fix(content): route collection create/update/delete through step-up #72
Merged
Creating, updating, or deleting a content collection POSTs/PATCHes/DELETEs
the step-up-gated data-tables endpoints (they change the public route
surface). The Content page called the workspace mutations directly without
useStepUp, so for accounts with step-up auth (or MFA) enabled the server's
`401 { error: 'step_up_required' }` leaked into the dialog as raw red text
instead of opening the password re-entry dialog.
Mirror the Data page: wrap all three collection mutations in runStepUp, and
have both collection dialogs swallow `step_up_cancelled` so backing out of
the prompt is a silent no-op. Update/delete now bypass withEntryOp (whose
generic catch would surface the cancellation as an error).
Adds contentCollectionStepUp.test.tsx covering the create → step-up → retry
flow and asserting the raw error code never reaches the UI.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What changed
Creating, updating, or deleting a content collection hits the step-up-gated data-tables endpoints (`POST/PATCH/DELETE /admin/api/cms/data/tables` — they change the site's public route surface). The Content page called the workspace mutations directly, without `useStepUp`, while the Data page wraps the equivalent table mutations in `runStepUp`.
So for any account with step-up auth (or MFA) enabled, the server's `401 { error: 'step_up_required' }` leaked straight into the collection dialog as raw red text (`step_up_required`) instead of opening the password re-entry dialog.
This wires the Content page to the same step-up flow as the Data page:
- `ContentPage` now uses `useStepUp()` and wraps create / update / delete collection mutations in `runStepUp(...)`.
- `ContentCollectionCreateDialog`, `ContentCollectionSettingsDialog` swallow `step_up_cancelled`, so backing out of the prompt is a silent no-op — matching `NewTableDialog`.
- `withEntryOp`, whose generic catch would otherwise surface the cancellation as a visible error.
Why
Bug reproduces on the latest deployed image (present on `main`). It only triggers for users with step-up/MFA enabled, which is why it wasn't caught earlier.
Impact
Users with step-up auth can now create, rename/edit, and delete content collections — the password dialog appears and the action retries on success. No change for users with step-up disabled.
Verification
- `bun run build` (tsc + vite) — clean
- `bun run lint` — clean
- `bun test src/__tests__/admin/data/contentCollectionStepUp.test.tsx src/__tests__/admin/data/dataTableStepUp.test.tsx` — pass
- `bun test src/__tests__/data/contentAdmin.test.tsx` — 23 pass
Adds `contentCollectionStepUp.test.tsx` covering create → step-up dialog → retry, asserting the raw `step_up_required` code never reaches the UI.
🤖 Generated with Claude Code
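The retry-once and swallow-cancellation behaviour described in this PR, as an added framework-free sketch that is not the project's code. `withStepUp`, `submitFromDialog`, `apiError` and `fakeServer` are hypothetical names, and the error object shape is an assumption; only the `step_up_required` and `step_up_cancelled` codes and the 401 status come from the page.

```typescript
// Added sketch, not the project's code. Only the two error codes come from the page.
interface ApiError extends Error { status: number; code: string }
type Mutation<T> = () => Promise<T>;
// Resolves true once the user has re-authenticated, false if they backed out.
type Prompt = () => Promise<boolean>;

function apiError(status: number, code: string): ApiError {
  const e = new Error(code) as ApiError;
  e.status = status;
  e.code = code;
  return e;
}
const hasCode = (e: unknown, code: string): boolean =>
  e instanceof Error && (e as ApiError).code === code;

// Run a mutation; on 401 step_up_required, prompt and retry exactly once.
async function withStepUp<T>(mutate: Mutation<T>, prompt: Prompt): Promise<T> {
  try {
    return await mutate();
  } catch (e) {
    const gated = hasCode(e, "step_up_required") && (e as ApiError).status === 401;
    if (!gated) throw e; // unrelated failures are never masked
  }
  if (!(await prompt())) throw apiError(0, "step_up_cancelled");
  return mutate(); // a second step_up_required propagates: no prompt loop
}

// Dialog-side submit: cancellation is a silent no-op; any other failure maps
// to a user-facing message, so the raw error code never reaches the UI.
async function submitFromDialog<T>(
  mutate: Mutation<T>,
  prompt: Prompt,
): Promise<{ ok: boolean; message: string | null }> {
  try {
    await withStepUp(mutate, prompt);
    return { ok: true, message: null };
  } catch (e) {
    if (hasCode(e, "step_up_cancelled")) return { ok: false, message: null };
    return { ok: false, message: "Could not save the collection." };
  }
}

// Constructed stand-in for the gated endpoint: rejects until step-up succeeds.
function fakeServer() {
  const state = { elevated: false, calls: 0 };
  const mutate: Mutation<string> = async () => {
    state.calls += 1;
    if (!state.elevated) throw apiError(401, "step_up_required");
    return "created";
  };
  return { state, mutate };
}
```

The wrapper only decides what the UI shows; the server's 401 remains the enforcement point, which is why the retry is bounded to one attempt.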