domma-cms 0.10.0 → 0.12.0

package/server/services/roles.js

@@ -2,6 +2,9 @@
  * Roles Service
  * Preset Collection — seeds roles on first startup, caches them in memory.
  * Auth middleware calls getRoleMap() / getPermissionsFor() at request time.
+ *
+ * Base roles: super-admin (0), admin (1), user (2).
+ * Plugin-contributed roles are tagged with a `plugin` field and removed on plugin teardown.
  */
 import fs from 'fs/promises';
 import path from 'path';
@@ -15,6 +18,15 @@ const DIR = path.join(COLLECTIONS_DIR, SLUG);
 const SCHEMA_PATH = path.join(DIR, 'schema.json');
 const DATA_PATH = path.join(DIR, 'data.json');
 
+/** Users dir — derived from collections dir parent (content/users/) */
+const USERS_DIR = path.resolve(path.dirname(COLLECTIONS_DIR), 'users');
+
+/** Base role slugs that should always exist */
+const BASE_ROLE_NAMES = ['super-admin', 'admin', 'user'];
+
+/** Role slugs that were seeded by the old 4-role system — used to detect legacy data */
+const DEFUNCT_ROLE_NAMES = ['manager', 'editor', 'subscriber'];
+
 export {RESOURCES, ACTIONS};
 
 const PRESET_SCHEMA = {
@@ -35,7 +47,8 @@ const PRESET_SCHEMA = {
         {
             name: 'badgeClass', label: 'Badge Class', type: 'select',
             options: ['badge-danger', 'badge-warning', 'badge-info', 'badge-secondary', 'badge-success', 'badge-primary']
-        }
+        },
+        {name: 'plugin', label: 'Plugin', type: 'text', required: false}
     ],
     api: {
         create: {enabled: false, access: 'admin'},
@@ -46,22 +59,31 @@ const PRESET_SCHEMA = {
 };
 
 const SEED_ENTRIES = [
-    {name: 'admin', label: 'Admin', level: 0, permissions: RESOURCES, badgeClass: 'badge-danger'},
     {
-        name: 'manager',
-        label: 'Manager',
+        name: 'super-admin',
+        label: 'Super Admin',
+        level: 0,
+        permissions: RESOURCES,
+        badgeClass: 'badge-danger'
+    },
+    {
+        name: 'admin',
+        label: 'Admin',
         level: 1,
-        permissions: ['pages', 'settings', 'navigation', 'layouts', 'media', 'users', 'collections', 'views', 'actions'],
+        permissions: [
+            'pages', 'media', 'blocks', 'navigation', 'layouts',
+            'collections', 'views', 'actions',
+            'users', 'settings', 'notifications'
+        ],
         badgeClass: 'badge-warning'
     },
     {
-        name: 'editor',
-        label: 'Editor',
+        name: 'user',
+        label: 'User',
         level: 2,
-        permissions: ['pages.read', 'pages.create', 'pages.update', 'media'],
-        badgeClass: 'badge-info'
-    },
-    {name: 'subscriber', label: 'Subscriber', level: 3, permissions: [], badgeClass: 'badge-secondary'}
+        permissions: ['notifications'],
+        badgeClass: 'badge-secondary'
+    }
 ];
 
 // ---------------------------------------------------------------------------
@@ -80,7 +102,7 @@ let rawPermissionsMap = new Map();
 /**
  * Build in-memory maps from an array of data entries.
  * Supports both bare resource names ('pages') and dotted action strings ('pages.read').
- * Bare names expand to all four actions for backward compatibility.
+ * Bare names expand to all actions for backward compatibility.
  *
  * @param {object[]} entries
  */
@@ -101,44 +123,111 @@ function buildCache(entries) {
         for (const perm of (d.permissions || [])) {
             if (perm.includes('.')) {
                 const [res] = perm.split('.');
-                addTo(perm, d.name);          // 'pages.read' → [role]
-                addTo(res, d.name);          // 'pages'      → [role] (any-action union)
+                addTo(perm, d.name);
+                addTo(res, d.name);
             } else {
-                addTo(perm, d.name);          // 'pages' (bare) → [role]
+                addTo(perm, d.name);
                 for (const action of getActionsForResource(perm)) {
-                    addTo(`${perm}.${action}`, d.name); // expand to resource's actual actions
+                    addTo(`${perm}.${action}`, d.name);
                 }
             }
         }
     }
 }
 
