domma-cms 0.3.0 → 0.5.2

package/server/routes/api/plugins.js

@@ -4,12 +4,15 @@
  * PUT /api/plugins/:name        - enable/disable, update settings (admin only)
  * GET /api/plugins/admin-config - sidebar/routes/views for enabled plugins (authenticated)
  */
-import { authenticate, requireAdmin } from '../../middleware/auth.js';
+import { authenticate, requireAdmin, requirePermission } from '../../middleware/auth.js';
 import { discoverPlugins, getPluginStates, savePluginState, getAdminPluginConfig } from '../../services/plugins.js';
 
 export async function pluginsRoutes(fastify) {
+    const canRead   = { preHandler: [authenticate, requirePermission('plugins', 'read')]   };
+    const canUpdate = { preHandler: [authenticate, requirePermission('plugins', 'update')] };
+
     // List all plugins with their current state
-    fastify.get('/plugins', { preHandler: [authenticate, requireAdmin] }, async () => {
+    fastify.get('/plugins', canRead, async () => {
         const manifests = await discoverPlugins();
         const states = getPluginStates();
 
@@ -27,7 +30,7 @@ export async function pluginsRoutes(fastify) {
     });
 
     // Enable/disable or update settings for a plugin
-    fastify.put('/plugins/:name', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+    fastify.put('/plugins/:name', canUpdate, async (request, reply) => {
         const { name } = request.params;
         const { enabled, settings } = request.body || {};
 

