Add approval workflow enforcement for page creation by editors #22

Merged
Copilot merged 5 commits from copilot/add-approval-workflow-restriction into main 2025-11-20 20:10:23 -06:00
Copilot commented 2025-11-19 16:37:46 -06:00 (Migrated from github.com)

When approval workflow is enabled, editors can now edit existing pages (requiring approval), but they could still create new published pages directly, bypassing the workflow entirely.

Changes

Backend (routes/pages.js)

  • Modified POST / to check approval workflow setting and create pages with is_published = false for editors when enabled
  • Added GET /unpublished/list - returns unpublished pages (admins see all, editors see own)
  • Added POST /:slug/publish - admin-only endpoint to publish pending pages
  • Added POST /:slug/reject - admin-only endpoint to reject and delete pending pages
  • Updated GET /:slug visibility logic: admins see all pages, editors see published + own unpublished, viewers see published only

Frontend

  • UnpublishedPages.jsx - new component for reviewing/approving pending pages
  • PageEditor.jsx - added handling for requires_approval response flag with user feedback
  • Header.jsx - added "Unpublished" navigation button
  • api.js - added getUnpublished(), publish(), reject() methods

Example flow:

// Editor creates page with approval enabled
POST /api/pages
→ Response: { ...page, is_published: false, requires_approval: true }

// Admin reviews and publishes
POST /api/pages/my-page/publish
→ Updates is_published = true, page becomes visible
Permission Matrix

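| Role   | Create Published | View Own Unpublished | View All Unpublished | Publish |
|--------|------------------|----------------------|----------------------|---------|
| Admin  | Always           | ✓                    | ✓                    | ✓       |
| Editor | Only if disabled | ✓                    | ✗                    | ✗       |
| Viewer | ✗                | ✗                    | ✗                    | ✗       |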

Admins bypass approval workflow; their pages publish immediately regardless of setting.

Original prompt

Add the below functionality: when the approval workflow is enabled, editors cannot publish pages, each page they create must get approved by an admin


SluberskiHomeLab (Migrated from github.com) reviewed 2025-11-19 16:37:46 -06:00
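
The permission matrix from the pull request description, written out as server-side decision functions. This is an added example, not code from this pull request: the `user.role` and `author_id` fields and all function names are assumptions, as are the choices to deny unknown roles and to treat a missing workflow setting as enabled.

```javascript
// Added illustration; names and record shape are assumed, not the project's.
const ROLES = new Set(['admin', 'editor', 'viewer']);
const known = (user) => Boolean(user) && ROLES.has(user.role);

// Build the record to store for POST /. is_published is decided here from
// role + setting; body.is_published is never read, so a client cannot
// publish by sending the flag itself.
function createPageRecord(user, approvalEnabled, body) {
  if (!known(user) || user.role === 'viewer') return null; // may not create
  // Fail closed: only an explicit boolean false disables the workflow, so a
  // failed or missing settings lookup still routes editors through approval.
  const needsApproval = user.role === 'editor' && approvalEnabled !== false;
  return {
    title: String(body.title),
    author_id: user.id,
    is_published: !needsApproval,
    requires_approval: needsApproval,
  };
}

// GET /:slug visibility: admins see all, editors see published plus their
// own unpublished pages, viewers see published only.
function canView(user, page) {
  if (!known(user)) return false;
  if (page.is_published) return true;
  if (user.role === 'admin') return true;
  return user.role === 'editor' && page.author_id === user.id;
}

// POST /:slug/publish and POST /:slug/reject are admin-only.
function canPublish(user) {
  return known(user) && user.role === 'admin';
}

// GET /unpublished/list: reuse canView so list and detail cannot drift apart.
function listUnpublished(user, pages) {
  return pages.filter((p) => !p.is_published && canView(user, p));
}
```

Routing both the list and the single-page endpoints through the same `canView` check keeps an unpublished page from leaking through one path while being hidden on the other.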