domma-cms 0.10.0 → 0.13.0

package/server/middleware/auth.js

@@ -125,6 +125,54 @@ export function canManageUser(actorRole, targetRole) {
     return getRoleLevel(actorRole) < getRoleLevel(targetRole);
 }
 
+/**
+ * Check whether a user role satisfies a visibility requirement.
+ * Used by both requireVisibility() and the public page renderer.
+ *
+ * @param {string|null} userRole   - The visitor's role, or null if unauthenticated
+ * @param {string}      visibility - Required visibility ('public', 'private', or a role name)
+ * @returns {boolean} true if access is granted
+ */
+export function checkVisibility(userRole, visibility) {
+    if (!visibility || visibility === 'public') return true;
+    if (!userRole) return false;                              // unauthenticated, non-public page
+    const userLevel       = getRoleLevel(userRole);
+    const requiredLevel   = getRoleLevel(visibility);
+    const threshold       = requiredLevel === Infinity ? 0 : requiredLevel;
+    return userLevel <= threshold;
+}
+
+/**
+ * Fastify preHandler factory — gates a route by visibility level.
+ * Works identically to the content-page visibility system.
+ * Returns a no-op for 'public' so it is safe to apply unconditionally.
+ *
+ * @param {string} visibility - 'public' | 'private' | any role name
+ * @returns {Function} Fastify preHandler
+ */
+export function requireVisibility(visibility) {
+    if (!visibility || visibility === 'public') {
+        return (_request, _reply, done) => { if (done) done(); };
+    }
+
+    return async (request, reply) => {
+        let userRole = null;
+        try {
+            const decoded = await request.jwtVerify();
+            if (decoded.type === 'access') userRole = decoded.role;
+        } catch { /* unauthenticated */ }
+
+        if (!checkVisibility(userRole, visibility)) {
+            const code = userRole ? 403 : 401;
+            return reply.code(code).send({
+                statusCode: code,
+                error:      code === 403 ? 'Forbidden' : 'Unauthorised',
+                message:    code === 403 ? 'Insufficient role for this resource' : 'Authentication required'
+            });
+        }
+    };
+}
+
 /**
  * Return role names ordered from most to least privileged.
  * Computed from the roles cache.

package/server/middleware/managerAuth.js

@@ -0,0 +1,36 @@
+/**
+ * Manager auth middleware — shared-secret guard for inbound requests from domma-cms-manager.
+ * Completely separate from JWT authenticate. Do NOT mix these two auth surfaces.
+ */
+import { timingSafeEqual, createHmac } from 'crypto';
+
+/**
+ * Fastify preHandler — validates the X-Manager-Token or Authorization: Bearer header
+ * against the MANAGER_SECRET environment variable using timing-safe comparison.
+ *
+ * @param {import('fastify').FastifyRequest} request
+ * @param {import('fastify').FastifyReply} reply
+ * @param {Function} done
+ */
+export function requireManager(request, reply, done) {
+    const secret = process.env.MANAGER_SECRET;
+
+    if (!secret || secret.length < 32) {
+        return reply.code(503).send({ error: 'Manager push notifications are not configured on this server.' });
+    }
+
+    const authHeader = request.headers['x-manager-token'] || request.headers['authorization'] || '';
+    const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : authHeader;
+
+    if (!token) {
+        return reply.code(401).send({ error: 'Manager token required.' });
+    }
+
+    // Compare HMAC digests — always 32 bytes regardless of input length, preventing timing oracle
+    const digest = (s) => createHmac('sha256', 'domma-cms').update(s).digest();
+    if (!timingSafeEqual(digest(token), digest(secret))) {
+        return reply.code(403).send({ error: 'Invalid manager token.' });
+    }
+
+    done();
+}

package/server/routes/api/actions.js

@@ -178,7 +178,7 @@ export async function actionsRoutes(fastify) {
         }
 
         const user          = request.user;
-        const allowedRoles  = action.access?.roles || ['admin'];
+        const allowedRoles  = action.access?.roles || ['admin', 'super-admin'];
         const userLevel     = getRoleLevel(user?.role);
         const minAllowed    = Math.min(...allowedRoles.map(r => getRoleLevel(r)));
 