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+async function readData() {
+    const raw = await fs.readFile(DATA_PATH, 'utf8');
+    return JSON.parse(raw);
+}
+
+async function writeData(entries) {
+    await fs.writeFile(DATA_PATH, JSON.stringify(entries, null, 2) + '\n', 'utf8');
+}
+
+function makeEntry(data) {
+    return {
+        id: uuidv4(),
+        data,
+        createdAt: new Date().toISOString(),
+        updatedAt: new Date().toISOString()
+    };
+}
+
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 
 /**
- * Seed the preset collection on first startup (no-op if data.json already exists).
+ * Seed the preset collection on first startup.
+ * Always writes schema. Writes base roles if missing; migrates legacy on-disk data.
+ * Scans content/users/ and rewrites any defunct role assignments to 'user'.
  *
  * @returns {Promise<void>}
  */
 export async function seed() {
     await fs.mkdir(DIR, {recursive: true});
-
-    // Always write schema (overwrite to keep in sync with code)
     await fs.writeFile(SCHEMA_PATH, JSON.stringify(PRESET_SCHEMA, null, 2) + '\n', 'utf8');
 
-    // Only write data if it doesn't exist yet
+    let entries;
     try {
         await fs.access(DATA_PATH);
+        entries = await readData();
+
+        // Migrate: if the data still carries defunct base roles, replace the base layer
+        const hasDefunct = entries.some(e => DEFUNCT_ROLE_NAMES.includes(e.data?.name));
+        const missingBase = !entries.some(e => e.data?.name === 'super-admin');
+        if (hasDefunct || missingBase) {
+            // Keep only plugin-contributed entries, rebuild base entries
+            const pluginEntries = entries.filter(e => e.data?.plugin);
+            const baseEntries = SEED_ENTRIES.map(data => makeEntry(data));
+            entries = [...baseEntries, ...pluginEntries];
+            await writeData(entries);
+        }
+    } catch {
+        // data.json doesn't exist — fresh install
+        entries = SEED_ENTRIES.map(data => makeEntry(data));
+        await writeData(entries);
+    }
+
+    // Migrate existing user files whose role is no longer recognised
+    await migrateUserRoles(entries);
+}
+
+/**
+ * Rewrite any user file whose role is not in the current role set to 'user'.
+ *
+ * @param {object[]} roleEntries - Current on-disk role entries
+ * @returns {Promise<void>}
+ */
+async function migrateUserRoles(roleEntries) {
+    const knownRoles = new Set(roleEntries.map(e => e.data?.name).filter(Boolean));
+
+    let files;
+    try {
+        files = await fs.readdir(USERS_DIR);
     } catch {
-        const entries = SEED_ENTRIES.map(data => ({
-            id: uuidv4(),
-            data,
-            createdAt: new Date().toISOString(),
-            updatedAt: new Date().toISOString()
-        }));
-        await fs.writeFile(DATA_PATH, JSON.stringify(entries, null, 2) + '\n', 'utf8');
+        return; // users dir doesn't exist yet — nothing to migrate
+    }
+
+    for (const file of files) {
+        if (!file.endsWith('.json')) continue;
+        const filePath = path.join(USERS_DIR, file);
+        try {
+            const raw = await fs.readFile(filePath, 'utf8');
+            const user = JSON.parse(raw);
+            if (user.role && !knownRoles.has(user.role)) {
+                const oldRole = user.role;
+                user.role = 'user';
+                await fs.writeFile(filePath, JSON.stringify(user, null, 2) + '\n', 'utf8');
+                console.log(`[roles] Migrated user ${user.email ?? file} from '${oldRole}' to 'user'`);
+            }
+        } catch {
+            // skip unreadable files
+        }
     }
 }
 
@@ -149,8 +238,7 @@ export async function seed() {
  */
 export async function load() {
     try {
-        const raw = await fs.readFile(DATA_PATH, 'utf8');
-        const entries = JSON.parse(raw);
+        const entries = await readData();
         buildCache(entries);
     } catch (err) {
         console.warn('[roles] Failed to load roles collection:', err.message);
@@ -166,6 +254,77 @@ export async function invalidate() {
     await load();
 }
 
