@questpie/admin 3.5.3 → 3.5.4

package/dist/server/modules/admin/factories.mjs

@@ -1,4 +1,4 @@
-import { createActionCallbackProxy } from "../../proxy-factories.mjs";
+import { createActionCallbackProxy, createActionFieldBuilderProxy } from "../../proxy-factories.mjs";
 import { CollectionBuilder } from "questpie";
 
 //#region src/server/modules/admin/factories.ts
@@ -26,37 +26,6 @@ const _componentProxy = new Proxy({}, { get: (_, prop) => (...args) => ({
 	props: typeof args[0] === "string" ? { name: args[0] } : args[0] ?? {}
 }) });
 const _fieldRefProxy = new Proxy({}, { get: (_, prop) => String(prop) });
-/**
-* Field builder proxy for actions context.
-* Supports `f.text().required().label({...})` chaining.
-* Each method call returns a new proxy with accumulated properties.
-*/
-function _createFieldBuilderProxy() {
-	return new Proxy({}, { get: (_, prop) => {
-		if (typeof prop !== "string") return void 0;
-		return (...args) => {
-			const def = { type: prop };
-			if (Array.isArray(args[0])) def.options = args[0];
-			else if (args[0] && typeof args[0] === "object") Object.assign(def, args[0]);
-			else if (args[0] !== void 0) def.value = args[0];
-			return _chainable(def);
-		};
-	} });
-}
-function _chainable(def) {
-	return new Proxy(def, { get: (target, prop) => {
-		if (typeof prop !== "string") return Reflect.get(target, prop);
-		if (prop in target) return target[prop];
-		if (prop === "set") return (key, value) => _chainable({
-			...target,
-			[key]: value
-		});
-		return (...args) => _chainable({
-			...target,
-			[prop]: args.length === 0 ? true : args[0]
-		});
-	} });
-}
 const _actionBuilderProxy = createActionCallbackProxy();
 const _simpleActionProxy = createActionCallbackProxy();
 const _collExt = {
@@ -81,7 +50,8 @@ const _collExt = {
 						collectionTable: "collection-table"
 					}),
 					f: _fieldRefProxy,
-					a: _simpleActionProxy
+					a: _simpleActionProxy,
+					c: _componentProxy
 				}) : configOrFn
 			};
 		}
@@ -112,7 +82,7 @@ const _collExt = {
 			if (typeof configOrFn === "function") return configOrFn({
 				a: _actionBuilderProxy,
 				c: _componentProxy,
-				f: _createFieldBuilderProxy()
+				f: createActionFieldBuilderProxy()
 			});
 			return configOrFn;
 		}

package/dist/server/modules/admin/index.d.mts

@@ -927,7 +927,7 @@ declare const adminModule: {
                 $Infer: {
                   body: {
                     permissions: {
-                      readonly user?: ("list" | "create" | "update" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "delete" | "set-password" | "get")[] | undefined;
+                      readonly user?: ("create" | "update" | "list" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "delete" | "set-password" | "get")[] | undefined;
                       readonly session?: ("list" | "delete" | "revoke")[] | undefined;
                     };
                   } & {

package/dist/server/modules/admin/routes/admin-config.d.mts

@@ -1,4 +1,5 @@
-import * as questpie259 from "questpie";
+import "./route-helpers.mjs";
+import * as questpie456 from "questpie";
 
 //#region src/server/modules/admin/routes/admin-config.d.ts
 
@@ -7,7 +8,8 @@ import * as questpie259 from "questpie";
  * Registered via module routes and exposed through the fetch handler.
  */
 declare const adminConfigFunctions: {
-  readonly getAdminConfig: questpie259.JsonRouteDefinition<Record<string, never> | undefined, any, questpie259.JsonRouteParams>;
+  readonly getAdminConfig: questpie456.JsonRouteDefinition<Record<string, never> | undefined, any, questpie456.JsonRouteParams>;
+  readonly getPublicAdminConfig: questpie456.JsonRouteDefinition<Record<string, never> | undefined, any, questpie456.JsonRouteParams>;
 };
 //#endregion
 export { adminConfigFunctions };