package/server/routes/api/auth.js

@@ -11,6 +11,7 @@ import crypto from 'node:crypto';
 import {config, getConfig} from '../../config.js';
 import {hooks} from '../../services/hooks.js';
 import {authenticate, getPermissionsForRole} from '../../middleware/auth.js';
+import {getRoleLevel} from '../../services/roles.js';
 import {GROUP_ORDER, REGISTRY} from '../../services/permissionRegistry.js';
 import {
     clearResetToken,
@@ -80,7 +81,7 @@ export async function authRoutes(fastify) {
 
         setupInProgress = true;
         try {
-            const user = await createUser({name, email, password, role: 'admin'});
+            const user = await createUser({name, email, password, role: 'super-admin'});
             const {token, refreshToken} = signTokens(fastify, user);
             return reply.status(201).send({token, refreshToken, user});
         } finally {
@@ -107,7 +108,7 @@ export async function authRoutes(fastify) {
 
         await touchLastLogin(user.id);
 
-        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role, level: getRoleLevel(user.role) };
         hooks.emit('user:loggedIn', {userId: user.id, email: user.email, role: user.role});
         const { token, refreshToken } = signTokens(fastify, safeUser);
         return { token, refreshToken, user: safeUser };
@@ -270,7 +271,7 @@ export async function authRoutes(fastify) {
             return reply.status(401).send({ error: 'User not found or inactive' });
         }
 
-        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role, level: getRoleLevel(user.role) };
         const token = fastify.jwt.sign({ ...safeUser, type: 'access' }, { expiresIn: accessTokenExpiry });
         return { token };
     });

