Compare commits
2 Commits
todo/mvp1-
...
todo/mvp1-
| Author | SHA1 | Date | |
|---|---|---|---|
|
741883465c
|
|||
|
7a82934fe7
|
16
TODO.md
16
TODO.md
@@ -145,13 +145,13 @@ This file is the single source of truth for roadmap and delivery progress.
|
||||
- [x] [P1] Artwork refinement fields (medium, dimensions, year, framing, availability, price visibility)
|
||||
- [x] [P1] Artwork rendition management (thumbnail, card, full, retina/custom sizes)
|
||||
- [x] [P1] Type-specific processing presets (artwork/banner/promo/video/gif) with validation rules
|
||||
- [ ] [P1] Users management (invite, roles, status)
|
||||
- [ ] [P1] Disable/ban user function and enforcement in auth/session checks
|
||||
- [~] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
|
||||
- [~] [P1] Commissions management (request intake, owner, due date, notes, linked customer, linked artworks)
|
||||
- [~] [P1] Customer records (contact profile, notes, consent flags, recurrence marker)
|
||||
- [~] [P1] Customer-to-commission linkage and reuse workflow (no re-entry for recurring customers)
|
||||
- [~] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
|
||||
- [x] [P1] Users management (invite, roles, status)
|
||||
- [x] [P1] Disable/ban user function and enforcement in auth/session checks
|
||||
- [x] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
|
||||
- [x] [P1] Commissions management (request intake, owner, due date, notes, linked customer, linked artworks)
|
||||
- [x] [P1] Customer records (contact profile, notes, consent flags, recurrence marker)
|
||||
- [x] [P1] Customer-to-commission linkage and reuse workflow (no re-entry for recurring customers)
|
||||
- [x] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
|
||||
- [x] [P1] Header banner management (message, CTA, active window)
|
||||
- [~] [P1] Announcements management (prominent site notices with schedule, priority, and audience targeting)
|
||||
- [~] [P2] News/blog editorial workflow (draft/review/publish, authoring metadata)
|
||||
@@ -367,6 +367,8 @@ This file is the single source of truth for roadmap and delivery progress.
|
||||
- [2026-02-12] Media type presets baseline completed in upload API: server-side validation now uses shared per-type rules (mime + max size) for `artwork/banner/promotion/video/gif/generic`, with optional env cap override via `CMS_MEDIA_UPLOAD_MAX_BYTES`.
|
||||
- [2026-02-12] Page builder reusable blocks completed: admin block editor now supports full field editing + ordering controls for hero/rich-text/gallery/cta/form/price-cards; public renderer includes form-link behavior for `contact`/`commission` keys.
|
||||
- [2026-02-12] Navigation management completed: admin `/navigation` now supports menu update/delete controls, nested item parent selection via menu-local dropdown, and full order/visibility updates across menus and items.
|
||||
- [2026-02-12] Users management baseline completed: admin `/users` now supports managed user creation, role changes (`admin/editor/manager`), status changes (ban/unban), and protected/system guardrails for role-change/delete/ban actions.
|
||||
- [2026-02-12] Commissions management completed: admin kanban cards now include inline detail editing (assignee/customer/budget/due date/notes), linked-artwork references via `linkedArtworkIds`, and creation/edit flows use assignable users instead of raw ID entry.
|
||||
- [2026-02-12] Public UX pass: commission request flow now reports explicit invalid budget range errors, and header navigation now falls back to localized defaults (`home`, `portfolio`, `news`, `commissions`) when no CMS menu exists; seed data now creates those default menu entries.
|
||||
- [2026-02-12] Added `e2e/public-rendering.pw.ts` web coverage for fallback navigation visibility, portfolio routes, and commission submission validation (invalid budget range + successful submission path).
|
||||
- [2026-02-12] Testing execution is temporarily paused for delivery velocity: root test scripts are stubbed and CI test steps are disabled; all testing backlog is consolidated under `MVP 3: Testing and Quality`.
|
||||
|
||||
@@ -2,8 +2,11 @@ import {
|
||||
commissionKanbanOrder,
|
||||
createCommission,
|
||||
createCustomer,
|
||||
db,
|
||||
listArtworks,
|
||||
listCommissions,
|
||||
listCustomers,
|
||||
updateCommission,
|
||||
updateCommissionStatus,
|
||||
} from "@cms/db"
|
||||
import { Button } from "@cms/ui/button"
|
||||
@@ -67,6 +70,19 @@ function readNullableDate(formData: FormData, field: string): Date | null {
|
||||
return parsed
|
||||
}
|
||||
|
||||
function readUuidList(formData: FormData, field: string): string[] {
|
||||
const raw = readInputString(formData, field)
|
||||
|
||||
if (!raw) {
|
||||
return []
|
||||
}
|
||||
|
||||
return raw
|
||||
.split(",")
|
||||
.map((entry) => entry.trim())
|
||||
.filter((entry) => entry.length > 0)
|
||||
}
|
||||
|
||||
function redirectWithState(params: { notice?: string; error?: string }) {
|
||||
const query = new URLSearchParams()
|
||||
|
||||
@@ -124,6 +140,7 @@ async function createCommissionAction(formData: FormData) {
|
||||
status: readInputString(formData, "status"),
|
||||
customerId: readNullableString(formData, "customerId"),
|
||||
assignedUserId: readNullableString(formData, "assignedUserId"),
|
||||
linkedArtworkIds: readUuidList(formData, "linkedArtworkIds"),
|
||||
budgetMin: readNullableNumber(formData, "budgetMin"),
|
||||
budgetMax: readNullableNumber(formData, "budgetMax"),
|
||||
dueAt: readNullableDate(formData, "dueAt"),
|
||||
@@ -136,6 +153,35 @@ async function createCommissionAction(formData: FormData) {
|
||||
redirectWithState({ notice: "Commission created." })
|
||||
}
|
||||
|
||||
async function updateCommissionAction(formData: FormData) {
|
||||
"use server"
|
||||
|
||||
await requirePermissionForRoute({
|
||||
nextPath: "/commissions",
|
||||
permission: "commissions:write",
|
||||
scope: "own",
|
||||
})
|
||||
|
||||
try {
|
||||
await updateCommission({
|
||||
id: readInputString(formData, "id"),
|
||||
title: readInputString(formData, "title"),
|
||||
description: readNullableString(formData, "description"),
|
||||
customerId: readNullableString(formData, "customerId"),
|
||||
assignedUserId: readNullableString(formData, "assignedUserId"),
|
||||
linkedArtworkIds: readUuidList(formData, "linkedArtworkIds"),
|
||||
budgetMin: readNullableNumber(formData, "budgetMin"),
|
||||
budgetMax: readNullableNumber(formData, "budgetMax"),
|
||||
dueAt: readNullableDate(formData, "dueAt"),
|
||||
})
|
||||
} catch {
|
||||
redirectWithState({ error: "Failed to update commission details." })
|
||||
}
|
||||
|
||||
revalidatePath("/commissions")
|
||||
redirectWithState({ notice: "Commission updated." })
|
||||
}
|
||||
|
||||
async function updateCommissionStatusAction(formData: FormData) {
|
||||
"use server"
|
||||
|
||||
@@ -166,6 +212,14 @@ function formatDate(value: Date | null) {
|
||||
return value.toLocaleDateString("en-US")
|
||||
}
|
||||
|
||||
function formatDateInput(value: Date | null) {
|
||||
if (!value) {
|
||||
return ""
|
||||
}
|
||||
|
||||
return value.toISOString().slice(0, 10)
|
||||
}
|
||||
|
||||
export default async function CommissionsManagementPage({
|
||||
searchParams,
|
||||
}: {
|
||||
@@ -177,10 +231,22 @@ export default async function CommissionsManagementPage({
|
||||
scope: "own",
|
||||
})
|
||||
|
||||
const [resolvedSearchParams, customers, commissions] = await Promise.all([
|
||||
const [resolvedSearchParams, customers, commissions, assignees, artworks] = await Promise.all([
|
||||
searchParams,
|
||||
listCustomers(200),
|
||||
listCommissions(300),
|
||||
db.user.findMany({
|
||||
where: {
|
||||
isBanned: false,
|
||||
},
|
||||
orderBy: [{ createdAt: "asc" }],
|
||||
select: {
|
||||
id: true,
|
||||
name: true,
|
||||
username: true,
|
||||
},
|
||||
}),
|
||||
listArtworks(300),
|
||||
])
|
||||
|
||||
const notice = readFirstValue(resolvedSearchParams.notice)
|
||||
@@ -309,11 +375,18 @@ export default async function CommissionsManagementPage({
|
||||
</div>
|
||||
<div className="grid gap-3 md:grid-cols-3">
|
||||
<label className="space-y-1">
|
||||
<span className="text-xs text-neutral-600">Assigned user id</span>
|
||||
<input
|
||||
<span className="text-xs text-neutral-600">Assigned user</span>
|
||||
<select
|
||||
name="assignedUserId"
|
||||
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
|
||||
/>
|
||||
>
|
||||
<option value="">(none)</option>
|
||||
{assignees.map((assignee) => (
|
||||
<option key={assignee.id} value={assignee.id}>
|
||||
{assignee.name} @{assignee.username ?? "no-user"}
|
||||
</option>
|
||||
))}
|
||||
</select>
|
||||
</label>
|
||||
<label className="space-y-1">
|
||||
<span className="text-xs text-neutral-600">Budget min</span>
|
||||
@@ -344,6 +417,14 @@ export default async function CommissionsManagementPage({
|
||||
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
|
||||
/>
|
||||
</label>
|
||||
<label className="space-y-1">
|
||||
<span className="text-xs text-neutral-600">Linked artwork IDs (comma separated)</span>
|
||||
<textarea
|
||||
name="linkedArtworkIds"
|
||||
rows={2}
|
||||
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
|
||||
/>
|
||||
</label>
|
||||
<Button type="submit">Create commission</Button>
|
||||
</form>
|
||||
</article>
|
||||
@@ -383,6 +464,9 @@ export default async function CommissionsManagementPage({
|
||||
<p className="text-xs text-neutral-600">
|
||||
{commission.customer?.name ?? "No customer"}
|
||||
</p>
|
||||
<p className="text-xs text-neutral-500">
|
||||
Assignee: {commission.assignedUser?.name ?? "none"}
|
||||
</p>
|
||||
<p className="text-xs text-neutral-500">
|
||||
Due: {formatDate(commission.dueAt)}
|
||||
</p>
|
||||
@@ -406,6 +490,99 @@ export default async function CommissionsManagementPage({
|
||||
Move
|
||||
</button>
|
||||
</div>
|
||||
<details className="mt-2 rounded border border-neutral-200 p-2 text-xs">
|
||||
<summary className="cursor-pointer text-neutral-700">
|
||||
Edit details
|
||||
</summary>
|
||||
<form action={updateCommissionAction} className="mt-2 space-y-2">
|
||||
<input type="hidden" name="id" value={commission.id} />
|
||||
<input
|
||||
name="title"
|
||||
defaultValue={commission.title}
|
||||
className="w-full rounded border border-neutral-300 px-2 py-1"
|
||||
/>
|
||||
<textarea
|
||||
name="description"
|
||||
rows={2}
|
||||
defaultValue={commission.description ?? ""}
|
||||
className="w-full rounded border border-neutral-300 px-2 py-1"
|
||||
/>
|
||||
<select
|
||||
name="customerId"
|
||||
defaultValue={commission.customerId ?? ""}
|
||||
className="w-full rounded border border-neutral-300 px-2 py-1"
|
||||
>
|
||||
<option value="">(no customer)</option>
|
||||
{customers.map((customer) => (
|
||||
<option
|
||||
key={`${commission.id}-customer-${customer.id}`}
|
||||
value={customer.id}
|
||||
>
|
||||
{customer.name}
|
||||
</option>
|
||||
))}
|
||||
</select>
|
||||
<select
|
||||
name="assignedUserId"
|
||||
defaultValue={commission.assignedUserId ?? ""}
|
||||
className="w-full rounded border border-neutral-300 px-2 py-1"
|
||||
>
|
||||
<option value="">(no assignee)</option>
|
||||
{assignees.map((assignee) => (
|
||||
<option
|
||||
key={`${commission.id}-assignee-${assignee.id}`}
|
||||
value={assignee.id}
|
||||
>
|
||||
{assignee.name}
|
||||
</option>
|
||||
))}
|
||||
</select>
|
||||
<div className="grid grid-cols-2 gap-2">
|
||||
<input
|
||||
name="budgetMin"
|
||||
type="number"
|
||||
min={0}
|
||||
step="0.01"
|
||||
defaultValue={commission.budgetMin ?? ""}
|
||||
placeholder="Budget min"
|
||||
className="rounded border border-neutral-300 px-2 py-1"
|
||||
/>
|
||||
<input
|
||||
name="budgetMax"
|
||||
type="number"
|
||||
min={0}
|
||||
step="0.01"
|
||||
defaultValue={commission.budgetMax ?? ""}
|
||||
placeholder="Budget max"
|
||||
className="rounded border border-neutral-300 px-2 py-1"
|
||||
/>
|
||||
</div>
|
||||
<input
|
||||
name="dueAt"
|
||||
type="date"
|
||||
defaultValue={formatDateInput(commission.dueAt)}
|
||||
className="w-full rounded border border-neutral-300 px-2 py-1"
|
||||
/>
|
||||
<textarea
|
||||
name="linkedArtworkIds"
|
||||
rows={2}
|
||||
defaultValue={commission.linkedArtworkIds.join(",")}
|
||||
placeholder="Artwork IDs"
|
||||
className="w-full rounded border border-neutral-300 px-2 py-1"
|
||||
/>
|
||||
<button
|
||||
type="submit"
|
||||
className="rounded border border-neutral-300 px-2 py-1 text-xs"
|
||||
>
|
||||
Save details
|
||||
</button>
|
||||
</form>
|
||||
</details>
|
||||
{commission.linkedArtworkIds.length > 0 ? (
|
||||
<p className="mt-2 text-[11px] text-neutral-500">
|
||||
Linked artworks: {commission.linkedArtworkIds.length}
|
||||
</p>
|
||||
) : null}
|
||||
</form>
|
||||
))
|
||||
)}
|
||||
@@ -449,6 +626,24 @@ export default async function CommissionsManagementPage({
|
||||
</table>
|
||||
</div>
|
||||
</section>
|
||||
|
||||
<section className="rounded-xl border border-neutral-200 p-6">
|
||||
<h2 className="text-xl font-medium">Artwork Reference</h2>
|
||||
<p className="mt-1 text-sm text-neutral-600">
|
||||
Use these IDs when linking artworks to commissions.
|
||||
</p>
|
||||
<div className="mt-3 max-h-64 overflow-auto rounded border border-neutral-200 p-3 text-xs">
|
||||
{artworks.length === 0 ? (
|
||||
<p className="text-neutral-500">No artworks available.</p>
|
||||
) : (
|
||||
artworks.map((artwork) => (
|
||||
<p key={artwork.id} className="font-mono text-neutral-700">
|
||||
{artwork.id} - {artwork.title}
|
||||
</p>
|
||||
))
|
||||
)}
|
||||
</div>
|
||||
</section>
|
||||
</AdminShell>
|
||||
)
|
||||
}
|
||||
|
||||
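Review bot: `updateCommissionAction` checks `commissions:write` with `scope: "own"` and then updates whatever hidden `id` the form supplies, and the db-side `updateCommission` filters only by `where: { id }`, so nothing visible ties the commission being edited to the session user; an own-scoped caller can change the `id` field and edit any commission. If `requirePermissionForRoute` treats "own" as a minimum permission tier rather than an ownership filter this may be intended, but the code does not say so. Consider resolving the session the way the users page does with `auth.api.getSession` and narrowing the update for own-scoped callers, e.g. `where: { id, assignedUserId: viewerId }`, or at least state the intended semantics in a comment above the action: `// "own" scope is a permission tier only; no per-commission ownership check is applied here`. The same free-form `customerId`/`assignedUserId` inputs in `createCommissionAction` are validated for shape but not for ownership, and `CommissionsManagementPage` itself spans several hunks, so only the shown parts were reviewed.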
@@ -1,34 +1,425 @@
|
||||
import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
|
||||
import { hasPermission, normalizeRole, type Role } from "@cms/content/rbac"
|
||||
import { db } from "@cms/db"
|
||||
import { Button } from "@cms/ui/button"
|
||||
import { revalidatePath } from "next/cache"
|
||||
import { headers } from "next/headers"
|
||||
import { redirect } from "next/navigation"
|
||||
|
||||
import { AdminShell } from "@/components/admin-shell"
|
||||
import {
|
||||
auth,
|
||||
canDeleteUserAccount,
|
||||
createManagedUserAccount,
|
||||
enforceOwnerInvariant,
|
||||
} from "@/lib/auth/server"
|
||||
import { requirePermissionForRoute } from "@/lib/route-guards"
|
||||
|
||||
export const dynamic = "force-dynamic"
|
||||
|
||||
export default async function UsersManagementPage() {
|
||||
const MANAGED_ROLES: Role[] = ["admin", "editor", "manager"]
|
||||
|
||||
type SearchParamsInput = Record<string, string | string[] | undefined>
|
||||
|
||||
function readFirstValue(value: string | string[] | undefined): string | null {
|
||||
if (Array.isArray(value)) {
|
||||
return value[0] ?? null
|
||||
}
|
||||
|
||||
return value ?? null
|
||||
}
|
||||
|
||||
function readInputString(formData: FormData, field: string): string {
|
||||
const value = formData.get(field)
|
||||
return typeof value === "string" ? value.trim() : ""
|
||||
}
|
||||
|
||||
function redirectWithState(params: { notice?: string; error?: string }) {
|
||||
const query = new URLSearchParams()
|
||||
|
||||
if (params.notice) {
|
||||
query.set("notice", params.notice)
|
||||
}
|
||||
|
||||
if (params.error) {
|
||||
query.set("error", params.error)
|
||||
}
|
||||
|
||||
const value = query.toString()
|
||||
redirect(value ? `/users?${value}` : "/users")
|
||||
}
|
||||
|
||||
async function createUserAction(formData: FormData) {
|
||||
"use server"
|
||||
|
||||
await requirePermissionForRoute({
|
||||
nextPath: "/users",
|
||||
permission: "users:write",
|
||||
scope: "team",
|
||||
})
|
||||
|
||||
const role = normalizeRole(readInputString(formData, "role"))
|
||||
|
||||
if (!role || !MANAGED_ROLES.includes(role)) {
|
||||
return redirectWithState({ error: "Invalid role for managed user creation." })
|
||||
}
|
||||
|
||||
try {
|
||||
await createManagedUserAccount({
|
||||
email: readInputString(formData, "email"),
|
||||
username: readInputString(formData, "username") || undefined,
|
||||
name: readInputString(formData, "name"),
|
||||
password: readInputString(formData, "password"),
|
||||
role,
|
||||
})
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : "Failed to create user."
|
||||
redirectWithState({ error: message })
|
||||
}
|
||||
|
||||
revalidatePath("/users")
|
||||
redirectWithState({ notice: "User account created." })
|
||||
}
|
||||
|
||||
async function updateUserRoleAction(formData: FormData) {
|
||||
"use server"
|
||||
|
||||
await requirePermissionForRoute({
|
||||
nextPath: "/users",
|
||||
permission: "users:manage_roles",
|
||||
scope: "global",
|
||||
})
|
||||
|
||||
const userId = readInputString(formData, "userId")
|
||||
const role = normalizeRole(readInputString(formData, "role"))
|
||||
|
||||
if (!role || !MANAGED_ROLES.includes(role)) {
|
||||
return redirectWithState({ error: "Only admin/editor/manager can be assigned here." })
|
||||
}
|
||||
|
||||
const user = await db.user.findUnique({
|
||||
where: { id: userId },
|
||||
select: { id: true, isProtected: true, isSystem: true },
|
||||
})
|
||||
|
||||
if (!user) {
|
||||
return redirectWithState({ error: "User not found." })
|
||||
}
|
||||
|
||||
if (user.isProtected || user.isSystem) {
|
||||
return redirectWithState({ error: "Protected/system users cannot be role-edited." })
|
||||
}
|
||||
|
||||
try {
|
||||
await db.user.update({
|
||||
where: { id: userId },
|
||||
data: { role },
|
||||
})
|
||||
await enforceOwnerInvariant()
|
||||
} catch {
|
||||
redirectWithState({ error: "Failed to update user role." })
|
||||
}
|
||||
|
||||
revalidatePath("/users")
|
||||
redirectWithState({ notice: "User role updated." })
|
||||
}
|
||||
|
||||
async function updateUserBanAction(formData: FormData) {
|
||||
"use server"
|
||||
|
||||
await requirePermissionForRoute({
|
||||
nextPath: "/users",
|
||||
permission: "users:write",
|
||||
scope: "team",
|
||||
})
|
||||
|
||||
const userId = readInputString(formData, "userId")
|
||||
const isBanned = readInputString(formData, "isBanned") === "true"
|
||||
|
||||
const user = await db.user.findUnique({
|
||||
where: { id: userId },
|
||||
select: { id: true, isProtected: true, isSystem: true },
|
||||
})
|
||||
|
||||
if (!user) {
|
||||
return redirectWithState({ error: "User not found." })
|
||||
}
|
||||
|
||||
if ((user.isProtected || user.isSystem) && isBanned) {
|
||||
return redirectWithState({ error: "Protected/system users cannot be banned." })
|
||||
}
|
||||
|
||||
try {
|
||||
await db.user.update({
|
||||
where: { id: userId },
|
||||
data: { isBanned },
|
||||
})
|
||||
await enforceOwnerInvariant()
|
||||
} catch {
|
||||
redirectWithState({ error: "Failed to update user status." })
|
||||
}
|
||||
|
||||
revalidatePath("/users")
|
||||
redirectWithState({ notice: isBanned ? "User banned." : "User unbanned." })
|
||||
}
|
||||
|
||||
async function deleteUserAction(formData: FormData) {
|
||||
"use server"
|
||||
|
||||
await requirePermissionForRoute({
|
||||
nextPath: "/users",
|
||||
permission: "users:write",
|
||||
scope: "team",
|
||||
})
|
||||
|
||||
const userId = readInputString(formData, "userId")
|
||||
const isAllowed = await canDeleteUserAccount(userId)
|
||||
|
||||
if (!isAllowed) {
|
||||
return redirectWithState({
|
||||
error: "User cannot be deleted due to protection or owner constraints.",
|
||||
})
|
||||
}
|
||||
|
||||
try {
|
||||
await db.user.delete({
|
||||
where: { id: userId },
|
||||
})
|
||||
await enforceOwnerInvariant()
|
||||
} catch {
|
||||
redirectWithState({ error: "Failed to delete user." })
|
||||
}
|
||||
|
||||
revalidatePath("/users")
|
||||
redirectWithState({ notice: "User deleted." })
|
||||
}
|
||||
|
||||
export default async function UsersManagementPage({
|
||||
searchParams,
|
||||
}: {
|
||||
searchParams: Promise<SearchParamsInput>
|
||||
}) {
|
||||
const role = await requirePermissionForRoute({
|
||||
nextPath: "/users",
|
||||
permission: "users:read",
|
||||
scope: "own",
|
||||
})
|
||||
|
||||
const session = await auth.api
|
||||
.getSession({
|
||||
headers: await headers(),
|
||||
})
|
||||
.catch(() => null)
|
||||
const viewerId = session?.user?.id ?? null
|
||||
const canWriteUsers = hasPermission(role, "users:write", "team")
|
||||
const canManageRoles = hasPermission(role, "users:manage_roles", "global")
|
||||
const canReadGlobal = hasPermission(role, "users:read", "global")
|
||||
|
||||
const [resolvedSearchParams, users] = await Promise.all([
|
||||
searchParams,
|
||||
db.user.findMany({
|
||||
where: canReadGlobal
|
||||
? undefined
|
||||
: viewerId
|
||||
? {
|
||||
id: viewerId,
|
||||
}
|
||||
: {
|
||||
id: "__none__",
|
||||
},
|
||||
orderBy: [{ createdAt: "desc" }],
|
||||
select: {
|
||||
id: true,
|
||||
email: true,
|
||||
username: true,
|
||||
name: true,
|
||||
role: true,
|
||||
isBanned: true,
|
||||
isSystem: true,
|
||||
isHidden: true,
|
||||
isProtected: true,
|
||||
createdAt: true,
|
||||
},
|
||||
}),
|
||||
])
|
||||
|
||||
const notice = readFirstValue(resolvedSearchParams.notice)
|
||||
const error = readFirstValue(resolvedSearchParams.error)
|
||||
|
||||
return (
|
||||
<AdminShell
|
||||
role={role}
|
||||
activePath="/users"
|
||||
badge="Admin App"
|
||||
title="Users"
|
||||
description="Prepare user lifecycle and role management operations."
|
||||
description="Manage internal users, roles, and account status."
|
||||
>
|
||||
<AdminSectionPlaceholder
|
||||
feature="Users Management"
|
||||
summary="This route sets the guardrail and UX entrypoint for role assignment, status, and invitation flows."
|
||||
requiredPermission="users:read (own)"
|
||||
nextSteps={[
|
||||
"Add user list, filter, and detail views.",
|
||||
"Add role and permission editing actions with owner/support safety rules.",
|
||||
"Add disable/ban and invite workflows.",
|
||||
]}
|
||||
/>
|
||||
{notice ? (
|
||||
<section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
|
||||
{notice}
|
||||
</section>
|
||||
) : null}
|
||||
{error ? (
|
||||
<section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
|
||||
{error}
|
||||
</section>
|
||||
) : null}
|
||||
|
||||
{canWriteUsers ? (
|
||||
<section className="rounded-xl border border-neutral-200 p-6">
|
||||
<h2 className="text-xl font-medium">Create managed user</h2>
|
||||
<form action={createUserAction} className="mt-4 grid gap-3 md:grid-cols-2 lg:grid-cols-3">
|
||||
<input
|
||||
name="name"
|
||||
required
|
||||
placeholder="Name"
|
||||
className="rounded border border-neutral-300 px-3 py-2 text-sm"
|
||||
/>
|
||||
<input
|
||||
name="email"
|
||||
required
|
||||
type="email"
|
||||
placeholder="Email"
|
||||
className="rounded border border-neutral-300 px-3 py-2 text-sm"
|
||||
/>
|
||||
<input
|
||||
name="username"
|
||||
placeholder="Username (optional)"
|
||||
className="rounded border border-neutral-300 px-3 py-2 text-sm"
|
||||
/>
|
||||
<input
|
||||
name="password"
|
||||
required
|
||||
type="password"
|
||||
placeholder="Temporary password"
|
||||
className="rounded border border-neutral-300 px-3 py-2 text-sm"
|
||||
/>
|
||||
<select
|
||||
name="role"
|
||||
defaultValue="editor"
|
||||
className="rounded border border-neutral-300 px-3 py-2 text-sm"
|
||||
>
|
||||
<option value="editor">editor</option>
|
||||
<option value="manager">manager</option>
|
||||
<option value="admin">admin</option>
|
||||
</select>
|
||||
<div className="md:col-span-2 lg:col-span-3">
|
||||
<Button type="submit">Create user</Button>
|
||||
</div>
|
||||
</form>
|
||||
</section>
|
||||
) : null}
|
||||
|
||||
<section className="rounded-xl border border-neutral-200 p-6">
|
||||
<h2 className="text-xl font-medium">User accounts</h2>
|
||||
<div className="mt-4 overflow-x-auto">
|
||||
<table className="min-w-full text-left text-sm">
|
||||
<thead className="text-xs uppercase tracking-wide text-neutral-500">
|
||||
<tr>
|
||||
<th className="py-2 pr-4">User</th>
|
||||
<th className="py-2 pr-4">Role</th>
|
||||
<th className="py-2 pr-4">Status</th>
|
||||
<th className="py-2 pr-4">Flags</th>
|
||||
<th className="py-2 pr-4">Created</th>
|
||||
<th className="py-2 pr-4">Actions</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{users.length === 0 ? (
|
||||
<tr>
|
||||
<td className="py-3 text-neutral-500" colSpan={6}>
|
||||
No users found.
|
||||
</td>
|
||||
</tr>
|
||||
) : (
|
||||
users.map((user) => (
|
||||
<tr key={user.id} className="border-t border-neutral-200 align-top">
|
||||
<td className="py-3 pr-4">
|
||||
<p className="font-medium">{user.name}</p>
|
||||
<p className="text-xs text-neutral-600">{user.email}</p>
|
||||
<p className="text-xs text-neutral-500">@{user.username ?? "no-username"}</p>
|
||||
</td>
|
||||
<td className="py-3 pr-4">{user.role}</td>
|
||||
<td className="py-3 pr-4">{user.isBanned ? "banned" : "active"}</td>
|
||||
<td className="py-3 pr-4 text-xs text-neutral-600">
|
||||
{user.isProtected ? "protected " : ""}
|
||||
{user.isSystem ? "system " : ""}
|
||||
{user.isHidden ? "hidden" : ""}
|
||||
</td>
|
||||
<td className="py-3 pr-4 text-xs text-neutral-600">
|
||||
{user.createdAt.toLocaleString("en-US")}
|
||||
</td>
|
||||
<td className="py-3 pr-4">
|
||||
<div className="grid min-w-56 gap-2">
|
||||
{canManageRoles ? (
|
||||
<form action={updateUserRoleAction} className="flex gap-2">
|
||||
<input type="hidden" name="userId" value={user.id} />
|
||||
<select
|
||||
name="role"
|
||||
defaultValue={
|
||||
MANAGED_ROLES.includes(user.role as Role) ? user.role : "editor"
|
||||
}
|
||||
disabled={user.isProtected || user.isSystem}
|
||||
className="w-full rounded border border-neutral-300 px-2 py-1 text-xs"
|
||||
>
|
||||
<option value="editor">editor</option>
|
||||
<option value="manager">manager</option>
|
||||
<option value="admin">admin</option>
|
||||
</select>
|
||||
<Button
|
||||
type="submit"
|
||||
size="sm"
|
||||
variant="secondary"
|
||||
disabled={user.isProtected || user.isSystem}
|
||||
>
|
||||
Role
|
||||
</Button>
|
||||
</form>
|
||||
) : null}
|
||||
|
||||
{canWriteUsers ? (
|
||||
<form action={updateUserBanAction} className="flex gap-2">
|
||||
<input type="hidden" name="userId" value={user.id} />
|
||||
<select
|
||||
name="isBanned"
|
||||
defaultValue={user.isBanned ? "true" : "false"}
|
||||
disabled={user.isProtected || user.isSystem}
|
||||
className="w-full rounded border border-neutral-300 px-2 py-1 text-xs"
|
||||
>
|
||||
<option value="false">active</option>
|
||||
<option value="true">banned</option>
|
||||
</select>
|
||||
<Button
|
||||
type="submit"
|
||||
size="sm"
|
||||
variant="secondary"
|
||||
disabled={user.isProtected || user.isSystem}
|
||||
>
|
||||
Status
|
||||
</Button>
|
||||
</form>
|
||||
) : null}
|
||||
|
||||
{canWriteUsers ? (
|
||||
<form action={deleteUserAction}>
|
||||
<input type="hidden" name="userId" value={user.id} />
|
||||
<button
|
||||
type="submit"
|
||||
disabled={user.isProtected || user.isSystem}
|
||||
className="rounded border border-red-300 px-3 py-1.5 text-xs text-red-700 disabled:cursor-not-allowed disabled:opacity-50"
|
||||
>
|
||||
Delete user
|
||||
</button>
|
||||
</form>
|
||||
) : null}
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
))
|
||||
)}
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</section>
|
||||
</AdminShell>
|
||||
)
|
||||
}
|
||||
|
||||
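Review bot: `createUserAction` gates on `users:write` with `scope: "team"` yet accepts `role` values from `MANAGED_ROLES`, which includes `"admin"`, while `updateUserRoleAction` demands `users:manage_roles` with `scope: "global"` for the same effect; a caller holding the first permission but not the second is blocked from promoting an existing user but can mint a fresh admin account instead. Whether any role actually has team-scoped `users:write` without global `users:manage_roles` depends on `hasPermission` in `@cms/content/rbac`, which is not on the page, but the two paths should agree regardless. The smallest fix is to apply the stricter gate when an admin role is requested, right after the `MANAGED_ROLES` check: `if (role === "admin") await requirePermissionForRoute({ nextPath: "/users", permission: "users:manage_roles", scope: "global" })`. Separately, `createUserAction` forwards `error.message` verbatim into the redirect query string, so any driver or library error text becomes user-visible; mapping known errors to fixed strings and logging the rest would be safer. The `password` field is also forwarded with no length check in this file; confirm `createManagedUserAccount`/`ensureCredentialUser` enforce a policy.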
@@ -375,6 +375,63 @@ export async function ensureSupportUserBootstrap(): Promise<void> {
|
||||
}
|
||||
}
|
||||
|
||||
const MANAGED_USER_ROLE_ALLOWLIST = new Set<Role>(["admin", "editor", "manager"])
|
||||
|
||||
export async function createManagedUserAccount(input: {
|
||||
email: string
|
||||
username?: string | null
|
||||
name: string
|
||||
password: string
|
||||
role: string
|
||||
}): Promise<{ id: string; email: string; username: string | null; role: string }> {
|
||||
const normalizedEmail = input.email.trim().toLowerCase()
|
||||
const normalizedRole = normalizeRole(input.role)
|
||||
|
||||
if (!normalizedRole || !MANAGED_USER_ROLE_ALLOWLIST.has(normalizedRole)) {
|
||||
throw new Error("Unsupported role for managed user account")
|
||||
}
|
||||
|
||||
const existing = await db.user.findUnique({
|
||||
where: { email: normalizedEmail },
|
||||
select: { id: true, isProtected: true, isSystem: true },
|
||||
})
|
||||
|
||||
if (existing) {
|
||||
if (existing.isProtected || existing.isSystem) {
|
||||
throw new Error("Cannot mutate protected/system account via managed user provisioning")
|
||||
}
|
||||
|
||||
throw new Error("A user with this email already exists")
|
||||
}
|
||||
|
||||
const preferredUsername =
|
||||
normalizeUsernameCandidate(input.username) ??
|
||||
normalizeUsernameCandidate(extractEmailLocalPart(normalizedEmail)) ??
|
||||
"user"
|
||||
|
||||
await ensureCredentialUser({
|
||||
email: normalizedEmail,
|
||||
username: preferredUsername,
|
||||
name: input.name.trim(),
|
||||
password: input.password,
|
||||
role: normalizedRole,
|
||||
isHidden: false,
|
||||
isSystem: false,
|
||||
isProtected: false,
|
||||
})
|
||||
|
||||
const created = await db.user.findUnique({
|
||||
where: { email: normalizedEmail },
|
||||
select: { id: true, email: true, username: true, role: true },
|
||||
})
|
||||
|
||||
if (!created) {
|
||||
throw new Error("Managed user provisioning failed")
|
||||
}
|
||||
|
||||
return created
|
||||
}
|
||||
|
||||
const DEFAULT_E2E_ADMIN_EMAIL = "e2e-admin@cms.local"
|
||||
const DEFAULT_E2E_ADMIN_USERNAME = "e2e-admin"
|
||||
const DEFAULT_E2E_ADMIN_PASSWORD = "e2e-admin-password"
|
||||
|
||||
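Review bot: In `createManagedUserAccount` the two `throw` branches under `if (existing)` produce different messages depending on whether the matching account is protected/system, and the admin `createUserAction` shows `error.message` verbatim, so the form can be used to learn which emails belong to protected or system accounts; returning the single "A user with this email already exists" message for both cases (and logging the protected hit server-side if it matters) removes that distinction. The `findUnique` followed by `ensureCredentialUser` is not atomic either: two concurrent submissions for the same email both pass the check, which is only safe if `email` carries a unique constraint that `ensureCredentialUser` surfaces as an error — neither is visible here. `input.name.trim()` and `input.password` are passed through with no non-empty or minimum-length check; worth confirming `ensureCredentialUser` validates them, or adding `if (!input.name.trim() || !input.password) throw new Error("Name and password are required")` before the lookup.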
@@ -23,7 +23,21 @@ export const createCommissionInputSchema = z.object({
|
||||
description: z.string().max(4000).nullable().optional(),
|
||||
status: commissionStatusSchema.default("new"),
|
||||
customerId: z.string().uuid().nullable().optional(),
|
||||
assignedUserId: z.string().max(120).nullable().optional(),
|
||||
assignedUserId: z.string().uuid().nullable().optional(),
|
||||
linkedArtworkIds: z.array(z.string().uuid()).default([]),
|
||||
budgetMin: z.number().nonnegative().nullable().optional(),
|
||||
budgetMax: z.number().nonnegative().nullable().optional(),
|
||||
dueAt: z.date().nullable().optional(),
|
||||
})
|
||||
|
||||
export const updateCommissionInputSchema = z.object({
|
||||
id: z.string().uuid(),
|
||||
title: z.string().min(1).max(180).optional(),
|
||||
description: z.string().max(4000).nullable().optional(),
|
||||
status: commissionStatusSchema.optional(),
|
||||
customerId: z.string().uuid().nullable().optional(),
|
||||
assignedUserId: z.string().uuid().nullable().optional(),
|
||||
linkedArtworkIds: z.array(z.string().uuid()).optional(),
|
||||
budgetMin: z.number().nonnegative().nullable().optional(),
|
||||
budgetMax: z.number().nonnegative().nullable().optional(),
|
||||
dueAt: z.date().nullable().optional(),
|
||||
@@ -57,6 +71,7 @@ export const updateCommissionStatusInputSchema = z.object({
|
||||
export type CommissionStatus = z.infer<typeof commissionStatusSchema>
|
||||
export type CreateCustomerInput = z.infer<typeof createCustomerInputSchema>
|
||||
export type CreateCommissionInput = z.infer<typeof createCommissionInputSchema>
|
||||
export type UpdateCommissionInput = z.infer<typeof updateCommissionInputSchema>
|
||||
export type CreatePublicCommissionRequestInput = z.infer<
|
||||
typeof createPublicCommissionRequestInputSchema
|
||||
>
|
||||
|
||||
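Review bot: `assignedUserId` is tightened from `z.string().max(120)` to `z.string().uuid()` in `createCommissionInputSchema` and the new `updateCommissionInputSchema` uses the same rule, but user ids are produced by the auth layer rather than this package; if they are not UUID-formatted (the previous `max(120)` hints they may not be), every assignment from the admin form now fails validation and surfaces only as the generic "Failed to update commission details." Confirm against the `User.id` generator before relying on `.uuid()` here. Neither schema checks `budgetMin <= budgetMax`; on the create schema a `.refine((v) => v.budgetMin == null || v.budgetMax == null || v.budgetMin <= v.budgetMax, { message: "budgetMin must not exceed budgetMax" })` would mirror the range error the public request flow already reports, while the update schema would need the stored values to do the same.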
@@ -0,0 +1,2 @@
|
||||
ALTER TABLE "Commission"
|
||||
ADD COLUMN "linkedArtworkIds" TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[];
|
||||
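Review bot: `linkedArtworkIds` is added as a bare `TEXT[]` with no foreign key, so deleting an artwork leaves dangling ids that the database cannot detect, and the Prisma model in the following section mirrors this with `String[] @default([])`. If array-valued references are the intended design, a comment stating where integrity is enforced would help the next reader: `-- No FK: Artwork ids in this array are not validated by the database; the application layer must check them.` A join table with proper foreign keys is the conventional alternative if cascading cleanup is wanted.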
@@ -386,6 +386,7 @@ model Commission {
|
||||
status String
|
||||
customerId String?
|
||||
assignedUserId String?
|
||||
linkedArtworkIds String[] @default([])
|
||||
budgetMin Float?
|
||||
budgetMax Float?
|
||||
dueAt DateTime?
|
||||
|
||||
@@ -3,6 +3,7 @@ import {
|
||||
createCommissionInputSchema,
|
||||
createCustomerInputSchema,
|
||||
createPublicCommissionRequestInputSchema,
|
||||
updateCommissionInputSchema,
|
||||
updateCommissionStatusInputSchema,
|
||||
} from "@cms/content"
|
||||
|
||||
@@ -57,6 +58,16 @@ export async function createCommission(input: unknown) {
|
||||
})
|
||||
}
|
||||
|
||||
export async function updateCommission(input: unknown) {
|
||||
const payload = updateCommissionInputSchema.parse(input)
|
||||
const { id, ...data } = payload
|
||||
|
||||
return db.commission.update({
|
||||
where: { id },
|
||||
data,
|
||||
})
|
||||
}
|
||||
|
||||
export async function createPublicCommissionRequest(input: unknown) {
|
||||
const payload = createPublicCommissionRequestInputSchema.parse(input)
|
||||
const normalizedEmail = payload.customerEmail.trim().toLowerCase()
|
||||
|
||||
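Review bot: `updateCommission` parses the payload and writes `data` straight through, so `linkedArtworkIds` (and `customerId`/`assignedUserId`) are accepted whenever they are UUID-shaped; because the new column carries no foreign key, ids that point at no artwork are stored silently and the "Linked artworks" counter on the kanban card will count them. Looking the ids up first (through whatever model `listArtworks` reads) and rejecting the update when the number found differs from the number supplied would close that gap; the same check belongs in `createCommission`, whose body is outside the hunk. `where: { id }` also applies no ownership filter, so any own-scope restriction must be enforced by the caller.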
@@ -14,6 +14,7 @@ export {
|
||||
createPublicCommissionRequest,
|
||||
listCommissions,
|
||||
listCustomers,
|
||||
updateCommission,
|
||||
updateCommissionStatus,
|
||||
} from "./commissions"
|
||||
export {
|
||||
|
||||