dineway 0.1.4 → 0.1.6

package/src/astro/routes/api/admin/review-requests/index.ts

@@ -0,0 +1,35 @@
+/**
+ * Admin review requests
+ *
+ * GET /_dineway/api/admin/review-requests - List review requests
+ */
+
+import type { APIRoute } from "astro";
+
+import { requirePerm } from "#api/authorize.js";
+import { handleError, requireDb, unwrapResult } from "#api/error.js";
+import { handleReviewRequestList } from "#api/handlers/review-requests.js";
+import { isParseError, parseQuery } from "#api/parse.js";
+import { reviewRequestListQuery } from "#api/schemas.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, locals }) => {
+	const { dineway, user } = locals;
+
+	const dbErr = requireDb(dineway?.db);
+	if (dbErr) return dbErr;
+
+	const denied = requirePerm(user, "content:edit_any");
+	if (denied) return denied;
+
+	try {
+		const query = parseQuery(url, reviewRequestListQuery);
+		if (isParseError(query)) return query;
+
+		const result = await handleReviewRequestList(dineway.db, query);
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to list review requests", "REVIEW_REQUEST_LIST_ERROR");
+	}
+};

package/src/astro/routes/api/admin/users/[id]/disable.ts

@@ -9,6 +9,7 @@ import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
 import type { APIRoute } from "astro";
 
 import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { withTransaction } from "#db/transaction.js";
 
 export const prerender = false;
 
@@ -23,8 +24,6 @@ export const POST: APIRoute = async ({ params, locals }) => {
 		return apiError("FORBIDDEN", "Admin privileges required", 403);
 	}
 
-	const adapter = createKyselyAdapter(dineway.db);
-
 	const { id } = params;
 
 	if (!id) {
@@ -37,32 +36,36 @@ export const POST: APIRoute = async ({ params, locals }) => {
 	}
 
 	try {
-		// Get target user
-		const targetUser = await adapter.getUserById(id);
-		if (!targetUser) {
-			return apiError("NOT_FOUND", "User not found", 404);
-		}
+		return await withTransaction(dineway.db, async (trx) => {
+			const adapter = createKyselyAdapter(trx);
+
+			// Get target user
+			const targetUser = await adapter.getUserById(id);
+			if (!targetUser) {
+				return apiError("NOT_FOUND", "User not found", 404);
+			}
 
-		// Check if this would leave no active admins
-		if (targetUser.role === Role.ADMIN) {
-			const adminCount = await adapter.countAdmins();
-			if (adminCount <= 1) {
-				return apiError(
-					"VALIDATION_ERROR",
-					"Cannot disable the last admin. Promote another user first.",
-					400,
-				);
+			// Check if this would leave no active admins
+			if (targetUser.role === Role.ADMIN) {
+				const adminCount = await adapter.countAdmins();
+				if (adminCount <= 1) {
+					return apiError(
+						"VALIDATION_ERROR",
+						"Cannot disable the last admin. Promote another user first.",
+						400,
+					);
+				}
 			}
-		}
 
-		// Disable user
-		await adapter.updateUser(id, { disabled: true });
+			// Disable user
+			await adapter.updateUser(id, { disabled: true });
 
-		// SEC-43: Revoke all OAuth tokens for the disabled user.
-		// Without this, existing refresh tokens remain valid for up to 90 days.
-		await dineway.db.deleteFrom("_dineway_oauth_tokens").where("user_id", "=", id).execute();
+			// SEC-43: Revoke all OAuth tokens for the disabled user.
+			// Without this, existing refresh tokens remain valid for up to 90 days.
+			await trx.deleteFrom("_dineway_oauth_tokens").where("user_id", "=", id).execute();
 
-		return apiSuccess({ success: true });
+			return apiSuccess({ success: true });
+		});
 	} catch (error) {
 		return handleError(error, "Failed to disable user", "USER_DISABLE_ERROR");
 	}

package/src/astro/routes/api/admin/users/[id]/index.ts

@@ -12,6 +12,7 @@ import type { APIRoute } from "astro";
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { userUpdateBody } from "#api/schemas.js";
+import { withTransaction } from "#db/transaction.js";
 
 export const prerender = false;
 
@@ -117,28 +118,47 @@ export const PUT: APIRoute = async ({ params, request, locals }) => {
 			}
 		}
 
