domma-cms 0.2.1 → 0.3.0

package/public/js/site.js

@@ -1,204 +1 @@
-/**
- * Public Site - Client-side Domma init
- * Reads config injected by the server and initialises navbar, footer, and features.
- */
-
-$(() => {
-    const nav = window.__CMS_NAV__ || {};
-    const site = window.__CMS_SITE__ || {};
-
-    // Initialise navbar
-    const $navbar = $('#site-navbar');
-    if ($navbar.length && nav.brand) {
-      // Build brand.html when an icon is configured — Domma navbar doesn't natively support data-icon spans
-      const brand = {...nav.brand};
-      if (brand.icon) {
-        let html = `<span data-icon="${brand.icon}" style="width:1.1em;height:1.1em;margin-right:.35em;vertical-align:middle;"></span>`;
-        if (brand.text) html += `<span class="navbar-brand-text">${brand.text}</span>`;
-        brand.html = html;
-      }
-        Domma.elements.navbar('#site-navbar', {
-          brand,
-            items: nav.items || [],
-            variant: nav.variant || 'dark',
-            position: nav.position || 'sticky',
-            collapsible: true
-        });
-      Domma.icons.scan('#site-navbar');
-    }
-
-    // Initialise footer
-    const $footer = $('#site-footer');
-  if ($footer.length) {
-    const social = site.social || {};
-    const SOCIAL_ICONS = {
-      twitter: {
-        label: 'X / Twitter',
-        svg: '<svg viewBox="0 0 24 24" fill="currentColor"><path d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-4.714-6.231-5.401 6.231H2.742l7.73-8.835L1.254 2.25H8.08l4.259 5.629L18.244 2.25zm-1.161 17.52h1.833L7.084 4.126H5.117z"/></svg>'
-      },
-      facebook: {
-        label: 'Facebook',
-        svg: '<svg viewBox="0 0 24 24" fill="currentColor"><path d="M24 12.073c0-6.627-5.373-12-12-12s-12 5.373-12 12c0 5.99 4.388 10.954 10.125 11.854v-8.385H7.078v-3.47h3.047V9.43c0-3.007 1.792-4.669 4.533-4.669 1.312 0 2.686.235 2.686.235v2.953H15.83c-1.491 0-1.956.925-1.956 1.874v2.25h3.328l-.532 3.47h-2.796v8.385C19.612 23.027 24 18.062 24 12.073z"/></svg>'
-      },
-      instagram: {
-        label: 'Instagram',
-        svg: '<svg viewBox="0 0 24 24" fill="currentColor"><path d="M12 2.163c3.204 0 3.584.012 4.85.07 3.252.148 4.771 1.691 4.919 4.919.058 1.265.069 1.645.069 4.849 0 3.205-.012 3.584-.069 4.849-.149 3.225-1.664 4.771-4.919 4.919-1.266.058-1.644.07-4.85.07-3.204 0-3.584-.012-4.849-.07-3.26-.149-4.771-1.699-4.919-4.92-.058-1.265-.07-1.644-.07-4.849 0-3.204.013-3.583.07-4.849.149-3.227 1.664-4.771 4.919-4.919 1.266-.057 1.645-.069 4.849-.069zM12 0C8.741 0 8.333.014 7.053.072 2.695.272.273 2.69.073 7.052.014 8.333 0 8.741 0 12c0 3.259.014 3.668.072 4.948.2 4.358 2.618 6.78 6.98 6.98C8.333 23.986 8.741 24 12 24c3.259 0 3.668-.014 4.948-.072 4.354-.2 6.782-2.618 6.979-6.98.059-1.28.073-1.689.073-4.948 0-3.259-.014-3.667-.072-4.947-.196-4.354-2.617-6.78-6.979-6.98C15.668.014 15.259 0 12 0zm0 5.838a6.162 6.162 0 100 12.324 6.162 6.162 0 000-12.324zM12 16a4 4 0 110-8 4 4 0 010 8zm6.406-11.845a1.44 1.44 0 100 2.881 1.44 1.44 0 000-2.881z"/></svg>'
-      },
-      linkedin: {
-        label: 'LinkedIn',
-        svg: '<svg viewBox="0 0 24 24" fill="currentColor"><path d="M20.447 20.452h-3.554v-5.569c0-1.328-.027-3.037-1.852-3.037-1.853 0-2.136 1.445-2.136 2.939v5.667H9.351V9h3.414v1.561h.046c.477-.9 1.637-1.85 3.37-1.85 3.601 0 4.267 2.37 4.267 5.455v6.286zM5.337 7.433a2.062 2.062 0 01-2.063-2.065 2.064 2.064 0 112.063 2.065zm1.782 13.019H3.555V9h3.564v11.452zM22.225 0H1.771C.792 0 0 .774 0 1.729v20.542C0 23.227.792 24 1.771 24h20.451C23.2 24 24 23.227 24 22.271V1.729C24 .774 23.2 0 22.222 0h.003z"/></svg>'
-      },
-      github: {
-        label: 'GitHub',
-        svg: '<svg viewBox="0 0 24 24" fill="currentColor"><path d="M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12"/></svg>'
-      },
-      youtube: {
-        label: 'YouTube',
-        svg: '<svg viewBox="0 0 24 24" fill="currentColor"><path d="M23.495 6.205a3.007 3.007 0 00-2.088-2.088c-1.87-.501-9.396-.501-9.396-.501s-7.507-.01-9.396.501A3.007 3.007 0 00.527 6.205a31.247 31.247 0 00-.522 5.805 31.247 31.247 0 00.522 5.783 3.007 3.007 0 002.088 2.088c1.868.502 9.396.502 9.396.502s7.506 0 9.396-.502a3.007 3.007 0 002.088-2.088 31.247 31.247 0 00.5-5.783 31.247 31.247 0 00-.5-5.805zM9.609 15.601V8.408l6.264 3.602z"/></svg>'
