domma-cms 0.22.6 → 0.24.0

package/server/routes/api/navigation.js

@@ -1,42 +1,42 @@
-/**
- * Navigation API
- * GET /api/navigation    - get navigation config
- * PUT /api/navigation    - save navigation config
- */
-import {getConfig, saveConfig} from '../../config.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-import * as cache from '../../services/cache/index.js';
-
-export async function navigationRoutes(fastify) {
-    const canRead = {preHandler: [authenticate, requirePermission('navigation', 'read')]};
-    const canUpdate = {preHandler: [authenticate, requirePermission('navigation', 'update')]};
-
-    fastify.get('/navigation', canRead, async () => {
-        return getConfig('navigation');
-    });
-
-    fastify.put('/navigation', canUpdate, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object') {
-            return reply.status(400).send({ error: 'Invalid navigation data' });
-        }
-        if (!Array.isArray(data.items) && !Array.isArray(data)) {
-            return reply.status(400).send({ error: 'Navigation must be an array of items' });
-        }
-        // Normalise child key: Domma navbar expects `items`, not `children`
-        if (Array.isArray(data.items)) {
-            data.items = data.items.map(item => {
-                const children = item.items || item.children;
-                if (children?.length) {
-                    const { children: _c, ...rest } = item;
-                    return { ...rest, items: children };
-                }
-                const { children: _c, ...rest } = item;
-                return rest;
-            });
-        }
-        saveConfig('navigation', data);
-        await cache.invalidateTags(['nav']);
-        return { success: true };
-    });
-}
+/**
+ * Navigation API
+ * GET /api/navigation    - get navigation config
+ * PUT /api/navigation    - save navigation config
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import * as cache from '../../services/cache/index.js';
+
+export async function navigationRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('navigation', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('navigation', 'update')]};
+
+    fastify.get('/navigation', canRead, async () => {
+        return getConfig('navigation');
+    });
+
+    fastify.put('/navigation', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid navigation data' });
+        }
+        if (!Array.isArray(data.items) && !Array.isArray(data)) {
+            return reply.status(400).send({ error: 'Navigation must be an array of items' });
+        }
+        // Normalise child key: Domma navbar expects `items`, not `children`
+        if (Array.isArray(data.items)) {
+            data.items = data.items.map(item => {
+                const children = item.items || item.children;
+                if (children?.length) {
+                    const { children: _c, ...rest } = item;
+                    return { ...rest, items: children };
+                }
+                const { children: _c, ...rest } = item;
+                return rest;
+            });
+        }
+        saveConfig('navigation', data);
+        await cache.invalidateTags(['nav']);
+        return { success: true };
+    });
+}

package/server/routes/api/projects.js

@@ -5,9 +5,9 @@
  * GET    /api/projects/:slug                 — full project
  * POST   /api/projects                       — create
  * PUT    /api/projects/:slug                 — edit (slug immutable)
- * DELETE /api/projects/:slug                 — delete (409 if any artefacts tagged)
+ * DELETE /api/projects/:slug                 — delete (403 for core; 409 if any artefacts tagged)
  * GET    /api/projects/:slug/artefacts       — grouped artefacts
- * POST   /api/projects/:slug/untag-all       — escape hatch before delete
+ * POST   /api/projects/:slug/untag-all       — escape hatch before delete (403 for core)
  *
  * Auth middlewares are accepted as DI options so tests can supply no-ops.
  */
@@ -16,6 +16,7 @@ import {
     requirePermission as defaultRequirePermission
 } from '../../middleware/auth.js';
 import {
+    CORE_PROJECT_SLUG,
     createProject,
     deleteProject,
     getArtefactsForProject,
@@ -76,6 +77,9 @@ export async function projectsRoutes(fastify, opts = {}) {
     });
 
     fastify.delete('/projects/:slug', canDelete, async (request, reply) => {
+        if (request.params.slug === CORE_PROJECT_SLUG) {
+            return reply.status(403).send({error: 'Cannot delete the core project'});
+        }
         const grouped = await getArtefactsForProject(request.params.slug);
         const total = Object.values(grouped).reduce((sum, arr) => sum + arr.length, 0);
         if (total > 0) {
@@ -98,6 +102,9 @@ export async function projectsRoutes(fastify, opts = {}) {
     });
 
