@plank-cms/plank 0.15.3 → 0.17.0

package/dist/{server-TQTYSOGD.js → server-P4JVP3GT.js}

@@ -45,12 +45,26 @@ var DEFAULT_ROLE_PERMISSIONS = {
     "settings:webhooks:write",
     "settings:webhooks:delete"
   ],
-  "User": [
+  "Contributor": [
     "content-types:read",
     "entries:read",
     "entries:write",
+    "entries:delete",
     "media:read",
     "media:write"
+  ],
+  "Editor": [
+    "content-types:read",
+    "entries:read",
+    "entries:write",
+    "entries:delete",
+    "media:read",
+    "media:write"
+  ],
+  "Viewer": [
+    "content-types:read",
+    "entries:read",
+    "media:read"
   ]
 };
 
@@ -289,7 +303,7 @@ async function createTable(contentType) {
   await pool_default.query(sql);
   try {
     await pool_default.query(`CREATE INDEX IF NOT EXISTS idx_${contentType.tableName}_localized_gin ON ${quotedTableName} USING gin (localized)`);
-  } catch (err) {
+  } catch {
   }
   for (const field of contentType.fields) {
     if (field.type === "relation" && (field.relationType ?? "many-to-one") === "many-to-many" && field.relatedTable) {
@@ -397,10 +411,10 @@ async function syncAllTables() {
         existingColumns.add("localized");
         try {
           await pool_default.query(`CREATE INDEX IF NOT EXISTS idx_${ct.tableName}_localized_gin ON ${quotedTableName} USING gin (localized)`);
-        } catch (err) {
+        } catch {
         }
         console.log(`[plank] Added missing column "localized" to table "${ct.tableName}"`);
-      } catch (err) {
+      } catch {
       }
     }
     for (const field of ct.fields) {
@@ -423,6 +437,18 @@ async function syncAllTables() {
 // ../schema/dist/validator.js
 var MAX_NAVIGATION_DEPTH = 3;
 var MAX_NAVIGATION_ITEMS_PER_LEVEL = 20;
+function isMixedArrayValue(value) {
+  if (typeof value !== "object" || value === null)
+    return false;
+  const v3 = value;
+  if (v3.kind === "string")
+    return typeof v3.value === "string";
+  if (v3.kind === "number")
+    return typeof v3.value === "number" && !isNaN(v3.value);
+  if (v3.kind === "boolean")
+    return typeof v3.value === "boolean";
+  return false;
+}
 function validateNavigationItems(value, fieldName, errors, path = fieldName, depth = 1) {
   if (!Array.isArray(value)) {
     errors.push(`Field "${path}" must be an array`);
@@ -535,6 +561,36 @@ function validate(contentType, payload) {
               const subEmpty = subValue === void 0 || subValue === null || subValue === "";
               if (subField.required && subEmpty) {
                 errors.push(`Field "${field.name}[${i2}].${subField.name}" is required`);
+                continue;
+              }
+              if (subEmpty)
+                continue;
+              if (subField.type === "string" || subField.type === "text" || subField.type === "richtext") {
+                if (typeof subValue !== "string") {
+                  errors.push(`Field "${field.name}[${i2}].${subField.name}" must be a string`);
+                }
+              } else if (subField.type === "number") {
+                if (typeof subValue !== "number" || isNaN(subValue)) {
+                  errors.push(`Field "${field.name}[${i2}].${subField.name}" must be a number`);
+                } else if (subField.subtype !== "float" && !Number.isInteger(subValue)) {
+                  errors.push(`Field "${field.name}[${i2}].${subField.name}" must be an integer`);
+                }
+              } else if (subField.type === "boolean") {
+                if (typeof subValue !== "boolean") {
+                  errors.push(`Field "${field.name}[${i2}].${subField.name}" must be a boolean`);
+                }
+              } else if (subField.type === "datetime") {
+                if (!(subValue instanceof Date) && isNaN(Date.parse(String(subValue)))) {
+                  errors.push(`Field "${field.name}[${i2}].${subField.name}" must be a valid date`);
+                }
+              } else if (subField.type === "media") {
+                if (typeof subValue !== "string" || !subValue.trim()) {
+                  errors.push(`Field "${field.name}[${i2}].${subField.name}" must be a non-empty string URL`);
+                }
+              } else if (subField.type === "mixed") {
+                if (!isMixedArrayValue(subValue)) {
+                  errors.push(`Field "${field.name}[${i2}].${subField.name}" must be a mixed value object with kind/value`);
+                }
               }
             }
           }
@@ -2103,7 +2159,7 @@ var localProvider = {
     const base = await publicUrl();
     return { url: `${base}/uploads/${key}`, key };
   },
-  async uploadRaw(buffer, exactKey, mimeType) {
+  async uploadRaw(buffer, exactKey, _mimeType) {
     const base_dir = await uploadsDir();
     const dir = join3(base_dir, exactKey.split("/").slice(0, -1).join("/"));
     await mkdir(dir, { recursive: true });
@@ -2427,7 +2483,7 @@ async function login(req, res) {