-      }
-    };
-
-    let html = '<div class="footer-inner container">';
-
-    if (site.footer) {
-      const footer = site.footer;
-      html += `<p>${footer.copyright || ''}</p>`;
-      if (footer.links?.length) {
-        html += `<nav class="footer-links">`;
-        footer.links.forEach(link => {
-          html += `<a href="${link.url}">${link.text}</a>`;
-        });
-        html += `</nav>`;
-      }
-      const activeSocial = Object.keys(SOCIAL_ICONS).filter(k => social[k]);
-      if (activeSocial.length) {
-        html += `<div class="footer-social">`;
-        activeSocial.forEach(k => {
-          const {label, svg} = SOCIAL_ICONS[k];
-          html += `<a href="${social[k]}" target="_blank" rel="noopener noreferrer" aria-label="${label}" class="footer-social-link">${svg}</a>`;
-        });
-        html += `</div>`;
-      }
-    }
-
-    const storedPref = S.get('reduced_motion');
-    const motionOn = storedPref !== null
-      ? !!storedPref
-      : !!(window.matchMedia && window.matchMedia('(prefers-reduced-motion: reduce)').matches);
-    html += `<label class="form-switch footer-motion-switch" title="Reduce motion">` +
-      `<input type="checkbox" class="form-switch-input" id="dm-motion-switch"${motionOn ? ' checked' : ''}>` +
-      `<span class="form-switch-label">Reduce motion</span>` +
-      `</label>`;
-
-    html += '</div>';
-        $footer.html(html, { safe: false });
-
-    document.getElementById('dm-motion-switch').addEventListener('change', function () {
-      S.set('reduced_motion', this.checked);
-      window.location.reload();
-    });
-    }
-
-    // Initialise sidebar (auto-generate from headings if enabled)
-    const $sidebar = $('#site-sidebar');
-    if ($sidebar.length) {
-        Domma.elements.sidebar('#site-sidebar', {
-            autoGenerate: true,
-            selector: 'h2, h3',
-            collapsible: false,
-            push: true,
-            contentSelector: '.site-content'
-        });
-    }
-
-    // Icons
-    Domma.icons.scan();
-
-  // -------------------------------------------------------
-  // Auto-initialise Domma components inside page content
-  // -------------------------------------------------------
-  const $pageBody = $('.page-body');
-  if ($pageBody.length) {
-
-    // Accordion — reads data-multi attribute set by [accordion multiple="true"] shortcode
-    $pageBody.find('.accordion').each(function () {
-      Domma.elements.accordion(this, {
-        allowMultiple: this.dataset.multi === 'true'
-      });
-    });
-
-    // Tabs
-    $pageBody.find('.tabs').each(function () {
-      Domma.elements.tabs(this);
-    });
-
-    // Carousel — reads data attributes set by [carousel] shortcode
-    $pageBody.find('.carousel').each(function () {
-      Domma.elements.carousel(this, {
-        autoplay: this.dataset.autoplay === 'true',
-        interval: parseInt(this.dataset.interval, 10) || 5000,
-        loop: this.dataset.loop !== 'false',
-        animation: this.dataset.animation || 'slide'
-      });
-    });
-
-    // Countdown — initialises .dm-countdown elements via E.timer()
-    $pageBody.find('.dm-countdown').each(function () {
-      const opts = {autoStart: true};
-      if (this.dataset.to) opts.targetDate = new Date(this.dataset.to);
-      if (this.dataset.duration) opts.duration = parseInt(this.dataset.duration, 10);
-      if (this.dataset.format) opts.format = this.dataset.format;
-      Domma.elements.timer(this, opts);
-    });
-
-    // Tooltips
-    $pageBody.find('[data-tooltip]').each(function () {
-      Domma.elements.tooltip(this, {
-        content: $(this).data('tooltip'),
-        position: $(this).data('tooltip-position') || 'top'
-      });
-    });
-
-    // Collapsible cards
-    $pageBody.find('.card[data-collapsible]').each(function () {
