domma-cms 0.8.7 → 0.9.0

package/plugins/todo/collections/todos/schema.json

@@ -0,0 +1,59 @@
+{
+  "slug": "todos",
+  "title": "Todos",
+  "description": "Todo items managed by the Todo plugin.",
+  "plugin": "todo",
+  "fields": [
+    {
+      "name": "text",
+      "label": "Task",
+      "type": "text",
+      "required": true
+    },
+    {
+      "name": "status",
+      "label": "Status",
+      "type": "text",
+      "required": false
+    },
+    {
+      "name": "priority",
+      "label": "Priority",
+      "type": "text",
+      "required": false
+    },
+    {
+      "name": "dueAt",
+      "label": "Due Date",
+      "type": "text",
+      "required": false
+    },
+    {
+      "name": "userId",
+      "label": "User ID",
+      "type": "text",
+      "required": false
+    }
+  ],
+  "api": {
+    "create": {
+      "enabled": true,
+      "access": "admin"
+    },
+    "read": {
+      "enabled": true,
+      "access": "admin"
+    },
+    "update": {
+      "enabled": false,
+      "access": "admin"
+    },
+    "delete": {
+      "enabled": false,
+      "access": "admin"
+    }
+  },
+  "storage": {
+    "adapter": "file"
+  }
+}

package/plugins/todo/plugin.js

@@ -4,44 +4,10 @@ import {
     createEntry,
     updateEntry,
     deleteEntry,
-    getEntry,
-    getCollection,
-    createCollection
+    getEntry
 } from '../../server/services/collections.js';
 
 const SLUG = 'todos';
-const STORAGE = defaultConfig.storage ?? {adapter: 'file'};
-
-const FIELDS = [
-    {name: 'text', label: 'Task', type: 'text', required: true},
-    {name: 'status', label: 'Status', type: 'text', required: false},
-    {name: 'priority', label: 'Priority', type: 'text', required: false},
-    {name: 'dueAt', label: 'Due Date', type: 'text', required: false},
-    {name: 'userId', label: 'User ID', type: 'text', required: false}
-];
-
-/**
- * Lifecycle: create the todos collection (MongoDB-backed) on plugin enable.
- */
-export async function onEnable({services: {collections}}) {
-    const existing = await collections.getCollection(SLUG).catch(() => null);
-    if (existing) return;
-    await collections.createCollection({
-        title: 'Todos',
-        slug: SLUG,
-        description: 'Todo items managed by the Todo plugin.',
-        fields: FIELDS,
-        storage: STORAGE
-    });
-}
-
-/**
- * Lifecycle: remove the todos collection on plugin disable.
- */
-export async function onDisable({services: {collections}}) {
-    await collections.deleteCollection(SLUG).catch(() => {
-    });
-}
 
 /** Flatten a collection entry into the shape the admin view expects. */
 function toTodo(entry) {
@@ -57,19 +23,6 @@ export default async function todoPlugin(fastify, options) {
     const { authenticate } = options.auth;
     const config = {...defaultConfig, ...(options.settings || {})};
     const scope = config.scope ?? 'user';
-    const storage = config.storage ?? STORAGE;
-
-    // Auto-create the collection if it doesn't exist yet.
-    const existing = await getCollection(SLUG).catch(() => null);
-    if (!existing) {
-        await createCollection({
-            title: 'Todos',
-            slug: SLUG,
-            description: 'Todo items managed by the Todo plugin.',
-            fields: FIELDS,
-            storage
-        }).catch(err => fastify.log.warn(`[todo] Collection setup: ${err.message}`));
-    }
 
     function userId(request) {
         return scope === 'user' ? (request.user?.id ?? request.user?.sub ?? null) : null;

package/server/routes/api/blocks.js

@@ -6,20 +6,8 @@
  * PUT    /api/blocks/:name   - create or update block
  * DELETE /api/blocks/:name   - delete block
  */
-import path from 'path';
-import fs from 'fs/promises';
-import {fileURLToPath} from 'url';
 import {authenticate, requirePermission} from '../../middleware/auth.js';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const ROOT = path.resolve(__dirname, '../../..');
-const BLOCKS_DIR = path.join(ROOT, 'content', 'blocks');
-
-const NAME_RE = /^[a-z0-9][a-z0-9-]*$/;
-
-function blockPath(name) {
-    return path.join(BLOCKS_DIR, `${name}.html`);
-}
+import {deleteBlock, getBlock, listBlocks, saveBlock} from '../../services/blocks.js';
 
 export async function blocksRoutes(fastify) {
     const canRead = {preHandler: [authenticate, requirePermission('pages', 'read')]};
@@ -28,57 +16,45 @@ export async function blocksRoutes(fastify) {
 