     res.status(429).json({ error: "Too many login attempts. Try again in 15 minutes." });
     return;
   }
-  const { rows } = await pool_default.query(`SELECT id, email, password, role_id, first_name, last_name, avatar_url, job_title, organization, country, two_factor_enabled, two_factor_secret, session_version
+  const { rows } = await pool_default.query(`SELECT id, email, password, role_id, first_name, last_name, avatar_url, job_title, organization, country, two_factor_enabled, two_factor_secret, enabled, session_version
      FROM plank_users
      WHERE email = $1`, [email]);
   const user = rows[0];
@@ -2435,6 +2491,10 @@ async function login(req, res) {
     res.status(401).json({ error: "Invalid credentials" });
     return;
   }
+  if (!user.enabled) {
+    res.status(403).json({ error: "User is disabled" });
+    return;
+  }
   await clearRateLimit("login", rateKey);
   if (user.two_factor_enabled && user.two_factor_secret) {
     const challengeToken = buildChallengeToken({
@@ -2478,9 +2538,13 @@ async function loginWithTwoFactor(req, res) {
     res.status(429).json({ error: "Too many 2FA attempts. Try again in 15 minutes." });
     return;
   }
-  const { rows } = await pool_default.query(`SELECT id, email, role_id, first_name, last_name, avatar_url, job_title, organization, country, two_factor_enabled, two_factor_secret, password, session_version
+  const { rows } = await pool_default.query(`SELECT id, email, role_id, first_name, last_name, avatar_url, job_title, organization, country, two_factor_enabled, two_factor_secret, password, enabled, session_version
      FROM plank_users WHERE id = $1`, [payload.sub]);
   const user = rows[0];
+  if (user && !user.enabled) {
+    res.status(403).json({ error: "User is disabled" });
+    return;
+  }
   if (!user || !user.two_factor_enabled || !user.two_factor_secret) {
     res.status(401).json({ error: "2FA is not enabled for this account" });
     return;
@@ -2622,8 +2686,8 @@ async function authenticate(req, res, next) {
     if (typeof payload.sv !== "number") {
       return { ok: false };
     }
-    const { rows } = await pool_default.query("SELECT session_version FROM plank_users WHERE id = $1", [payload.sub]);
-    if (!rows[0] || rows[0].session_version !== payload.sv) {
+    const { rows } = await pool_default.query("SELECT session_version, enabled FROM plank_users WHERE id = $1", [payload.sub]);
+    if (!rows[0] || !rows[0].enabled || rows[0].session_version !== payload.sv) {
       return { ok: false };
     }
     return { ok: true, sessionVersion: rows[0].session_version };
@@ -2669,6 +2733,25 @@ async function authenticate(req, res, next) {
   }
 }
 
+// ../core/dist/lib/editorialMode.js
+async function isEditorialModeEnabled() {
+  const raw = await getSetting("general", "editorial_mode");
+  return String(raw ?? "false").toLowerCase() === "true";
+}
+
+// ../core/dist/lib/appModes.js
+async function resolveAppModes() {
+  return {
+    editorial: await isEditorialModeEnabled()
+  };
+}
+
+// ../core/dist/middlewares/appModes.js
+async function attachAppModes(req, _res, next) {
+  req.appModes = await resolveAppModes();
+  next();
+}
+
 // ../core/dist/middlewares/authorize.js
 function authorize(permission) {
   return async (req, res, next) => {
@@ -2770,7 +2853,7 @@ var RESERVED_SQL_IDENTIFIERS = /* @__PURE__ */ new Set([
 ]);
 var ArraySubFieldSchema = z2.object({
   name: z2.string().regex(/^[a-z][a-z0-9_]*$/, "Sub-field name must be lowercase with underscores"),
-  type: z2.enum(["string", "text", "richtext", "number", "boolean", "datetime", "media"]),
+  type: z2.enum(["string", "text", "richtext", "number", "boolean", "datetime", "media", "mixed"]),
   required: z2.boolean().optional(),
   subtype: z2.enum(["integer", "float"]).optional(),
   allowedTypes: z2.array(z2.enum(["image", "video", "audio", "document"])).optional(),
@@ -3110,11 +3193,17 @@ async function syncManyToMany(entryId, tableName, field, targetIds) {
   const placeholders = targetIds.map((_3, i2) => `($1, $${i2 + 2})`).join(", ");
   await pool_default.query(`INSERT INTO ${quoteIdentifier(jt)} (source_id, target_id) VALUES ${placeholders} ON CONFLICT DO NOTHING`, [entryId, ...targetIds]);
 }
-async function isUserRole(roleId) {
+async function isContributorRole(roleId) {
   if (!roleId)
     return false;
   const { rows } = await pool_default.query("SELECT name FROM plank_roles WHERE id = $1", [roleId]);
-  return rows[0]?.name?.toLowerCase() === "user";
+  return rows[0]?.name?.toLowerCase() === "contributor";
+}
+async function roleName(roleId) {
+  if (!roleId)
+    return "";
+  const { rows } = await pool_default.query("SELECT name FROM plank_roles WHERE id = $1", [roleId]);
+  return rows[0]?.name?.toLowerCase() ?? "";
 }
 var listEntries = async (req, res) => {
   const ct = await findContentTypeBySlug(req.params.slug);
@@ -3124,7 +3213,6 @@ var listEntries = async (req, res) => {