-      const header = this.querySelector('.card-header');
-      if (header) {
-        header.addEventListener('click', () => this.classList.toggle('is-collapsed'));
-      }
-    });
-
-    // Slideover triggers — wired from [slideover] shortcode
-    $pageBody.find('.dm-so-trigger').each(function () {
-      this.addEventListener('click', () => {
-        const targetId = this.dataset.soTarget;
-        const contentEl = document.getElementById(targetId);
-        if (!contentEl) return;
-        const so = E.slideover({
-          title: contentEl.dataset.soTitle || '',
-          size: contentEl.dataset.soSize || 'md',
-          position: contentEl.dataset.soPosition || 'right'
-        });
-        contentEl.style.display = '';
-        so.setContent(contentEl);
-        so.open();
-      });
-    });
-  }
-
-  // DConfig — merge window.__CMS_DCONFIG__ (editor section) with inline [dconfig] shortcodes
-  // Inline shortcodes win on selector conflict (assigned last via Object.assign)
-  if (typeof $.setup === 'function') {
-    const merged = Object.assign({}, window.__CMS_DCONFIG__ || {});
-    document.querySelectorAll('.dm-page-config[data-config]').forEach(el => {
-      try {
-        const decoded = atob(el.dataset.config);
-        const parsed = JSON.parse(decoded);
-        Object.assign(merged, parsed);
-      } catch { /* skip malformed blocks */
-      }
-    });
-    if (Object.keys(merged).length) {
-      $.setup(merged);
-    }
-  }
-});
+$(()=>{const r=window.__CMS_NAV__||{},h=window.__CMS_SITE__||{};if($("#site-navbar").length&&r.brand){const t={...r.brand};if(t.icon){let a=`<span data-icon="${t.icon}" style="width:1.1em;height:1.1em;margin-right:.35em;vertical-align:middle;"></span>`;t.text&&(a+=`<span class="navbar-brand-text">${t.text}</span>`),t.html=a}Domma.elements.navbar("#site-navbar",{brand:t,items:r.items||[],variant:r.variant||"dark",position:r.position||"sticky",collapsible:!0}),Domma.icons.scan("#site-navbar")}const m=$("#site-footer");if(m.length){const t=h.social||{},a={twitter:{label:"X / Twitter",svg:'<svg viewBox="0 0 24 24" fill="currentColor"><path d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-4.714-6.231-5.401 6.231H2.742l7.73-8.835L1.254 2.25H8.08l4.259 5.629L18.244 2.25zm-1.161 17.52h1.833L7.084 4.126H5.117z"/></svg>'},facebook:{label:"Facebook",svg:'<svg viewBox="0 0 24 24" fill="currentColor"><path d="M24 12.073c0-6.627-5.373-12-12-12s-12 5.373-12 12c0 5.99 4.388 10.954 10.125 11.854v-8.385H7.078v-3.47h3.047V9.43c0-3.007 1.792-4.669 4.533-4.669 1.312 0 2.686.235 2.686.235v2.953H15.83c-1.491 0-1.956.925-1.956 1.874v2.25h3.328l-.532 3.47h-2.796v8.385C19.612 23.027 24 18.062 24 12.073z"/></svg>'},instagram:{label:"Instagram",svg:'<svg viewBox="0 0 24 24" fill="currentColor"><path d="M12 2.163c3.204 0 3.584.012 4.85.07 3.252.148 4.771 1.691 4.919 4.919.058 1.265.069 1.645.069 4.849 0 3.205-.012 3.584-.069 4.849-.149 3.225-1.664 4.771-4.919 4.919-1.266.058-1.644.07-4.85.07-3.204 0-3.584-.012-4.849-.07-3.26-.149-4.771-1.699-4.919-4.92-.058-1.265-.07-1.644-.07-4.849 0-3.204.013-3.583.07-4.849.149-3.227 1.664-4.771 4.919-4.919 1.266-.057 1.645-.069 4.849-.069zM12 0C8.741 0 8.333.014 7.053.072 2.695.272.273 2.69.073 7.052.014 8.333 0 8.741 0 12c0 3.259.014 3.668.072 4.948.2 4.358 2.618 6.78 6.98 6.98C8.333 23.986 8.741 24 12 24c3.259 0 3.668-.014 4.948-.072 4.354-.2 6.782-2.618 6.979-6.98.059-1.28.073-1.689.073-4.948 0-3.259-.014-3.667-.072-4.947-.196-4.354-2.617-6.78-6.979-6.98C15.668.014 15.259 0 12 0zm0 5.838a6.162 6.162 0 100 12.324 6.162 6.162 0 000-12.324zM12 16a4 4 0 110-8 4 4 0 010 8zm6.406-11.845a1.44 1.44 0 100 2.881 1.44 1.44 0 000-2.881z"/></svg>'},linkedin:{label:"LinkedIn",svg:'<svg viewBox="0 0 24 24" fill="currentColor"><path d="M20.447 20.452h-3.554v-5.569c0-1.328-.027-3.037-1.852-3.037-1.853 0-2.136 1.445-2.136 2.939v5.667H9.351V9h3.414v1.561h.046c.477-.9 1.637-1.85 3.37-1.85 3.601 0 4.267 2.37 4.267 5.455v6.286zM5.337 7.433a2.062 2.062 0 01-2.063-2.065 2.064 2.064 0 112.063 2.065zm1.782 13.019H3.555V9h3.564v11.452zM22.225 0H1.771C.792 0 0 .774 0 1.729v20.542C0 