerm) {
-      const pe = await reqPerm(req, resource, action);
-      if (pe) return pe;
+    if (!reqPerm) {
+      return json({ error: "Forbidden", reason: "entity_rbac_required", entity: resource, action }, { status: 403 });
     }
+    const pe = await reqPerm(req, resource, action);
+    if (pe) return pe;
     return null;
   }
   return {
@@ -583,7 +606,7 @@ function createCrudHandler(dataSource, entityMap, options) {
             return json({ total: 0, page, limit, totalPages: 0, data: [] });
           }
         }
-        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").orderBy(`order.${sortField2}`, sortOrderOrders).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").andWhere("order.deleted = :orderDel", { orderDel: false }).orderBy(`order.${sortField2}`, sortOrderOrders).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -621,7 +644,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const dateTo = searchParams.get("dateTo")?.trim();
         const methodFilter = searchParams.get("method")?.trim();
         const orderNumberParam = searchParams.get("orderNumber")?.trim();
-        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").orderBy(`payment.${sortField2}`, sortOrderPayments).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").andWhere("payment.deleted = :payDel", { payDel: false }).orderBy(`payment.${sortField2}`, sortOrderPayments).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -652,7 +675,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const repo2 = dataSource.getRepository(entity);
         const statusFilter = searchParams.get("status")?.trim();
         const inventory = searchParams.get("inventory")?.trim();
-        const productWhere = {};
+        const productWhere = { deleted: false };
         if (statusFilter) productWhere.status = statusFilter;
         if (inventory === "in_stock") productWhere.quantity = MoreThan(0);
         if (inventory === "out_of_stock") productWhere.quantity = 0;
@@ -675,7 +698,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const typeFilter2 = searchParams.get("type")?.trim();
         const orderIdParam = searchParams.get("orderId")?.trim();
         const includeSummary = searchParams.get("includeSummary") === "1";
-        const qb = repo2.createQueryBuilder("contact").orderBy(`contact.${sortField2}`, sortOrderContacts).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("contact").andWhere("contact.deleted = :contactDel", { contactDel: false }).orderBy(`contact.${sortField2}`, sortOrderContacts).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere("(contact.name ILIKE :term OR contact.email ILIKE :term OR contact.phone ILIKE :term)", { term });
@@ -716,9 +739,9 @@ function createCrudHandler(dataSource, entityMap, options) {
         if (parentIdParam != null && parentIdParam !== "") {
           const n = Number(parentIdParam);
           if (!Number.isFinite(n)) return json({ error: "Invalid parentId" }, { status: 400 });
-          qb.where("m.parentId = :pid", { pid: n });
+          qb.where("m.deleted = :mediaDel AND m.parentId = :pid", { mediaDel: false, pid: n });
         } else {
-          qb.where("m.parentId IS NULL");
+          qb.where("m.deleted = :mediaDel AND m.parentId IS NULL", { mediaDel: false });
         }
         if (search && typeof search === "string" && search.trim()) {
           qb.andWhere("m.filename ILIKE :search", { search: `%${search.trim()}%` });
@@ -762,6 +785,7 @@ function createCrudHandler(dataSource, entityMap, options) {
           where = extraWhere;
         }
       }
+      where = mergeDeletedFalseWhere(repo, where);
       const [data, total] = await repo.findAndCount({
         skip,
         take: limit,
@@ -929,15 +953,16 @@ function createCrudHandler(dataSource, entityMap, options) {
   };
 }
 function createCrudByIdHandler(dataSource, entityMap, options) {
-  const { requireAuth, json, requireEntityPermission: reqPerm, getCms } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm, getCms, getDeletedByUserId } = options;
   const syncContactRowToErp = makeContactErpSync(dataSource, entityMap, getCms);
   async function authz(req, resource, action) {
     const authError = await requireAuth(req);
     if (authError) return authError;
-    if (reqPerm) {
-      const pe = await reqPerm(req, resource, action);
-      if (pe) return pe;
+    if (!reqPerm) {
+      return json({ error: "Forbidden", reason: "entity_rbac_required", entity: resource, action }, { status: 403 });
     }
+    const pe = await reqPerm(req, resource, action);
+    if (pe) return pe;
     return null;
   }
   return {
@@ -949,7 +974,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       if (resource === "orders") {
         const order = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["contact", "billingAddress", "shippingAddress", "items", "items.product", "items.product.collection", "payments"]
         });
         if (!order) return json({ message: "Not found" }, { status: 404 });
@@ -961,7 +986,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "contacts") {
         const contact = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["form_submissions", "form_submissions.form", "orders", "payments", "addresses"]
         });
         if (!contact) return json({ message: "Not found" }, { status: 404 });
@@ -983,7 +1008,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "payments") {
         const payment = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["order", "order.contact", "contact"]
         });
         if (!payment) return json({ message: "Not found" }, { status: 404 });
@@ -991,12 +1016,13 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "blogs") {
         const blog = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["category", "seo", "tags"]
         });
         return blog ? json(blog) : json({ message: "Not found" }, { status: 404 });
       }
-      const item = await repo.findOne({ where: { id: Number(id) } });
+      const idWhere = entityHasSoftDelete(repo) ? { id: Number(id), deleted: false } : { id: Number(id) };
+      const item = await repo.findOne({ where: idWhere });
       return item ? json(item) : json({ message: "Not found" }, { status: 404 });
     },
     async PUT(req, resource, id) {
@@ -1008,7 +1034,9 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       const numericId = Number(id);
       if (resource === "blogs" && rawBody && typeof rawBody === "object" && entityMap.categories && entityMap.seos && entityMap.tags) {
-        const existing = await repo.findOne({ where: { id: numericId } });
+        const existing = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
         if (!existing) return json({ message: "Not found" }, { status: 404 });
         const updatePayload2 = pickColumnUpdates(repo, rawBody);
         if ("category" in rawBody) {
@@ -1084,6 +1112,12 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
         });
         return updated2 ? json(updated2) : json({ message: "Not found" }, { status: 404 });
       }
+      if (entityHasSoftDelete(repo)) {
+        const cur = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
+        if (!cur) return json({ message: "Not found" }, { status: 404 });
+      }
       const updatePayload = rawBody && typeof rawBody === "object" ? pickColumnUpdates(repo, rawBody) : {};
       if (resource === "media") {
         const u = updatePayload;
@@ -1110,7 +1144,24 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
       const repo = dataSource.getRepository(entity);
-      const result = await repo.delete(Number(id));
+      const numericId = Number(id);
+      if (entityHasSoftDelete(repo)) {
+        const existing = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
+        if (!existing) return json({ message: "Not found" }, { status: 404 });
+        let deletedBy = null;
+        if (getDeletedByUserId) {
+          try {
+            deletedBy = await getDeletedByUserId(req);
+          } catch {
+            deletedBy = null;
+          }
+        }
+        await repo.update(numericId, buildSoftDeletePayload(repo.metadata, deletedBy));
+        return json({ message: "Deleted successfully" }, { status: 200 });
+      }
+      const result = await repo.delete(numericId);
       if (result.affected === 0) return json({ message: "Not found" }, { status: 404 });
       return json({ message: "Deleted successfully" }, { status: 200 });
     }
@@ -2218,7 +2269,7 @@ function createFormSubmissionHandler(config) {
   };
 }
 function createUsersApiHandlers(config) {
-  const { dataSource, entityMap, json, requireAuth, requireEntityPermission, baseUrl, getCms, getCompanyDetails } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission, baseUrl, getCms, getCompanyDetails, getSessionUser } = config;
   async function trySendInviteEmail(toEmail, inviteLink, inviteeName) {
     if (!getCms) return;
     try {
@@ -2254,7 +2305,10 @@ function createUsersApiHandlers(config) {
         const sortField = url.searchParams.get("sortField") || "createdAt";
         const sortOrder = url.searchParams.get("sortOrder") === "desc" ? "DESC" : "ASC";
         const search = url.searchParams.get("search");