     // List all blocks
     fastify.get('/blocks', canRead, async () => {
-        await fs.mkdir(BLOCKS_DIR, {recursive: true});
-        const files = await fs.readdir(BLOCKS_DIR);
-        const blocks = [];
-        for (const file of files.filter(f => f.endsWith('.html'))) {
-            const name = file.slice(0, -5);
-            const stat = await fs.stat(path.join(BLOCKS_DIR, file)).catch(() => null);
-            blocks.push({
-                name,
-                size: stat?.size ?? 0,
-                updatedAt: stat?.mtime?.toISOString() ?? null
-            });
-        }
-        return blocks.sort((a, b) => a.name.localeCompare(b.name));
+        return listBlocks();
     });
 
     // Get single block
     fastify.get('/blocks/:name', canRead, async (request, reply) => {
         const {name} = request.params;
-        if (!NAME_RE.test(name)) return reply.status(400).send({error: 'Invalid block name'});
-
         try {
-            const content = await fs.readFile(blockPath(name), 'utf8');
-            return {name, content};
-        } catch {
-            return reply.status(404).send({error: 'Block not found'});
+            return await getBlock(name);
+        } catch (err) {
+            if (err.code === 'INVALID_NAME') return reply.status(400).send({error: err.message});
+            if (err.code === 'ENOENT') return reply.status(404).send({error: 'Block not found'});
+            throw err;
         }
     });
 
     // Create or update block
     fastify.put('/blocks/:name', canUpdate, async (request, reply) => {
         const {name} = request.params;
-        if (!NAME_RE.test(name)) return reply.status(400).send({error: 'Invalid block name. Use lowercase letters, digits, and hyphens only.'});
-
-        const {content} = request.body || {};
+        const {content, bundled} = request.body || {};
         if (typeof content !== 'string') return reply.status(400).send({error: 'content (string) is required'});
 
-        await fs.mkdir(BLOCKS_DIR, {recursive: true});
-        await fs.writeFile(blockPath(name), content, 'utf8');
-        return {success: true, name};
+        try {
+            return await saveBlock(name, content, {bundled: !!bundled});
+        } catch (err) {
+            if (err.code === 'INVALID_NAME') return reply.status(400).send({error: err.message});
+            throw err;
+        }
     });
 
     // Delete block
     fastify.delete('/blocks/:name', canDelete, async (request, reply) => {
         const {name} = request.params;
-        if (!NAME_RE.test(name)) return reply.status(400).send({error: 'Invalid block name'});
-
         try {
-            await fs.unlink(blockPath(name));
+            await deleteBlock(name);
             return reply.status(204).send();
-        } catch {
-            return reply.status(404).send({error: 'Block not found'});
+        } catch (err) {
+            if (err.code === 'INVALID_NAME') return reply.status(400).send({error: err.message});
+            if (err.code === 'ENOENT') return reply.status(404).send({error: 'Block not found'});
+            throw err;
         }
     });
 }

package/server/routes/api/forms.js

@@ -456,10 +456,17 @@ export async function formsRoutes(fastify) {
 
         hooks.emit('form:submitted', {slug, entryId: entry?.id || null, data, formTitle: form.title});
 
+        // Template interpolation for successRedirect
+        let redirect = settings.successRedirect || null;
+        if (redirect && entry?.id) {
+            redirect = redirect.replace(/\{\{entryId\}\}/g, entry.id);
+        }
+
         return {
             ok:       true,
+            entryId:  entry?.id || null,
             message:  settings.successMessage  || 'Thank you for your submission.',
-            redirect: settings.successRedirect || null
+            redirect: redirect
         };
     });
 

package/server/services/blocks.js

@@ -1,9 +1,9 @@
 /**
  * Blocks Service
- * Seeds default block templates for built-in forms.
- * Never overwrites existing files — user customisations are preserved.
+ * CRUD operations and seeding for reusable HTML block templates in content/blocks/.
+ * Never overwrites existing files during seeding — user customisations are preserved.
  */
-import {access, writeFile} from 'fs/promises';
+import fs from 'fs/promises';
 import path from 'path';
 import {fileURLToPath} from 'url';
 
@@ -19,10 +19,10 @@ const BLOCKS_DIR = path.resolve(__dirname, '../../content/blocks');
 async function seedBlock(name, content) {
     const filePath = path.join(BLOCKS_DIR, `${name}.html`);
     try {
-        await access(filePath);
+        await fs.access(filePath);
         // File exists — leave it alone
     } catch {
-        await writeFile(filePath, content.trim() + '\n', 'utf8');
+        await fs.writeFile(filePath, content.trim() + '\n', 'utf8');
     }
 }
 
@@ -145,6 +145,125 @@ const BLOCKS = {
 
 };
 
