domma-cms 0.17.0 → 0.21.0

package/server/routes/api/menu-locations.js

@@ -0,0 +1,46 @@
+/**
+ * Menu locations API
+ *
+ * GET /api/menu-locations           — current slot → menu-slug map
+ * PUT /api/menu-locations           — replace the map (validates against registry + menus)
+ * GET /api/menu-locations/registry  — list registered slots (core + plugin-contributed)
+ *
+ * Auth middlewares are accepted as options so tests can supply no-ops without
+ * needing to register `@fastify/jwt` + seed the roles cache. In production the
+ * defaults are the real `authenticate` / `requirePermission` from
+ * middleware/auth.js.
+ */
+import {
+    authenticate as defaultAuthenticate,
+    requirePermission as defaultRequirePermission
+} from '../../middleware/auth.js';
+import {getLocationRegistry, getLocations, setLocations} from '../../services/menus.js';
+import * as cache from '../../services/cache/index.js';
+
+/**
+ * Register the menu-locations routes.
+ *
+ * @param {import('fastify').FastifyInstance} fastify
+ * @param {{authenticate?: Function, requirePermission?: Function}} [opts]
+ * @returns {Promise<void>}
+ */
+export async function menuLocationsRoutes(fastify, opts = {}) {
+    const authenticate      = opts.authenticate      || defaultAuthenticate;
+    const requirePermission = opts.requirePermission || defaultRequirePermission;
+
+    const canRead   = {preHandler: [authenticate, requirePermission('menus', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('menus', 'update')]};
+
+    fastify.get('/menu-locations',          canRead, async () => getLocations());
+    fastify.get('/menu-locations/registry', canRead, async () => getLocationRegistry());
+
+    fastify.put('/menu-locations', canUpdate, async (request, reply) => {
+        try {
+            await setLocations(request.body || {});
+            await cache.invalidateTags(['menu-locations', 'nav']);
+            return {success: true};
+        } catch (err) {
+            return reply.status(400).send({error: err.message});
+        }
+    });
+}