+/**
+ * Persist a new role entry and rebuild the cache.
+ * Idempotent — if a role with the same name exists, it is updated in place.
+ *
+ * @param {{name:string,label:string,level:number,permissions:string[],badgeClass?:string,plugin?:string}} data
+ * @returns {Promise<void>}
+ */
+export async function createRole(data) {
+    let entries;
+    try {
+        entries = await readData();
+    } catch {
+        entries = [];
+    }
+
+    const idx = entries.findIndex(e => e.data?.name === data.name);
+    if (idx >= 0) {
+        entries[idx].data = {...entries[idx].data, ...data, updatedAt: new Date().toISOString()};
+        entries[idx].updatedAt = new Date().toISOString();
+    } else {
+        entries.push(makeEntry(data));
+    }
+
+    await writeData(entries);
+    buildCache(entries);
+}
+
+/**
+ * Remove a role entry by name and rebuild the cache.
+ * Refuses to remove base roles (level 0 protection is enforced elsewhere;
+ * here we additionally refuse by name).
+ *
+ * @param {string} name - Role slug
+ * @returns {Promise<void>}
+ */
+export async function removeRole(name) {
+    if (BASE_ROLE_NAMES.includes(name)) {
+        throw new Error(`Cannot remove built-in role '${name}'`);
+    }
+
+    let entries;
+    try {
+        entries = await readData();
+    } catch {
+        return;
+    }
+
+    entries = entries.filter(e => e.data?.name !== name);
+    await writeData(entries);
+    buildCache(entries);
+}
+
+/**
+ * Remove all roles contributed by a plugin and rebuild the cache.
+ *
+ * @param {string} plugin - Plugin name
+ * @returns {Promise<void>}
+ */
+export async function removeRolesByPlugin(plugin) {
+    let entries;
+    try {
+        entries = await readData();
+    } catch {
+        return;
+    }
+
+    entries = entries.filter(e => e.data?.plugin !== plugin);
+    await writeData(entries);
+    buildCache(entries);
+}
+
 /**
  * Return the full role map.
  *
@@ -187,26 +346,19 @@ export function getRoleLevel(roleName) {
 
 /**
  * Return the role names allowed to access a resource (and optional action).
- * - getPermissionsFor('pages')          → roles with ANY action on pages (backward compat)
- * - getPermissionsFor('pages', 'delete')→ roles with delete on pages
- * - getPermissionsFor('pages.delete')   → same as above (dot-notation shorthand)
  *
  * @param {string}  resource - Resource key, or 'resource.action' dot notation
  * @param {string} [action]  - Optional action (read | create | update | delete)
  * @returns {string[]}
  */
 export function getPermissionsFor(resource, action) {
-    if (action) {
-        return permissionsMap.get(`${resource}.${action}`) ?? [];
-    }
-    if (resource.includes('.')) {
-        return permissionsMap.get(resource) ?? [];
-    }
+    if (action) return permissionsMap.get(`${resource}.${action}`) ?? [];
+    if (resource.includes('.')) return permissionsMap.get(resource) ?? [];
     return permissionsMap.get(resource) ?? [];
 }
 
 /**
- * Return the raw permissions array for a role — used by the /api/auth/permissions endpoint.
+ * Return the raw permissions array for a role.
  *
  * @param {string} roleName
  * @returns {string[]}

package/server/services/users.js

@@ -122,7 +122,7 @@ export async function getUserByEmail(email) {
  * @param {object} data - { name, email, password, role }
  * @returns {Promise<object>} Created user (password stripped)
  */
-export async function createUser({ name, email, password, role = 'editor' }) {
+export async function createUser({ name, email, password, role = 'user' }) {
     const existing = await getUserByEmail(email);
     if (existing) throw new Error('A user with that email already exists');
 

package/server/services/views.js

@@ -165,7 +165,7 @@ export async function createView(data, userId = null) {
             block: display?.block || ''
         },
         access: {
-            roles: access?.roles || ['admin'],
+            roles: access?.roles || ['admin', 'super-admin'],
             public: access?.public || false,
             rowLevel: access?.rowLevel || null
         },

package/server/templates/page.html

@@ -29,7 +29,7 @@
   <!-- Late head injection — custom CSS always loads last so it can override everything -->
   {{headInjectLate}}
 </head>
-<body class="dm-cloaked dm-theme-{{theme}}" data-layout="{{layout}}">
+<body class="dm-cloaked dm-theme-{{theme}} {{layoutBodyClass}}" data-layout="{{layout}}">
 