package/dist/server/modules/admin/routes/admin-config.mjs

@@ -514,6 +514,11 @@ async function processDashboardItems(items, accessibleCollections, accessCtx) {
 }
 const getAdminConfigSchema = z.object({}).optional();
 const getAdminConfigOutputSchema = adminConfigDTOSchema;
+function buildPublicAdminConfig(adminCfg) {
+	const response = {};
+	if (adminCfg.branding) response.branding = adminCfg.branding;
+	return stripUndefinedDeep(response);
+}
 /**
 * Get admin configuration including dashboard, sidebar, blocks,
 * and collection/global metadata.
@@ -535,7 +540,7 @@ const getAdminConfigOutputSchema = adminConfigDTOSchema;
 * const config = await client.routes.getAdminConfig({});
 * ```
 */
-const getAdminConfig = route().post().access((ctx) => !!ctx.session).schema(getAdminConfigSchema).outputSchema(getAdminConfigOutputSchema).handler(async (ctx) => {
+const getAdminConfig = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(getAdminConfigSchema).outputSchema(getAdminConfigOutputSchema).handler(async (ctx) => {
 	const app = getApp(ctx);
 	const appState = getAppState(app);
 	const adminCfg = getAdminConfig$1(app);
@@ -590,10 +595,21 @@ const getAdminConfig = route().post().access((ctx) => !!ctx.session).schema(getA
 	return stripUndefinedDeep(response);
 });
 /**
+* Get public admin bootstrap configuration for unauthenticated auth pages.
+*
+* This intentionally exposes only branding. Full admin config, sidebar,
+* dashboard, blocks, upload collections, and resource metadata stay behind
+* getAdminConfig's admin-session guard.
+*/
+const getPublicAdminConfig = route().post().access(true).schema(getAdminConfigSchema).outputSchema(getAdminConfigOutputSchema).handler(async (ctx) => buildPublicAdminConfig(getAdminConfig$1(getApp(ctx))));
+/**
 * Admin config route handlers.
 * Registered via module routes and exposed through the fetch handler.
 */
-const adminConfigFunctions = { getAdminConfig };
+const adminConfigFunctions = {
+	getAdminConfig,
+	getPublicAdminConfig
+};
 
 //#endregion
 export { adminConfigFunctions };

package/dist/server/modules/admin/routes/execute-action.d.mts

@@ -1,7 +1,7 @@
 import { ServerActionDefinition, ServerActionResult } from "../../../augmentation/actions.mjs";
 import "../../../augmentation.mjs";
 import { App } from "./route-helpers.mjs";
-import * as questpie69 from "questpie";
+import * as questpie64 from "questpie";
 
 //#region src/server/modules/admin/routes/execute-action.d.ts
 
@@ -56,37 +56,37 @@ declare function executeAction(app: App, request: ExecuteActionRequest, session?
  * });
  * ```
  */
-declare const executeActionFn: questpie69.JsonRouteDefinition<{
+declare const executeActionFn: questpie64.JsonRouteDefinition<{
   collection: string;
   actionId: string;
   itemId?: string | undefined;
   itemIds?: string[] | undefined;
   data?: Record<string, unknown> | undefined;
   locale?: string | undefined;
-}, any, questpie69.JsonRouteParams>;
+}, any, questpie64.JsonRouteParams>;
 /**
  * Get actions configuration for a collection.
  * Returns action definitions without handlers for client rendering.
  */
-declare const getActionsConfigFn: questpie69.JsonRouteDefinition<{
+declare const getActionsConfigFn: questpie64.JsonRouteDefinition<{
   collection: string;
-}, any, questpie69.JsonRouteParams>;
+}, any, questpie64.JsonRouteParams>;
 /**
  * QUESTPIE functions for action execution.
  * These are registered on the `adminModule`.
  */
 declare const actionFunctions: {
-  executeAction: questpie69.JsonRouteDefinition<{
+  executeAction: questpie64.JsonRouteDefinition<{
     collection: string;
     actionId: string;
     itemId?: string | undefined;
     itemIds?: string[] | undefined;
     data?: Record<string, unknown> | undefined;
     locale?: string | undefined;
-  }, any, questpie69.JsonRouteParams>;
-  getActionsConfig: questpie69.JsonRouteDefinition<{
+  }, any, questpie64.JsonRouteParams>;
+  getActionsConfig: questpie64.JsonRouteDefinition<{
     collection: string;
-  }, any, questpie69.JsonRouteParams>;
+  }, any, questpie64.JsonRouteParams>;
 };
 //#endregion
 export { ExecuteActionRequest, ExecuteActionResponse, actionFunctions, executeAction, executeActionFn, getActionsConfig, getActionsConfigFn };

package/dist/server/modules/admin/routes/execute-action.mjs

@@ -1,7 +1,7 @@
 import { getApp, getCollection, getCollectionCrud, getCollectionCruds, getGlobalCruds, getSession } from "./route-helpers.mjs";
 import { translateAdminMessage } from "./i18n-helpers.mjs";
 import { z } from "zod";
-import { route, runWithContext } from "questpie";
+import { extractAppServices, route, runWithContext } from "questpie";
 