     fastify.post('/projects/:slug/untag-all', canDelete, async (request, reply) => {
+        if (request.params.slug === CORE_PROJECT_SLUG) {
+            return reply.status(403).send({error: 'Cannot untag the core project — artefacts would immediately resolve back to it'});
+        }
         if (!(await getProject(request.params.slug))) {
             return reply.status(404).send({error: 'Project not found'});
         }

package/server/routes/api/settings.js

@@ -1,141 +1,141 @@
-/**
- * Settings API
- * GET  /api/settings            - get site settings
- * PUT  /api/settings            - save site settings
- * POST /api/settings/test-email - send a test email using stored SMTP config
- */
-import {getConfig, saveConfig} from '../../config.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-import nodemailer from 'nodemailer';
-import fs from 'fs/promises';
-import path from 'path';
-import {fileURLToPath} from 'url';
-import * as cache from '../../services/cache/index.js';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
-const CONNECTIONS_FILE = path.resolve(__dirname, '../../../config/connections.json');
-const CUSTOM_CSS_MAX = 100 * 1024; // 100 KB
-
-export async function settingsRoutes(fastify) {
-    const canRead = {preHandler: [authenticate, requirePermission('settings', 'read')]};
-    const canUpdate = {preHandler: [authenticate, requirePermission('settings', 'update')]};
-
-    fastify.get('/settings', canRead, async (request, reply) => {
-        const config = getConfig('site');
-        const safeConfig = { ...config };
-        if (safeConfig.smtp) {
-            safeConfig.smtp = { ...safeConfig.smtp, pass: '' };
-        }
-        return reply.send(safeConfig);
-    });
-
-    fastify.put('/settings', canUpdate, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object') {
-            return reply.status(400).send({ error: 'Invalid settings data' });
-        }
-        const ALLOWED_KEYS = new Set([
-            'title', 'tagline', 'description', 'logo', 'favicon',
-            'theme', 'adminTheme', 'fontFamily', 'fontSize',
-            'smtp', 'footer', 'analytics', 'social', 'locale',
-            'layoutOptions', 'seo', 'backToTop', 'cookieConsent', 'breadcrumbs', 'autoTheme',
-            'adminBrand'
-        ]);
-        const unknownKeys = Object.keys(data).filter(k => !ALLOWED_KEYS.has(k));
-        if (unknownKeys.length > 0) {
-            return reply.status(400).send({ error: `Unknown settings keys: ${unknownKeys.join(', ')}` });
-        }
-        // Merge incoming data with existing config so partial updates (e.g. just adminBrand)
-        // don't wipe unrelated keys. Nested objects get a shallow merge so sub-fields are
-        // preserved even when only some sub-fields are sent.
-        const existing = getConfig('site');
-        const merged = {...existing};
-        for (const [k, v] of Object.entries(data)) {
-            const isPlainObject = v !== null && typeof v === 'object' && !Array.isArray(v);
-            const existingIsPlainObject = existing[k] !== null && typeof existing[k] === 'object' && !Array.isArray(existing[k]);
-            if (isPlainObject && existingIsPlainObject) {
-                merged[k] = {...existing[k], ...v};
-            } else {
-                merged[k] = v;
-            }
-        }
-        // Never erase smtp.pass with the empty string that the GET endpoint injects for safety
-        if (merged.smtp && merged.smtp.pass === '' && existing.smtp?.pass) {
-            merged.smtp = {...merged.smtp, pass: existing.smtp.pass};
-        }
-        saveConfig('site', merged);
-        await cache.invalidateTags(['site']);
-        return { success: true };
-    });
-
-    fastify.post('/settings/test-email', canRead, async (request, reply) => {
-        const smtp = getConfig('site')?.smtp;
-        if (!smtp?.host) {
-            return reply.status(400).send({ error: 'SMTP is not configured. Save your SMTP settings first.' });
-        }
-
-        const transporter = nodemailer.createTransport({
-            host:   smtp.host,
-            port:   smtp.port || 587,
-            secure: smtp.secure || false,
-            auth:   smtp.user ? { user: smtp.user, pass: smtp.pass } : undefined
-        });
-