-		// Update user
-		await adapter.updateUser(id, {
-			name: body.name,
-			email: body.email,
-			role,
-		});
+		return await withTransaction(dineway.db, async (trx) => {
+			const txAdapter = createKyselyAdapter(trx);
+			const latestTargetUser = await txAdapter.getUserById(id);
+			if (!latestTargetUser) {
+				return apiError("NOT_FOUND", "User not found", 404);
+			}
+
+			if (role !== undefined && latestTargetUser.role === Role.ADMIN && role < Role.ADMIN) {
+				const adminCount = await txAdapter.countAdmins();
+				if (adminCount <= 1) {
+					return apiError(
+						"VALIDATION_ERROR",
+						"Cannot demote the last admin. Promote another user first.",
+						400,
+					);
+				}
+			}
 
-		// Fetch updated user
-		const updated = await adapter.getUserById(id);
-
-		return apiSuccess({
-			item: {
-				id: updated!.id,
-				email: updated!.email,
-				name: updated!.name,
-				avatarUrl: updated!.avatarUrl,
-				role: updated!.role,
-				emailVerified: updated!.emailVerified,
-				disabled: updated!.disabled,
-				createdAt: updated!.createdAt.toISOString(),
-				updatedAt: updated!.updatedAt.toISOString(),
-			},
+			// Update user
+			await txAdapter.updateUser(id, {
+				name: body.name,
+				email: body.email,
+				role,
+			});
+
+			// Fetch updated user
+			const updated = await txAdapter.getUserById(id);
+
+			return apiSuccess({
+				item: {
+					id: updated!.id,
+					email: updated!.email,
+					name: updated!.name,
+					avatarUrl: updated!.avatarUrl,
+					role: updated!.role,
+					emailVerified: updated!.emailVerified,
+					disabled: updated!.disabled,
+					createdAt: updated!.createdAt.toISOString(),
+					updatedAt: updated!.updatedAt.toISOString(),
+				},
+			});
 		});
 	} catch (error) {
 		return handleError(error, "Failed to update user", "USER_UPDATE_ERROR");

package/src/astro/routes/api/auth/invite/register-options.ts

@@ -0,0 +1,73 @@
+/**
+ * POST /_dineway/api/auth/invite/register-options
+ *
+ * Generate WebAuthn registration options for an invited user.
+ */
+
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+import { validateInvite, InviteError } from "@dineway-ai/auth";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { generateRegistrationOptions } from "@dineway-ai/auth/passkey";
+import { ulid } from "ulidx";
+
+import { apiError, apiSuccess, handleError } from "#api/error.js";
+import { isParseError, parseBody } from "#api/parse.js";
+import { getPublicOrigin } from "#api/public-url.js";
+import { inviteRegisterOptionsBody } from "#api/schemas.js";
+import { createChallengeStore } from "#auth/challenge-store.js";
+import { getPasskeyConfig } from "#auth/passkey-config.js";
+import { OptionsRepository } from "#db/repositories/options.js";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+	const { dineway } = locals;
+
+	if (!dineway?.db) {
+		return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	}
+
+	try {
+		const body = await parseBody(request, inviteRegisterOptionsBody);
+		if (isParseError(body)) return body;
+
+		const adapter = createKyselyAdapter(dineway.db);
+		const invite = await validateInvite(adapter, body.token);
+
+		const url = new URL(request.url);
+		const optionsRepo = new OptionsRepository(dineway.db);
+		const siteName = (await optionsRepo.get<string>("dineway:site_title")) ?? undefined;
+		const siteUrl = getPublicOrigin(url, dineway?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);
+
+		const challengeStore = createChallengeStore(dineway.db);
+		const registrationOptions = await generateRegistrationOptions(
+			passkeyConfig,
+			{
+				id: ulid(),
+				email: invite.email,
+				name: body.name || null,
+			},
+			[],
+			challengeStore,
+		);
+
+		return apiSuccess({ options: registrationOptions });
+	} catch (error) {
+		if (error instanceof InviteError) {
+			const statusMap: Record<string, number> = {
+				invalid_token: 404,
+				token_expired: 410,
+				user_exists: 409,
+			};
+			return apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);
+		}
+
+		return handleError(
+			error,
+			"Failed to generate registration options",
+			"INVITE_REGISTER_OPTIONS_ERROR",
+		);
+	}
+};