   }
   assertSafeIdentifier(ct.tableName);
   const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
   const page = Math.max(1, parseInt(String(req.query.page ?? 1)));
   const limit = Math.min(100, Math.max(1, parseInt(String(req.query.limit ?? 20))));
   const offset = (page - 1) * limit;
@@ -3135,19 +3223,15 @@ var listEntries = async (req, res) => {
   const quotedSortField = quoteIdentifier(sortField);
   const locale = req.query.locale ? String(req.query.locale) : void 0;
   const fallbacks = req.query.fallback ? String(req.query.fallback).split(",") : [];
-  const ownCollectionOnly = isUser && ct.kind === "collection";
-  const whereClause = ownCollectionOnly ? "WHERE e.created_by = $3" : "";
-  const countWhereClause = ownCollectionOnly ? "WHERE created_by = $1" : "";
-  const listValues = ownCollectionOnly ? [limit, offset, req.user?.id ?? null] : [limit, offset];
-  const countValues = ownCollectionOnly ? [req.user?.id ?? null] : [];
   const [{ rows }, { rows: countRows }] = await Promise.all([
-    pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url
+    pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url,
+              ed.first_name AS _editor_first_name, ed.last_name AS _editor_last_name, ed.avatar_url AS _editor_avatar_url
        FROM ${quotedTableName} e
        LEFT JOIN plank_users u ON u.id = e.created_by
-       ${whereClause}
+       LEFT JOIN plank_users ed ON ed.id = e.editor_id
        ORDER BY e.${quotedSortField} ${sortDir}
-       LIMIT $1 OFFSET $2`, listValues),
-    pool_default.query(`SELECT COUNT(*) as count FROM ${quotedTableName} ${countWhereClause}`, countValues)
+       LIMIT $1 OFFSET $2`, [limit, offset]),
+    pool_default.query(`SELECT COUNT(*) as count FROM ${quotedTableName}`)
   ]);
   const provider = await getProvider();
   function entryMatchesLocale(row, locale2) {
@@ -3155,7 +3239,7 @@ var listEntries = async (req, res) => {
       return true;
     const localized = row.localized && typeof row.localized === "object" ? row.localized : {};
     const locales = Object.keys(localized).filter((k3) => !k3.startsWith("_"));
-    const meta = localized._meta || {};
+    const meta = localized._meta ?? {};
     const enabled = meta.enabled ?? locales.length > 0;
     const primary = meta.primary;
     if (enabled) {
@@ -3171,6 +3255,10 @@ var listEntries = async (req, res) => {
     if (key && !key.startsWith("http")) {
       resolved._author_avatar_url = await provider.getUrl(key);
     }
+    const editorKey = resolved._editor_avatar_url;
+    if (editorKey && !editorKey.startsWith("http")) {
+      resolved._editor_avatar_url = await provider.getUrl(editorKey);
+    }
     return normalizeNavigationFields({ ...resolved, ...mmIds }, ct.fields);
   }));
   let total = parseInt(countRows[0].count);
@@ -3179,7 +3267,7 @@ var listEntries = async (req, res) => {
       const { rows: allRows } = await pool_default.query(`SELECT localized FROM ${quotedTableName}`);
       const matching = allRows.filter((r2) => entryMatchesLocale(r2, locale));
       total = matching.length;
-    } catch (err) {
+    } catch {
     }
   }
   res.json({ data, total, page, limit });
@@ -3204,16 +3292,16 @@ var getEntry = async (req, res) => {
   }
   assertSafeIdentifier(ct.tableName);
   const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  const { rows } = await pool_default.query(`SELECT * FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
+  const { rows } = await pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url,
+            ed.first_name AS _editor_first_name, ed.last_name AS _editor_last_name, ed.avatar_url AS _editor_avatar_url
+     FROM ${quotedTableName} e
+     LEFT JOIN plank_users u ON u.id = e.created_by
+     LEFT JOIN plank_users ed ON ed.id = e.editor_id
+     WHERE e.id = $1`, [req.params.id]);
   if (!rows[0]) {
     res.status(404).json({ error: "Entry not found" });
     return;
   }
-  if (isUser && ct.kind === "collection" && rows[0].created_by !== req.user?.id) {
-    res.status(403).json({ error: "Forbidden" });
-    return;
-  }
   const locale = req.query.locale ? String(req.query.locale) : void 0;
   const fallbacks = req.query.fallback ? String(req.query.fallback).split(",") : [];
   const mmIds = await loadManyToManyIds(req.params.id, ct.tableName, ct.fields);
@@ -3222,6 +3310,9 @@ var getEntry = async (req, res) => {
   const key = resolved._author_avatar_url;
   if (key && !key.startsWith("http"))
     resolved._author_avatar_url = await provider.getUrl(key);
+  const editorKey = resolved._editor_avatar_url;
+  if (editorKey && !editorKey.startsWith("http"))
+    resolved._editor_avatar_url = await provider.getUrl(editorKey);
   res.json(normalizeNavigationFields({ ...resolved, ...mmIds }, ct.fields));
 };
 var createEntry = async (req, res) => {
@@ -3233,9 +3324,9 @@ var createEntry = async (req, res) => {
   validate(ct, req.body);