package/server/routes/api/menus.js

@@ -0,0 +1,115 @@
+/**
+ * Menus API
+ *
+ * GET    /api/menus                  — list (metadata only)
+ * GET    /api/menus/:slug            — full menu
+ * POST   /api/menus                  — create
+ * PUT    /api/menus/:slug            — replace
+ * DELETE /api/menus/:slug            — delete (409 if mapped to a slot)
+ * POST   /api/menus/:slug/duplicate  — copy as <slug>-copy
+ *
+ * Auth middlewares are accepted as options so tests can supply no-ops without
+ * needing to register `@fastify/jwt` + seed the roles cache. In production the
+ * defaults are the real `authenticate` / `requirePermission` from
+ * middleware/auth.js.
+ */
+import {
+    authenticate as defaultAuthenticate,
+    requirePermission as defaultRequirePermission
+} from '../../middleware/auth.js';
+import {
+    createMenu,
+    deleteMenu,
+    duplicateMenu,
+    getLocations,
+    getMenu,
+    listMenus,
+    updateMenu
+} from '../../services/menus.js';
+import * as cache from '../../services/cache/index.js';
+
+/**
+ * Register the menus routes.
+ *
+ * @param {import('fastify').FastifyInstance} fastify
+ * @param {{authenticate?: Function, requirePermission?: Function}} [opts]
+ * @returns {Promise<void>}
+ */
+export async function menusRoutes(fastify, opts = {}) {
+    const authenticate      = opts.authenticate      || defaultAuthenticate;
+    const requirePermission = opts.requirePermission || defaultRequirePermission;
+
+    const canRead   = {preHandler: [authenticate, requirePermission('menus', 'read')]};
+    const canCreate = {preHandler: [authenticate, requirePermission('menus', 'create')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('menus', 'update')]};
+    const canDelete = {preHandler: [authenticate, requirePermission('menus', 'delete')]};
+
+    fastify.get('/menus', canRead, async (request) => {
+        const {canSeeArtefact} = await import('../../services/projects.js');
+        const all = await listMenus();
+        const filtered = [];
+        for (const m of all) {
+            // listMenus returns metadata only; getMenu returns full record with meta
+            const full = await getMenu(m.slug);
+            if (canSeeArtefact(request.user, full)) filtered.push(m);
+        }
+        return filtered;
+    });
+
+    fastify.get('/menus/:slug', canRead, async (request, reply) => {
+        const menu = await getMenu(request.params.slug);
+        if (!menu) return reply.status(404).send({error: 'Menu not found'});
+        const {canSeeArtefact} = await import('../../services/projects.js');
+        if (!canSeeArtefact(request.user, menu)) {
+            return reply.status(403).send({error: 'Access denied for this project'});
+        }
+        return menu;
+    });
+
+    fastify.post('/menus', canCreate, async (request, reply) => {
+        try {
+            const menu = await createMenu(request.body || {});
+            await cache.invalidateTags([`menu:${menu.slug}`, 'nav']);
+            return reply.status(201).send(menu);
+        } catch (err) {
+            const status = /already exists/.test(err.message) ? 409 : 400;
+            return reply.status(status).send({error: err.message});
+        }
+    });
+
+    fastify.put('/menus/:slug', canUpdate, async (request, reply) => {
+        try {
+            const menu = await updateMenu(request.params.slug, request.body || {});
+            await cache.invalidateTags([`menu:${menu.slug}`, 'nav']);
+            return menu;
+        } catch (err) {
+            const status = /not found/.test(err.message) ? 404 : 400;
+            return reply.status(status).send({error: err.message});
+        }
+    });
+
+    fastify.delete('/menus/:slug', canDelete, async (request, reply) => {
+        const map  = await getLocations();
+        const slot = Object.entries(map).find(([, slug]) => slug === request.params.slug)?.[0];
+        if (slot) {
+            return reply.status(409).send({
+                error: `Cannot delete — menu is mapped to slot "${slot}". Unmap it first.`
+            });
+        }
+        const ok = await deleteMenu(request.params.slug);
+        if (!ok) return reply.status(404).send({error: 'Menu not found'});
+        await cache.invalidateTags([`menu:${request.params.slug}`, 'nav']);
+        return {success: true};
+    });
+
+    fastify.post('/menus/:slug/duplicate', canCreate, async (request, reply) => {
+        try {
+            const copy = await duplicateMenu(request.params.slug);
+            await cache.invalidateTags([`menu:${copy.slug}`]);
+            return reply.status(201).send(copy);
+        } catch (err) {
+            const status = /not found/.test(err.message) ? 404 : 400;
+            return reply.status(status).send({error: err.message});
+        }
+    });
+}

package/server/routes/api/navigation.js

@@ -5,6 +5,7 @@
  */
 import {getConfig, saveConfig} from '../../config.js';
 import {authenticate, requirePermission} from '../../middleware/auth.js';
+import * as cache from '../../services/cache/index.js';
 
 export async function navigationRoutes(fastify) {
     const canRead = {preHandler: [authenticate, requirePermission('navigation', 'read')]};
@@ -35,6 +36,7 @@ export async function navigationRoutes(fastify) {
             });
         }
         saveConfig('navigation', data);
+        await cache.invalidateTags(['nav']);
         return { success: true };
     });
 }

package/server/routes/api/pages.js

@@ -22,7 +22,7 @@ export async function pagesRoutes(fastify) {
     fastify.post('/pages/preview', canRead, async (request, reply) => {
     const {markdown} = request.body;
     if (typeof markdown !== 'string') return reply.status(400).send({error: 'markdown must be a string'});
-    const {html} = await parseMarkdown(`---\ntitle: preview\n---\n${markdown}`);
+    const {html} = await parseMarkdown(`---\ntitle: preview\n---\n${markdown}`, {user: request.user || null});
     return {html};
   });
 

