Skip to content

fix(content): route collection create/update/delete through step-up#72

Merged
DavidBabinec merged 1 commit into
mainfrom
fix/content-collection-step-up
Jun 17, 2026
Merged

fix(content): route collection create/update/delete through step-up#72
DavidBabinec merged 1 commit into
mainfrom
fix/content-collection-step-up

Conversation

@DavidBabinec

Copy link
Copy Markdown
Contributor

What changed

Creating, updating, or deleting a content collection hits the step-up-gated data-tables endpoints (POST/PATCH/DELETE /admin/api/cms/data/tables — they change the site's public route surface). The Content page called the workspace mutations directly, without useStepUp, while the Data page wraps the equivalent table mutations in runStepUp.

So for any account with step-up auth (or MFA) enabled, the server's 401 { error: 'step_up_required' } leaked straight into the collection dialog as raw red text (step_up_required) instead of opening the password re-entry dialog.

This wires the Content page to the same step-up flow as the Data page:

  • ContentPage now uses useStepUp() and wraps create / update / delete collection mutations in runStepUp(...).
  • Both collection dialogs (ContentCollectionCreateDialog, ContentCollectionSettingsDialog) swallow step_up_cancelled, so backing out of the prompt is a silent no-op — matching NewTableDialog.
  • Update/delete now bypass withEntryOp, whose generic catch would otherwise surface the cancellation as a visible error.

Why

Bug reproduces on the latest deployed image (present on main). It only triggers for users with step-up/MFA enabled, which is why it wasn't caught earlier.

Impact

Users with step-up auth can now create, rename/edit, and delete content collections — the password dialog appears and the action retries on success. No change for users with step-up disabled.

Verification

  • bun run build (tsc + vite) — clean
  • bun run lint — clean
  • bun test src/__tests__/admin/data/contentCollectionStepUp.test.tsx src/__tests__/admin/data/dataTableStepUp.test.tsx — pass
  • bun test src/__tests__/data/contentAdmin.test.tsx — 23 pass

Adds contentCollectionStepUp.test.tsx covering create → step-up dialog → retry, asserting the raw step_up_required code never reaches the UI.

🤖 Generated with Claude Code

Creating, updating, or deleting a content collection POSTs/PATCHes/DELETEs
the step-up-gated data-tables endpoints (they change the public route
surface). The Content page called the workspace mutations directly without
useStepUp, so for accounts with step-up auth (or MFA) enabled the server's
`401 { error: 'step_up_required' }` leaked into the dialog as raw red text
instead of opening the password re-entry dialog.

Mirror the Data page: wrap all three collection mutations in runStepUp, and
have both collection dialogs swallow `step_up_cancelled` so backing out of
the prompt is a silent no-op. Update/delete now bypass withEntryOp (whose
generic catch would surface the cancellation as an error).

Adds contentCollectionStepUp.test.tsx covering the create → step-up → retry
flow and asserting the raw error code never reaches the UI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@DavidBabinec DavidBabinec marked this pull request as ready for review June 17, 2026 12:34
@DavidBabinec DavidBabinec merged commit 34b70f1 into main Jun 17, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant