@momentumcms/server-express 0.5.3 → 0.5.4

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 0.5.4 (2026-03-07)
+
+### 🚀 Features
+
+- Versioning & drafts with draft/publish workflow ([#50](https://github.com/DonaldMurillo/momentum-cms/pull/50))
+
+### ❤️ Thank You
+
+- Claude Haiku 4.5
+- Claude Opus 4.6
+- Donald Murillo @DonaldMurillo
+
 ## 0.5.0 (2026-02-23)
 
 This was a version bump only for server-express to align it with other projects, there were no code changes.

package/index.cjs

@@ -2335,6 +2335,14 @@ function createSeedHelpers() {
   };
 }
 
+// libs/core/src/lib/versions/version.types.ts
+function hasVersionDrafts(collection) {
+  const v = collection.versions;
+  if (!v || typeof v === "boolean")
+    return false;
+  return !!v.drafts;
+}
+
 // libs/server-core/src/lib/field-access.ts
 function hasFieldAccessControl(fields) {
   for (const field of fields) {
@@ -2921,13 +2929,18 @@ var VersionOperationsImpl = class {
     }
     return "draft";
   }
-  async compare(versionId1, versionId2) {
+  async compare(versionId1, versionId2, parentId) {
     await this.checkAccess("readVersions");
     const version1 = await this.findVersionById(versionId1);
     const version2 = await this.findVersionById(versionId2);
     if (!version1 || !version2) {
       throw new Error("One or both versions not found");
     }
+    if (parentId) {
+      if (version1.parent !== parentId || version2.parent !== parentId) {
+        throw new Error("Version does not belong to the specified document");
+      }
+    }
     const data1 = version1.version;
     const data2 = version2.version;
     if (!isRecord(data1) || !isRecord(data2)) {
@@ -2982,6 +2995,9 @@ var VersionOperationsImpl = class {
   // Private Helpers
   // ============================================
   async checkAccess(operation) {
+    if (this.context.overrideAccess) {
+      return;
+    }
     const accessFn = this.collectionConfig.access?.[operation];
     if (!accessFn) {
       return;
@@ -3138,6 +3154,12 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
         Object.assign(whereParams, constraints);
       }
     }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        whereParams["_status"] = "published";
+      }
+    }
     const query = {
       ...queryOptions,
       ...whereParams,
@@ -3200,6 +3222,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     doc[softDeleteField]) {
       return null;
     }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        const record = doc;
+        if (record["_status"] !== "published") {
+          return null;
+        }
+      }
+    }
     if (!this.matchesDefaultWhereConstraints(doc)) {
       return null;
     }
@@ -3285,6 +3316,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     if (!this.matchesDefaultWhereConstraints(originalDoc)) {
       throw new DocumentNotFoundError(this.slug, id);
     }
+    if (hasVersionDrafts(this.collectionConfig) && this.adapter.createVersion) {
+      const status = originalDoc["_status"] ?? "draft";
+      await this.adapter.createVersion(this.slug, id, originalDoc, { status });
+      const versionsConfig = this.collectionConfig.versions;
+      const maxPerDoc = typeof versionsConfig === "object" && versionsConfig !== null ? versionsConfig.maxPerDoc : void 0;
+      if (maxPerDoc && this.adapter.deleteVersions) {
+        await this.adapter.deleteVersions(this.slug, id, maxPerDoc);
+      }
+    }
     let processedData = data;
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && softDeleteField in processedData) {
@@ -3616,6 +3656,30 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       throw new AccessDeniedError(operation, this.slug);
     }
   }
+  /**
+   * Check if the current user can see draft documents (non-throwing).
+   * Uses `access.readDrafts` if configured, otherwise falls back to `access.update`.
+   */
+  async canReadDrafts() {
+    if (!this.context.user)
+      return false;
+    const readDraftsFn = this.collectionConfig.access?.readDrafts;
+    if (readDraftsFn) {
+      try {
+        return !!await Promise.resolve(readDraftsFn({ req: this.buildRequestContext() }));
+      } catch {
+        return false;
+      }
+    }