   assertSafeIdentifier(ct.tableName);
   const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  if (isUser && ct.kind === "single") {
-    res.status(403).json({ error: "Single types are read-only for User role" });
+  const isContributor = await isContributorRole(req.user?.roleId);
+  if (isContributor && ct.kind === "single") {
+    res.status(403).json({ error: "Single types are read-only for Contributor role" });
     return;
   }
   const mmFields = ct.fields.filter((f2) => f2.type === "relation" && (f2.relationType ?? "many-to-one") === "many-to-many" && req.body[f2.name] !== void 0);
@@ -3343,13 +3434,16 @@ var updateEntry = async (req, res) => {
   validate(ct, req.body);
   assertSafeIdentifier(ct.tableName);
   const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  if (isUser && ct.kind === "single") {
-    res.status(403).json({ error: "Single types are read-only for User role" });
+  const editorialMode = req.appModes?.editorial ?? false;
+  const currentRole = await roleName(req.user?.roleId);
+  const isContributor = currentRole === "contributor";
+  const isEditor = currentRole === "editor";
+  if (isContributor && ct.kind === "single") {
+    res.status(403).json({ error: "Single types are read-only for Contributor role" });
     return;
   }
-  if (isUser && ct.kind === "collection") {
-    const { rows: authorRows } = await pool_default.query(`SELECT created_by FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
+  if ((isContributor || isEditor) && ct.kind === "collection") {
+    const { rows: authorRows } = await pool_default.query(`SELECT created_by, status FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
     if (!authorRows[0]) {
       res.status(404).json({ error: "Entry not found" });
       return;
@@ -3358,6 +3452,10 @@ var updateEntry = async (req, res) => {
       res.status(403).json({ error: "Forbidden" });
       return;
     }
+    if (editorialMode && isContributor && authorRows[0].status === "in_review") {
+      res.status(403).json({ error: "Entry is currently in review and locked for contributor edits" });
+      return;
+    }
   }
   const mmFields = ct.fields.filter((f2) => f2.type === "relation" && (f2.relationType ?? "many-to-one") === "many-to-many" && req.body[f2.name] !== void 0);
   const fields = ct.fields.filter((f2) => req.body[f2.name] !== void 0 && !isVirtualRelation(f2));
@@ -3407,9 +3505,9 @@ function buildSnapshotExpr(tableName) {
   return `(SELECT ${strip} FROM ${quoteIdentifier(tableName)} t WHERE t.id = $1)`;
 }
 var patchEntryStatus = async (req, res) => {
-  const { status, scheduled_for } = req.body;
-  if (status !== "draft" && status !== "published" && status !== "scheduled") {
-    res.status(400).json({ error: "status must be draft, published, or scheduled" });
+  const { status, scheduled_for, editor_id, review_locked_by_editor, review_rejected } = req.body;
+  if (status !== "draft" && status !== "published" && status !== "scheduled" && status !== "pending" && status !== "in_review") {
+    res.status(400).json({ error: "status must be draft, published, scheduled, pending, or in_review" });
     return;
   }
   if (status === "scheduled") {
@@ -3429,13 +3527,17 @@ var patchEntryStatus = async (req, res) => {
   }
   assertSafeIdentifier(ct.tableName);
   const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  if (isUser && ct.kind === "single") {
-    res.status(403).json({ error: "Single types are read-only for User role" });
+  const editorialMode = req.appModes?.editorial ?? false;
+  const currentRole = await roleName(req.user?.roleId);
+  const isContributor = currentRole === "contributor";
+  const isAdminRole = currentRole === "admin" || currentRole === "super admin";
+  const isEditorRole = currentRole === "editor";
+  if (isContributor && ct.kind === "single") {
+    res.status(403).json({ error: "Single types are read-only for Contributor role" });
     return;
   }
-  if (isUser && ct.kind === "collection") {
-    const { rows: authorRows } = await pool_default.query(`SELECT created_by FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
+  if (isContributor && ct.kind === "collection") {
+    const { rows: authorRows } = await pool_default.query(`SELECT created_by, review_locked_by_editor FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
     if (!authorRows[0]) {
       res.status(404).json({ error: "Entry not found" });
       return;
@@ -3444,6 +3546,18 @@ var patchEntryStatus = async (req, res) => {
       res.status(403).json({ error: "Forbidden" });
       return;
     }
+    if (editorialMode && authorRows[0].review_locked_by_editor && status !== "pending") {
+      res.status(403).json({ error: "Entry is currently locked for contributor edits" });
+      return;
+    }
+  }
+  if (editorialMode && isContributor && status === "published") {
+    res.status(403).json({ error: "Contributors cannot publish in editorial mode" });