 //#region src/server/modules/admin/routes/execute-action.ts
 /**
@@ -144,6 +144,11 @@ async function executeAction(app, request, session) {
 	}
 	try {
 		const appRec = app;
+		const services = extractAppServices(app, {
+			db: appRec.db,
+			session,
+			locale
+		});
 		const context = {
 			data: data || {},
 			itemId,
@@ -154,7 +159,8 @@ async function executeAction(app, request, session) {
 			db: appRec.db,
 			session,
 			locale,
-			t
+			t,
+			workflows: services.workflows
 		};
 		const result = await runWithContext({
 			app,
@@ -474,7 +480,7 @@ const getActionsConfigResponseSchema = z.object({
 * });
 * ```
 */
-const executeActionFn = route().post().access((ctx) => !!ctx.session).schema(executeActionRequestSchema).outputSchema(executeActionResponseSchema).handler(async (ctx) => {
+const executeActionFn = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(executeActionRequestSchema).outputSchema(executeActionResponseSchema).handler(async (ctx) => {
 	const app = getApp(ctx);
 	const session = getSession(ctx);
 	return executeAction(app, ctx.input, session);
@@ -483,7 +489,7 @@ const executeActionFn = route().post().access((ctx) => !!ctx.session).schema(exe
 * Get actions configuration for a collection.
 * Returns action definitions without handlers for client rendering.
 */
-const getActionsConfigFn = route().post().access((ctx) => !!ctx.session).schema(getActionsConfigRequestSchema).outputSchema(getActionsConfigResponseSchema).handler((ctx) => {
+const getActionsConfigFn = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(getActionsConfigRequestSchema).outputSchema(getActionsConfigResponseSchema).handler((ctx) => {
 	return getActionsConfig(getApp(ctx), ctx.input.collection);
 });
 /**

package/dist/server/modules/admin/routes/locales.d.mts

@@ -1,4 +1,4 @@
-import * as questpie344 from "questpie";
+import * as questpie460 from "questpie";
 
 //#region src/server/modules/admin/routes/locales.d.ts
 
@@ -12,7 +12,7 @@ import * as questpie344 from "questpie";
  * Bundle of locale-related functions.
  */
 declare const localeFunctions: {
-  readonly getContentLocales: questpie344.JsonRouteDefinition<Record<string, never> | undefined, any, questpie344.JsonRouteParams>;
+  readonly getContentLocales: questpie460.JsonRouteDefinition<Record<string, never> | undefined, any, questpie460.JsonRouteParams>;
 };
 //#endregion
 export { localeFunctions };

package/dist/server/modules/admin/routes/locales.mjs

@@ -39,7 +39,7 @@ const getContentLocalesOutputSchema = z.object({
 * // }
 * ```
 */
-const getContentLocales = route().post().schema(getContentLocalesSchema).outputSchema(getContentLocalesOutputSchema).handler(async (ctx) => {
+const getContentLocales = route().post().access(true).schema(getContentLocalesSchema).outputSchema(getContentLocalesOutputSchema).handler(async (ctx) => {
 	const localeConfig = getApp(ctx).config.locale;
 	if (!localeConfig) return {
 		locales: [{

package/dist/server/modules/admin/routes/preview.d.mts

@@ -1,4 +1,4 @@
-import * as questpie129 from "questpie";
+import * as questpie72 from "questpie";
 