+    const updateFn = this.collectionConfig.access?.update;
+    if (!updateFn)
+      return true;
+    try {
+      return !!await Promise.resolve(updateFn({ req: this.buildRequestContext() }));
+    } catch {
+      return false;
+    }
+  }
   buildRequestContext() {
     return {
       user: this.context.user
@@ -4752,7 +4816,7 @@ function startPublishScheduler(adapter, collections, options) {
         const scheduled = await adapter.findScheduledDocuments(collection.slug, now);
         for (const doc of scheduled) {
           try {
-            const api = getMomentumAPI();
+            const api = getMomentumAPI().setContext({ overrideAccess: true });
             const versionOps = api.collection(collection.slug).versions();
             if (!versionOps)
               continue;
@@ -4859,8 +4923,9 @@ function buildGraphQLSchema(collections) {
   }
   function getOrCreateEnum(field, parentName) {
     const key = `${parentName}_${field.name}`;
-    if (enumCache.has(key)) {
-      return enumCache.get(key);
+    const cached = enumCache.get(key);
+    if (cached) {
+      return cached;
     }
     const values = {};
     for (const opt of field.options) {
@@ -4971,8 +5036,9 @@ function buildGraphQLSchema(collections) {
     }
   }
   function getOrCreateObjectType(fields, typeName) {
-    if (typeCache.has(typeName)) {
-      return typeCache.get(typeName);
+    const cachedType = typeCache.get(typeName);
+    if (cachedType) {
+      return cachedType;
     }
     const objType = new import_graphql2.GraphQLObjectType({
       name: typeName,
@@ -4993,8 +5059,9 @@ function buildGraphQLSchema(collections) {
   }
   function getOrCreateInputType(fields, typeName) {
     const inputName = `${typeName}Input`;
-    if (inputCache.has(inputName)) {
-      return inputCache.get(inputName);
+    const cachedInput = inputCache.get(inputName);
+    if (cachedInput) {
+      return cachedInput;
     }
     const inputType = new import_graphql2.GraphQLInputObjectType({
       name: inputName,
@@ -6823,6 +6890,10 @@ function momentumApiMiddleware(config) {
       res.json(result);
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to fetch versions", message });
     }
   });
@@ -6851,6 +6922,10 @@ function momentumApiMiddleware(config) {
       res.json(version);
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to fetch version", message });
     }
   });
@@ -6889,6 +6964,10 @@ function momentumApiMiddleware(config) {
         res.status(400).json({ error: "Version parent mismatch", message });
         return;
       }
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to restore version", message });
     }
   });
@@ -6910,6 +6989,10 @@ function momentumApiMiddleware(config) {
       res.json({ doc: published, message: "Document published successfully" });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to publish document", message });
     }
   });
@@ -6939,6 +7022,10 @@ function momentumApiMiddleware(config) {
       res.json(result);
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to schedule publish", message });
     }
   });
@@ -6960,6 +7047,10 @@ function momentumApiMiddleware(config) {
       res.json({ message: "Scheduled publish cancelled" });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to cancel scheduled publish", message });
     }
   });
@@ -6981,6 +7072,10 @@ function momentumApiMiddleware(config) {
       res.json({ doc: unpublished, message: "Document unpublished successfully" });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to unpublish document", message });
     }
   });
@@ -7003,6 +7098,10 @@ function momentumApiMiddleware(config) {
       res.json({ version: draft, message: "Draft saved successfully" });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to save draft", message });
     }
   });
@@ -7028,10 +7127,15 @@ function momentumApiMiddleware(config) {
         });
         return;
       }
-      const differences = await versionOps.compare(versionId1, versionId2);
+      const parentId = req.params["id"];
+      const differences = await versionOps.compare(versionId1, versionId2, parentId);
       res.json({ differences });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to compare versions", message });
     }
   });