package/server/routes/api/projects.js

@@ -0,0 +1,107 @@
+/**
+ * Projects API
+ *
+ * GET    /api/projects                       — list visible projects
+ * GET    /api/projects/:slug                 — full project
+ * POST   /api/projects                       — create
+ * PUT    /api/projects/:slug                 — edit (slug immutable)
+ * DELETE /api/projects/:slug                 — delete (409 if any artefacts tagged)
+ * GET    /api/projects/:slug/artefacts       — grouped artefacts
+ * POST   /api/projects/:slug/untag-all       — escape hatch before delete
+ *
+ * Auth middlewares are accepted as DI options so tests can supply no-ops.
+ */
+import {
+    authenticate as defaultAuthenticate,
+    requirePermission as defaultRequirePermission
+} from '../../middleware/auth.js';
+import {
+    createProject,
+    deleteProject,
+    getArtefactsForProject,
+    getProject,
+    listProjectsForUser,
+    untagAllForProject,
+    updateProject
+} from '../../services/projects.js';
+import * as cache from '../../services/cache/index.js';
+
+/**
+ * Register the projects routes.
+ *
+ * @param {import('fastify').FastifyInstance} fastify
+ * @param {{authenticate?: Function, requirePermission?: Function}} [opts]
+ * @returns {Promise<void>}
+ */
+export async function projectsRoutes(fastify, opts = {}) {
+    const authenticate      = opts.authenticate      || defaultAuthenticate;
+    const requirePermission = opts.requirePermission || defaultRequirePermission;
+
+    const canRead   = {preHandler: [authenticate, requirePermission('projects', 'read')]};
+    const canCreate = {preHandler: [authenticate, requirePermission('projects', 'create')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('projects', 'update')]};
+    const canDelete = {preHandler: [authenticate, requirePermission('projects', 'delete')]};
+
+    fastify.get('/projects', canRead, async (request) => {
+        return listProjectsForUser(request.user);
+    });
+
+    fastify.get('/projects/:slug', canRead, async (request, reply) => {
+        const project = await getProject(request.params.slug);
+        if (!project) return reply.status(404).send({error: 'Project not found'});
+        return project;
+    });
+
+    fastify.post('/projects', canCreate, async (request, reply) => {
+        try {
+            const project = await createProject(request.body || {});
+            await cache.invalidateTags(['projects']);
+            return reply.status(201).send(project);
+        } catch (err) {
+            const status = /already exists/.test(err.message) ? 409 : 400;
+            return reply.status(status).send({error: err.message});
+        }
+    });
+
+    fastify.put('/projects/:slug', canUpdate, async (request, reply) => {
+        try {
+            const project = await updateProject(request.params.slug, request.body || {});
+            await cache.invalidateTags(['projects', `project:${request.params.slug}`]);
+            return project;
+        } catch (err) {
+            const status = /not found/.test(err.message) ? 404 : 400;
+            return reply.status(status).send({error: err.message});
+        }
+    });
+
+    fastify.delete('/projects/:slug', canDelete, async (request, reply) => {
+        const grouped = await getArtefactsForProject(request.params.slug);
+        const total = Object.values(grouped).reduce((sum, arr) => sum + arr.length, 0);
+        if (total > 0) {
+            return reply.status(409).send({
+                error: `Cannot delete — ${total} artefacts still tagged with this project`,
+                artefacts: Object.fromEntries(Object.entries(grouped).map(([k, v]) => [k, v.length]))
+            });
+        }
+        const ok = await deleteProject(request.params.slug);
+        if (!ok) return reply.status(404).send({error: 'Project not found'});
+        await cache.invalidateTags(['projects', `project:${request.params.slug}`]);
+        return {success: true};
+    });
+
+    fastify.get('/projects/:slug/artefacts', canRead, async (request, reply) => {
+        if (!(await getProject(request.params.slug))) {
+            return reply.status(404).send({error: 'Project not found'});
+        }
+        return getArtefactsForProject(request.params.slug);
+    });
+
+    fastify.post('/projects/:slug/untag-all', canDelete, async (request, reply) => {
+        if (!(await getProject(request.params.slug))) {
+            return reply.status(404).send({error: 'Project not found'});
+        }
+        const counts = await untagAllForProject(request.params.slug);
+        await cache.invalidateTags(['projects', `project:${request.params.slug}`]);
+        return {success: true, untagged: counts};
+    });
+}