+// ---------------------------------------------------------------------------
+// Validation
+// ---------------------------------------------------------------------------
+
+/** Block names must be lowercase alphanumeric + hyphens, no path traversal. */
+const NAME_RE = /^[a-z0-9][a-z0-9-]*$/;
+
+function assertValidName(name) {
+    if (!NAME_RE.test(name)) {
+        const err = new Error('Invalid block name. Use lowercase letters, digits, and hyphens only.');
+        err.code = 'INVALID_NAME';
+        throw err;
+    }
+}
+
+function blockFilePath(name) {
+    return path.join(BLOCKS_DIR, `${name}.html`);
+}
+
+// ---------------------------------------------------------------------------
+// CRUD service functions
+// ---------------------------------------------------------------------------
+
+/**
+ * List all blocks in the blocks directory.
+ *
+ * @returns {Promise<Array<{name: string, size: number, updatedAt: string|null}>>}
+ */
+export async function listBlocks() {
+    await fs.mkdir(BLOCKS_DIR, {recursive: true});
+    const files = await fs.readdir(BLOCKS_DIR);
+    const blocks = [];
+    for (const file of files.filter(f => f.endsWith('.html'))) {
+        const name = file.slice(0, -5);
+        const fileStat = await fs.stat(path.join(BLOCKS_DIR, file)).catch(() => null);
+        let bundled = false;
+        try {
+            const meta = JSON.parse(await fs.readFile(path.join(BLOCKS_DIR, `${name}.meta.json`), 'utf8'));
+            bundled = !!meta.bundled;
+        } catch { /* no meta file */ }
+        blocks.push({
+            name,
+            size: fileStat?.size ?? 0,
+            updatedAt: fileStat?.mtime?.toISOString() ?? null,
+            bundled,
+        });
+    }
+    return blocks.sort((a, b) => a.name.localeCompare(b.name));
+}
+
+/**
+ * Read a single block's content by name.
+ *
+ * @param {string} name - Block name (without .html extension)
+ * @returns {Promise<{name: string, content: string}>}
+ * @throws {Error} With code INVALID_NAME or ENOENT when not found
+ */
+export async function getBlock(name) {
+    assertValidName(name);
+    try {
+        const content = await fs.readFile(blockFilePath(name), 'utf8');
+        let bundled = false;
+        try {
+            const meta = JSON.parse(await fs.readFile(path.join(BLOCKS_DIR, `${name}.meta.json`), 'utf8'));
+            bundled = !!meta.bundled;
+        } catch { /* no meta file */ }
+        return {name, content, bundled};
+    } catch (err) {
+        if (err.code === 'ENOENT') {
+            const notFound = new Error('Block not found');
+            notFound.code = 'ENOENT';
+            throw notFound;
+        }
+        throw err;
+    }
+}
+
+/**
+ * Create or update a block file (upsert).
+ *
+ * @param {string} name    - Block name (without .html extension)
+ * @param {string} content - HTML template content
+ * @returns {Promise<{success: boolean, name: string}>}
+ * @throws {Error} With code INVALID_NAME on bad name
+ */
+export async function saveBlock(name, content, {bundled} = {}) {
+    assertValidName(name);
+    await fs.mkdir(BLOCKS_DIR, {recursive: true});
+    await fs.writeFile(blockFilePath(name), content, 'utf8');
+    const metaPath = path.join(BLOCKS_DIR, `${name}.meta.json`);
+    if (bundled) {
+        await fs.writeFile(metaPath, JSON.stringify({bundled: true}, null, 2) + '\n', 'utf8');
+    } else {
+        await fs.unlink(metaPath).catch(() => {});
+    }
+    return {success: true, name};
+}
+
+/**
+ * Delete a block file.
+ *
+ * @param {string} name - Block name (without .html extension)
+ * @returns {Promise<void>}
+ * @throws {Error} With code INVALID_NAME or ENOENT when not found
+ */
+export async function deleteBlock(name) {
+    assertValidName(name);
+    try {
+        await fs.unlink(blockFilePath(name));
+    } catch (err) {
+        if (err.code === 'ENOENT') {
+            const notFound = new Error('Block not found');
+            notFound.code = 'ENOENT';
+            throw notFound;
+        }
+        throw err;
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------

package/server/services/collections.js

@@ -36,7 +36,13 @@ function slugify(str) {
 
 async function readSchema(slug) {
     const raw = await fs.readFile(schemaPath(slug), 'utf8');
-    return JSON.parse(raw);
+    const schema = JSON.parse(raw);
+    // Normalise legacy 'preset' flag — both mean "bundled with fresh installs"
+    if (schema.preset && !schema.bundled) {
+        schema.bundled = true;
+        delete schema.preset;
+    }
+    return schema;
 }
 