package/src/astro/routes/api/auth/magic-link/send.ts

@@ -19,6 +19,7 @@ import { isParseError, parseBody } from "#api/parse.js";
 import { magicLinkSendBody } from "#api/schemas.js";
 import { getSiteBaseUrl } from "#api/site-url.js";
 import { checkRateLimit, getClientIp } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals }) => {
@@ -36,7 +37,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 3 requests per 300 seconds (5 minutes) per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
 		const rateLimit = await checkRateLimit(dineway.db, ip, "magic-link/send", 3, 300);
 		if (!rateLimit.allowed) {
 			// Return success-shaped response to avoid revealing rate limit

package/src/astro/routes/api/auth/passkey/options.ts

@@ -20,6 +20,7 @@ import { passkeyOptionsBody } from "#api/schemas.js";
 import { createChallengeStore, cleanupExpiredChallenges } from "#auth/challenge-store.js";
 import { getPasskeyConfig } from "#auth/passkey-config.js";
 import { checkRateLimit, getClientIp, rateLimitResponse } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals }) => {
@@ -38,7 +39,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 10 requests per 60 seconds per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
 		const rateLimit = await checkRateLimit(dineway.db, ip, "passkey/options", 10, 60);
 		if (!rateLimit.allowed) {
 			return rateLimitResponse(60);

package/src/astro/routes/api/auth/passkey/verify.ts

@@ -9,7 +9,7 @@ import type { APIRoute } from "astro";
 export const prerender = false;
 
 import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
-import { authenticateWithPasskey } from "@dineway-ai/auth/passkey";
+import { authenticateWithPasskey, PasskeyAuthenticationError } from "@dineway-ai/auth/passkey";
 
 import { apiError, apiSuccess, handleError } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
@@ -63,6 +63,10 @@ export const POST: APIRoute = async ({ request, locals, session }) => {
 			},
 		});
 	} catch (error) {
+		if (error instanceof PasskeyAuthenticationError) {
+			return apiError("UNAUTHORIZED", "Authentication failed", 401);
+		}
+
 		return handleError(error, "Authentication failed", "PASSKEY_VERIFY_ERROR");
 	}
 };

package/src/astro/routes/api/auth/signup/request.ts

@@ -3,6 +3,8 @@
  *
  * Request self-signup. Sends verification email if domain is allowed.
  * Always returns 200 to prevent email enumeration.
+ *
+ * Rate limited: 3 requests per 5 minutes per IP. Mirrors magic-link/send.
  */
 
 import type { APIRoute } from "astro";
@@ -16,8 +18,15 @@ import { apiError, apiSuccess } from "#api/error.js";
 import { isParseError, parseBody } from "#api/parse.js";
 import { signupRequestBody } from "#api/schemas.js";
 import { getSiteBaseUrl } from "#api/site-url.js";
+import { checkRateLimit, getClientIp } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
+const GENERIC_SUCCESS = {
+	success: true,
+	message: "If your email domain is allowed, you'll receive a verification email.",
+};
+
 export const POST: APIRoute = async ({ request, locals }) => {
 	const { dineway } = locals;
 
@@ -38,6 +47,15 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		const body = await parseBody(request, signupRequestBody);
 		if (isParseError(body)) return body;
 
+		// Rate limit: 3 requests per 300 seconds per IP. Return the same
+		// response as the normal path so callers cannot observe the limit.
+		const trustedHeaders = getTrustedProxyHeaders(dineway.config);
+		const ip = getClientIp(request, trustedHeaders);
+		const rateLimit = await checkRateLimit(dineway.db, ip, "signup/request", 3, 300);
+		if (!rateLimit.allowed) {
+			return apiSuccess(GENERIC_SUCCESS);
+		}
+
 		const adapter = createKyselyAdapter(dineway.db);
 
 		// Get site config for signup email
@@ -60,18 +78,12 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		);
 
 		// Always return success to prevent email enumeration
-		return apiSuccess({
-			success: true,
-			message: "If your email domain is allowed, you'll receive a verification email.",
-		});
+		return apiSuccess(GENERIC_SUCCESS);
 	} catch (error) {
 		console.error("Signup request error:", error);
 