package/server/routes/api/scaffold.js

@@ -0,0 +1,86 @@
+/**
+ * Scaffold API — list bundled recipes and apply one to create a working CRUD
+ * system (Collection + Form + Actions) in a single call.
+ *
+ * Admin-only — these endpoints can create resources, so they require the same
+ * permission tier as collection/form management. The `apply` endpoint is
+ * non-atomic across recipe pieces but returns a clear summary of what was
+ * created vs. skipped so the caller can clean up if needed.
+ *
+ * Endpoints:
+ *   GET  /api/scaffold/recipes          — list bundled recipes (name, description, options)
+ *   POST /api/scaffold/apply            — apply one recipe with caller-provided option overrides
+ */
+import {applyRecipe, getRecipe, listRecipes} from '../../services/scaffolder.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+
+export async function scaffoldRoutes(fastify) {
+    // Scaffolding creates collections + forms + actions, so we require both
+    // collections.create and forms.create permissions. The cheap check is to
+    // gate on collections.create — anyone with that should already be a
+    // privileged role; we add forms.create on top as a belt-and-braces.
+    const canScaffold = {preHandler: [authenticate, requirePermission('collections', 'create')]};
+
+    /*
+     * GET /api/scaffold/recipes
+     *
+     * Returns the list of bundled recipes available to scaffold. Each entry
+     * exposes just enough metadata for the picker UI to render: name,
+     * description, icon, and the options schema (with defaults and hints).
+     *
+     * Response: { recipes: [{slug, name, description, icon, options}, ...] }
+     */
+    fastify.get('/scaffold/recipes', canScaffold, async () => {
+        const recipes = await listRecipes();
+        return { recipes };
+    });
+
+    /*
+     * GET /api/scaffold/recipes/:slug
+     *
+     * Returns the full recipe document — useful for a preview view that wants
+     * to show the user exactly what will be created before they click Apply.
+     */
+    fastify.get('/scaffold/recipes/:slug', canScaffold, async (request, reply) => {
+        const recipe = await getRecipe(request.params.slug);
+        if (!recipe) return reply.status(404).send({ error: 'Recipe not found' });
+        return recipe;
+    });
+
+    /*
+     * POST /api/scaffold/apply
+     *
+     * Body: { recipe: <slug>, options?: { collectionSlug, formSlug, actionPrefix, ... } }
+     *
+     * Pre-flight: refuses if any target slug already exists (HTTP 409 with the
+     * conflict list in `conflicts`). On success, returns a summary describing
+     * what got created, what was skipped (e.g. Mongo-gated actions in file
+     * mode), and any non-fatal warnings.
+     *
+     * Response:
+     *   { created: {collection, form, actions: [...]}, skipped: [...], warnings: [...], snippet: string|null }
+     *
+     * The `snippet` is a Markdown fragment the caller can insert at the
+     * cursor position in the page editor — typically the [form] + [collection]
+     * combination needed to see the new system on a page immediately.
+     */
+    fastify.post('/scaffold/apply', canScaffold, async (request, reply) => {
+        const {recipe, options} = request.body || {};
+        if (!recipe || typeof recipe !== 'string') {
+            return reply.status(400).send({ error: 'recipe slug is required' });
+        }
+
+        try {
+            const result = await applyRecipe(recipe, {
+                options:   options || {},
+                createdBy: request.user?.id || null
+            });
+            return result;
+        } catch (err) {
+            if (err.statusCode === 409 && Array.isArray(err.conflicts)) {
+                return reply.status(409).send({ error: err.message, conflicts: err.conflicts });
+            }
+            return reply.status(400).send({ error: err.message });
+        }
+    });
+}

