domma-cms 0.17.0 → 0.21.0

package/server/routes/api/collections.js

@@ -40,6 +40,7 @@ import {
 } from '../../services/collections.js';
 import {authenticate, requireAdmin, requirePermission} from '../../middleware/auth.js';
 import {getRoleLevel, invalidate as invalidateRoles} from '../../services/roles.js';
+import {getEffectiveLevel} from '../../services/userRoles.js';
 import {getConfig, saveConfig} from '../../config.js';
 import {PRESET_COLLECTION_SLUGS} from '../../services/presetCollections.js';
 import {ensureFormForCollection} from '../../services/forms.js';
@@ -57,6 +58,30 @@ function roleLevel(roleName) {
     return getRoleLevel(roleName);
 }
 
+/**
+ * Extract bracket-notation query params (e.g. `filter[location]=London`) into
+ * a flat sub-object keyed by the inner name.
+ *
+ * @example
+ *   extractBracketed({ 'filter[location]': 'London', 'filter[salary_gte]': '50000' }, 'filter')
+ *   → { location: 'London', salary_gte: '50000' }
+ *
+ * @param {Record<string, string>} query
+ * @param {string} prefix
+ * @returns {Record<string, string>}
+ */
+function extractBracketed(query, prefix) {
+    const out  = {};
+    const head = `${prefix}[`;
+    for (const [k, v] of Object.entries(query)) {
+        if (k.startsWith(head) && k.endsWith(']')) {
+            const inner = k.slice(head.length, -1);
+            if (inner) out[inner] = v;
+        }
+    }
+    return out;
+}
+
 /**
  * Check public collection API access.
  * Returns an error reply if access is denied, otherwise resolves (returns undefined).
@@ -84,7 +109,9 @@ async function checkPublicAccess(schema, operation, request, reply) {
 
     const user = request.user;
     const requiredLevel = roleLevel(access.access);
-    const userLevel     = roleLevel(user?.role);
+    // Effective level — multi-role users get the lowest (most privileged) level
+    // across their primary + additional roles for this access decision.
+    const userLevel     = getEffectiveLevel(user);
 
     if (userLevel > requiredLevel) {
         return reply.status(403).send({ error: 'Insufficient permissions' });
@@ -101,8 +128,16 @@ export async function collectionsRoutes(fastify) {
     // Collection CRUD (schema management)
     // -------------------------------------------------------------------------
 
-    fastify.get('/collections', canRead, async () => {
-        return listCollections();
+    fastify.get('/collections', canRead, async (request) => {
+        const {canSeeArtefact} = await import('../../services/projects.js');
+        const all = await listCollections();
+        const filtered = [];
+        for (const c of all) {
+            // listCollections returns metadata only; getCollection returns full record with meta
+            const full = await getCollection(c.slug);
+            if (canSeeArtefact(request.user, full)) filtered.push(c);
+        }
+        return filtered;
     });
 
     fastify.get('/collections/pro-status', canRead, async () => {
@@ -153,6 +188,10 @@ export async function collectionsRoutes(fastify) {
     fastify.get('/collections/:slug', canRead, async (request, reply) => {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+        const {canSeeArtefact} = await import('../../services/projects.js');
+        if (!canSeeArtefact(request.user, schema)) {
+            return reply.status(403).send({ error: 'Access denied for this project' });
+        }
         return schema;
     });
 
@@ -180,16 +219,34 @@ export async function collectionsRoutes(fastify) {
     // Entry CRUD
     // -------------------------------------------------------------------------
 