package/server/routes/api/settings.js

@@ -1,88 +1,104 @@
-/**
- * Settings API
- * GET  /api/settings            - get site settings
- * PUT  /api/settings            - save site settings
- * POST /api/settings/test-email - send a test email using stored SMTP config
- */
-import { getConfig, saveConfig } from '../../config.js';
-import { authenticate, requirePermission } from '../../middleware/auth.js';
-import nodemailer from 'nodemailer';
-import fs from 'fs/promises';
-import path from 'path';
-import {fileURLToPath} from 'url';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
-const CUSTOM_CSS_MAX  = 100 * 1024; // 100 KB
-
-export async function settingsRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requirePermission('settings')] };
-
-    fastify.get('/settings', guard, async () => {
-        return getConfig('site');
-    });
-
-    fastify.put('/settings', guard, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object') {
-            return reply.status(400).send({ error: 'Invalid settings data' });
-        }
-        saveConfig('site', data);
-        return { success: true };
-    });
-
-    fastify.post('/settings/test-email', guard, async (request, reply) => {
-        const smtp = getConfig('site')?.smtp;
-        if (!smtp?.host) {
-            return reply.status(400).send({ error: 'SMTP is not configured. Save your SMTP settings first.' });
-        }
-
-        const transporter = nodemailer.createTransport({
-            host:   smtp.host,
-            port:   smtp.port || 587,
-            secure: smtp.secure || false,
-            auth:   smtp.user ? { user: smtp.user, pass: smtp.pass } : undefined
-        });
-
-        const to = request.body?.to || smtp.fromAddress;
-        if (!to) {
-            return reply.status(400).send({ error: 'No recipient address. Provide "to" in the request body or set a From Address.' });
-        }
-
-        try {
-            await transporter.sendMail({
-                from:    smtp.fromName ? `"${smtp.fromName}" <${smtp.fromAddress}>` : smtp.fromAddress,
-                to,
-                subject: 'Domma CMS — Test Email',
-                text:    'This is a test email sent from Domma CMS to verify your SMTP configuration.',
-                html:    '<p>This is a test email sent from <strong>Domma CMS</strong> to verify your SMTP configuration.</p>'
-            });
-            return { success: true, message: `Test email sent to ${to}` };
-        } catch (err) {
-            return reply.status(500).send({ error: `Failed to send email: ${err.message}` });
-        }
-    });
-
-    // GET /api/settings/custom-css — return current CSS as JSON
-    fastify.get('/settings/custom-css', guard, async () => {
-        try {
-            const css = await fs.readFile(CUSTOM_CSS_FILE, 'utf8');
-            return { css };
-        } catch {
-            return { css: '' };
-        }
-    });
-
-    // PUT /api/settings/custom-css — save CSS to content/custom.css
-    fastify.put('/settings/custom-css', guard, async (request, reply) => {
-        const { css } = request.body || {};
-        if (typeof css !== 'string') {
-            return reply.status(400).send({ error: 'css must be a string.' });
-        }
-        if (Buffer.byteLength(css, 'utf8') > CUSTOM_CSS_MAX) {
-            return reply.status(400).send({ error: 'CSS exceeds the 100 KB limit.' });
-        }
-        await fs.writeFile(CUSTOM_CSS_FILE, css, 'utf8');
-        return { success: true };
-    });
-}
+/**
+ * Settings API
+ * GET  /api/settings            - get site settings
+ * PUT  /api/settings            - save site settings
+ * POST /api/settings/test-email - send a test email using stored SMTP config
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import nodemailer from 'nodemailer';
+import fs from 'fs/promises';
+import path from 'path';
+import {fileURLToPath} from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
+const CUSTOM_CSS_MAX  = 100 * 1024; // 100 KB
+
+export async function settingsRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('settings', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('settings', 'update')]};
+
+    fastify.get('/settings', canRead, async (request, reply) => {
+        const config = getConfig('site');
+        const safeConfig = { ...config };
+        if (safeConfig.smtp) {
+            safeConfig.smtp = { ...safeConfig.smtp, pass: '' };
+        }
+        return reply.send(safeConfig);
+    });
+
+    fastify.put('/settings', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid settings data' });
+        }
+        const ALLOWED_KEYS = new Set([
+            'title', 'tagline', 'description', 'logo', 'favicon',
+            'theme', 'adminTheme', 'fontFamily', 'fontSize',
+            'smtp', 'footer', 'analytics', 'social', 'locale',
+            'layoutOptions', 'seo', 'backToTop', 'cookieConsent', 'breadcrumbs', 'autoTheme'
+        ]);
+        const unknownKeys = Object.keys(data).filter(k => !ALLOWED_KEYS.has(k));
+        if (unknownKeys.length > 0) {
+            return reply.status(400).send({ error: `Unknown settings keys: ${unknownKeys.join(', ')}` });
+        }
+        saveConfig('site', data);
+        return { success: true };
+    });
+
+    fastify.post('/settings/test-email', canRead, async (request, reply) => {
+        const smtp = getConfig('site')?.smtp;
+        if (!smtp?.host) {
+            return reply.status(400).send({ error: 'SMTP is not configured. Save your SMTP settings first.' });
+        }
+
+        const transporter = nodemailer.createTransport({
+            host:   smtp.host,
+            port:   smtp.port || 587,
+            secure: smtp.secure || false,
+            auth:   smtp.user ? { user: smtp.user, pass: smtp.pass } : undefined
+        });
+
+        const to = request.body?.to || smtp.fromAddress;
+        if (!to) {
+            return reply.status(400).send({ error: 'No recipient address. Provide "to" in the request body or set a From Address.' });
+        }
+
+        try {
+            await transporter.sendMail({
+                from:    smtp.fromName ? `"${smtp.fromName}" <${smtp.fromAddress}>` : smtp.fromAddress,
+                to,
+                subject: 'Domma CMS — Test Email',
+                text:    'This is a test email sent from Domma CMS to verify your SMTP configuration.',
+                html:    '<p>This is a test email sent from <strong>Domma CMS</strong> to verify your SMTP configuration.</p>'
+            });
+            return { success: true, message: `Test email sent to ${to}` };
+        } catch (err) {
+            return reply.status(500).send({ error: `Failed to send email: ${err.message}` });
+        }
+    });
+
+    // GET /api/settings/custom-css — return current CSS as JSON
+    fastify.get('/settings/custom-css', canUpdate, async () => {
+        try {
+            const css = await fs.readFile(CUSTOM_CSS_FILE, 'utf8');
+            return { css };
+        } catch {
+            return { css: '' };
+        }
+    });
+
+    // PUT /api/settings/custom-css — save CSS to content/custom.css
+    fastify.put('/settings/custom-css', canUpdate, async (request, reply) => {
+        const { css } = request.body || {};
+        if (typeof css !== 'string') {
+            return reply.status(400).send({ error: 'css must be a string.' });
+        }
+        if (Buffer.byteLength(css, 'utf8') > CUSTOM_CSS_MAX) {
+            return reply.status(400).send({ error: 'CSS exceeds the 100 KB limit.' });
+        }
+        await fs.writeFile(CUSTOM_CSS_FILE, css, 'utf8');
+        return { success: true };
+    });
+}