package/server/routes/api/settings.js

@@ -10,6 +10,7 @@ import nodemailer from 'nodemailer';
 import fs from 'fs/promises';
 import path from 'path';
 import {fileURLToPath} from 'url';
+import * as cache from '../../services/cache/index.js';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
@@ -64,6 +65,7 @@ export async function settingsRoutes(fastify) {
             merged.smtp = {...merged.smtp, pass: existing.smtp.pass};
         }
         saveConfig('site', merged);
+        await cache.invalidateTags(['site']);
         return { success: true };
     });
 
@@ -133,6 +135,7 @@ export async function settingsRoutes(fastify) {
             return reply.status(400).send({ error: 'CSS exceeds the 100 KB limit.' });
         }
         await fs.writeFile(CUSTOM_CSS_FILE, css, 'utf8');
+        await cache.invalidateTags(['site']);
         return { success: true };
     });
 }

package/server/routes/api/sidebar.js

@@ -0,0 +1,23 @@
+/**
+ * Admin sidebar API
+ *
+ * GET /api/sidebar/registered-items — plugin-registered sidebar items
+ *
+ * Auth middlewares are accepted as DI options so tests can supply no-ops.
+ */
+import {
+    authenticate as defaultAuthenticate,
+    requirePermission as defaultRequirePermission
+} from '../../middleware/auth.js';
+import {getRegisteredSidebarItems} from '../../services/hooks.js';
+
+export async function sidebarRoutes(fastify, opts = {}) {
+    const authenticate      = opts.authenticate      || defaultAuthenticate;
+    const requirePermission = opts.requirePermission || defaultRequirePermission;
+
+    const canRead = {preHandler: [authenticate, requirePermission('menus', 'read')]};
+
+    fastify.get('/sidebar/registered-items', canRead, async () => {
+        return getRegisteredSidebarItems();
+    });
+}

package/server/routes/api/users.js

@@ -18,9 +18,13 @@ export async function usersRoutes(fastify) {
     const canDelete = [authenticate, requirePermission('users', 'delete')];
 
     // List all users
-    fastify.get('/users', {preHandler: canRead}, async () => {
+    fastify.get('/users', {preHandler: canRead}, async (request) => {
+        const {canSeeArtefact} = await import('../../services/projects.js');
         const [users, profiles] = await Promise.all([listUsers(), listProfiles()]);
-        return users.map(u => ({...u, profile: profiles.get(u.id) || {}}));
+        // User records carry meta.project directly; filter against the raw record
+        return users
+            .filter(u => canSeeArtefact(request.user, u))
+            .map(u => ({...u, profile: profiles.get(u.id) || {}}));
     });
 
     // Get single user (admin, manager, or the user themselves)
@@ -55,12 +59,22 @@ export async function usersRoutes(fastify) {
         }
 
         const targetRole = role || 'user';
-        if (!canManageUser(request.user.role, targetRole)) {
+        // Pass the full actor object so multi-role privilege is evaluated;
+        // for the prospective target we only have a primary role here.
+        if (!canManageUser(request.user, targetRole)) {
             return reply.code(403).send({ error: 'You cannot create a user with that role' });
         }
+        // Additional-roles privilege guard — actor must be able to manage EVERY role
+        // they're trying to assign, not just the primary.
+        const requestedAdditional = Array.isArray(request.body?.additionalRoles) ? request.body.additionalRoles : [];
+        for (const r of requestedAdditional) {
+            if (!canManageUser(request.user, r)) {
+                return reply.code(403).send({ error: `You cannot assign the additional role "${r}"` });
+            }
+        }
 
         try {
-            const user = await createUser({ name, email, password, role: targetRole });
+            const user = await createUser({ name, email, password, role: targetRole, additionalRoles: requestedAdditional });
             return reply.status(201).send(user);
         } catch (err) {
             return reply.status(409).send({ error: err.message });
@@ -75,15 +89,26 @@ export async function usersRoutes(fastify) {
         const target = await getUserById(id);
         if (!target) return reply.status(404).send({ error: 'User not found' });
 