package/server/routes/api/layouts.js

@@ -1,49 +1,173 @@
-/**
- * Layouts (Presets) API
- * GET /api/layouts       - get all layout presets
- * PUT /api/layouts       - save layout presets
- */
-import {getConfig, saveConfig} from '../../config.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-
-export async function layoutsRoutes(fastify) {
-    const canRead = {preHandler: [authenticate, requirePermission('layouts', 'read')]};
-    const canUpdate = {preHandler: [authenticate, requirePermission('layouts', 'update')]};
-
-    fastify.get('/layouts', canRead, async () => {
-        return getConfig('presets');
-    });
-
-    fastify.put('/layouts', canUpdate, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object' || Array.isArray(data)) {
-            return reply.status(400).send({ error: 'Invalid presets data: expected an object' });
-        }
-        // Each preset value must be an object with at least a name field
-        for (const [key, preset] of Object.entries(data)) {
-            if (!preset || typeof preset !== 'object' || Array.isArray(preset)) {
-                return reply.status(400).send({ error: `Invalid preset "${key}": expected an object` });
-            }
-            if (typeof preset.name !== 'string' || !preset.name.trim()) {
-                return reply.status(400).send({ error: `Invalid preset "${key}": missing or empty "name" field` });
-            }
-        }
-        saveConfig('presets', data);
-        return { success: true };
-    });
-
-    fastify.get('/layouts/options', canRead, async () => {
-    return getConfig('site')?.layoutOptions ?? {spacerSize: 8};
-  });
-
-    fastify.put('/layouts/options', canUpdate, async (request, reply) => {
-    const data = request.body;
-    if (!data || typeof data !== 'object') {
-      return reply.status(400).send({error: 'Invalid layout options'});
-    }
-    const site = getConfig('site');
-    site.layoutOptions = {...site.layoutOptions, ...data};
-    saveConfig('site', site);
-    return {success: true};
-  });
-}
+/**
+ * Layouts (Presets) API
+ * GET    /api/layouts        - get all layout presets
+ * PUT    /api/layouts        - bulk-save layout presets (legacy, kept for compatibility)
+ * POST   /api/layouts        - create a new preset
+ * PUT    /api/layouts/:key   - update a single preset
+ * DELETE /api/layouts/:key   - delete a preset (builtin presets cannot be deleted)
+ * GET    /api/layouts/options - get layout options
+ * PUT    /api/layouts/options - save layout options
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+
+const VALID_WIDTHS = new Set(['narrow', 'normal', 'wide', 'full']);
+const BG_COLOR_RE = /^[a-zA-Z0-9#(),.\s%/-]+$/;
+const CLASS_RE = /[^a-zA-Z0-9\s_-]/g;
+
+const BUILTIN_PRESETS = {
+    default: {
+        key: 'default', label: 'Default',
+        description: 'Standard page with navbar and footer.',
+        builtin: true, navbar: true, footer: true, sidebar: false,
+        width: 'normal', bgColor: '', bgImage: '', class: ''
+    },
+    landing: {
+        key: 'landing', label: 'Landing Page',
+        description: 'Full-width landing page with navbar, no footer.',
+        builtin: true, navbar: true, footer: false, sidebar: false,
+        width: 'full', bgColor: '', bgImage: '', class: ''
+    },
+    blank: {
+        key: 'blank', label: 'Blank',
+        description: 'Minimal page with no navbar or footer.',
+        builtin: true, navbar: false, footer: false, sidebar: false,
+        width: 'normal', bgColor: '', bgImage: '', class: ''
+    }
+};
+
+function slugify(str) {
+    return str.toLowerCase().trim().replace(/\s+/g, '-').replace(/[^a-z0-9-]/g, '');
+}
+
+function sanitisePreset(data) {
+    return {
+        navbar: data.navbar !== false,
+        footer: data.footer !== false,
+        sidebar: data.sidebar === true,
+        width: VALID_WIDTHS.has(data.width) ? data.width : 'normal',
+        bgColor: data.bgColor && BG_COLOR_RE.test(data.bgColor) ? data.bgColor : '',
+        bgImage: typeof data.bgImage === 'string' ? data.bgImage.trim() : '',
+        class: typeof data.class === 'string' ? data.class.replace(CLASS_RE, '').trim() : '',
+        label: String(data.label || '').slice(0, 60).trim(),
+        description: String(data.description || '').slice(0, 200).trim()
+    };
+}
+
+export async function layoutsRoutes(fastify) {
+    // ── Merge-in seeding: ensure built-in presets exist ──────────────────────
+    const existing = getConfig('presets') || {};
+    let seeded = false;
+    for (const [key, preset] of Object.entries(BUILTIN_PRESETS)) {