package/server/routes/api/users.js

@@ -6,22 +6,21 @@
  * PUT    /api/users/:id  - update user (admin, manager — manager cannot edit admin)
  * DELETE /api/users/:id  - delete user (admin, manager — manager cannot delete admin, no self-delete)
  */
-import { authenticate, requirePermission, canManageUser } from '../../middleware/auth.js';
-import { getPermissionsFor } from '../../services/userTypes.js';
-import {
-    listUsers,
-    getUserById,
-    createUser,
-    updateUser,
-    deleteUser
-} from '../../services/users.js';
+import {authenticate, canManageUser, requirePermission} from '../../middleware/auth.js';
+import {getPermissionsFor} from '../../services/roles.js';
+import {createUser, deleteUser, getUserById, listUsers, updateUser} from '../../services/users.js';
+import {getProfile, listProfiles, updateProfile} from '../../services/userProfiles.js';
 
 export async function usersRoutes(fastify) {
-    const guard = [authenticate, requirePermission('users')];
+    const canRead = [authenticate, requirePermission('users', 'read')];
+    const canCreate = [authenticate, requirePermission('users', 'create')];
+    const canUpdate = [authenticate, requirePermission('users', 'update')];
+    const canDelete = [authenticate, requirePermission('users', 'delete')];
 
     // List all users
-    fastify.get('/users', { preHandler: guard }, async () => {
-        return listUsers();
+    fastify.get('/users', {preHandler: canRead}, async () => {
+        const [users, profiles] = await Promise.all([listUsers(), listProfiles()]);
+        return users.map(u => ({...u, profile: profiles.get(u.id) || {}}));
     });
 
     // Get single user (admin, manager, or the user themselves)
@@ -30,7 +29,7 @@ export async function usersRoutes(fastify) {
         const actor = request.user;
 
         const isSelf = actor.id === id;
-        const canManage = getPermissionsFor('users').includes(actor.role);
+        const canManage = getPermissionsFor('users', 'read').includes(actor.role);
 
         if (!isSelf && !canManage) {
             return reply.code(403).send({ error: 'Forbidden' });
@@ -38,11 +37,12 @@ export async function usersRoutes(fastify) {
 
         const user = await getUserById(id);
         if (!user) return reply.status(404).send({ error: 'User not found' });
-        return user;
+        const profileEntry = await getProfile(id);
+        return {...user, profile: profileEntry?.data || {}};
     });
 
     // Create user
-    fastify.post('/users', { preHandler: guard }, async (request, reply) => {
+    fastify.post('/users', {preHandler: canCreate}, async (request, reply) => {
         const { name, email, password, role } = request.body || {};
         if (!name || !email || !password) {
             return reply.status(400).send({ error: 'name, email and password are required' });
@@ -65,7 +65,7 @@ export async function usersRoutes(fastify) {
     });
 
     // Update user
-    fastify.put('/users/:id', { preHandler: guard }, async (request, reply) => {
+    fastify.put('/users/:id', {preHandler: canUpdate}, async (request, reply) => {
         const { id } = request.params;
         const actor = request.user;
 
@@ -82,12 +82,20 @@ export async function usersRoutes(fastify) {
             return reply.code(403).send({ error: 'You cannot assign that role' });
         }
 
-        const user = await updateUser(id, updates);
-        return user;
+        // Strip profile from core updates and handle separately
+        const {profile, ...coreUpdates} = updates;
+        const user = await updateUser(id, coreUpdates);
+
+        if (profile && typeof profile === 'object') {
+            await updateProfile(id, profile);
+        }
+
+        const profileEntry = await getProfile(id);
+        return {...user, profile: profileEntry?.data || {}};
     });
 
     // Delete user
-    fastify.delete('/users/:id', { preHandler: guard }, async (request, reply) => {
+    fastify.delete('/users/:id', {preHandler: canDelete}, async (request, reply) => {
         const { id } = request.params;
         const actor = request.user;
 