+    return;
+  }
+  if (editorialMode && isContributor && status === "scheduled") {
+    res.status(403).json({ error: "Contributors cannot schedule in editorial mode" });
+    return;
   }
   let sql;
   let values;
@@ -3454,6 +3568,7 @@ var patchEntryStatus = async (req, res) => {
         published_data = ${buildSnapshotExpr(ct.tableName)},
         published_at = NOW(),
         scheduled_for = NULL,
+        review_rejected = FALSE,
         updated_at = NOW()
       WHERE id = $1
       RETURNING *
@@ -3464,11 +3579,66 @@ var patchEntryStatus = async (req, res) => {
       UPDATE ${quotedTableName} SET
         status = 'scheduled',
         scheduled_for = $2,
+        review_rejected = FALSE,
         updated_at = NOW()
       WHERE id = $1
       RETURNING *
     `;
     values = [req.params.id, scheduled_for];
+  } else if (status === "pending") {
+    sql = `
+      UPDATE ${quotedTableName} SET
+        status = 'pending',
+        review_rejected = COALESCE($2, FALSE),
+        review_locked_by_editor = FALSE,
+        updated_at = NOW()
+      WHERE id = $1
+      RETURNING *
+    `;
+    values = [req.params.id, typeof review_rejected === "boolean" ? review_rejected : false];
+  } else if (status === "in_review") {
+    if (!editorialMode) {
+      res.status(403).json({ error: "In review status requires editorial mode" });
+      return;
+    }
+    if (!isAdminRole && !isEditorRole) {
+      res.status(403).json({ error: "Forbidden" });
+      return;
+    }
+    const requestedEditorId = typeof editor_id === "string" && editor_id.trim().length > 0 ? editor_id : isEditorRole ? req.user?.id ?? null : null;
+    if (isEditorRole && requestedEditorId && requestedEditorId !== req.user?.id) {
+      res.status(403).json({ error: "Editors can only assign themselves" });
+      return;
+    }
+    if (requestedEditorId) {
+      const { rows: editorRows } = await pool_default.query(`SELECT r.name as role_name
+         FROM plank_users u
+         JOIN plank_roles r ON r.id = u.role_id
+         WHERE u.id = $1`, [requestedEditorId]);
+      const targetRole = editorRows[0]?.role_name?.toLowerCase();
+      if (isAdminRole) {
+        if (requestedEditorId !== req.user?.id && targetRole !== "editor") {
+          res.status(403).json({ error: "Admins can assign only themselves or Editors" });
+          return;
+        }
+      } else if (targetRole !== "editor") {
+        res.status(403).json({ error: "Invalid editor assignee" });
+        return;
+      }
+    }
+    const nextEditorId = requestedEditorId ?? (isEditorRole ? req.user?.id ?? null : null);
+    const lock = typeof review_locked_by_editor === "boolean" ? review_locked_by_editor : false;
+    sql = `
+      UPDATE ${quotedTableName} SET
+        status = 'in_review',
+        editor_id = COALESCE($2, editor_id),
+        review_locked_by_editor = $3,
+        review_rejected = FALSE,
+        updated_at = NOW()
+      WHERE id = $1
+      RETURNING *
+    `;
+    values = [req.params.id, nextEditorId, lock];
   } else {
     sql = `
       UPDATE ${quotedTableName} SET
@@ -3476,6 +3646,8 @@ var patchEntryStatus = async (req, res) => {
         published_data = NULL,
         published_at = NULL,
         scheduled_for = NULL,
+        review_rejected = FALSE,
+        review_locked_by_editor = FALSE,
         updated_at = NOW()
       WHERE id = $1
       RETURNING *
@@ -3500,12 +3672,14 @@ var deleteEntry = async (req, res) => {
   }
   assertSafeIdentifier(ct.tableName);
   const quotedTableName = quoteIdentifier(ct.tableName);
-  const isUser = await isUserRole(req.user?.roleId);
-  if (isUser && ct.kind === "single") {
-    res.status(403).json({ error: "Single types are read-only for User role" });
+  const currentRole = await roleName(req.user?.roleId);
+  const isContributor = currentRole === "contributor";
+  const isEditor = currentRole === "editor";
+  if (isContributor && ct.kind === "single") {
+    res.status(403).json({ error: "Single types are read-only for Contributor role" });
     return;
   }
-  if (isUser && ct.kind === "collection") {
+  if ((isContributor || isEditor) && ct.kind === "collection") {
     const { rows: authorRows } = await pool_default.query(`SELECT created_by FROM ${quotedTableName} WHERE id = $1`, [req.params.id]);
     if (!authorRows[0]) {
       res.status(404).json({ error: "Entry not found" });
@@ -3534,13 +3708,15 @@ import { z as z4, flattenError as flattenError4 } from "zod";
 var CreateUserSchema = z4.object({
   email: z4.email(),
   password: z4.string().min(8),
-  roleId: z4.string().min(1)
+  roleId: z4.string().min(1),
+  enabled: z4.boolean().optional()
 });
 var UpdateUserSchema = z4.object({
   email: z4.email().optional(),
   roleId: z4.string().min(1).optional(),
   firstName: z4.string().max(100).nullable().optional(),
-  lastName: z4.string().max(100).nullable().optional()
+  lastName: z4.string().max(100).nullable().optional(),