 //#region src/server/modules/admin/routes/preview.d.ts
 
@@ -25,13 +25,13 @@ interface PreviewTokenPayload {
  * @returns Object with preview functions
  */
 declare function createPreviewFunctions(secret?: PreviewSecretSource): {
-  mintPreviewToken: questpie129.JsonRouteDefinition<{
+  mintPreviewToken: questpie72.JsonRouteDefinition<{
     path: string;
     ttlMs?: number | undefined;
-  }, any, questpie129.JsonRouteParams>;
-  verifyPreviewToken: questpie129.JsonRouteDefinition<{
+  }, any, questpie72.JsonRouteParams>;
+  verifyPreviewToken: questpie72.JsonRouteDefinition<{
     token: string;
-  }, any, questpie129.JsonRouteParams>;
+  }, any, questpie72.JsonRouteParams>;
 };
 /**
  * Verify a preview token without RPC.
@@ -68,18 +68,18 @@ declare function createPreviewTokenVerifier(secret: string): (token: string) =>
  * Used by the `adminModule` to register preview RPC functions.
  */
 declare const previewFunctions: {
-  getPreviewUrl: questpie129.JsonRouteDefinition<{
+  getPreviewUrl: questpie72.JsonRouteDefinition<{
     collection: string;
     record: Record<string, unknown>;
     locale?: string | undefined;
-  }, any, questpie129.JsonRouteParams>;
-  mintPreviewToken: questpie129.JsonRouteDefinition<{
+  }, any, questpie72.JsonRouteParams>;
+  mintPreviewToken: questpie72.JsonRouteDefinition<{
     path: string;
     ttlMs?: number | undefined;
-  }, any, questpie129.JsonRouteParams>;
-  verifyPreviewToken: questpie129.JsonRouteDefinition<{
+  }, any, questpie72.JsonRouteParams>;
+  verifyPreviewToken: questpie72.JsonRouteDefinition<{
     token: string;
-  }, any, questpie129.JsonRouteParams>;
+  }, any, questpie72.JsonRouteParams>;
 };
 //#endregion
 export { PreviewTokenPayload, createPreviewFunctions, createPreviewTokenVerifier, previewFunctions, verifyPreviewTokenDirect };