-        if (!canManageUser(actor.role, target.role)) {
+        if (!canManageUser(actor, target)) {
             return reply.code(403).send({ error: 'You cannot edit a user with that role' });
         }
 
         const updates = request.body || {};
         // Prevent role escalation beyond what the actor can manage
-        if (updates.role && !canManageUser(actor.role, updates.role)) {
+        if (updates.role && !canManageUser(actor, updates.role)) {
             return reply.code(403).send({ error: 'You cannot assign that role' });
         }
+        // Same check for any additionalRoles being assigned
+        if (Array.isArray(updates.additionalRoles)) {
+            for (const r of updates.additionalRoles) {
+                if (!canManageUser(actor, r)) {
+                    return reply.code(403).send({ error: `You cannot assign the additional role "${r}"` });
+                }
+            }
+            // Strip duplicates / primary collisions before persisting
+            const primary = updates.role || target.role;
+            updates.additionalRoles = updates.additionalRoles.filter(r => r && r !== primary);
+        }
 
         // Strip profile from core updates and handle separately
         const {profile, ...coreUpdates} = updates;
@@ -109,7 +134,7 @@ export async function usersRoutes(fastify) {
         const target = await getUserById(id);
         if (!target) return reply.status(404).send({ error: 'User not found' });
 
-        if (!canManageUser(actor.role, target.role)) {
+        if (!canManageUser(actor, target)) {
             return reply.code(403).send({ error: 'You cannot delete a user with that role' });
         }
 

package/server/routes/api/views.js

@@ -16,6 +16,7 @@
 import {createView, deleteView, executeView, getView, listViews, updateView} from '../../services/views.js';
 import {authenticate, requirePermission} from '../../middleware/auth.js';
 import {getRoleLevel} from '../../services/roles.js';
+import {getEffectiveLevel} from '../../services/userRoles.js';
 
 export async function viewsRoutes(fastify) {
     const canRead = {preHandler: [authenticate, requirePermission('views', 'read')]};
@@ -29,7 +30,10 @@ export async function viewsRoutes(fastify) {
 
     fastify.get('/views', canRead, async (request, reply) => {
         try {
-            return await listViews();
+            const {canSeeArtefact} = await import('../../services/projects.js');
+            const all = await listViews();
+            // listViews returns full records with meta inline — filter directly
+            return all.filter(v => canSeeArtefact(request.user, v));
         } catch (err) {
             return reply.status(503).send({ error: err.message });
         }
@@ -60,6 +64,10 @@ export async function viewsRoutes(fastify) {
         try {
             const view = await getView(request.params.slug);
             if (!view) return reply.status(404).send({ error: 'View not found' });
+            const {canSeeArtefact} = await import('../../services/projects.js');
+            if (!canSeeArtefact(request.user, view)) {
+                return reply.status(403).send({ error: 'Access denied for this project' });
+            }
             return view;
         } catch (err) {
             return reply.status(503).send({ error: err.message });
@@ -126,7 +134,7 @@ export async function viewsRoutes(fastify) {
 
             const user          = request.user;
             const allowedRoles  = view.access?.roles || ['admin', 'super-admin'];
-            const userLevel     = getRoleLevel(user?.role);
+            const userLevel     = getEffectiveLevel(user);
             const minAllowed    = Math.min(...allowedRoles.map(r => getRoleLevel(r)));
 
             if (userLevel > minAllowed) {