domma-cms 0.17.0 → 0.21.0

package/server/middleware/auth.js

@@ -4,6 +4,7 @@
  * Role data is read from the roles cache (not config.auth.roles).
  */
 import {getPermissionsFor, getPermissionsForRole, getRoleHierarchy, getRoleLevel} from '../services/roles.js';
+import {getEffectiveLevel, getEffectiveRoles} from '../services/userRoles.js';
 
 /**
  * Verify JWT Bearer token. Populates request.user on success.
@@ -78,8 +79,12 @@ export function requirePermission(resource, action) {
             });
         }
 
+        // Check ANY of the user's effective roles (primary + additional) against
+        // the resource's permission list — union semantics so a user with both
+        // candidate and recruiter roles can do either role's actions.
         const allowed = getPermissionsFor(resource, action);
-        if (!allowed.includes(request.user.role)) {
+        const roles   = getEffectiveRoles(request.user);
+        if (!roles.some(r => allowed.includes(r))) {
             return reply.code(403).send({
                 statusCode: 403,
                 error: 'Forbidden',
@@ -111,7 +116,9 @@ export async function requireAdmin(request, reply) {
     if (!request.user) {
         return reply.code(401).send({ statusCode: 401, error: 'Unauthorised', message: 'Authentication required' });
     }
-    if (getRoleLevel(request.user.role) > 1) {
+    // Use effective level — a user with "additionalRoles: ['admin']" can do admin work
+    // even if their primary role is something lower-privilege.
+    if (getEffectiveLevel(request.user) > 1) {
         return reply.code(403).send({ statusCode: 403, error: 'Forbidden', message: 'Admin access required' });
     }
 }
@@ -120,53 +127,112 @@ export async function requireAdmin(request, reply) {
  * Determine whether an actor can manage a target user.
  * Managers cannot create, edit, or delete users with a lower level number (higher privilege).
  *
- * @param {string} actorRole - Role of the user performing the action
- * @param {string} targetRole - Role of the user being acted upon
+ * Accepts either user objects (preferred — uses effective level across all roles)
+ * or bare role-name strings (legacy compat). Strings are looked up via
+ * `getRoleLevel`; objects via `getEffectiveLevel` so multi-role actors and
+ * targets are compared by their HIGHEST-privilege role.
+ *
+ * @param {string|object} actor   - Role name OR user object
+ * @param {string|object} target  - Role name OR user object
  * @returns {boolean}
  */
-export function canManageUser(actorRole, targetRole) {
-    return getRoleLevel(actorRole) < getRoleLevel(targetRole);
+export function canManageUser(actor, target) {
+    const actorLevel  = typeof actor  === 'string' ? getRoleLevel(actor)  : getEffectiveLevel(actor);
+    const targetLevel = typeof target === 'string' ? getRoleLevel(target) : getEffectiveLevel(target);
+    return actorLevel < targetLevel;
 }
 