-        const to = request.body?.to || smtp.fromAddress;
-        if (!to) {
-            return reply.status(400).send({ error: 'No recipient address. Provide "to" in the request body or set a From Address.' });
-        }
-
-        try {
-            await transporter.sendMail({
-                from:    smtp.fromName ? `"${smtp.fromName}" <${smtp.fromAddress}>` : smtp.fromAddress,
-                to,
-                subject: 'Domma CMS — Test Email',
-                text:    'This is a test email sent from Domma CMS to verify your SMTP configuration.',
-                html:    '<p>This is a test email sent from <strong>Domma CMS</strong> to verify your SMTP configuration.</p>'
-            });
-            return { success: true, message: `Test email sent to ${to}` };
-        } catch (err) {
-            return reply.status(500).send({ error: `Failed to send email: ${err.message}` });
-        }
-    });
-
-    // GET /api/settings/db-status — returns whether MongoDB connections are configured
-    fastify.get('/settings/db-status', canRead, async () => {
-        try {
-            const raw = await fs.readFile(CONNECTIONS_FILE, 'utf8');
-            const connections = JSON.parse(raw);
-            const names = Object.keys(connections).filter(k =>
-                connections[k]?.type === 'mongodb' && connections[k]?.uri
-            );
-            return {configured: names.length > 0, connections: names};
-        } catch {
-            return {configured: false, connections: []};
-        }
-    });
-
-    // GET /api/settings/custom-css — return current CSS as JSON
-    fastify.get('/settings/custom-css', canUpdate, async () => {
-        try {
-            const css = await fs.readFile(CUSTOM_CSS_FILE, 'utf8');
-            return { css };
-        } catch {
-            return { css: '' };
-        }
-    });
-
-    // PUT /api/settings/custom-css — save CSS to content/custom.css
-    fastify.put('/settings/custom-css', canUpdate, async (request, reply) => {
-        const { css } = request.body || {};
-        if (typeof css !== 'string') {
-            return reply.status(400).send({ error: 'css must be a string.' });
-        }
-        if (Buffer.byteLength(css, 'utf8') > CUSTOM_CSS_MAX) {
-            return reply.status(400).send({ error: 'CSS exceeds the 100 KB limit.' });
-        }
-        await fs.writeFile(CUSTOM_CSS_FILE, css, 'utf8');
-        await cache.invalidateTags(['site']);
-        return { success: true };
-    });
-}
+/**
+ * Settings API
+ * GET  /api/settings            - get site settings
+ * PUT  /api/settings            - save site settings
+ * POST /api/settings/test-email - send a test email using stored SMTP config
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import nodemailer from 'nodemailer';
+import fs from 'fs/promises';
+import path from 'path';
+import {fileURLToPath} from 'url';
+import * as cache from '../../services/cache/index.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
+const CONNECTIONS_FILE = path.resolve(__dirname, '../../../config/connections.json');
+const CUSTOM_CSS_MAX = 100 * 1024; // 100 KB
+
+export async function settingsRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('settings', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('settings', 'update')]};
+
+    fastify.get('/settings', canRead, async (request, reply) => {
+        const config = getConfig('site');
+        const safeConfig = { ...config };
+        if (safeConfig.smtp) {
+            safeConfig.smtp = { ...safeConfig.smtp, pass: '' };
+        }
+        return reply.send(safeConfig);
+    });
+
+    fastify.put('/settings', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid settings data' });
+        }
+        const ALLOWED_KEYS = new Set([
+            'title', 'tagline', 'description', 'logo', 'favicon',
+            'theme', 'adminTheme', 'fontFamily', 'fontSize',
+            'smtp', 'footer', 'analytics', 'social', 'locale',
+            'layoutOptions', 'seo', 'backToTop', 'cookieConsent', 'breadcrumbs', 'autoTheme',
+            'adminBrand'
+        ]);
+        const unknownKeys = Object.keys(data).filter(k => !ALLOWED_KEYS.has(k));
+        if (unknownKeys.length > 0) {
+            return reply.status(400).send({ error: `Unknown settings keys: ${unknownKeys.join(', ')}` });