+  enabled: z4.boolean().optional()
 });
 var ChangePasswordSchema = z4.object({
   currentPassword: z4.string().min(1),
@@ -3594,7 +3770,7 @@ async function roleNameById(roleId) {
   return rows[0]?.name ?? null;
 }
 async function listUsers(_req, res) {
-  const { rows } = await pool_default.query(`SELECT u.id, u.email, u.role_id, r.name as role_name, u.first_name, u.last_name, u.created_at
+  const { rows } = await pool_default.query(`SELECT u.id, u.email, u.role_id, r.name as role_name, u.first_name, u.last_name, u.enabled, u.created_at
      FROM plank_users u
      JOIN plank_roles r ON r.id = u.role_id
      ORDER BY u.created_at DESC`);
@@ -3602,7 +3778,7 @@ async function listUsers(_req, res) {
 }
 async function getMe(req, res) {
   const { rows } = await pool_default.query(`SELECT u.id, u.email, u.role_id, u.first_name, u.last_name, u.avatar_url,
-            u.job_title, u.organization, u.country, u.two_factor_enabled, u.created_at,
+            u.job_title, u.organization, u.country, u.two_factor_enabled, u.enabled, u.created_at,
             r.name AS role_name, r.permissions
      FROM plank_users u
      JOIN plank_roles r ON r.id = u.role_id
@@ -3612,11 +3788,14 @@ async function getMe(req, res) {
     return;
   }
   const resolved = await resolveAvatarUrl(rows[0]);
+  const modes = req.appModes ?? await resolveAppModes();
   res.json({
     ...resolved,
     role: rows[0].role_name,
     permissions: rows[0].permissions,
-    two_factor_enabled: rows[0].two_factor_enabled
+    enabled: rows[0].enabled ?? true,
+    two_factor_enabled: rows[0].two_factor_enabled,
+    modes
   });
 }
 async function getTwoFactorStatus(req, res) {
@@ -3831,17 +4010,20 @@ async function createUser(req, res) {
     res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
     return;
   }
-  const { email, password, roleId } = parsed.data;
+  const { email, password, roleId, enabled } = parsed.data;
   const requesterRoleName = await roleNameById(req.user.roleId);
   const targetRoleName = await roleNameById(roleId);
   if (targetRoleName === "Super Admin" && requesterRoleName !== "Super Admin") {
     res.status(403).json({ error: "Only Super Admin can assign Super Admin role" });
     return;
   }
+  const editorialMode = req.appModes?.editorial ?? false;
+  const isEditorialExclusiveRole = ["Editor", "Viewer"].includes(targetRoleName ?? "");
+  const nextEnabled = editorialMode || !isEditorialExclusiveRole ? enabled ?? true : false;
   const hashed = await bcrypt2.hash(password, 12);
   const id = createId();
-  await pool_default.query("INSERT INTO plank_users (id, email, password, role_id) VALUES ($1, $2, $3, $4)", [id, email, hashed, roleId]);
-  res.status(201).json({ id, email, roleId });
+  await pool_default.query("INSERT INTO plank_users (id, email, password, role_id, enabled) VALUES ($1, $2, $3, $4, $5)", [id, email, hashed, roleId, nextEnabled]);
+  res.status(201).json({ id, email, roleId, enabled: nextEnabled });
 }
 async function updateUser(req, res) {
   const parsed = UpdateUserSchema.safeParse(req.body);
@@ -3849,7 +4031,7 @@ async function updateUser(req, res) {
     res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
     return;
   }
-  const { email, roleId, firstName, lastName } = parsed.data;
+  const { email, roleId, firstName, lastName, enabled } = parsed.data;
   const requesterRoleName = await roleNameById(req.user.roleId);
   const { rows: targetRows } = await pool_default.query("SELECT role_id FROM plank_users WHERE id = $1", [req.params.id]);
   if (!targetRows[0]) {
@@ -3861,20 +4043,30 @@ async function updateUser(req, res) {
     res.status(403).json({ error: "Only Super Admin can edit Super Admin users" });
     return;
   }
+  const editorialMode = req.appModes?.editorial ?? false;
+  let resolvedEnabled = enabled;
   if (roleId) {
     const nextRoleName = await roleNameById(roleId);
     if (nextRoleName === "Super Admin" && requesterRoleName !== "Super Admin") {
       res.status(403).json({ error: "Only Super Admin can assign Super Admin role" });
       return;
     }
+    if (!editorialMode && ["Editor", "Viewer"].includes(nextRoleName ?? "")) {
+      resolvedEnabled = false;
+    }
   }
   const { rows } = await pool_default.query(`UPDATE plank_users
      SET email      = COALESCE($1, email),
          role_id    = COALESCE($2, role_id),
          first_name = COALESCE($3, first_name),
-         last_name  = COALESCE($4, last_name)
-     WHERE id = $5
-     RETURNING id, email, role_id, first_name, last_name, created_at`, [email ?? null, roleId ?? null, firstName ?? null, lastName ?? null, req.params.id]);
+         last_name  = COALESCE($4, last_name),
+         enabled    = COALESCE($5, enabled),
+         session_version = CASE
+           WHEN $5 IS NOT NULL AND $5 = FALSE AND enabled = TRUE THEN session_version + 1
+           ELSE session_version
+         END