+        if (!existing[key]) {
+            existing[key] = preset;
+            seeded = true;
+        }
+    }
+    if (seeded) saveConfig('presets', existing);
+
+    const canRead = {preHandler: [authenticate, requirePermission('layouts', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('layouts', 'update')]};
+
+    // ── Existing routes ───────────────────────────────────────────────────────
+    fastify.get('/layouts', canRead, async () => {
+        return getConfig('presets');
+    });
+
+    fastify.put('/layouts', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object' || Array.isArray(data)) {
+            return reply.status(400).send({error: 'Invalid presets data: expected an object'});
+        }
+        for (const [key, preset] of Object.entries(data)) {
+            if (!preset || typeof preset !== 'object' || Array.isArray(preset)) {
+                return reply.status(400).send({error: `Invalid preset "${key}": expected an object`});
+            }
+            if (typeof preset.label !== 'string' || !preset.label.trim()) {
+                return reply.status(400).send({error: `Invalid preset "${key}": missing or empty "label" field`});
+            }
+        }
+        saveConfig('presets', data);
+        return {success: true};
+    });
+
+    // ── New CRUD routes ───────────────────────────────────────────────────────
+    fastify.post('/layouts', canUpdate, async (request, reply) => {
+        const {label, description, ...rest} = request.body || {};
+        if (!label || !String(label).trim()) {
+            return reply.status(400).send({error: 'label is required'});
+        }
+        const key = slugify(label);
+        if (!key) {
+            return reply.status(400).send({error: 'label must contain at least one alphanumeric character'});
+        }
+        const presets = getConfig('presets') || {};
+        if (presets[key]) {
+            return reply.status(409).send({error: 'A preset with this key already exists'});
+        }
+        presets[key] = {
+            key,
+            builtin: false,
+            ...sanitisePreset({label, description, ...rest})
+        };
+        saveConfig('presets', presets);
+        return {success: true, key, preset: presets[key]};
+    });
+
+    fastify.put('/layouts/:key', canUpdate, async (request, reply) => {
+        const {key} = request.params;
+        const presets = getConfig('presets') || {};
+        if (!presets[key]) {
+            return reply.status(404).send({error: `Preset "${key}" not found`});
+        }
+        const {label, description, ...rest} = request.body || {};
+        if (!label || !String(label).trim()) {
+            return reply.status(400).send({error: 'label is required'});
+        }
+        presets[key] = {
+            ...presets[key],
+            label: String(label).slice(0, 60).trim(),
+            description: String(description || '').slice(0, 200).trim(),
+            ...sanitisePreset({label, description, ...rest}),
+            key,
+            builtin: presets[key].builtin  // never overwrite builtin flag
+        };
+        saveConfig('presets', presets);
+        return {success: true, preset: presets[key]};
+    });
+
+    fastify.delete('/layouts/:key', canUpdate, async (request, reply) => {
+        const {key} = request.params;
+        const presets = getConfig('presets') || {};
+        if (!presets[key]) {
+            return reply.status(404).send({error: `Preset "${key}" not found`});
+        }
+        if (presets[key].builtin) {
+            return reply.status(400).send({error: 'Built-in presets cannot be deleted'});
+        }
+        delete presets[key];
+        saveConfig('presets', presets);
+        return {success: true};
+    });
+
+    // ── Layout options ────────────────────────────────────────────────────────
+    fastify.get('/layouts/options', canRead, async () => {
+        return getConfig('site')?.layoutOptions ?? {spacerSize: 8};
+    });
+
+    fastify.put('/layouts/options', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({error: 'Invalid layout options'});
+        }
+        const site = getConfig('site');
+        const {spacerSize, spacerClass} = data;
+        site.layoutOptions = {
+            ...site.layoutOptions,
+            ...(spacerSize !== undefined ? {spacerSize: Math.max(0, Math.min(500, parseInt(spacerSize, 10) || 0))} : {}),
+            ...(spacerClass !== undefined ? {spacerClass: String(spacerClass).replace(/[^a-zA-Z0-9\s_-]/g, '').trim()} : {})
+        };
+        saveConfig('site', site);
+        return {success: true};
+    });
+}