23.227.792 24 1.771 24h20.451C23.2 24 24 23.227 24 22.271V1.729C24 .774 23.2 0 22.222 0h.003z"/></svg>'},github:{label:"GitHub",svg:'<svg viewBox="0 0 24 24" fill="currentColor"><path d="M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12"/></svg>'},youtube:{label:"YouTube",svg:'<svg viewBox="0 0 24 24" fill="currentColor"><path d="M23.495 6.205a3.007 3.007 0 00-2.088-2.088c-1.87-.501-9.396-.501-9.396-.501s-7.507-.01-9.396.501A3.007 3.007 0 00.527 6.205a31.247 31.247 0 00-.522 5.805 31.247 31.247 0 00.522 5.783 3.007 3.007 0 002.088 2.088c1.868.502 9.396.502 9.396.502s7.506 0 9.396-.502a3.007 3.007 0 002.088-2.088 31.247 31.247 0 00.5-5.783 31.247 31.247 0 00-.5-5.805zM9.609 15.601V8.408l6.264 3.602z"/></svg>'}};let e='<div class="footer-inner container">';if(h.footer){const c=h.footer;e+=`<p>${c.copyright||""}</p>`,c.links?.length&&(e+='<nav class="footer-links">',c.links.forEach(o=>{e+=`<a href="${o.url}">${o.text}</a>`}),e+="</nav>");const l=Object.keys(a).filter(o=>t[o]);l.length&&(e+='<div class="footer-social">',l.forEach(o=>{const{label:s,svg:g}=a[o];e+=`<a href="${t[o]}" target="_blank" rel="noopener noreferrer" aria-label="${s}" class="footer-social-link">${g}</a>`}),e+="</div>")}const i=S.get("reduced_motion"),f=i!==null?!!i:!!(window.matchMedia&&window.matchMedia("(prefers-reduced-motion: reduce)").matches);e+=`<label class="form-switch footer-motion-switch" title="Reduce motion"><input type="checkbox" class="form-switch-input" id="dm-motion-switch"${f?" checked":""}><span class="form-switch-label">Reduce motion</span></label>`,e+="</div>",m.html(e,{safe:!1}),document.getElementById("dm-motion-switch").addEventListener("change",function(){S.set("reduced_motion",this.checked),window.location.reload()})}$("#site-sidebar").length&&Domma.elements.sidebar("#site-sidebar",{autoGenerate:!0,selector:"h2, h3",collapsible:!1,push:!0,contentSelector:".site-content"}),Domma.icons.scan();const n=$(".page-body");if(n.length&&(n.find(".accordion").each(function(){Domma.elements.accordion(this,{allowMultiple:this.dataset.multi==="true"})}),n.find(".tabs").each(function(){Domma.elements.tabs(this)}),n.find(".carousel").each(function(){Domma.elements.carousel(this,{autoplay:this.dataset.autoplay==="true",interval:parseInt(this.dataset.interval,10)||5e3,loop:this.dataset.loop!=="false",animation:this.dataset.animation||"slide"})}),n.find(".dm-countdown").each(function(){const t={autoStart:!0};this.dataset.to&&(t.targetDate=new Date(this.dataset.to)),this.dataset.duration&&(t.duration=parseInt(this.dataset.duration,10)),this.dataset.format&&(t.format=this.dataset.format),Domma.elements.timer(this,t)}),n.find("[data-tooltip]").each(function(){Domma.elements.tooltip(this,{content:$(this).data("tooltip"),position:$(this).data("tooltip-position")||"top"})}),n.find(".card[data-collapsible]").each(function(){const t=this.querySelector(".card-header");t&&t.addEventListener("click",()=>this.classList.toggle("is-collapsed"))}),n.find(".dm-so-trigger").each(function(){this.addEventListener("click",()=>{const t=this.dataset.soTarget,a=document.getElementById(t);if(!a)return;const e=E.slideover({title:a.dataset.soTitle||"",size:a.dataset.soSize||"md",position:a.dataset.soPosition||"right"});a.style.display="",e.setContent(a),e.open()})})),typeof $.setup=="function"){const t=Object.assign({},window.__CMS_DCONFIG__||{});if(document.querySelectorAll(".dm-page-config[data-config]").forEach(a=>{try{const e=atob(a.dataset.config),i=JSON.parse(e);Object.assign(t,i)}catch{}}),Object.keys(t).length){const a={};for(const[e,i]of Object.entries(t)){const f=i?.events?.click,{confirm:c,toast:l,alert:o,...s}=f||{};c||l||o?($(e).on("click",async function(v){if(v.preventDefault(),!(c&&!await E.confirm(c))){if(s.target){const d=$(s.target);s.toggleClass&&d.toggleClass(s.toggleClass),s.addClass&&d.addClass(s.addClass),s.removeClass&&d.removeClass(s.removeClass)}s.href&&(window.location.href=s.href),l&&E.toast(l,{type:s.toastType||"success"}),o&&E.alert(o)}}),Object.keys(s).length&&(a[e]={...i,events:{...i.events,click:s}})):a[e]=i}$.setup(a)}}});