+    /*
+     * GET /api/collections/:slug/entries
+     *
+     * Query parameters:
+     *   page, limit, sort, order   — pagination/sort (limit=0 means "no limit")
+     *   search                     — free-text substring across all field values
+     *   filter[<field>_<op>]=val   — structured filter; see filterEngine.js
+     *
+     * Example:
+     *   /api/collections/jobs/entries?filter[location]=London&filter[salary_gte]=50000
+     *   /api/collections/jobs/entries?filter[tags_in]=remote,hybrid&sort=postedAt
+     *
+     * Fastify's default querystring parser keeps bracketed keys flat
+     * (`'filter[location]': 'London'`), so we expand them ourselves to avoid
+     * adding the `qs` dependency for one route.
+     */
     fastify.get('/collections/:slug/entries', canRead, async (request, reply) => {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
         const { page, limit, sort, order, search } = request.query;
+        const filter = extractBracketed(request.query, 'filter');
         return listEntries(request.params.slug, {
             page:   parseInt(page, 10)  || 1,
             limit:  parseInt(limit, 10) || 50,
             sort:   sort   || 'createdAt',
             order:  order  || 'desc',
-            search: search || undefined
+            search: search || undefined,
+            filter: Object.keys(filter).length ? filter : undefined
         });
     });
 
@@ -345,20 +402,54 @@ export async function collectionsRoutes(fastify) {
     // Public access endpoints
     // -------------------------------------------------------------------------
 
+    /*
+     * GET /api/collections/:slug/public
+     *
+     * Public read endpoint — gated by `api.read` in the collection schema.
+     * Supports the same pagination/sort/search/filter as the admin endpoint
+     * (see GET /collections/:slug/entries above), plus:
+     *
+     *   scope=mine   — restrict results to entries created by the current
+     *                  user (`meta.createdBy === user.id`). Requires a valid
+     *                  JWT; returns 401 if unauthenticated. Used by the
+     *                  `[collection scope="mine"]` shortcode for per-user
+     *                  client-side hydration (e.g. "My Applications").
+     */
     fastify.get('/collections/:slug/public', async (request, reply) => {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
 
-        const denied = await checkPublicAccess(schema, 'read', request, reply);
-        if (denied !== undefined) return;
+        const { page, limit, sort, order, search, scope, resolveRefs } = request.query;
+        const filter = extractBracketed(request.query, 'filter');
+
+        // scope=mine has its own security model: it requires auth and scopes
+        // results to the caller's own entries via `createdBy = user.id`. Bypasses
+        // the regular `api.read` gate so users can always view their own data
+        // (the typical "My applications", "My bookmarks", "My orders" pattern)
+        // without the admin having to expose the whole collection publicly.
+        if (scope === 'mine') {
+            try {
+                const decoded = await request.jwtVerify();
+                if (decoded.type !== 'access' || !decoded.id) {
+                    return reply.status(401).send({ error: 'Authentication required' });
+                }
+                filter.createdBy = decoded.id;
+            } catch {
+                return reply.status(401).send({ error: 'Authentication required' });
+            }
+        } else {
+            const denied = await checkPublicAccess(schema, 'read', request, reply);
+            if (denied !== undefined) return;
+        }
 
-        const { page, limit, sort, order, search } = request.query;
         return listEntries(request.params.slug, {
             page:   parseInt(page, 10)  || 1,
             limit:  parseInt(limit, 10) || 50,
             sort:   sort   || 'createdAt',
             order:  order  || 'desc',
-            search: search || undefined
+            search: search || undefined,
+            filter: Object.keys(filter).length ? filter : undefined,
+            resolveRefs: resolveRefs === 'true' || resolveRefs === '1'
         });
     });
 
@@ -374,6 +465,108 @@ export async function collectionsRoutes(fastify) {
         return entry;
     });
 