 /**
  * Check whether a user role satisfies a visibility requirement.
  * Used by both requireVisibility() and the public page renderer.
  *
- * @param {string|null} userRole   - The visitor's role, or null if unauthenticated
- * @param {string}      visibility - Required visibility ('public', 'private', or a role name)
+ * Visibility may be either:
+ *   - A single string ('public', 'private', or a role name)
+ *   - An array of role names — granted if ANY entry passes the per-role check
+ *
+ * Per-role semantics are unchanged: each role check passes if the visitor's
+ * role level is at or above the required role (lower or equal level number).
+ * 'private' resolves to super-admin only (Infinity → level 0).
+ *
+ * The "any of" semantics for arrays means siblings at different tiers of the
+ * hierarchy are all granted access — e.g. `visibility: [candidate, employer]`
+ * lets both roles in, plus anyone more privileged than either (typically
+ * admins inherit access automatically via the level comparison).
+ *
+ * @param {string|null}      userRole   - The visitor's role, or null if unauthenticated
+ * @param {string|string[]}  visibility - Required visibility — single value or array
  * @returns {boolean} true if access is granted
  */
-export function checkVisibility(userRole, visibility) {
-    if (!visibility || visibility === 'public') return true;
-    if (!userRole) return false;                              // unauthenticated, non-public page
-    const userLevel       = getRoleLevel(userRole);
-    const requiredLevel   = getRoleLevel(visibility);
-    const threshold       = requiredLevel === Infinity ? 0 : requiredLevel;
+export function checkVisibility(userRoleOrObj, visibility) {
+    if (!visibility) return true;
+
+    // Accept either a bare role name (legacy) or a user object with multi-role
+    // support. When given an object we walk every effective role and grant
+    // access if ANY satisfies — same union semantics as permissions.
+    const roles = typeof userRoleOrObj === 'string'
+        ? (userRoleOrObj ? [userRoleOrObj] : [])
+        : getEffectiveRoles(userRoleOrObj);
+
+    if (Array.isArray(visibility)) {
+        if (visibility.length === 0) return true;
+        if (visibility.includes('public')) return true;
+        if (!roles.length) return false;
+        return roles.some(r => visibility.some(v => checkSingleVisibility(r, v)));
+    }
+
+    if (visibility === 'public') return true;
+    if (!roles.length) return false;
+    return roles.some(r => checkSingleVisibility(r, visibility));
+}
+
+/**
+ * Internal helper — single-role visibility check.
+ * Returns true if the user role is at or above the required role's level.
+ *
+ * @param {string} userRole   - Must not be null
+ * @param {string} visibility - Single visibility token (role name or 'private')
+ * @returns {boolean}
+ */
+function checkSingleVisibility(userRole, visibility) {
+    const userLevel     = getRoleLevel(userRole);
+    const requiredLevel = getRoleLevel(visibility);
+    const threshold     = requiredLevel === Infinity ? 0 : requiredLevel;
     return userLevel <= threshold;
 }
 
 /**
  * Fastify preHandler factory — gates a route by visibility level.
- * Works identically to the content-page visibility system.
- * Returns a no-op for 'public' so it is safe to apply unconditionally.
+ * Works identically to the content-page visibility system; accepts the same
+ * single-string or array-of-roles syntax as checkVisibility().
  *
- * @param {string} visibility - 'public' | 'private' | any role name
+ * Returns a no-op for 'public' (or any array containing 'public') so it is
+ * safe to apply unconditionally.
+ *
+ * @param {string|string[]} visibility - 'public' | 'private' | role name | array of role names
  * @returns {Function} Fastify preHandler
  */
 export function requireVisibility(visibility) {
-    if (!visibility || visibility === 'public') {
+    const isPublic = !visibility
+        || visibility === 'public'
+        || (Array.isArray(visibility) && (visibility.length === 0 || visibility.includes('public')));
+
+    if (isPublic) {
         return (_request, _reply, done) => { if (done) done(); };
     }
 
     return async (request, reply) => {
-        let userRole = null;
+        // Build a user-shaped object so checkVisibility can see multi-role
+        // (primary + additional). Unauthenticated → null → public-only access.
+        let userObj = null;
         try {
             const decoded = await request.jwtVerify();
-            if (decoded.type === 'access') userRole = decoded.role;
+            if (decoded.type === 'access') {
+                userObj = { role: decoded.role, additionalRoles: decoded.additionalRoles || [] };
+            }
         } catch { /* unauthenticated */ }
 
-        if (!checkVisibility(userRole, visibility)) {
-            const code = userRole ? 403 : 401;
+        if (!checkVisibility(userObj, visibility)) {
+            const code = userObj ? 403 : 401;
             return reply.code(code).send({
                 statusCode: code,
                 error:      code === 403 ? 'Forbidden' : 'Unauthorised',

package/server/routes/api/actions.js

@@ -20,11 +20,13 @@ import {
     getAction,
     listActions,
     listActionsForCollection,
+    listTransitionsForEntry,
     updateAction
 } from '../../services/actions.js';
 import {getEntry} from '../../services/collections.js';
 import {authenticate, requirePermission} from '../../middleware/auth.js';
 import {getRoleLevel} from '../../services/roles.js';
+import {getEffectiveLevel} from '../../services/userRoles.js';
 import {checkEntryAccess} from '../../services/rowAccess.js';
 
 export async function actionsRoutes(fastify) {
@@ -39,7 +41,10 @@ export async function actionsRoutes(fastify) {
 