package/server/routes/api/views.js

@@ -0,0 +1,148 @@
+/**
+ * Views API (Pro — requires MongoDB)
+ *
+ * Admin endpoints (authenticated + views permission):
+ * GET    /views                     - List all view configs
+ * POST   /views                     - Create view config
+ * GET    /views/:slug               - Get view config
+ * PUT    /views/:slug               - Update view config
+ * DELETE /views/:slug               - Delete view config
+ * GET    /views/:slug/execute       - Execute view (admin)
+ * GET    /views/collection/:slug    - List views targeting a collection
+ *
+ * Public endpoint (role-checked per view access config):
+ * GET    /views/:slug/public        - Execute view publicly
+ */
+import {createView, deleteView, executeView, getView, listViews, updateView} from '../../services/views.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import {getRoleLevel} from '../../services/roles.js';
+
+export async function viewsRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('views', 'read')]};
+    const canCreate = {preHandler: [authenticate, requirePermission('views', 'create')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('views', 'update')]};
+    const canDelete = {preHandler: [authenticate, requirePermission('views', 'delete')]};
+
+    // -------------------------------------------------------------------------
+    // Admin CRUD
+    // -------------------------------------------------------------------------
+
+    fastify.get('/views', canRead, async (request, reply) => {
+        try {
+            return await listViews();
+        } catch (err) {
+            return reply.status(503).send({ error: err.message });
+        }
+    });
+
+    fastify.post('/views', canCreate, async (request, reply) => {
+        try {
+            const view = await createView(request.body || {}, request.user?.id || null);
+            return reply.status(201).send(view);
+        } catch (err) {
+            const status = err.message.includes('already exists') ? 409 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    // Static sub-routes must be declared before the parameterised :slug route
+    // so Fastify's radix router gives them priority.
+    fastify.get('/views/collection/:collectionSlug', canRead, async (request, reply) => {
+        try {
+            const allViews = await listViews();
+            return allViews.filter(v => v.pipeline?.source === request.params.collectionSlug);
+        } catch (err) {
+            return reply.status(503).send({ error: err.message });
+        }
+    });
+
+    fastify.get('/views/:slug', canRead, async (request, reply) => {
+        try {
+            const view = await getView(request.params.slug);
+            if (!view) return reply.status(404).send({ error: 'View not found' });
+            return view;
+        } catch (err) {
+            return reply.status(503).send({ error: err.message });
+        }
+    });
+
+    fastify.put('/views/:slug', canUpdate, async (request, reply) => {
+        try {
+            return await updateView(request.params.slug, request.body || {});
+        } catch (err) {
+            const status = err.message.includes('not found') ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    fastify.delete('/views/:slug', canDelete, async (request, reply) => {
+        try {
+            await deleteView(request.params.slug);
+            return { success: true };
+        } catch (err) {
+            const status = err.message.includes('not found') ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    // -------------------------------------------------------------------------
+    // Execute (admin)
+    // -------------------------------------------------------------------------
+
+    fastify.get('/views/:slug/execute', canRead, async (request, reply) => {
+        const { page, limit } = request.query;
+        try {
+            return await executeView(request.params.slug, {
+                page:  parseInt(page,  10) || 1,
+                limit: parseInt(limit, 10) || 25,
+                user: request.user || null
+            });
+        } catch (err) {
+            const status = err.message.includes('not found') ? 404 : 400;
+            return reply.status(status).send({ error: err.message });
+        }
+    });
+
+    // -------------------------------------------------------------------------
+    // Public execute (role-checked per view access config)
+    // -------------------------------------------------------------------------
+
+    fastify.get('/views/:slug/public', async (request, reply) => {
+        let view;
+        try {
+            view = await getView(request.params.slug);
+        } catch (err) {
+            return reply.status(503).send({ error: err.message });
+        }
+
+        if (!view) return reply.status(404).send({ error: 'View not found' });
+
+        if (!view.access?.public) {
+            try {
+                await request.jwtVerify();
+            } catch {
+                return reply.status(401).send({ error: 'Unauthorised' });
+            }
+
+            const user          = request.user;
+            const allowedRoles  = view.access?.roles || ['admin'];
+            const userLevel     = getRoleLevel(user?.role);
+            const minAllowed    = Math.min(...allowedRoles.map(r => getRoleLevel(r)));
+
+            if (userLevel > minAllowed) {
+                return reply.status(403).send({ error: 'Insufficient permissions' });
+            }
+        }
+
+        const { page, limit } = request.query;
+        try {
+            return await executeView(view.slug, {
+                page:  parseInt(page,  10) || 1,
+                limit: parseInt(limit, 10) || 25,
+                user: request.user || null
+            });
+        } catch (err) {
+            return reply.status(400).send({ error: err.message });
+        }
+    });
+}