+    /*
+     * POST /api/collections/render-scope
+     *
+     * Renders a `[collection scope="mine"]` shortcode for the current user.
+     * Called by site.js for every `.dm-collection-hydrate` placeholder on a
+     * public page. The page itself is cached per-role; the per-user data is
+     * resolved here and the rendered HTML fragment swapped in client-side.
+     *
+     * Body: { attrs: <base64 JSON of the original shortcode attributes> }
+     * Auth: JWT required — `createdBy = <user.id>` is injected server-side
+     *       (the client cannot tamper with which user's data they see).
+     * Returns: { html: '<div class="dm-collection-…">…</div>' }
+     *
+     * Security: results are always scoped to `createdBy = <user.id>` —
+     * a caller can only ever render their own entries, regardless of the
+     * collection's `api.read` setting. This matches the security model
+     * of GET /:slug/public?scope=mine.
+     */
+    fastify.post('/collections/render-fragment', async (request, reply) => {
+        /*
+         * POST /api/collections/render-fragment
+         *
+         * Renders a `[collection]` shortcode fragment server-side for the
+         * Collection Browser's `display="block"` mode (and any future display
+         * that needs server-rendered HTML per state change). Used because
+         * block templates are arbitrary HTML the client can't replicate.
+         *
+         * Body: {
+         *   attrs: <base64 JSON of the shortcode attributes>,
+         *   page:  <number, optional — applied via attrs.limit + slicing>
+         * }
+         *
+         * Auth: gated by the target collection's `api.read` setting via
+         *       checkPublicAccess(). No user identity is injected — this
+         *       endpoint is for general fragment rendering, not per-user
+         *       scoping (that's render-scope's job).
+         *
+         * Returns: { html: '<div class="dm-collection-…">…</div>' }
+         */
+        const encoded = request.body?.attrs;
+        if (typeof encoded !== 'string' || !encoded) {
+            return reply.status(400).send({ error: 'attrs is required' });
+        }
+
+        let attrs;
+        try {
+            attrs = JSON.parse(Buffer.from(encoded, 'base64').toString('utf8'));
+        } catch {
+            return reply.status(400).send({ error: 'Invalid attrs payload' });
+        }
+        if (!attrs || typeof attrs !== 'object' || typeof attrs.slug !== 'string') {
+            return reply.status(400).send({ error: 'Invalid attrs payload' });
+        }
+
+        const schema = await getCollection(attrs.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+
+        const denied = await checkPublicAccess(schema, 'read', request, reply);
+        if (denied !== undefined) return;
+
+        const { renderCollectionFragment } = await import('../../services/markdown.js');
+        const html = await renderCollectionFragment(attrs);
+        return { html };
+    });
+
+    fastify.post('/collections/render-scope', async (request, reply) => {
+        let decoded;
+        try {
+            decoded = await request.jwtVerify();
+            if (decoded.type !== 'access' || !decoded.id) {
+                return reply.status(401).send({ error: 'Authentication required' });
+            }
+        } catch {
+            return reply.status(401).send({ error: 'Authentication required' });
+        }
+
+        const encoded = request.body?.attrs;
+        if (typeof encoded !== 'string' || !encoded) {
+            return reply.status(400).send({ error: 'attrs is required' });
+        }
+
+        let attrs;
+        try {
+            attrs = JSON.parse(Buffer.from(encoded, 'base64').toString('utf8'));
+        } catch {
+            return reply.status(400).send({ error: 'Invalid attrs payload' });
+        }
+        if (!attrs || typeof attrs !== 'object' || typeof attrs.slug !== 'string') {
+            return reply.status(400).send({ error: 'Invalid attrs payload' });
+        }
+
+        const schema = await getCollection(attrs.slug);
+        if (!schema) return reply.status(404).send({ error: 'Collection not found' });
+
+        const { renderCollectionFragment } = await import('../../services/markdown.js');
+        const html = await renderCollectionFragment(attrs, {
+            extraFilter: { createdBy: decoded.id }
+        });
+
+        return { html };
+    });
+
     fastify.post('/collections/:slug/public', async (request, reply) => {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });

package/server/routes/api/forms.js

@@ -34,6 +34,161 @@ import {
 import {getConfig} from '../../config.js';
 import {authenticate, requireAdmin, requirePermission} from '../../middleware/auth.js';
 import {hooks} from '../../services/hooks.js';
+import {saveMedia} from '../../services/content.js';
+import {v4 as uuidv4} from 'uuid';
+
+/**
+ * Detect form↔collection mismatches at save time so admins know BEFORE
+ * users hit silent rejection. Returns an array of human-readable warning
+ * strings — empty when the form lines up cleanly with its target collection.
+ *
+ * Checks performed:
+ *   - Target collection exists (otherwise every submission goes nowhere)
+ *   - Every required collection field has a matching form field
+ *   - Every form field references a known collection field (typos)
+ *
+ * @param {object} form - The just-saved form definition
+ * @returns {Promise<string[]>}
+ */
+async function detectFormCollectionMismatch(form) {
+    const warnings = [];
+    const colAction = form?.actions?.collection;
+    const targetSlug = (colAction?.enabled && colAction.slug) ? colAction.slug : form?.slug;
+    if (!targetSlug) return warnings;
+
+    let collection;
+    try {
+        collection = await getCollection(targetSlug);
+    } catch {
+        return warnings;
+    }
+    if (!collection) {
+        warnings.push(`Target collection "${targetSlug}" does not exist — submissions will fail. Either create the collection or change the form's target.`);
+        return warnings;
+    }
+
+    const formFieldNames = new Set((form.fields || []).map(f => f.name).filter(Boolean));
+    const colFieldNames  = new Set((collection.fields || []).map(f => f.name));
+
+    // Missing-required: collection requires X but form doesn't collect X
+    const missingRequired = (collection.fields || [])
+        .filter(f => f.required)
+        .filter(f => !formFieldNames.has(f.name))
+        .map(f => f.label || f.name);
+    if (missingRequired.length) {
+        warnings.push(`The "${targetSlug}" collection requires fields the form does not collect: ${missingRequired.join(', ')}. Submissions will be rejected with "X is required". Either mark these fields as not required on the collection, add them to the form, or set them via an action's createInCollection step.`);
+    }
+
+    // Unknown fields: form sends X but collection has no such field (typo / drift)
+    const unknown = [...formFieldNames].filter(n => !colFieldNames.has(n));
+    if (unknown.length) {
+        warnings.push(`The form has fields the "${targetSlug}" collection doesn't define: ${unknown.join(', ')}. These values will be stored but won't be validated, indexed, or displayed in [collection] blocks unless you add matching fields to the collection.`);
+    }
+
+    return warnings;
+}
+
+/**
+ * Sanitise a user-supplied filename:
+ *   - strip path separators and traversal markers
+ *   - keep only `[a-z0-9._-]`, lower-case
+ *   - prepend an 8-char uuid prefix so concurrent uploads of the same name
+ *     don't overwrite each other
+ *
+ * @param {string} raw
+ * @returns {string}
+ */
+function safeFilename(raw) {
+    const cleaned = String(raw || 'upload')
+        .toLowerCase()
+        .replace(/[^\w.-]+/g, '-')
+        .replace(/-+/g, '-')
+        .replace(/^[-.]+|[-.]+$/g, '')
+        .slice(0, 200) || 'upload';
+    const prefix = uuidv4().slice(0, 8);
+    return `${prefix}-${cleaned}`;
+}
+
+/**
+ * Check a multipart file part against a form's `type: file` field config.
+ *
+ * @param {object} fieldCfg    - The form-field definition
+ * @param {object} part        - Multipart part (mimetype, filename)
+ * @param {number} size        - Buffer length in bytes
+ * @returns {string|null}      - Error message, or null if OK
+ */
+function validateUpload(fieldCfg, part, size) {
+    const cfg = fieldCfg?.file || {};
+    const max = Number(cfg.maxSize) || 5 * 1024 * 1024;     // 5 MB default
+    if (size > max) {
+        return `"${fieldCfg.label || fieldCfg.name}" file is too large (max ${Math.round(max / 1024)} KB).`;
+    }
+    const accept = String(cfg.accept || '').trim();
+    if (accept) {
+        // Comma-separated list of mime types, allowing wildcards like image/*
+        const patterns = accept.split(',').map(s => s.trim()).filter(Boolean);