package/scripts/setup.js

@@ -38,10 +38,10 @@ const THEMES = [
     'royal-dark',     'royal-light',
     'lemon-dark',     'lemon-light',
     'silver-dark',    'silver-light',
-  'grayve-dark', 'grayve-light',
-  'christmas-dark', 'christmas-light',
-  'unicorn-dark', 'unicorn-light',
-  'dreamy-dark', 'dreamy-light',
+    'grayve-dark', 'grayve-light',
+    'christmas-dark', 'christmas-light',
+    'unicorn-dark', 'unicorn-light',
+    'dreamy-dark', 'dreamy-light',
 ];
 
 // ---------------------------------------------------------------------------

package/server/middleware/auth.js

@@ -1,22 +1,9 @@
 /**
  * Authentication Middleware
  * JWT-based authentication with role guards for Domma CMS.
+ * Role data is read from the userTypes cache (not config.auth.roles).
  */
-import { config } from '../config.js';
-
-const { roles } = config.auth;
-
-/**
- * Role hierarchy ordered from most to least privileged.
- * Used by canManageUser() to compare privilege levels.
- */
-export const ROLE_HIERARCHY = Object.entries(roles)
-    .sort((a, b) => a[1].level - b[1].level)
-    .map(([key]) => key);
-
-export const ROLES = Object.fromEntries(
-    Object.entries(roles).map(([key]) => [key.toUpperCase(), key])
-);
+import { getRoleLevel, getRoleHierarchy, getPermissionsFor } from '../services/userTypes.js';
 
 /**
  * Verify JWT Bearer token. Populates request.user on success.
@@ -67,7 +54,35 @@ export function requireRole(allowedRoles) {
 }
 
 /**
- * Shorthand preHandler — admin only.
+ * Return a preHandler that checks the current user's role has access to a resource.
+ * Reads from the userTypes cache at request time — reflects live role changes.
+ *
+ * @param {string} resource - Resource key (e.g. 'pages', 'users')
+ * @returns {Function}
+ */
+export function requirePermission(resource) {
+    return async (request, reply) => {
+        if (!request.user) {
+            return reply.code(401).send({
+                statusCode: 401,
+                error: 'Unauthorised',
+                message: 'Authentication required'
+            });
+        }
+
+        const allowed = getPermissionsFor(resource);
+        if (!allowed.includes(request.user.role)) {
+            return reply.code(403).send({
+                statusCode: 403,
+                error: 'Forbidden',
+                message: 'Insufficient permissions'
+            });
+        }
+    };
+}
+
+/**
+ * Shorthand preHandler — level-0 role (admin) only.
  *
  * @param {FastifyRequest} request
  * @param {FastifyReply} reply
@@ -77,21 +92,29 @@ export async function requireAdmin(request, reply) {
     if (!request.user) {
         return reply.code(401).send({ statusCode: 401, error: 'Unauthorised', message: 'Authentication required' });
     }
-    if (request.user.role !== 'admin') {
+    if (getRoleLevel(request.user.role) !== 0) {
         return reply.code(403).send({ statusCode: 403, error: 'Forbidden', message: 'Admin access required' });
     }
 }
 