+        }
+        // Merge incoming data with existing config so partial updates (e.g. just adminBrand)
+        // don't wipe unrelated keys. Nested objects get a shallow merge so sub-fields are
+        // preserved even when only some sub-fields are sent.
+        const existing = getConfig('site');
+        const merged = {...existing};
+        for (const [k, v] of Object.entries(data)) {
+            const isPlainObject = v !== null && typeof v === 'object' && !Array.isArray(v);
+            const existingIsPlainObject = existing[k] !== null && typeof existing[k] === 'object' && !Array.isArray(existing[k]);
+            if (isPlainObject && existingIsPlainObject) {
+                merged[k] = {...existing[k], ...v};
+            } else {
+                merged[k] = v;
+            }
+        }
+        // Never erase smtp.pass with the empty string that the GET endpoint injects for safety
+        if (merged.smtp && merged.smtp.pass === '' && existing.smtp?.pass) {
+            merged.smtp = {...merged.smtp, pass: existing.smtp.pass};
+        }
+        saveConfig('site', merged);
+        await cache.invalidateTags(['site']);
+        return { success: true };
+    });
+
+    fastify.post('/settings/test-email', canRead, async (request, reply) => {
+        const smtp = getConfig('site')?.smtp;
+        if (!smtp?.host) {
+            return reply.status(400).send({ error: 'SMTP is not configured. Save your SMTP settings first.' });
+        }
+
+        const transporter = nodemailer.createTransport({
+            host:   smtp.host,
+            port:   smtp.port || 587,
+            secure: smtp.secure || false,
+            auth:   smtp.user ? { user: smtp.user, pass: smtp.pass } : undefined
+        });
+
+        const to = request.body?.to || smtp.fromAddress;
+        if (!to) {
+            return reply.status(400).send({ error: 'No recipient address. Provide "to" in the request body or set a From Address.' });
+        }
+
+        try {
+            await transporter.sendMail({
+                from:    smtp.fromName ? `"${smtp.fromName}" <${smtp.fromAddress}>` : smtp.fromAddress,
+                to,
+                subject: 'Domma CMS — Test Email',
+                text:    'This is a test email sent from Domma CMS to verify your SMTP configuration.',
+                html:    '<p>This is a test email sent from <strong>Domma CMS</strong> to verify your SMTP configuration.</p>'
+            });
+            return { success: true, message: `Test email sent to ${to}` };
+        } catch (err) {
+            return reply.status(500).send({ error: `Failed to send email: ${err.message}` });
+        }
+    });
+
+    // GET /api/settings/db-status — returns whether MongoDB connections are configured
+    fastify.get('/settings/db-status', canRead, async () => {
+        try {
+            const raw = await fs.readFile(CONNECTIONS_FILE, 'utf8');
+            const connections = JSON.parse(raw);
+            const names = Object.keys(connections).filter(k =>
+                connections[k]?.type === 'mongodb' && connections[k]?.uri
+            );
+            return {configured: names.length > 0, connections: names};
+        } catch {
+            return {configured: false, connections: []};
+        }
+    });
+
+    // GET /api/settings/custom-css — return current CSS as JSON
+    fastify.get('/settings/custom-css', canUpdate, async () => {
+        try {
+            const css = await fs.readFile(CUSTOM_CSS_FILE, 'utf8');
+            return { css };
+        } catch {
+            return { css: '' };
+        }
+    });
+
+    // PUT /api/settings/custom-css — save CSS to content/custom.css
+    fastify.put('/settings/custom-css', canUpdate, async (request, reply) => {
+        const { css } = request.body || {};
+        if (typeof css !== 'string') {
+            return reply.status(400).send({ error: 'css must be a string.' });
+        }
+        if (Buffer.byteLength(css, 'utf8') > CUSTOM_CSS_MAX) {
+            return reply.status(400).send({ error: 'CSS exceeds the 100 KB limit.' });
+        }
+        await fs.writeFile(CUSTOM_CSS_FILE, css, 'utf8');
+        await cache.invalidateTags(['site']);
+        return { success: true };
+    });
+}