+        const mime     = part.mimetype || '';
+        const ok = patterns.some(p => {
+            if (p.endsWith('/*')) return mime.startsWith(p.slice(0, -1));
+            return p === mime;
+        });
+        if (!ok) {
+            return `"${fieldCfg.label || fieldCfg.name}" file type "${mime}" not allowed (expected: ${accept}).`;
+        }
+    }
+    return null;
+}
+
+/**
+ * Drain a multipart request into a JSON-shaped body. Text parts become string
+ * values; file parts are validated against the matching form field, saved to
+ * `content/media/`, and replaced by a `{ url, name, size, mime }` reference.
+ *
+ * Throws on validation failure (caller handles HTTP 400). Files are streamed
+ * into memory up to fastify-multipart's configured limit — fine for the
+ * resume-pdf / portrait-photo scale; large uploads should still use the admin
+ * media flow.
+ *
+ * @param {import('fastify').FastifyRequest} request
+ * @param {object} form
+ * @returns {Promise<object>}
+ */
+async function parseMultipartForm(request, form) {
+    const out = {};
+    const fileFields = new Map(
+        (form.fields || []).filter(f => f.type === 'file').map(f => [f.name, f])
+    );
+
+    for await (const part of request.parts()) {
+        if (part.type === 'file') {
+            const fieldCfg = fileFields.get(part.fieldname);
+            if (!fieldCfg) {
+                // Unknown file field — drain and skip rather than 400, so a
+                // form that gains a file input later doesn't reject older
+                // submissions in-flight from a stale page.
+                for await (const _ of part.file) { /* drain */ }
+                continue;
+            }
+            const chunks = [];
+            for await (const chunk of part.file) chunks.push(chunk);
+            const buffer = Buffer.concat(chunks);
+            const err    = validateUpload(fieldCfg, part, buffer.length);
+            if (err) throw new Error(err);
+            if (buffer.length === 0) continue;     // empty file input — skip
+            const saved = await saveMedia(safeFilename(part.filename), buffer);
+            out[part.fieldname] = {
+                url:  saved.url,
+                name: part.filename,
+                size: buffer.length,
+                mime: part.mimetype
+            };
+        } else {
+            // Text field — last value wins on duplicates (browser-standard).
+            out[part.fieldname] = part.value;
+        }
+    }
+    return out;
+}
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const ROOT = path.resolve(__dirname, '..', '..', '..');
@@ -84,19 +239,27 @@ export async function formsRoutes(fastify) {
     // -----------------------------------------------------------------------
     // GET /forms — list all form definitions with submission counts
     // -----------------------------------------------------------------------
-    fastify.get('/forms', canRead, async () => {
+    fastify.get('/forms', canRead, async (request) => {
+        const {canSeeArtefact} = await import('../../services/projects.js');
         const forms = await listForms();
         const result = await Promise.all(forms.map(async form => {
             let submissionCount = 0;
             try {
-                const entries = await listEntries(form.slug);
-                submissionCount = entries.length;
+                // listEntries returns { entries, total, page, limit } — total is the
+                // unpaginated count which is what we want for the badge here.
+                const r = await listEntries(form.slug, { limit: 0 });
+                submissionCount = r.total ?? (r.entries || []).length;
             } catch {
                 // collection may not exist yet
             }
-            return { ...form, submissionCount };
+            // listForms returns metadata only; readForm returns full record with meta
+            let full = null;
+            try { full = await readForm(form.slug); } catch { /* skip */ }
+            return { form: { ...form, submissionCount }, full };
         }));
-        return result;
+        return result
+            .filter(({ full }) => canSeeArtefact(request.user, full))
+            .map(({ form }) => form);
     });
 