package/dist/server/modules/admin/routes/preview.mjs

@@ -1,4 +1,5 @@
-import { getApp, getCollectionState, getLocale, getSession } from "./route-helpers.mjs";
+import { hasAdminRole } from "../auth-helpers.mjs";
+import { getApp, getCollectionState, getLocale } from "./route-helpers.mjs";
 import { translateAdminMessage } from "./i18n-helpers.mjs";
 import { z } from "zod";
 import { ApiError, route } from "questpie";
@@ -103,11 +104,11 @@ const DEFAULT_TTL_MS = 3600 * 1e3;
 */
 function createPreviewFunctions(secret = defaultPreviewSecret) {
 	return {
-		mintPreviewToken: route().post().schema(mintPreviewTokenSchema).outputSchema(mintPreviewTokenOutputSchema).handler(async (ctx) => {
+		mintPreviewToken: route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(mintPreviewTokenSchema).outputSchema(mintPreviewTokenOutputSchema).handler(async (ctx) => {
 			const { input } = ctx;
 			const locale = getLocale(ctx);
 			const t = (key, params) => translateAdminMessage(locale, key, params);
-			if (!getSession(ctx)) throw ApiError.unauthorized(t("preview.adminSessionRequired"));
+			if (!hasAdminRole(ctx)) throw ApiError.unauthorized(t("preview.adminSessionRequired"));
 			const { path, ttlMs = DEFAULT_TTL_MS } = input;
 			const expiresAt = Date.now() + ttlMs;
 			const payload = {
@@ -210,11 +211,11 @@ const getPreviewUrlOutputSchema = z.object({
 * // Returns: "/about?preview=true"
 * ```
 */
-const getPreviewUrl = route().post().schema(getPreviewUrlSchema).outputSchema(getPreviewUrlOutputSchema).handler(async (ctx) => {
+const getPreviewUrl = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(getPreviewUrlSchema).outputSchema(getPreviewUrlOutputSchema).handler(async (ctx) => {
 	const { input } = ctx;
 	const messageLocale = getLocale(ctx) ?? input.locale;
 	const t = (key, params) => translateAdminMessage(messageLocale, key, params);
-	if (!getSession(ctx)) return {
+	if (!hasAdminRole(ctx)) return {
 		url: null,
 		error: t("preview.adminSessionRequired")
 	};

package/dist/server/modules/admin/routes/reactive.d.mts

@@ -1,4 +1,4 @@
-import * as questpie121 from "questpie";
+import * as questpie82 from "questpie";
 
 //#region src/server/modules/admin/routes/reactive.d.ts
 
@@ -13,7 +13,7 @@ import * as questpie121 from "questpie";
  * Batch reactive endpoint.
  * Executes multiple reactive handlers in a single request.
  */
-declare const batchReactive: questpie121.JsonRouteDefinition<{
+declare const batchReactive: questpie82.JsonRouteDefinition<{
   collection: string;
   type: "collection" | "global";
   requests: {
@@ -27,12 +27,12 @@ declare const batchReactive: questpie121.JsonRouteDefinition<{
   }[];
   formData?: Record<string, unknown> | undefined;
   prevData?: Record<string, unknown> | null | undefined;
-}, any, questpie121.JsonRouteParams>;
+}, any, questpie82.JsonRouteParams>;
 /**
  * Dynamic options endpoint.
  * Fetches options for select/relation fields with search and pagination.
  */
-declare const fieldOptions: questpie121.JsonRouteDefinition<{
+declare const fieldOptions: questpie82.JsonRouteDefinition<{
   collection: string;
   type: "collection" | "global";
   field: string;
@@ -41,12 +41,12 @@ declare const fieldOptions: questpie121.JsonRouteDefinition<{
   page: number;
   limit: number;
   siblingData?: Record<string, unknown> | null | undefined;
-}, any, questpie121.JsonRouteParams>;
+}, any, questpie82.JsonRouteParams>;
 /**
  * Reactive functions bundle.
  */
 declare const reactiveFunctions: {
-  readonly batchReactive: questpie121.JsonRouteDefinition<{
+  readonly batchReactive: questpie82.JsonRouteDefinition<{
     collection: string;
     type: "collection" | "global";
     requests: {
@@ -60,8 +60,8 @@ declare const reactiveFunctions: {
     }[];
     formData?: Record<string, unknown> | undefined;
     prevData?: Record<string, unknown> | null | undefined;
-  }, any, questpie121.JsonRouteParams>;
-  readonly fieldOptions: questpie121.JsonRouteDefinition<{
+  }, any, questpie82.JsonRouteParams>;
+  readonly fieldOptions: questpie82.JsonRouteDefinition<{
     collection: string;
     type: "collection" | "global";
     field: string;
@@ -70,7 +70,7 @@ declare const reactiveFunctions: {
     page: number;
     limit: number;
     siblingData?: Record<string, unknown> | null | undefined;
-  }, any, questpie121.JsonRouteParams>;
+  }, any, questpie82.JsonRouteParams>;
 };
 //#endregion
 export { batchReactive, fieldOptions, reactiveFunctions };

package/dist/server/modules/admin/routes/reactive.mjs

@@ -306,7 +306,7 @@ const optionsOutputSchema = z.object({
 * Batch reactive endpoint.
 * Executes multiple reactive handlers in a single request.
 */
-const batchReactive = route().post().access((ctx) => !!ctx.session).schema(batchReactiveInputSchema).outputSchema(batchReactiveOutputSchema).handler(async (ctx) => {
+const batchReactive = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(batchReactiveInputSchema).outputSchema(batchReactiveOutputSchema).handler(async (ctx) => {
 	const app = getApp(ctx);
 	const { collection: entityName, type: entityType, requests, formData: sharedFormData, prevData: sharedPrevData } = ctx.input;
 	const serverCtx = buildServerContext(ctx);