 		// Don't reveal internal errors - just return generic success
 		// to prevent information leakage
-		return apiSuccess({
-			success: true,
-			message: "If your email domain is allowed, you'll receive a verification email.",
-		});
+		return apiSuccess(GENERIC_SUCCESS);
 	}
 };

package/src/astro/routes/api/comments/[collection]/[contentId]/index.ts

@@ -15,6 +15,7 @@ import { getSiteBaseUrl } from "#api/site-url.js";
 import { sendCommentNotification } from "#comments/notifications.js";
 import { createComment, type CommentHookRunner } from "#comments/service.js";
 import { CommentRepository } from "#db/repositories/comment.js";
+import { validateIdentifier } from "#db/validate.js";
 import { extractRequestMeta } from "#plugins/request-meta.js";
 import type { CollectionCommentSettings, ModerationDecision } from "#plugins/types.js";
 
@@ -106,6 +107,7 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		}
 
 		// Verify the content item exists, is published, and not soft-deleted
+		validateIdentifier(collection, "collection");
 		const contentRow = await dineway.db
 			.selectFrom(`ec_${collection}` as never)
 			.select(["id" as never, "slug" as never, "author_id" as never, "published_at" as never])
@@ -137,15 +139,12 @@ export const POST: APIRoute = async ({ params, request, locals }) => {
 		}
 
 		// Anti-spam: Rate limiting
-		const meta = extractRequestMeta(request);
+		const meta = extractRequestMeta(request, dineway.config);
 		const ipSalt =
 			import.meta.env.DINEWAY_AUTH_SECRET || import.meta.env.AUTH_SECRET || "dineway-ip-salt";
 		let ipHash: string;
 		if (meta.ip) {
 			ipHash = await hashIp(meta.ip, ipSalt);
-		} else if (meta.userAgent) {
-			// Fallback: hash user-agent as a rough identifier when IP is unavailable
-			ipHash = await hashIp(`ua:${meta.userAgent}`, ipSalt);
 		} else {
 			// Fail closed: all unidentifiable requests share one rate-limit bucket.
 			// Use a larger limit since this bucket is shared across all anonymous users.

package/src/astro/routes/api/content/[collection]/[id]/compare.ts

@@ -13,7 +13,7 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, locals }) => {
 	const { dineway, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;

package/src/astro/routes/api/content/[collection]/[id]/discard-draft.ts

@@ -8,6 +8,11 @@ import type { APIRoute } from "astro";
 
 import { requireOwnerPerm } from "#api/authorize.js";
 import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import {
+	contentApiRouteSource,
+	extractActivityItemId,
+	logContentActivity,
+} from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -43,12 +48,21 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
 	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (denied) return denied;
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
 
-	const result = await dineway.handleContentDiscardDraft(collection, id);
+	const result = await dineway.handleContentDiscardDraft(collection, resolvedId);
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, id] });
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+
+	await logContentActivity(dineway.db, locals, {
+		action: "draft_discarded",
+		collection,
+		entryId: extractActivityItemId(result.data, resolvedId),
+		...contentApiRouteSource("draft_discarded"),
+		summary: `Discarded draft for content in ${collection}`,
+	});
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/duplicate.ts

@@ -8,6 +8,11 @@ import type { APIRoute } from "astro";
 
 import { requirePerm, requireOwnerPerm } from "#api/authorize.js";
 import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import {
+	contentApiRouteSource,
+	extractActivityItemId,
+	logContentActivity,
+} from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -57,5 +62,16 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	if (cache.enabled) await cache.invalidate({ tags: [collection] });
 
+	await logContentActivity(dineway.db, locals, {
+		action: "duplicated",
+		collection,
+		entryId: extractActivityItemId(result.data),
+		...contentApiRouteSource("duplicated"),
+		summary: `Duplicated content in ${collection}`,
+		detail: {
+			sourceEntryId: resolvedId,
+		},
+	});
+
 	return unwrapResult(result, 201);
 };

package/src/astro/routes/api/content/[collection]/[id]/permanent.ts

@@ -8,6 +8,7 @@ import type { APIRoute } from "astro";
 
 import { requirePerm } from "#api/authorize.js";
 import { apiError, unwrapResult } from "#api/error.js";
+import { contentApiRouteSource, logContentActivity } from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -29,5 +30,13 @@ export const DELETE: APIRoute = async ({ params, locals, cache }) => {
 
 	if (cache.enabled) await cache.invalidate({ tags: [collection, id] });
 
+	await logContentActivity(dineway.db, locals, {
+		action: "permanently_deleted",
+		collection,
+		entryId: id,
+		...contentApiRouteSource("permanently_deleted"),
+		summary: `Permanently deleted content in ${collection}`,
+	});
+
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/preview-url.ts