package/server/routes/api/notifications.js

@@ -0,0 +1,155 @@
+/**
+ * Notifications API
+ * POST   /api/system/notifications              - Manager push (requireManager)
+ * GET    /api/system/notifications              - List active notifications (admin/manager)
+ * GET    /api/system/notifications/unread-count - Unread count for bell badge
+ * POST   /api/system/notifications/:id/read     - Mark read (idempotent)
+ * POST   /api/system/notifications/:id/dismiss  - Mark dismissed
+ * DELETE /api/system/notifications/:id          - Hard delete (admin only)
+ */
+import { authenticate, requirePermission } from '../../middleware/auth.js';
+import { requireManager } from '../../middleware/managerAuth.js';
+import { getAdapter } from '../../services/adapterRegistry.js';
+
+const SLUG = 'notifications';
+
+export async function notificationsRoutes(fastify) {
+    const canRead   = { preHandler: [authenticate, requirePermission('notifications', 'read')]   };
+    const canDelete = { preHandler: [authenticate, requirePermission('notifications', 'delete')] };
+
+    // --- Manager inbound push ---
+    fastify.post('/system/notifications', { preHandler: [requireManager] }, async (request, reply) => {
+        const { title, body, severity = 'info', link, expiresAt } = request.body || {};
+
+        if (!title || typeof title !== 'string' || !title.trim()) {
+            return reply.code(400).send({ error: 'title is required.' });
+        }
+        if (!body || typeof body !== 'string' || !body.trim()) {
+            return reply.code(400).send({ error: 'body is required.' });
+        }
+        const VALID_SEVERITIES = ['info', 'success', 'warning', 'critical'];
+        if (!VALID_SEVERITIES.includes(severity)) {
+            return reply.code(400).send({ error: `severity must be one of: ${VALID_SEVERITIES.join(', ')}.` });
+        }
+
+        if (link !== undefined && link !== null && link !== '') {
+            if (typeof link !== 'string' || !/^https?:\/\//i.test(link)) {
+                return reply.code(400).send({ error: 'link must be an absolute https:// or http:// URL.' });
+            }
+        }
+
+        if (expiresAt !== undefined && expiresAt !== null && expiresAt !== '') {
+            if (typeof expiresAt !== 'string' || isNaN(Date.parse(expiresAt))) {
+                return reply.code(400).send({ error: 'expiresAt must be a valid ISO 8601 datetime string.' });
+            }
+        }
+
+        const adapter = await getAdapter(SLUG);
+        const entry = await adapter.insert(SLUG, {
+            title: title.trim(),
+            body: body.trim(),
+            severity,
+            source: 'manager',
+            link: link || null,
+            createdAt: new Date().toISOString(),
+            expiresAt: expiresAt || null,
+            readBy: [],
+            dismissedBy: []
+        });
+
+        return reply.code(201).send(entry);
+    });
+
+    // --- List active notifications for current user ---
+    fastify.get('/system/notifications', canRead, async (request) => {
+        const userId = request.user.id;
+        const now = new Date().toISOString();
+        const adapter = await getAdapter(SLUG);
+        const all = await adapter.all(SLUG);
+
+        return all
+            .filter(entry => {
+                const d = entry.data;
+                // Exclude expired
+                if (d.expiresAt && d.expiresAt < now) return false;
+                // Exclude dismissed by this user
+                if (Array.isArray(d.dismissedBy) && d.dismissedBy.includes(userId)) return false;
+                return true;
+            })
+            .sort((a, b) => b.data.createdAt.localeCompare(a.data.createdAt))
+            .map(entry => ({
+                ...entry,
+                unread: !Array.isArray(entry.data.readBy) || !entry.data.readBy.includes(userId)
+            }));
+    });
+
+    // --- Unread count (lightweight — for bell badge) ---
+    fastify.get('/system/notifications/unread-count', canRead, async (request) => {
+        const userId = request.user.id;
+        const now = new Date().toISOString();
+        const adapter = await getAdapter(SLUG);
+        const all = await adapter.all(SLUG);
+
+        const count = all.filter(entry => {
+            const d = entry.data;
+            if (d.expiresAt && d.expiresAt < now) return false;
+            if (Array.isArray(d.dismissedBy) && d.dismissedBy.includes(userId)) return false;
+            return !Array.isArray(d.readBy) || !d.readBy.includes(userId);
+        }).length;
+
+        return { count };
+    });
+
+    // --- Mark read (idempotent) ---
+    fastify.post('/system/notifications/:id/read', canRead, async (request, reply) => {
+        const { id } = request.params;
+        const userId = request.user.id;
+        const adapter = await getAdapter(SLUG);
+        const entry = await adapter.get(SLUG, id);
+
+        if (!entry) return reply.code(404).send({ error: 'Notification not found.' });
+
+        const readBy = Array.isArray(entry.data.readBy) ? entry.data.readBy : [];
+        if (readBy.includes(userId)) return { ok: true }; // already read — idempotent
+
+        const updated = await adapter.update(SLUG, id, {
+            ...entry.data,
+            readBy: [...readBy, userId]
+        });
+
+        return { ok: true, entry: updated };
+    });
+
+    // --- Dismiss ---
+    fastify.post('/system/notifications/:id/dismiss', canRead, async (request, reply) => {
+        const { id } = request.params;
+        const userId = request.user.id;
+        const adapter = await getAdapter(SLUG);
+        const entry = await adapter.get(SLUG, id);
+
+        if (!entry) return reply.code(404).send({ error: 'Notification not found.' });
+
+        const dismissedBy = Array.isArray(entry.data.dismissedBy) ? entry.data.dismissedBy : [];
+        const readBy = Array.isArray(entry.data.readBy) ? entry.data.readBy : [];
+
+        const updated = await adapter.update(SLUG, id, {
+            ...entry.data,
+            dismissedBy: dismissedBy.includes(userId) ? dismissedBy : [...dismissedBy, userId],
+            readBy: readBy.includes(userId) ? readBy : [...readBy, userId] // dismissing also marks read
+        });
+
+        return { ok: true, entry: updated };
+    });
+
+    // --- Hard delete (admin only) ---
+    fastify.delete('/system/notifications/:id', canDelete, async (request, reply) => {
+        const { id } = request.params;
+        const adapter = await getAdapter(SLUG);
+        const entry = await adapter.get(SLUG, id);
+
+        if (!entry) return reply.code(404).send({ error: 'Notification not found.' });
+
+        await adapter.remove(SLUG, id);
+        return { ok: true };
+    });
+}