     {{#if showNavbar}}
     <nav id="site-navbar"></nav>
@@ -43,7 +43,7 @@
         <article class="site-content">
             <div class="container">
                 {{breadcrumbsHtml}}
-                <div class="page-body">
+                <div class="page-body"{{#if pageBodyStyle}} style="{{pageBodyStyle}}"{{/if}}>
                     {{html}}
                 </div>
             </div>

package/plugins/docs/admin/templates/docs.html

@@ -1,69 +0,0 @@
-<div class="docs-layout" style="display:grid;grid-template-columns:200px 260px 1fr;height:calc(100vh - 120px);gap:0;border:1px solid var(--dm-border);border-radius:var(--dm-radius);overflow:hidden;">
-
-  <!-- Folder sidebar -->
-  <div class="docs-folders" style="border-right:1px solid var(--dm-border);display:flex;flex-direction:column;">
-    <div style="padding:0.75rem;border-bottom:1px solid var(--dm-border);display:flex;align-items:center;justify-content:space-between;">
-      <span style="font-weight:600;font-size:0.85rem;">Folders</span>
-      <button id="new-folder-btn" class="btn btn-sm btn-ghost" title="New Folder">
-        <span data-icon="plus" data-icon-size="14"></span>
-      </button>
-    </div>
-    <div id="folder-sidebar" style="flex:1;overflow-y:auto;padding:0.5rem;"></div>
-  </div>
-
-  <!-- Document list -->
-  <div class="docs-list-pane" style="border-right:1px solid var(--dm-border);display:flex;flex-direction:column;">
-    <div style="padding:0.75rem;border-bottom:1px solid var(--dm-border);">
-        <input id="doc-search" class="form-input form-input-sm" placeholder="Search documents..." style="width:100%;">
-    </div>
-    <div style="padding:0.5rem;border-bottom:1px solid var(--dm-border);display:flex;gap:0.5rem;">
-      <button id="new-doc-btn" class="btn btn-sm btn-primary" style="flex:1;">
-        <span data-icon="plus" data-icon-size="14"></span> New
-      </button>
-      <button id="new-from-template-btn" class="btn btn-sm btn-outline" title="New from Template">
-        <span data-icon="layout" data-icon-size="14"></span>
-      </button>
-    </div>
-    <div id="doc-list" style="flex:1;overflow-y:auto;"></div>
-  </div>
-
-  <!-- Editor pane -->
-  <div style="display:flex;flex-direction:column;overflow:hidden;">
-
-    <!-- Placeholder when no doc is selected -->
-    <div id="editor-placeholder" style="flex:1;display:flex;align-items:center;justify-content:center;color:var(--dm-text-muted);">
-      <div style="text-align:center;">
-        <span data-icon="book-open" data-icon-size="48" style="display:block;margin-bottom:1rem;opacity:0.4;"></span>
-        <p>Select a document to start editing</p>
-      </div>
-    </div>
-
-    <!-- Editor when a doc is open -->
-    <div id="editor-pane" style="display:none;flex-direction:column;flex:1;overflow:hidden;">
-      <!-- Toolbar -->
-      <div style="padding:0.5rem 0.75rem;border-bottom:1px solid var(--dm-border);display:flex;align-items:center;gap:0.5rem;flex-shrink:0;">
-          <input id="doc-title-input" class="form-input" placeholder="Document title"
-          style="flex:1;border:none;font-weight:600;font-size:1rem;background:transparent;outline:none;padding:0.25rem;">
-        <button id="save-doc-btn" class="btn btn-sm btn-primary">
-          <span data-icon="save" data-icon-size="14"></span> Save
-        </button>
-        <button id="find-replace-btn" class="btn btn-sm btn-ghost" title="Find &amp; Replace">
-          <span data-icon="search" data-icon-size="14"></span>
-        </button>
-        <button id="version-history-btn" class="btn btn-sm btn-ghost" title="Version History">
-          <span data-icon="clock" data-icon-size="14"></span>
-        </button>
-        <button id="duplicate-doc-btn" class="btn btn-sm btn-ghost" title="Duplicate Document">
-          <span data-icon="copy" data-icon-size="14"></span>
-        </button>
-        <button id="delete-doc-btn" class="btn btn-sm btn-ghost btn-danger" title="Delete Document">
-          <span data-icon="trash" data-icon-size="14"></span>
-        </button>
-      </div>
-      <!-- Content area -->
-      <div id="doc-editor-content" style="flex:1;overflow-y:auto;padding:1rem;"></div>
-    </div>
-
-  </div>
-
-</div>