@@ -30,7 +30,7 @@ const DURATION_PATTERN = /^(\d+)([smhdw])$/;
 
 export const POST: APIRoute = async ({ params, request, locals }) => {
 	const { dineway, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;

package/src/astro/routes/api/content/[collection]/[id]/publish.ts

@@ -8,10 +8,18 @@ import type { APIRoute } from "astro";
 
 import { requireOwnerPerm } from "#api/authorize.js";
 import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import { isParseError, parseOptionalBody } from "#api/parse.js";
+import { contentPublishBody } from "#api/schemas.js";
+import {
+	contentApiRouteSource,
+	extractActivityItemId,
+	logContentActivity,
+} from "#site-context/activity-events.js";
+import { resolveActorIdentity, RiskPolicyEvaluator } from "#site-context/index.js";
 
 export const prerender = false;
 
-export const POST: APIRoute = async ({ params, locals, cache }) => {
+export const POST: APIRoute = async ({ params, request, locals, cache }) => {
 	const { dineway, user } = locals;
 	const collection = params.collection!;
 	const id = params.id!;
@@ -45,6 +53,31 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	if (denied) return denied;
 
 	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
+	const body = await parseOptionalBody(request, contentPublishBody, {});
+	if (isParseError(body)) return body;
+
+	const actor = resolveActorIdentity({
+		user: user ? { id: user.id } : null,
+		tokenScopes: locals.tokenScopes,
+		authToken: locals.authToken,
+	});
+	const evaluator = new RiskPolicyEvaluator({
+		db: dineway.db,
+		handlers: dineway,
+	});
+	const reviewRequestId = body.reviewRequestId ?? body.review_request_id;
+	const decision = await evaluator.evaluateContentPublishReview({
+		actor,
+		collection,
+		id: resolvedId,
+		reviewRequestId,
+	});
+	if (!decision.allowed) {
+		return apiError("REVIEW_REQUEST_REQUIRED", decision.message, 409, {
+			reason: decision.reason,
+			target: decision.target ?? null,
+		});
+	}
 
 	const result = await dineway.handleContentPublish(collection, resolvedId);
 
@@ -52,5 +85,16 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 
 	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
 
+	await logContentActivity(dineway.db, locals, {
+		action: "published",
+		collection,
+		entryId: extractActivityItemId(result.data, resolvedId),
+		...contentApiRouteSource("published"),
+		summary: `Published content in ${collection}`,
+		detail: {
+			reviewRequestId: decision.required ? decision.reviewRequest.id : null,
+		},
+	});
+
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/restore.ts

@@ -8,6 +8,7 @@ import type { APIRoute } from "astro";
 
 import { requireOwnerPerm } from "#api/authorize.js";
 import { apiError, mapErrorStatus, unwrapResult } from "#api/error.js";
+import { contentApiRouteSource, logContentActivity } from "#site-context/activity-events.js";
 
 export const prerender = false;
 
@@ -43,12 +44,21 @@ export const POST: APIRoute = async ({ params, locals, cache }) => {
 	const authorId = typeof existingItem?.authorId === "string" ? existingItem.authorId : "";
 	const denied = requireOwnerPerm(user, authorId, "content:edit_own", "content:edit_any");
 	if (denied) return denied;
+	const resolvedId = typeof existingItem?.id === "string" ? existingItem.id : id;
 
-	const result = await dineway.handleContentRestore(collection, id);
+	const result = await dineway.handleContentRestore(collection, resolvedId);
 
 	if (!result.success) return unwrapResult(result);
 
-	if (cache.enabled) await cache.invalidate({ tags: [collection, id] });
+	if (cache.enabled) await cache.invalidate({ tags: [collection, resolvedId] });
+
+	await logContentActivity(dineway.db, locals, {
+		action: "restored",
+		collection,
+		entryId: resolvedId,
+		...contentApiRouteSource("restored"),
+		summary: `Restored content in ${collection}`,
+	});
 
 	return unwrapResult(result);
 };

package/src/astro/routes/api/content/[collection]/[id]/revisions.ts

@@ -13,7 +13,7 @@ export const prerender = false;
 
 export const GET: APIRoute = async ({ params, url, locals }) => {
 	const { dineway, user } = locals;
-	const denied = requirePerm(user, "content:read");
+	const denied = requirePerm(user, "content:read_drafts");
 	if (denied) return denied;
 	const collection = params.collection!;
 	const id = params.id!;