+     WHERE id = $6
+     RETURNING id, email, role_id, first_name, last_name, enabled, created_at`, [email ?? null, roleId ?? null, firstName ?? null, lastName ?? null, resolvedEnabled ?? null, req.params.id]);
   if (!rows[0]) {
     res.status(404).json({ error: "User not found" });
     return;
@@ -4222,6 +4414,14 @@ async function getNamespaceSettings(req, res) {
   const settings = await getSettings(namespace);
   res.json(maskSettings(namespace, settings));
 }
+async function getAppModes(req, res) {
+  const modes = req.appModes ?? await resolveAppModes();
+  res.json(modes);
+}
+async function getEditorialMode(_req, res) {
+  const { editorial: enabled } = await resolveAppModes();
+  res.json({ enabled });
+}
 async function updateNamespaceSettings(req, res) {
   const { namespace } = req.params;
   const incoming = req.body;
@@ -4237,6 +4437,13 @@ async function updateNamespaceSettings(req, res) {
     toSave[key] = value;
   }
   await setSettings(namespace, toSave);
+  if (namespace === "general" && Object.prototype.hasOwnProperty.call(toSave, "editorial_mode") && String(toSave.editorial_mode).toLowerCase() === "false") {
+    await pool_default.query(`UPDATE plank_users
+       SET enabled = FALSE, session_version = session_version + 1
+       WHERE role_id IN (
+         SELECT id FROM plank_roles WHERE LOWER(name) IN ('editor', 'viewer')
+       )`);
+  }
   const updated = await getSettings(namespace);
   res.json(maskSettings(namespace, updated));
 }
@@ -4244,6 +4451,7 @@ async function updateNamespaceSettings(req, res) {
 // ../core/dist/routes/admin.js
 var router2 = Router2();
 router2.use(authenticate);
+router2.use(attachAppModes);
 router2.get("/content-types", authorize("content-types:read"), listContentTypes);
 router2.post("/content-types", authorize("content-types:write"), createContentType);
 router2.get("/content-types/:slug", authorize("content-types:read"), getContentType);
@@ -4292,6 +4500,8 @@ router2.post("/media", authorize("media:write"), upload.array("files", 500), upl
 router2.get("/media/:id/url", authorize("media:read"), getMediaUrl);
 router2.patch("/media/:id", authorize("media:write"), updateMedia);
 router2.delete("/media/:id", authorize("media:delete"), deleteMedia);
+router2.get("/modes", getAppModes);
+router2.get("/editorial-mode", getEditorialMode);
 router2.get("/settings/:namespace", authorize("settings:overview:read"), getNamespaceSettings);
 router2.put("/settings/:namespace", authorize("settings:overview:write"), updateNamespaceSettings);
 router2.get("/webhooks", authorize("settings:webhooks:read"), listWebhooks);
@@ -4353,6 +4563,29 @@ function normalizeNavigationItems2(value) {
     return normalized;
   });
 }
+function normalizeArrayItemsBySchema(value, field) {
+  if (field.type !== "array" || !Array.isArray(value))
+    return value;
+  const subFields = field.arrayFields ?? [];
+  if (subFields.length === 0)
+    return value;
+  return value.map((item) => {
+    if (typeof item !== "object" || item === null || Array.isArray(item))
+      return item;
+    const raw = item;
+    const normalized = {};
+    for (const subField of subFields) {
+      if (subField.name in raw)
+        normalized[subField.name] = raw[subField.name];
+    }
+    for (const [key, val] of Object.entries(raw)) {
+      if (key in normalized)
+        continue;
+      normalized[key] = val;
+    }
+    return normalized;
+  });
+}
 async function resolveMediaFields(entries, ct) {
   const singleFields = ct.fields.filter((f2) => f2.type === "media").map((f2) => f2.name);
   const galleryFields = ct.fields.filter((f2) => f2.type === "media-gallery").map((f2) => f2.name);
@@ -4465,14 +4698,19 @@ async function resolveAuthorAvatars(entries) {
     if (author?.avatar_url && !author.avatar_url.startsWith("http")) {
       author.avatar_url = await provider.getUrl(author.avatar_url);
     }
+    const editor = entry.editor;
+    if (editor?.avatar_url && !editor.avatar_url.startsWith("http")) {
+      editor.avatar_url = await provider.getUrl(editor.avatar_url);
+    }
   }));
 }
 function serializeEntry(row, ct, statusParam, locale, fallbacks = []) {
-  const { published_data, _author_first_name, _author_last_name, _author_avatar_url, _author_job_title, _author_organization, _author_country, ...rest } = row;
+  const { published_data, _author_first_name, _author_last_name, _author_avatar_url, _author_job_title, _author_organization, _author_country, _editor_first_name, _editor_last_name, _editor_avatar_url, _editor_job_title, _editor_organization, _editor_country, ...rest } = row;
   const source = statusParam === "published" && published_data ? published_data : rest;
   const effective = { ...source };
   if (locale) {
-    const localizedContainer = source && typeof source === "object" && source.localized && typeof source.localized === "object" ? source.localized : row.localized && typeof row.localized === "object" ? row.localized : {};