@@ -359,7 +359,7 @@ const batchReactive = route().post().access((ctx) => !!ctx.session).schema(batch
 * Dynamic options endpoint.
 * Fetches options for select/relation fields with search and pagination.
 */
-const fieldOptions = route().post().access((ctx) => !!ctx.session).schema(optionsInputSchema).outputSchema(optionsOutputSchema).handler(async (ctx) => {
+const fieldOptions = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(optionsInputSchema).outputSchema(optionsOutputSchema).handler(async (ctx) => {
 	const app = getApp(ctx);
 	const { collection: entityName, type: entityType, field: field$1, formData, siblingData, search, page, limit } = ctx.input;
 	const serverCtx = buildServerContext(ctx);

package/dist/server/modules/admin/routes/route-helpers.mjs

@@ -102,7 +102,7 @@ function buildServerContext(ctx) {
 	return {
 		db: getDb(ctx),
 		user: session?.user ?? null,
-		req: new Request("http://localhost"),
+		...ctx.request ? { req: ctx.request } : {},
 		locale: getLocale(ctx) ?? "en"
 	};
 }

package/dist/server/modules/admin/routes/setup.d.mts

@@ -1,4 +1,4 @@
-import * as questpie139 from "questpie";
+import * as questpie90 from "questpie";
 
 //#region src/server/modules/admin/routes/setup.d.ts
 
@@ -13,7 +13,7 @@ import * as questpie139 from "questpie";
  * }
  * ```
  */
-declare const isSetupRequired: questpie139.JsonRouteDefinition<Record<string, never>, any, questpie139.JsonRouteParams>;
+declare const isSetupRequired: questpie90.JsonRouteDefinition<Record<string, never>, any, questpie90.JsonRouteParams>;
 /**
  * Create the first admin user in the system.
  * This function only works when no admin users exist (setup mode).
@@ -36,21 +36,21 @@ declare const isSetupRequired: questpie139.JsonRouteDefinition<Record<string, ne
  * }
  * ```
  */
-declare const createFirstAdmin: questpie139.JsonRouteDefinition<{
+declare const createFirstAdmin: questpie90.JsonRouteDefinition<{
   email: string;
   password: string;
   name: string;
-}, any, questpie139.JsonRouteParams>;
+}, any, questpie90.JsonRouteParams>;
 /**
  * Bundle of setup-related functions.
  */
 declare const setupFunctions: {
-  readonly isSetupRequired: questpie139.JsonRouteDefinition<Record<string, never>, any, questpie139.JsonRouteParams>;
-  readonly createFirstAdmin: questpie139.JsonRouteDefinition<{
+  readonly isSetupRequired: questpie90.JsonRouteDefinition<Record<string, never>, any, questpie90.JsonRouteParams>;
+  readonly createFirstAdmin: questpie90.JsonRouteDefinition<{
     email: string;
     password: string;
     name: string;
-  }, any, questpie139.JsonRouteParams>;
+  }, any, questpie90.JsonRouteParams>;
 };
 //#endregion
 export { createFirstAdmin, isSetupRequired, setupFunctions };

package/dist/server/modules/admin/routes/translations.d.mts

@@ -1,4 +1,4 @@
-import * as questpie346 from "questpie";
+import * as questpie462 from "questpie";
 
 //#region src/server/modules/admin/routes/translations.d.ts
 
@@ -17,10 +17,10 @@ import * as questpie346 from "questpie";
  * Bundle of translation-related functions.
  */
 declare const translationFunctions: {
-  readonly getAdminTranslations: questpie346.JsonRouteDefinition<{
+  readonly getAdminTranslations: questpie462.JsonRouteDefinition<{
     locale: string;
-  }, any, questpie346.JsonRouteParams>;
-  readonly getAdminLocales: questpie346.JsonRouteDefinition<Record<string, never> | undefined, any, questpie346.JsonRouteParams>;
+  }, any, questpie462.JsonRouteParams>;
+  readonly getAdminLocales: questpie462.JsonRouteDefinition<Record<string, never> | undefined, any, questpie462.JsonRouteParams>;
 };
 //#endregion
 export { translationFunctions };

package/dist/server/modules/admin/routes/widget-data.d.mts

@@ -1,4 +1,4 @@
-import * as questpie147 from "questpie";
+import * as questpie16 from "questpie";
 
 //#region src/server/modules/admin/routes/widget-data.d.ts
 
@@ -20,13 +20,13 @@ import * as questpie147 from "questpie";
  * const data = await client.routes.fetchWidgetData({ widgetId: "my-widget" });
  * ```
  */
-declare const fetchWidgetData: questpie147.JsonRouteDefinition<{
+declare const fetchWidgetData: questpie16.JsonRouteDefinition<{
   widgetId: string;
-}, any, questpie147.JsonRouteParams>;
+}, any, questpie16.JsonRouteParams>;
 declare const widgetDataFunctions: {
-  readonly fetchWidgetData: questpie147.JsonRouteDefinition<{
+  readonly fetchWidgetData: questpie16.JsonRouteDefinition<{
     widgetId: string;
-  }, any, questpie147.JsonRouteParams>;
+  }, any, questpie16.JsonRouteParams>;
 };
 //#endregion
 export { fetchWidgetData, widgetDataFunctions };

package/dist/server/modules/admin/routes/widget-data.mjs

@@ -39,7 +39,7 @@ const fetchWidgetDataSchema = z.object({ widgetId: z.string() });
 * const data = await client.routes.fetchWidgetData({ widgetId: "my-widget" });
 * ```
 */
-const fetchWidgetData = route().post().access((ctx) => !!ctx.session).schema(fetchWidgetDataSchema).outputSchema(z.unknown()).handler(async (ctx) => {
+const fetchWidgetData = route().post().access((ctx) => ctx.session?.user?.role === "admin").schema(fetchWidgetDataSchema).outputSchema(z.unknown()).handler(async (ctx) => {
 	const stored = tryGetContext();
 	const routeApp = ctx.app ?? stored?.app;
 	const appState = routeApp?.state || {};