 /**
  * Determine whether an actor can manage a target user.
- * Managers cannot create, edit, or delete admins.
+ * Managers cannot create, edit, or delete users with a lower level number (higher privilege).
  *
  * @param {string} actorRole - Role of the user performing the action
  * @param {string} targetRole - Role of the user being acted upon
  * @returns {boolean}
  */
 export function canManageUser(actorRole, targetRole) {
-    const actorLevel = roles[actorRole]?.level ?? Infinity;
-    const targetLevel = roles[targetRole]?.level ?? Infinity;
-    return actorLevel < targetLevel;
+    return getRoleLevel(actorRole) < getRoleLevel(targetRole);
+}
+
+/**
+ * Return role names ordered from most to least privileged.
+ * Computed from the userTypes cache.
+ *
+ * @returns {string[]}
+ */
+export function getRoleHierarchyList() {
+    return getRoleHierarchy();
 }

package/server/routes/api/auth.js

@@ -5,21 +5,40 @@
  * POST /api/auth/login         - { email, password } → { token, refreshToken, user }
  * GET  /api/auth/me            - return current user from token
  * POST /api/auth/refresh       - { refreshToken } → { token }
+ * POST /api/auth/logout        - { refreshToken } → { ok: true } — blacklists the refresh token
  */
-import { config } from '../../config.js';
-import { authenticate } from '../../middleware/auth.js';
+import {config} from '../../config.js';
+import {authenticate} from '../../middleware/auth.js';
 import {
-    countUsers,
-    createUser,
-    getUserByEmail,
-    getUserById,
-    touchLastLogin,
-    validatePassword
+  countUsers,
+  createUser,
+  getUserByEmail,
+  getUserById,
+  touchLastLogin,
+  validatePassword
 } from '../../services/users.js';
 
 const { accessTokenExpiry, refreshTokenExpiry } = config.auth;
 
+/** In-memory blacklist of invalidated refresh tokens (cleared on server restart). */
+const blacklistedRefreshTokens = new Set();
+
+// Purge expired tokens every 15 minutes to avoid unbounded growth.
+setInterval(() => {
+  for (const token of blacklistedRefreshTokens) {
+    try {
+      fastifyRef.jwt.verify(token);
+    } catch {
+      blacklistedRefreshTokens.delete(token);
+    }
+  }
+}, 15 * 60 * 1000);
+
+/** Holds the fastify instance once routes are registered (needed by the cleanup interval). */
+let fastifyRef;
+
 export async function authRoutes(fastify) {
+  fastifyRef = fastify;
     // GET /api/auth/setup-status
     fastify.get('/auth/setup-status', async () => {
         const count = await countUsers();
@@ -77,6 +96,13 @@ export async function authRoutes(fastify) {
         return user;
     });
 
+  // POST /api/auth/logout — blacklists the refresh token (fire-and-forget safe: no auth required)
+  fastify.post('/auth/logout', async (request) => {
+    const {refreshToken} = request.body || {};
+    if (refreshToken) blacklistedRefreshTokens.add(refreshToken);
+    return {ok: true};
+  });
+
     // POST /api/auth/refresh
     fastify.post('/auth/refresh', async (request, reply) => {
         const { refreshToken } = request.body || {};
@@ -84,6 +110,10 @@ export async function authRoutes(fastify) {
             return reply.status(400).send({ error: 'refreshToken is required' });
         }
 
+      if (blacklistedRefreshTokens.has(refreshToken)) {
+        return reply.status(401).send({error: 'Refresh token has been revoked'});
+      }
+
         let payload;
         try {
             payload = fastify.jwt.verify(refreshToken);

package/server/routes/api/collections.js

@@ -28,8 +28,8 @@ import {
     listEntries, getEntry, createEntry, updateEntry, deleteEntry, clearEntries,
     exportEntries, importEntries
 } from '../../services/collections.js';
-import { authenticate, requireRole } from '../../middleware/auth.js';
-import { config } from '../../config.js';
+import { authenticate, requirePermission } from '../../middleware/auth.js';
+import { getRoleLevel, invalidate as invalidateUserTypes } from '../../services/userTypes.js';
 