 async function writeSchema(schema) {
@@ -115,7 +121,7 @@ export async function getCollection(slug) {
  * @returns {Promise<object>} Created schema
  * @throws {Error} If a collection with that slug already exists
  */
-export async function createCollection({title, slug, description = '', fields = [], api = {}, storage}) {
+export async function createCollection({title, slug, description = '', fields = [], api = {}, storage, bundled, plugin}) {
     await ensureDir();
     const finalSlug = slug ? slugify(slug) : slugify(title);
     if (!finalSlug) throw new Error('Could not derive a slug from the title');
@@ -133,6 +139,8 @@ export async function createCollection({title, slug, description = '', fields =
         slug: finalSlug,
         title: title.trim(),
         description: description.trim(),
+        ...(bundled ? {bundled: true} : {}),
+        ...(plugin ? {plugin} : {}),
         fields,
         api: { ...defaultApiAccess(), ...api },
         storage: storage || {adapter: 'file'},
@@ -157,14 +165,20 @@ export async function updateCollection(slug, updates) {
     const schema = await getCollection(slug);
     if (!schema) throw new Error(`Collection "${slug}" not found`);
 
-    const { slug: _ignore, createdAt, ...rest } = updates;
+    const { slug: _ignore, createdAt, plugin: _plugin, bundled: _bundled, ...rest } = updates;
     const updated = {
         ...schema,
         ...rest,
+        // bundled is user-editable — set from update, omit if falsy
+        ...(updates.bundled ? {bundled: true} : {}),
+        // plugin is ownership metadata — never overwrite from updates
+        ...(schema.plugin ? {plugin: schema.plugin} : {}),
         slug,
         createdAt: schema.createdAt,
         updatedAt: new Date().toISOString()
     };
+    // Clear bundled from schema if it was unchecked (schema spread may have preserved old value)
+    if (!updates.bundled) delete updated.bundled;
 
     await writeSchema(updated);
 

package/server/services/forms.js

@@ -90,6 +90,84 @@ export function slugify(str) {
     return str.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
 }
 
+/**
+ * Get a single form definition by slug (alias for readForm).
+ *
+ * @param {string} slug
+ * @returns {Promise<object>}
+ * @throws {Error} If the form file does not exist or cannot be parsed.
+ */
+export async function getForm(slug) {
+    return readForm(slug);
+}
+
+/**
+ * Create a new form definition and write it to disk.
+ *
+ * @param {object} data - Form definition data
+ * @param {string} data.title - Form title (required if no slug)
+ * @param {string} [data.slug] - Explicit slug (derived from title if omitted)
+ * @param {string} [data.description]
+ * @param {Array}  [data.fields]
+ * @param {object} [data.settings]
+ * @param {object} [data.actions]
+ * @returns {Promise<object>} The created form object
+ * @throws {Error} If title is missing, slug cannot be derived, or a form with the slug already exists.
+ */
+export async function createForm(data) {
+    const { title, slug: rawSlug, description = '', fields = [], settings = {}, actions = {}, plugin } = data || {};
+
+    if (!title?.trim() && !rawSlug?.trim()) {
+        throw new Error('A title or slug is required to create a form.');
+    }
+
+    const slug = rawSlug ? slugify(rawSlug) : slugify(title);
+    if (!slug) {
+        throw new Error('Could not derive a valid slug from the provided title or slug.');
+    }
+
+    // Throw if a form with this slug already exists
+    try {
+        await readForm(slug);
+        const err = new Error(`Form with slug "${slug}" already exists`);
+        err.code = 'FORM_ALREADY_EXISTS';
+        throw err;
+    } catch (err) {
+        if (err.code === 'FORM_ALREADY_EXISTS') throw err;
+        // File not found — safe to proceed
+    }
+
+    const now = new Date().toISOString();
+    const trimmedTitle = title ? title.trim() : slug;
+
+    const form = {
+        slug,
+        title: trimmedTitle,
+        description,
+        ...(plugin ? {plugin} : {}),
+        fields: Array.isArray(fields) ? fields : [],
+        settings: {
+            submitText: 'Submit',
+            successMessage: 'Thank you for your submission.',
+            layout: 'stacked',
+            honeypot: true,
+            rateLimitPerMinute: 3,
+            ...settings
+        },
+        actions: {
+            email:      { enabled: false, recipients: '', subjectPrefix: `[${trimmedTitle}]` },
+            webhook:    { enabled: false, url: '', method: 'POST' },
+            collection: { enabled: true, slug },
+            ...actions
+        },
+        createdAt: now,
+        updatedAt: now
+    };
+
+    await writeForm(slug, form);
+    return form;
+}
+
 /** System collections that should never have an auto-generated public form. */
 const NO_FORM_SLUGS = new Set(['roles', 'user-profiles']);