     // -----------------------------------------------------------------------
@@ -165,18 +328,25 @@ export async function formsRoutes(fastify) {
             fastify.log.warn(`[forms] Could not auto-create collection "${slug}": ${err.message}`);
         }
 
-        return reply.status(201).send(form);
+        const warnings = await detectFormCollectionMismatch(form);
+        return reply.status(201).send(warnings.length ? { ...form, warnings } : form);
     });
 
     // -----------------------------------------------------------------------
     // GET /forms/:slug — get single form (admin, includes actions)
     // -----------------------------------------------------------------------
     fastify.get('/forms/:slug', canRead, async (request, reply) => {
+        let form;
         try {
-            return await readForm(request.params.slug);
+            form = await readForm(request.params.slug);
         } catch {
             return reply.status(404).send({ error: 'Form not found.' });
         }
+        const {canSeeArtefact} = await import('../../services/projects.js');
+        if (!canSeeArtefact(request.user, form)) {
+            return reply.status(403).send({ error: 'Access denied for this project' });
+        }
+        return form;
     });
 
     // -----------------------------------------------------------------------
@@ -213,7 +383,13 @@ export async function formsRoutes(fastify) {
             updatedAt: new Date().toISOString()
         };
         await writeForm(slug, updated);
-        return updated;
+
+        // Non-blocking warnings: check the form's fields against its target
+        // collection's required fields. Missing-required-on-form would cause
+        // every submission to fail server-side validation — admin gets a
+        // heads-up here so they can fix it BEFORE users hit silent rejection.
+        const warnings = await detectFormCollectionMismatch(updated);
+        return warnings.length ? { ...updated, warnings } : updated;
     });
 
     // -----------------------------------------------------------------------
@@ -235,8 +411,11 @@ export async function formsRoutes(fastify) {
     fastify.get('/forms/:slug/submissions', canRead, async (request, reply) => {
         const { slug } = request.params;
         try {
-            const entries = await listEntries(slug);
-            return entries.slice().reverse();
+            // listEntries returns { entries, total, page, limit } — unwrap to
+            // the array. Newest-first is the conventional display order for
+            // submission lists.
+            const { entries } = await listEntries(slug, { limit: 0 });
+            return [...entries].reverse();
         } catch {
             return reply.status(404).send({ error: 'Collection not found for this form.' });
         }
@@ -255,7 +434,8 @@ export async function formsRoutes(fastify) {
         }
         let entries = [];
         try {
-            entries = await listEntries(slug);
+            const r = await listEntries(slug, { limit: 0 });
+            entries = r.entries || [];
         } catch {
             // empty collection
         }
@@ -278,7 +458,8 @@ export async function formsRoutes(fastify) {
         }
         let entries = [];
         try {
-            entries = await listEntries(slug);
+            const r = await listEntries(slug, { limit: 0 });
+            entries = r.entries || [];
         } catch {
             // empty
         }
@@ -313,9 +494,20 @@ export async function formsRoutes(fastify) {
         return { ok: true };
     });
 
-    // -----------------------------------------------------------------------
-    // POST /forms/submit/:slug — public form submission
-    // -----------------------------------------------------------------------
+    /*
+     * POST /forms/submit/:slug — public form submission.
+     *
+     * Authentication is OPTIONAL: when a valid JWT is present the submitter
+     * is captured as the entry's `createdBy` and passed into any triggered
+     * action's template context (as `{{user.id}}`, `{{user.email}}`, etc.).
+     * Anonymous submissions still work — `createdBy` is null and actions
+     * receive an empty user. This is what makes the apply/bookmark patterns
+     * work without forcing every form to be auth-only:
+     *
+     *   - Anonymous contact form → submitted by guest, user=null
+     *   - "Apply for job" form    → submitted by candidate, action's
+     *     createInCollection step stamps the application with their id
+     */
     fastify.post('/forms/submit/:slug', async (request, reply) => {
         const { slug } = request.params;
         let form;
@@ -325,9 +517,35 @@ export async function formsRoutes(fastify) {
             return reply.status(404).send({ error: 'Form not found.' });
         }
 