+    const sourceObj = source;
+    const localizedContainer = source && typeof source === "object" && sourceObj.localized && typeof sourceObj.localized === "object" ? sourceObj.localized : row.localized && typeof row.localized === "object" ? row.localized : {};
     const localizableTypes = /* @__PURE__ */ new Set(["string", "text", "richtext", "uid"]);
     for (const f2 of ct.fields) {
       if (!localizableTypes.has(f2.type))
@@ -4496,7 +4734,15 @@ function serializeEntry(row, ct, statusParam, locale, fallbacks = []) {
   for (const field of ct.fields) {
     if (!(field.name in effective))
       continue;
-    out[field.name] = field.type === "navigation" ? normalizeNavigationItems2(effective[field.name]) : effective[field.name];
+    if (field.type === "navigation") {
+      out[field.name] = normalizeNavigationItems2(effective[field.name]);
+      continue;
+    }
+    if (field.type === "array") {
+      out[field.name] = normalizeArrayItemsBySchema(effective[field.name], field);
+      continue;
+    }
+    out[field.name] = effective[field.name];
   }
   out.status = row.status;
   out.published_at = row.published_at ?? null;
@@ -4510,6 +4756,14 @@ function serializeEntry(row, ct, statusParam, locale, fallbacks = []) {
     organization: _author_organization ?? null,
     country: _author_country ?? null
   } : null;
+  out.editor = _editor_first_name || _editor_last_name ? {
+    first_name: _editor_first_name ?? null,
+    last_name: _editor_last_name ?? null,
+    avatar_url: _editor_avatar_url ?? null,
+    job_title: _editor_job_title ?? null,
+    organization: _editor_organization ?? null,
+    country: _editor_country ?? null
+  } : null;
   return out;
 }
 var listPublicEntries = async (req, res) => {
@@ -4525,9 +4779,11 @@ var listPublicEntries = async (req, res) => {
     const fallbacks2 = req.query.fallback ? String(req.query.fallback).split(",") : [];
     const statusClause = statusParam2 === "published" || statusParam2 === "draft" ? `WHERE e.status = $1` : "";
     const values = statusClause ? [statusParam2] : [];
-    const { rows: rows2 } = await pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country
+    const { rows: rows2 } = await pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country,
+              ed.first_name AS _editor_first_name, ed.last_name AS _editor_last_name, ed.avatar_url AS _editor_avatar_url, ed.job_title AS _editor_job_title, ed.organization AS _editor_organization, ed.country AS _editor_country
        FROM ${ct.tableName} e
        LEFT JOIN plank_users u ON u.id = e.created_by
+       LEFT JOIN plank_users ed ON ed.id = e.editor_id
        ${statusClause} LIMIT 1`, values);
     if (!rows2[0]) {
       res.status(404).json({ error: "Not found" });
@@ -4573,9 +4829,11 @@ var listPublicEntries = async (req, res) => {
   const limitParam = filterValues.length + 1;
   const offsetParam = filterValues.length + 2;
   const [{ rows }, { rows: countRows }] = await Promise.all([
-    pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country
+    pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country,
+              ed.first_name AS _editor_first_name, ed.last_name AS _editor_last_name, ed.avatar_url AS _editor_avatar_url, ed.job_title AS _editor_job_title, ed.organization AS _editor_organization, ed.country AS _editor_country
        FROM ${ct.tableName} e
        LEFT JOIN plank_users u ON u.id = e.created_by
+       LEFT JOIN plank_users ed ON ed.id = e.editor_id
        ${where} ORDER BY e.${sortField} ${sortDir} LIMIT $${limitParam} OFFSET $${offsetParam}`, [...filterValues, limit, offset]),
     pool_default.query(`SELECT COUNT(*) as count FROM ${ct.tableName} e ${where}`, filterValues)
   ]);
@@ -4597,9 +4855,11 @@ var getPublicEntry = async (req, res) => {
   const statusParam = String(req.query.status ?? "published");
   const statusClause = statusParam === "published" || statusParam === "draft" ? ` AND e.status = $2` : "";
   const values = statusClause ? [req.params.id, statusParam] : [req.params.id];
-  const { rows } = await pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country
+  const { rows } = await pool_default.query(`SELECT e.*, u.first_name AS _author_first_name, u.last_name AS _author_last_name, u.avatar_url AS _author_avatar_url, u.job_title AS _author_job_title, u.organization AS _author_organization, u.country AS _author_country,
+            ed.first_name AS _editor_first_name, ed.last_name AS _editor_last_name, ed.avatar_url AS _editor_avatar_url, ed.job_title AS _editor_job_title, ed.organization AS _editor_organization, ed.country AS _editor_country
      FROM ${ct.tableName} e
      LEFT JOIN plank_users u ON u.id = e.created_by
+     LEFT JOIN plank_users ed ON ed.id = e.editor_id
      WHERE e.id = $1${statusClause}`, values);
   if (!rows[0]) {
     res.status(404).json({ error: "Not found" });