-        const where = search ? [{ name: ILike2(`%${search}%`) }, { email: ILike2(`%${search}%`) }] : {};
+        const where = search ? [
+          { name: ILike2(`%${search}%`), deleted: false },
+          { email: ILike2(`%${search}%`), deleted: false }
+        ] : { deleted: false };
         const [data, total] = await userRepo().findAndCount({
           skip,
           take: limit,
@@ -2319,7 +2373,7 @@ function createUsersApiHandlers(config) {
       }
       try {
         const user = await userRepo().findOne({
-          where: { id: parseInt(id, 10) },
+          where: { id: parseInt(id, 10), deleted: false },
           relations: ["group"],
           select: ["id", "name", "email", "blocked", "createdAt", "updatedAt", "groupId"]
         });
@@ -2337,11 +2391,14 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
+        const uid = parseInt(id, 10);
+        const existing = await userRepo().findOne({ where: { id: uid, deleted: false } });
+        if (!existing) return json({ error: "Not found" }, { status: 404 });
         const body = await req.json();
         const { password: _p, ...safe } = body;
-        await userRepo().update(parseInt(id, 10), safe);
+        await userRepo().update(uid, safe);
         const updated = await userRepo().findOne({
-          where: { id: parseInt(id, 10) },
+          where: { id: uid, deleted: false },
           relations: ["group"],
           select: ["id", "name", "email", "blocked", "createdAt", "updatedAt", "groupId"]
         });
@@ -2358,8 +2415,23 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
-        const r = await userRepo().delete(parseInt(id, 10));
-        if (r.affected === 0) return json({ error: "User not found" }, { status: 404 });
+        const uid = parseInt(id, 10);
+        const existing = await userRepo().findOne({ where: { id: uid, deleted: false } });
+        if (!existing) return json({ error: "User not found" }, { status: 404 });
+        let deletedBy = null;
+        if (getSessionUser) {
+          try {
+            const u = await getSessionUser();
+            if (u?.id) {
+              const n = Number(u.id);
+              if (Number.isFinite(n)) deletedBy = n;
+            }
+          } catch {
+          }
+        }
+        const payload = { deleted: true, deletedAt: /* @__PURE__ */ new Date() };
+        if (deletedBy != null) payload.deletedBy = deletedBy;
+        await userRepo().update(uid, payload);
         return json({ message: "User deleted successfully" });
       } catch {
         return json({ error: "Server Error" }, { status: 500 });
@@ -2373,7 +2445,10 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
-        const user = await userRepo().findOne({ where: { id: parseInt(id, 10) }, select: ["email", "name"] });
+        const user = await userRepo().findOne({
+          where: { id: parseInt(id, 10), deleted: false },
+          select: ["email", "name"]
+        });
         if (!user) return json({ error: "User not found" }, { status: 404 });
         const emailToken = Buffer.from(user.email).toString("base64");
         const inviteLink = `${baseUrl}/admin/invite?token=${emailToken}`;
@@ -2996,9 +3071,10 @@ function createCmsApiHandler(config) {
     userProfile,
     settings: settingsConfig,
     chat: chatConfig,
-    requireEntityPermission: reqEntityPerm,
+    requireEntityPermission: userRequireEntityPermission,
     getSessionUser
   } = config;
+  const requireEntityPermissionEffective = userRequireEntityPermission ?? (async (_req, entity, action) => config.json({ error: "Forbidden", reason: "entity_rbac_required", entity, action }, { status: 403 }));
   const analytics = analyticsConfig ?? (getCms ? {
     json: config.json,
     requireAuth: async () => null,
@@ -3036,12 +3112,20 @@ function createCmsApiHandler(config) {
   const crudOpts = {
     requireAuth: config.requireAuth,
     json: config.json,
-    requireEntityPermission: reqEntityPerm,
-    getCms
+    requireEntityPermission: requireEntityPermissionEffective,
+    getCms,
+    ...getSessionUser ? {
+      getDeletedByUserId: async () => {
+        const u = await getSessionUser();
+        if (!u?.id) return null;
+        const n = Number(u.id);
+        return Number.isFinite(n) ? n : null;
+      }
+    } : {}
   };
   const crud = createCrudHandler(dataSource, entityMap, crudOpts);
   const crudById = createCrudByIdHandler(dataSource, entityMap, crudOpts);
-  const mergePerm = (c) => !c ? void 0 : reqEntityPerm ? { ...c, requireEntityPermission: reqEntityPerm } : c;