package/index.js

@@ -2291,6 +2291,14 @@ function createSeedHelpers() {
   };
 }
 
+// libs/core/src/lib/versions/version.types.ts
+function hasVersionDrafts(collection) {
+  const v = collection.versions;
+  if (!v || typeof v === "boolean")
+    return false;
+  return !!v.drafts;
+}
+
 // libs/server-core/src/lib/field-access.ts
 function hasFieldAccessControl(fields) {
   for (const field of fields) {
@@ -2877,13 +2885,18 @@ var VersionOperationsImpl = class {
     }
     return "draft";
   }
-  async compare(versionId1, versionId2) {
+  async compare(versionId1, versionId2, parentId) {
     await this.checkAccess("readVersions");
     const version1 = await this.findVersionById(versionId1);
     const version2 = await this.findVersionById(versionId2);
     if (!version1 || !version2) {
       throw new Error("One or both versions not found");
     }
+    if (parentId) {
+      if (version1.parent !== parentId || version2.parent !== parentId) {
+        throw new Error("Version does not belong to the specified document");
+      }
+    }
     const data1 = version1.version;
     const data2 = version2.version;
     if (!isRecord(data1) || !isRecord(data2)) {
@@ -2938,6 +2951,9 @@ var VersionOperationsImpl = class {
   // Private Helpers
   // ============================================
   async checkAccess(operation) {
+    if (this.context.overrideAccess) {
+      return;
+    }
     const accessFn = this.collectionConfig.access?.[operation];
     if (!accessFn) {
       return;
@@ -3094,6 +3110,12 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
         Object.assign(whereParams, constraints);
       }
     }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        whereParams["_status"] = "published";
+      }
+    }
     const query = {
       ...queryOptions,
       ...whereParams,
@@ -3156,6 +3178,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     doc[softDeleteField]) {
       return null;
     }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        const record = doc;
+        if (record["_status"] !== "published") {
+          return null;
+        }
+      }
+    }
     if (!this.matchesDefaultWhereConstraints(doc)) {
       return null;
     }
@@ -3241,6 +3272,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     if (!this.matchesDefaultWhereConstraints(originalDoc)) {
       throw new DocumentNotFoundError(this.slug, id);
     }
+    if (hasVersionDrafts(this.collectionConfig) && this.adapter.createVersion) {
+      const status = originalDoc["_status"] ?? "draft";
+      await this.adapter.createVersion(this.slug, id, originalDoc, { status });
+      const versionsConfig = this.collectionConfig.versions;
+      const maxPerDoc = typeof versionsConfig === "object" && versionsConfig !== null ? versionsConfig.maxPerDoc : void 0;
+      if (maxPerDoc && this.adapter.deleteVersions) {
+        await this.adapter.deleteVersions(this.slug, id, maxPerDoc);
+      }
+    }
     let processedData = data;
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && softDeleteField in processedData) {
@@ -3572,6 +3612,30 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       throw new AccessDeniedError(operation, this.slug);
     }
   }
+  /**
+   * Check if the current user can see draft documents (non-throwing).
+   * Uses `access.readDrafts` if configured, otherwise falls back to `access.update`.
+   */
+  async canReadDrafts() {
+    if (!this.context.user)
+      return false;
+    const readDraftsFn = this.collectionConfig.access?.readDrafts;
+    if (readDraftsFn) {
+      try {
+        return !!await Promise.resolve(readDraftsFn({ req: this.buildRequestContext() }));
+      } catch {
+        return false;
+      }
+    }
+    const updateFn = this.collectionConfig.access?.update;
+    if (!updateFn)
+      return true;
+    try {
+      return !!await Promise.resolve(updateFn({ req: this.buildRequestContext() }));
+    } catch {
+      return false;
+    }
+  }
   buildRequestContext() {
     return {
       user: this.context.user
@@ -4708,7 +4772,7 @@ function startPublishScheduler(adapter, collections, options) {
         const scheduled = await adapter.findScheduledDocuments(collection.slug, now);