     fastify.get('/actions', canRead, async (request, reply) => {
         try {
-            return await listActions();
+            const {canSeeArtefact} = await import('../../services/projects.js');
+            const all = await listActions();
+            // listActions returns full records with meta inline — filter directly
+            return all.filter(a => canSeeArtefact(request.user, a));
         } catch (err) {
             return reply.status(503).send({ error: err.message });
         }
@@ -68,6 +73,10 @@ export async function actionsRoutes(fastify) {
         try {
             const action = await getAction(request.params.slug);
             if (!action) return reply.status(404).send({ error: 'Action not found' });
+            const {canSeeArtefact} = await import('../../services/projects.js');
+            if (!canSeeArtefact(request.user, action)) {
+                return reply.status(403).send({ error: 'Access denied for this project' });
+            }
             return action;
         } catch (err) {
             return reply.status(503).send({ error: err.message });
@@ -136,8 +145,8 @@ export async function actionsRoutes(fastify) {
         const rowLevel = action.access?.rowLevel;
         const user = request.user;
 
-        // Admin or no row-level config → all IDs allowed
-        if (!rowLevel || getRoleLevel(user?.role) === 0) {
+        // Admin (across primary OR additional roles) or no row-level config → all IDs allowed
+        if (!rowLevel || getEffectiveLevel(user) === 0) {
             return {allowed: entryIds};
         }
 
@@ -146,7 +155,7 @@ export async function actionsRoutes(fastify) {
             entryIds.map(async (id) => {
                 try {
                     const entry = await getEntry(action.collection, id);
-                    return entry && checkEntryAccess(entry, user, rowLevel) ? id : null;
+                    return (entry && (await checkEntryAccess(entry, user, rowLevel))) ? id : null;
                 } catch {
                     return null;
                 }
@@ -179,7 +188,8 @@ export async function actionsRoutes(fastify) {
 
         const user          = request.user;
         const allowedRoles  = action.access?.roles || ['admin', 'super-admin'];
-        const userLevel     = getRoleLevel(user?.role);
+        // Use effective level — a candidate-with-also-admin can run admin-tier actions.
+        const userLevel     = getEffectiveLevel(user);
         const minAllowed    = Math.min(...allowedRoles.map(r => getRoleLevel(r)));
 
         if (userLevel > minAllowed) {
@@ -197,4 +207,47 @@ export async function actionsRoutes(fastify) {
             return reply.status(status).send({ error: err.message });
         }
     });
+
+    /*
+     * GET /api/actions/transitions?collection=<slug>&entryId=<id>
+     *
+     * Returns the actions valid as *next-state transitions* for the given
+     * entry, filtered by the requesting user's role. Used by the per-row
+     * transitions UI in the Collection Browser and the `[transitions]`
+     * shortcode to render only the buttons that will actually succeed.
+     *
+     * Auth: optional. Anonymous calls return actions accessible to anonymous
+     * users (rare — most transitions require a role). With a JWT we narrow
+     * to what the signed-in user can do.
+     *
+     * Response: { transitions: [{slug, title, trigger, transition}, ...] }
+     * Returns 503 if MongoDB is unavailable (actions are a Pro feature).
+     */
+    fastify.get('/actions/transitions', async (request, reply) => {
+        const { collection: collectionSlug, entryId } = request.query;
+        if (!collectionSlug || !entryId) {
+            return reply.status(400).send({ error: 'collection and entryId are required' });
+        }
+
+        let user = null;
+        try {
+            const decoded = await request.jwtVerify();
+            if (decoded.type === 'access') user = {id: decoded.id, role: decoded.role};
+        } catch { /* anonymous */ }
+
+        let entry;
+        try {
+            entry = await getEntry(collectionSlug, entryId);
+        } catch {
+            return reply.status(404).send({ error: 'Entry not found' });
+        }
+        if (!entry) return reply.status(404).send({ error: 'Entry not found' });
+
+        try {
+            const transitions = await listTransitionsForEntry(collectionSlug, entry, user);
+            return { transitions };
+        } catch (err) {
+            return reply.status(503).send({ error: err.message, transitions: [] });
+        }
+    });
 }

package/server/routes/api/auth.js

@@ -108,7 +108,7 @@ export async function authRoutes(fastify) {
 
         await touchLastLogin(user.id);
 
-        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role, level: getRoleLevel(user.role) };
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role, additionalRoles: user.additionalRoles || [], level: getRoleLevel(user.role) };
         hooks.emit('user:loggedIn', {userId: user.id, email: user.email, role: user.role});
         const { token, refreshToken } = signTokens(fastify, safeUser);
         return { token, refreshToken, user: safeUser };
@@ -271,7 +271,7 @@ export async function authRoutes(fastify) {
             return reply.status(401).send({ error: 'User not found or inactive' });
         }
 