+  const mergePerm = (c) => !c ? void 0 : { ...c, requireEntityPermission: requireEntityPermissionEffective };
   const adminRoles = getSessionUser && createAdminRolesHandlers({
     dataSource,
     entityMap,
@@ -3057,12 +3141,7 @@ function createCmsApiHandler(config) {
       json: config.json,
       requireAuth: config.requireAuth
     }
-  ) ?? {
-    dataSource,
-    entityMap,
-    json: config.json,
-    requireAuth: config.requireAuth
-  };
+  );
   const ecommerceAnalyticsGet = createEcommerceAnalyticsHandler(ecommerceAnalyticsResolved);
   const analyticsHandlers = analytics ? createAnalyticsHandlers(analytics) : null;
   const uploadMerged = upload ? {
@@ -3081,7 +3160,11 @@ function createCmsApiHandler(config) {
   const usersApiMerged = usersApi && getCms ? {
     ...usersApi,
     getCms: usersApi.getCms ?? getCms,
-    getCompanyDetails: usersApi.getCompanyDetails ?? config.getCompanyDetails
+    getCompanyDetails: usersApi.getCompanyDetails ?? config.getCompanyDetails,
+    ...getSessionUser ? { getSessionUser: usersApi.getSessionUser ?? getSessionUser } : {}
+  } : usersApi ? {
+    ...usersApi,
+    ...getSessionUser ? { getSessionUser: usersApi.getSessionUser ?? getSessionUser } : {}
   } : usersApi;
   const usersHandlers = usersApiMerged ? createUsersApiHandlers(mergePerm(usersApiMerged) ?? usersApiMerged) : null;
   const avatarPost = userAvatar ? createUserAvatarHandler(userAvatar) : null;
@@ -3092,7 +3175,7 @@ function createCmsApiHandler(config) {
     entityMap,
     json: config.json,
     requireAuth: config.requireAuth,
-    requireEntityPermission: reqEntityPerm
+    requireEntityPermission: requireEntityPermissionEffective
   });
   const chatHandlers = chatConfig ? createChatHandlers(chatConfig) : null;
   function resolveResource(segment) {
@@ -3101,12 +3184,10 @@ function createCmsApiHandler(config) {
   }
   return {
     async handle(method, path, req) {
-      const perm = reqEntityPerm;
       async function analyticsGate() {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) return perm(req, "analytics", "read");
-        return null;
+        return requireEntityPermissionEffective(req, "analytics", "read");
       }
       if (path[0] === "admin" && path[1] === "roles") {
         if (!adminRoles) return config.json({ error: "Not found" }, { status: 404 });
@@ -3190,19 +3271,17 @@ function createCmsApiHandler(config) {
         const group = path[1];
         const isPublic = settingsConfig?.publicGetGroups?.includes(group);
         if (method === "GET") {
-          if (!isPublic && perm) {
+          if (!isPublic) {
             const a = await config.requireAuth(req);
             if (a) return a;
-            const pe = await perm(req, "settings", "read");
+            const pe = await requireEntityPermissionEffective(req, "settings", "read");
             if (pe) return pe;
           }
           return settingsHandlers.GET(req, group);
         }
         if (method === "PUT") {
-          if (perm) {
-            const pe = await perm(req, "settings", "update");
-            if (pe) return pe;
-          }
+          const pe = await requireEntityPermissionEffective(req, "settings", "update");
+          if (pe) return pe;
           return settingsHandlers.PUT(req, group);
         }
       }
@@ -3218,10 +3297,8 @@ function createCmsApiHandler(config) {
       if (path[0] === "orders" && path.length === 3 && path[2] === "invoice" && method === "GET" && getCms) {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) {
-          const pe = await perm(req, "orders", "read");
-          if (pe) return pe;
-        }
+        const pe = await requireEntityPermissionEffective(req, "orders", "read");
+        if (pe) return pe;
         const cms = await getCms();
         const { streamOrderInvoicePdf: streamOrderInvoicePdf2 } = await Promise.resolve().then(() => (init_erp_order_invoice(), erp_order_invoice_exports));
         const oid = Number(path[1]);
@@ -3231,10 +3308,8 @@ function createCmsApiHandler(config) {
       if (path[0] === "orders" && path.length === 3 && path[2] === "repost-erp" && getCms) {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) {
-          const pe = await perm(req, "orders", method === "GET" ? "read" : "update");
-          if (pe) return pe;
-        }
+        const pe = await requireEntityPermissionEffective(req, "orders", method === "GET" ? "read" : "update");
+        if (pe) return pe;
         const oid = Number(path[1]);
         if (!Number.isFinite(oid)) return config.json({ error: "Invalid id" }, { status: 400 });
         const cms = await getCms();