 /**
  * Resolve the role level number for a named role.
@@ -38,7 +38,7 @@ import { config } from '../../config.js';
  * @returns {number}
  */
 function roleLevel(roleName) {
-    return config.auth.roles[roleName]?.level ?? 99;
+    return getRoleLevel(roleName);
 }
 
 /**
@@ -76,7 +76,7 @@ async function checkPublicAccess(schema, operation, request, reply) {
 }
 
 export async function collectionsRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.collections)] };
+    const guard = { preHandler: [authenticate, requirePermission('collections')] };
 
     // -------------------------------------------------------------------------
     // Collection CRUD (schema management)
@@ -112,6 +112,9 @@ export async function collectionsRoutes(fastify) {
     });
 
     fastify.delete('/collections/:slug', guard, async (request, reply) => {
+        if (request.params.slug === 'user-types') {
+            return reply.status(403).send({ error: 'Cannot delete a preset collection' });
+        }
         try {
             await deleteCollection(request.params.slug);
             return { success: true };
@@ -150,6 +153,7 @@ export async function collectionsRoutes(fastify) {
                 createdBy: user?.id || null,
                 source:    'admin'
             });
+            if (request.params.slug === 'user-types') await invalidateUserTypes();
             return reply.status(201).send(entry);
         } catch (err) {
             return reply.status(400).send({ error: err.message });
@@ -158,7 +162,9 @@ export async function collectionsRoutes(fastify) {
 
     fastify.put('/collections/:slug/entries/:id', guard, async (request, reply) => {
         try {
-            return await updateEntry(request.params.slug, request.params.id, request.body?.data || {});
+            const entry = await updateEntry(request.params.slug, request.params.id, request.body?.data || {});
+            if (request.params.slug === 'user-types') await invalidateUserTypes();
+            return entry;
         } catch (err) {
             const status = err.message === 'Entry not found' ? 404 : 400;
             return reply.status(status).send({ error: err.message });
@@ -166,8 +172,15 @@ export async function collectionsRoutes(fastify) {
     });
 
     fastify.delete('/collections/:slug/entries/:id', guard, async (request, reply) => {
+        if (request.params.slug === 'user-types') {
+            const entry = await getEntry('user-types', request.params.id);
+            if (entry?.data?.level === 0) {
+                return reply.status(403).send({ error: 'Cannot delete the root admin role' });
+            }
+        }
         try {
             await deleteEntry(request.params.slug, request.params.id);
+            if (request.params.slug === 'user-types') await invalidateUserTypes();
             return { success: true };
         } catch (err) {
             return reply.status(404).send({ error: err.message });

package/server/routes/api/layouts.js

@@ -3,12 +3,11 @@
  * GET /api/layouts       - get all layout presets
  * PUT /api/layouts       - save layout presets
  */
-import { getConfig, saveConfig } from '../../config.js';
-import { authenticate, requireRole } from '../../middleware/auth.js';
-import { config } from '../../config.js';
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
 
 export async function layoutsRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.layouts)] };
+    const guard = { preHandler: [authenticate, requirePermission('layouts')] };
 
     fastify.get('/layouts', guard, async () => {
         return getConfig('presets');
@@ -22,4 +21,19 @@ export async function layoutsRoutes(fastify) {
         saveConfig('presets', data);
         return { success: true };
     });
+
+  fastify.get('/layouts/options', guard, async () => {
+    return getConfig('site')?.layoutOptions ?? {spacerSize: 8};
+  });
+
+  fastify.put('/layouts/options', guard, async (request, reply) => {
+    const data = request.body;
+    if (!data || typeof data !== 'object') {
+      return reply.status(400).send({error: 'Invalid layout options'});
+    }
+    const site = getConfig('site');
+    site.layoutOptions = {...site.layoutOptions, ...data};
+    saveConfig('site', site);
+    return {success: true};
+  });
 }

package/server/routes/api/media.js

@@ -7,8 +7,7 @@
 import path from 'path';
 import {deleteMedia, listMedia, renameMedia, saveMedia} from '../../services/content.js';
 import {getImageInfo, isEditableImage, transformImage} from '../../services/images.js';
-import {authenticate, requireRole} from '../../middleware/auth.js';
-import {config} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
 