-        const body     = request.body || {};
+        // Multipart parsing — when the request is multipart (file uploads),
+        // we walk parts ourselves: text fields go into `body`, file parts are
+        // validated against the form's field config and saved to /content/media,
+        // then their { url, name, size, mime } reference object lands in `body`
+        // under the field name. Downstream code sees a uniform JSON-shaped body.
+        let body = request.body || {};
+        if (request.isMultipart && request.isMultipart()) {
+            try {
+                body = await parseMultipartForm(request, form);
+            } catch (err) {
+                return reply.status(400).send({ error: err.message });
+            }
+        }
         const settings = form.settings || {};
 
+        // Best-effort auth — never reject, just enrich.
+        let submittingUser = null;
+        try {
+            const decoded = await request.jwtVerify();
+            if (decoded.type === 'access') {
+                submittingUser = {
+                    id:    decoded.id,
+                    name:  decoded.name,
+                    email: decoded.email,
+                    role:  decoded.role
+                };
+            }
+        } catch { /* anonymous submission */ }
+
         // Honeypot check — silently accept if filled (bot detected)
         if (settings.honeypot && body._hp) {
             return { ok: true, message: settings.successMessage, redirect: settings.successRedirect || null };
@@ -397,17 +615,42 @@ export async function formsRoutes(fastify) {
             }
         }
 
-        // Store in collection (sole submission store)
+        // Store in collection (sole submission store).
+        //
+        // CRITICAL: collection write failure is the difference between "your
+        // submission was saved" and "your submission disappeared into thin air".
+        // We MUST surface the error to the user rather than logging a warning
+        // and returning success — anything else is a silent-data-loss bug.
+        // (Email / webhook / action failures downstream are still treated as
+        // non-fatal — they fire AFTER the entry is persisted, so even a partial
+        // delivery has the original submission safely stored.)
         const collectionAction = form.actions?.collection;
         const targetSlug = (collectionAction?.enabled && collectionAction.slug) ? collectionAction.slug : slug;
         let entry = null;
         try {
             const col = await getCollection(targetSlug);
             if (col) {
-                entry = await createEntry(targetSlug, data, { source: `form:${slug}` });
+                entry = await createEntry(targetSlug, data, {
+                    source:    `form:${slug}`,
+                    createdBy: submittingUser?.id || null
+                });
+            } else {
+                // Target collection doesn't exist — admin misconfiguration.
+                // Better to fail loudly than silently lose submissions.
+                fastify.log.warn(`[forms] Submission for "${slug}" had no target collection "${targetSlug}"`);
+                return reply.status(500).send({
+                    error: `Submission not saved — target collection "${targetSlug}" does not exist. Please contact the site administrator.`
+                });
             }
         } catch (err) {
-            fastify.log.warn(`[forms] Collection write failed for "${slug}": ${err.message}`);
+            fastify.log.warn(`[forms] Collection write failed for "${slug}" → "${targetSlug}": ${err.message}`);
+            // Distinguish validation errors (user-actionable) from other
+            // failures (admin needs to look) so the message helps the right
+            // person. Validation errors typically start with "Validation failed:".
+            const msg = err.message.startsWith('Validation failed')
+                ? err.message.replace('Validation failed: ', '')
+                : `Submission could not be saved: ${err.message}`;
+            return reply.status(400).send({ error: msg });
         }
 
         // Email action
@@ -444,11 +687,13 @@ export async function formsRoutes(fastify) {
             }
         }
 
-        // CMS Action trigger
+        // CMS Action trigger — forwards the authenticated submitter so
+        // action steps can interpolate {{user.id}}, {{user.email}}, etc.
+        // (Anonymous submissions still trigger the action with user={}.)
         const actionSlug = form.settings?.actionSlug;
         if (actionSlug && entry) {
             try {
-                await executeAction(actionSlug, entry.id, { user: null });
+                await executeAction(actionSlug, entry.id, { user: submittingUser });
             } catch (err) {
                 fastify.log.warn(`[forms] Action "${actionSlug}" failed for form "${slug}": ${err.message}`);
             }