         for (const doc of scheduled) {
           try {
-            const api = getMomentumAPI();
+            const api = getMomentumAPI().setContext({ overrideAccess: true });
             const versionOps = api.collection(collection.slug).versions();
             if (!versionOps)
               continue;
@@ -4828,8 +4892,9 @@ function buildGraphQLSchema(collections) {
   }
   function getOrCreateEnum(field, parentName) {
     const key = `${parentName}_${field.name}`;
-    if (enumCache.has(key)) {
-      return enumCache.get(key);
+    const cached = enumCache.get(key);
+    if (cached) {
+      return cached;
     }
     const values = {};
     for (const opt of field.options) {
@@ -4940,8 +5005,9 @@ function buildGraphQLSchema(collections) {
     }
   }
   function getOrCreateObjectType(fields, typeName) {
-    if (typeCache.has(typeName)) {
-      return typeCache.get(typeName);
+    const cachedType = typeCache.get(typeName);
+    if (cachedType) {
+      return cachedType;
     }
     const objType = new GraphQLObjectType({
       name: typeName,
@@ -4962,8 +5028,9 @@ function buildGraphQLSchema(collections) {
   }
   function getOrCreateInputType(fields, typeName) {
     const inputName = `${typeName}Input`;
-    if (inputCache.has(inputName)) {
-      return inputCache.get(inputName);
+    const cachedInput = inputCache.get(inputName);
+    if (cachedInput) {
+      return cachedInput;
     }
     const inputType = new GraphQLInputObjectType({
       name: inputName,
@@ -6792,6 +6859,10 @@ function momentumApiMiddleware(config) {
       res.json(result);
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to fetch versions", message });
     }
   });
@@ -6820,6 +6891,10 @@ function momentumApiMiddleware(config) {
       res.json(version);
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to fetch version", message });
     }
   });
@@ -6858,6 +6933,10 @@ function momentumApiMiddleware(config) {
         res.status(400).json({ error: "Version parent mismatch", message });
         return;
       }
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to restore version", message });
     }
   });
@@ -6879,6 +6958,10 @@ function momentumApiMiddleware(config) {
       res.json({ doc: published, message: "Document published successfully" });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to publish document", message });
     }
   });
@@ -6908,6 +6991,10 @@ function momentumApiMiddleware(config) {
       res.json(result);
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to schedule publish", message });
     }
   });
@@ -6929,6 +7016,10 @@ function momentumApiMiddleware(config) {
       res.json({ message: "Scheduled publish cancelled" });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to cancel scheduled publish", message });
     }
   });
@@ -6950,6 +7041,10 @@ function momentumApiMiddleware(config) {
       res.json({ doc: unpublished, message: "Document unpublished successfully" });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to unpublish document", message });
     }
   });
@@ -6972,6 +7067,10 @@ function momentumApiMiddleware(config) {
       res.json({ version: draft, message: "Draft saved successfully" });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to save draft", message });
     }
   });
@@ -6997,10 +7096,15 @@ function momentumApiMiddleware(config) {
         });
         return;
       }
-      const differences = await versionOps.compare(versionId1, versionId2);
+      const parentId = req.params["id"];
+      const differences = await versionOps.compare(versionId1, versionId2, parentId);
       res.json({ differences });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
+      if (error instanceof Error && error.name === "AccessDeniedError") {
+        res.status(403).json({ error: "Access denied" });
+        return;
+      }
       res.status(500).json({ error: "Failed to compare versions", message });
     }
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@momentumcms/server-express",
-  "version": "0.5.3",
+  "version": "0.5.4",
   "description": "Express adapter for Momentum CMS with Angular SSR support",
   "license": "MIT",
   "author": "Momentum CMS Contributors",