package/server/routes/api/plugin-marketplace.js

@@ -0,0 +1,75 @@
+/**
+ * Plugin Marketplace API
+ * GET    /api/plugins/marketplace         — fetch catalogue from manager (requires MANAGER_URL)
+ * POST   /api/plugins/marketplace/install — download + install a plugin bundle
+ * DELETE /api/plugins/marketplace/:slug   — uninstall an installed plugin
+ *
+ * All routes require authentication + admin role.
+ */
+import {authenticate, requireAdmin} from '../../middleware/auth.js';
+import {fetchCatalogue, fetchPluginBundle} from '../../services/managerClient.js';
+import {installPlugin, uninstallPlugin} from '../../services/pluginInstaller.js';
+
+export async function pluginMarketplaceRoutes(fastify) {
+    const adminOnly = { preHandler: [authenticate, requireAdmin] };
+
+    // GET /plugins/marketplace
+    fastify.get('/plugins/marketplace', adminOnly, async (_request, reply) => {
+        if (!process.env.MANAGER_URL) {
+            return reply.send({ available: false, catalogue: [] });
+        }
+
+        const licenceToken = process.env.LICENCE_TOKEN;
+        const catalogue = await fetchCatalogue(licenceToken);
+        return reply.send({ available: true, catalogue });
+    });
+
+    // POST /plugins/marketplace/install
+    fastify.post('/plugins/marketplace/install', adminOnly, async (request, reply) => {
+        const { slug, version } = request.body || {};
+
+        if (!slug || !/^[a-z0-9][a-z0-9-_]{0,63}$/.test(slug)) {
+            return reply.code(400).send({ error: 'Invalid plugin slug.' });
+        }
+        if (!version || !/^\d+\.\d+\.\d+$/.test(version)) {
+            return reply.code(400).send({ error: 'Invalid version format. Expected semver (e.g. 1.0.0).' });
+        }
+
+        const licenceToken = process.env.LICENCE_TOKEN;
+        const bundle = await fetchPluginBundle(slug, version, licenceToken);
+
+        if (!bundle) {
+            return reply.code(503).send({ error: 'Manager unavailable' });
+        }
+
+        try {
+            await installPlugin(slug, bundle);
+        } catch (err) {
+            fastify.log.error({ err }, '[marketplace] install failed');
+            // Known safe error messages from pluginInstaller (for admin clarity)
+            const safeMessages = ['Plugin already installed', 'Plugin signature invalid', 'Unknown public key', 'Invalid plugin slug'];
+            const safe = safeMessages.some(m => err.message.startsWith(m));
+            return reply.code(400).send({ error: safe ? err.message : 'Installation failed.' });
+        }
+
+        return reply.send({ success: true });
+    });
+
+    // DELETE /plugins/marketplace/:slug
+    fastify.delete('/plugins/marketplace/:slug', adminOnly, async (request, reply) => {
+        const { slug } = request.params;
+
+        if (!slug || !/^[a-z0-9][a-z0-9-_]{0,63}$/.test(slug)) {
+            return reply.code(400).send({ error: 'Invalid plugin slug.' });
+        }
+
+        try {
+            await uninstallPlugin(slug);
+        } catch (err) {
+            fastify.log.error({ err }, '[marketplace] uninstall failed');
+            return reply.code(400).send({ error: 'Uninstall failed.' });
+        }
+
+        return reply.send({ success: true });
+    });
+}

package/server/routes/api/users.js

@@ -54,7 +54,7 @@ export async function usersRoutes(fastify) {
             return reply.status(400).send({ error: 'Password must be at least 8 characters' });
         }
 
-        const targetRole = role || 'editor';
+        const targetRole = role || 'user';
         if (!canManageUser(request.user.role, targetRole)) {
             return reply.code(403).send({ error: 'You cannot create a user with that role' });
         }

package/server/routes/api/views.js

@@ -125,7 +125,7 @@ export async function viewsRoutes(fastify) {
             }
 
             const user          = request.user;
-            const allowedRoles  = view.access?.roles || ['admin'];
+            const allowedRoles  = view.access?.roles || ['admin', 'super-admin'];
             const userLevel     = getRoleLevel(user?.role);
             const minAllowed    = Math.min(...allowedRoles.map(r => getRoleLevel(r)));
 

package/server/routes/public.js

@@ -6,7 +6,7 @@
  */
 import {getPage} from '../services/content.js';
 import {renderPage} from '../services/renderer.js';
-import {getRoleLevel} from '../services/roles.js';
+import {checkVisibility} from '../middleware/auth.js';
 import {hooks} from '../services/hooks.js';
 
 /**
@@ -69,15 +69,10 @@ export async function publicRoutes(fastify) {
             let userRole = null;
             try {
                 const decoded = await request.jwtVerify();
-                userRole = decoded.role;
-            } catch { /* no token — treat as unauthenticated */
-            }
-
-            const userLevel = getRoleLevel(userRole);
-            const visibilityLevel = getRoleLevel(page.visibility);
-            const requiredLevel = visibilityLevel === Infinity ? 0 : visibilityLevel;
+                if (decoded.type === 'access') userRole = decoded.role;
+            } catch { /* no token — treat as unauthenticated */ }
 
-            if (userLevel > requiredLevel) {
+            if (!checkVisibility(userRole, page.visibility)) {
                 reply.status(403);
                 return reply.type('text/html').send(accessDeniedHtml(urlPath));
             }