 // Safe filename: strip path traversal and restrict to alphanumeric + safe chars
 function sanitiseFilename(name) {
@@ -16,7 +15,7 @@ function sanitiseFilename(name) {
 }
 
 export async function mediaRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.media)] };
+    const guard = { preHandler: [authenticate, requirePermission('media')] };
 
     fastify.get('/media', guard, async () => {
         return listMedia();

package/server/routes/api/navigation.js

@@ -4,11 +4,10 @@
  * PUT /api/navigation    - save navigation config
  */
 import { getConfig, saveConfig } from '../../config.js';
-import { authenticate, requireRole } from '../../middleware/auth.js';
-import { config } from '../../config.js';
+import { authenticate, requirePermission } from '../../middleware/auth.js';
 
 export async function navigationRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.navigation)] };
+    const guard = { preHandler: [authenticate, requirePermission('navigation')] };
 
     fastify.get('/navigation', guard, async () => {
         return getConfig('navigation');

package/server/routes/api/pages.js

@@ -8,11 +8,11 @@
  */
 import {createPage, deletePage, getPage, listPages, renamePage, updatePage} from '../../services/content.js';
 import {parseMarkdown} from '../../services/markdown.js';
-import {authenticate, requireRole} from '../../middleware/auth.js';
-import {config, getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import {getConfig, saveConfig} from '../../config.js';
 
 export async function pagesRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.pages)] };
+    const guard = { preHandler: [authenticate, requirePermission('pages')] };
 
   // Render markdown preview (shortcodes + sanitize, no frontmatter)
   fastify.post('/pages/preview', guard, async (request, reply) => {

package/server/routes/api/settings.js

@@ -5,8 +5,7 @@
  * POST /api/settings/test-email - send a test email using stored SMTP config
  */
 import { getConfig, saveConfig } from '../../config.js';
-import { authenticate, requireRole } from '../../middleware/auth.js';
-import { config } from '../../config.js';
+import { authenticate, requirePermission } from '../../middleware/auth.js';
 import nodemailer from 'nodemailer';
 import fs from 'fs/promises';
 import path from 'path';
@@ -17,7 +16,7 @@ const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
 const CUSTOM_CSS_MAX  = 100 * 1024; // 100 KB
 
 export async function settingsRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requireRole(config.auth.permissions.settings)] };
+    const guard = { preHandler: [authenticate, requirePermission('settings')] };
 
     fastify.get('/settings', guard, async () => {
         return getConfig('site');

package/server/routes/api/users.js

@@ -6,8 +6,8 @@
  * PUT    /api/users/:id  - update user (admin, manager — manager cannot edit admin)
  * DELETE /api/users/:id  - delete user (admin, manager — manager cannot delete admin, no self-delete)
  */
-import { authenticate, requireRole, canManageUser } from '../../middleware/auth.js';
-import { config } from '../../config.js';
+import { authenticate, requirePermission, canManageUser } from '../../middleware/auth.js';
+import { getPermissionsFor } from '../../services/userTypes.js';
 import {
     listUsers,
     getUserById,
@@ -16,10 +16,8 @@ import {
     deleteUser
 } from '../../services/users.js';
 
-const { permissions } = config.auth;
-
 export async function usersRoutes(fastify) {
-    const guard = [authenticate, requireRole(permissions.users)];
+    const guard = [authenticate, requirePermission('users')];
 
     // List all users
     fastify.get('/users', { preHandler: guard }, async () => {
@@ -32,7 +30,7 @@ export async function usersRoutes(fastify) {
         const actor = request.user;
 
         const isSelf = actor.id === id;
-        const canManage = permissions.users.includes(actor.role);
+        const canManage = getPermissionsFor('users').includes(actor.role);
 
         if (!isSelf && !canManage) {
             return reply.code(403).send({ error: 'Forbidden' });

package/server/routes/public.js

@@ -7,6 +7,7 @@
 import {getPage} from '../services/content.js';
 import {renderPage} from '../services/renderer.js';
 import {config} from '../config.js';
+import { getRoleLevel } from '../services/userTypes.js';
 
 export async function publicRoutes(fastify) {
     // Admin panel: serve index.html for all /admin/* paths (SPA fallback)
@@ -56,9 +57,8 @@ export async function publicRoutes(fastify) {
         } catch { /* no token — treat as unauthenticated */
         }
 
-        const roles = config.auth.roles;
-        const userLevel = roles[userRole]?.level ?? Infinity;
-        const requiredLevel = roles[page.visibility]?.level ?? 0;
+        const userLevel    = getRoleLevel(userRole);
+        const requiredLevel = getRoleLevel(page.visibility) === Infinity ? 0 : getRoleLevel(page.visibility);
 
         if (userLevel > requiredLevel) {
           reply.status(403);