-        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role, level: getRoleLevel(user.role) };
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role, additionalRoles: user.additionalRoles || [], level: getRoleLevel(user.role) };
         const token = fastify.jwt.sign({ ...safeUser, type: 'access' }, { expiresIn: accessTokenExpiry });
         return { token };
     });

package/server/routes/api/blocks.js

@@ -20,20 +20,35 @@ export async function blocksRoutes(fastify) {
     const canDelete = {preHandler: [authenticate, requirePermission('pages', 'delete')]};
 
     // List all blocks
-    fastify.get('/blocks', canRead, async () => {
-        return listBlocks();
+    fastify.get('/blocks', canRead, async (request) => {
+        const {canSeeArtefact} = await import('../../services/projects.js');
+        const all = await listBlocks();
+        const filtered = [];
+        for (const b of all) {
+            // listBlocks returns metadata only; getBlock returns full record with meta
+            let full = null;
+            try { full = await getBlock(b.name); } catch { /* skip */ }
+            if (canSeeArtefact(request.user, full)) filtered.push(b);
+        }
+        return filtered;
     });
 
     // Get single block
     fastify.get('/blocks/:name', canRead, async (request, reply) => {
         const {name} = request.params;
+        let block;
         try {
-            return await getBlock(name);
+            block = await getBlock(name);
         } catch (err) {
             if (err.code === 'INVALID_NAME') return reply.status(400).send({error: err.message});
             if (err.code === 'ENOENT') return reply.status(404).send({error: 'Block not found'});
             throw err;
         }
+        const {canSeeArtefact} = await import('../../services/projects.js');
+        if (!canSeeArtefact(request.user, block)) {
+            return reply.status(403).send({error: 'Access denied for this project'});
+        }
+        return block;
     });
 
     // Export single block as downloadable .dmblock.json bundle

package/server/routes/api/cache.js

@@ -0,0 +1,57 @@
+/**
+ * Cache API
+ * GET  /api/cache/status  - report enabled flag plus live stats
+ * GET  /api/cache/keys    - list cached keys with their tags (no values)
+ * POST /api/cache/toggle  - flip enabled on/off, persist to config/cache.json
+ * POST /api/cache/clear   - flush every cached entry
+ *
+ * All endpoints are admin-only.
+ */
+import fs from 'fs/promises';
+import path from 'path';
+import {fileURLToPath} from 'url';
+import * as cache from '../../services/cache/index.js';
+import {authenticate, requireAdmin} from '../../middleware/auth.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const CACHE_CONFIG_FILE = path.resolve(__dirname, '../../../config/cache.json');
+
+const CACHE_DEFAULTS = {
+    enabled: process.env.NODE_ENV === 'production',
+    driver: 'memory',
+    memory: {maxItems: 1000, defaultTtlSeconds: 3600}
+};
+
+async function readCacheConfig() {
+    try {
+        return {...CACHE_DEFAULTS, ...JSON.parse(await fs.readFile(CACHE_CONFIG_FILE, 'utf8'))};
+    } catch {
+        return {...CACHE_DEFAULTS};
+    }
+}
+
+async function writeCacheConfig(cfg) {
+    await fs.writeFile(CACHE_CONFIG_FILE, JSON.stringify(cfg, null, 2) + '\n', 'utf8');
+}
+
+export async function cacheRoutes(fastify) {
+    const adminOnly = {preHandler: [authenticate, requireAdmin]};
+
+    fastify.get('/cache/status', adminOnly, async () => cache.getStats());
+
+    fastify.get('/cache/keys', adminOnly, async () => ({entries: cache.listEntries()}));
+
+    fastify.post('/cache/toggle', adminOnly, async (request, reply) => {
+        const enabled = !!request.body?.enabled;
+        const cfg = await readCacheConfig();
+        cfg.enabled = enabled;
+        await writeCacheConfig(cfg);
+        await cache.setEnabled(enabled);
+        return reply.send(cache.getStats());
+    });
+
+    fastify.post('/cache/clear', adminOnly, async () => {
+        await cache.clear();
+        return cache.getStats();
+    });
+}