Emdash source with visual editor image upload fix

Fixes: 1. media.ts: wrap placeholder generation in try-catch 2. toolbar.ts: check r.ok, display error message in popover
2026-05-03 10:44:54 +07:00
parent 78f81bebb6
commit 2d1be52177
2352 changed files with 662964 additions and 0 deletions
--- a/packages/cloudflare/tests/db/do-playground-routes.test.ts
+++ b/packages/cloudflare/tests/db/do-playground-routes.test.ts
@@ -0,0 +1,97 @@
+import { describe, it, expect } from "vitest";
+
+import { isBlockedInPlayground } from "../../src/db/do-playground-routes.js";
+
+describe("isBlockedInPlayground", () => {
+	describe("blocked routes", () => {
+		it.each([
+			// Auth routes
+			"/_emdash/api/auth/",
+			"/_emdash/api/auth/passkey/options",
+			"/_emdash/api/auth/passkey/verify",
+			"/_emdash/api/auth/dev-bypass",
+			"/_emdash/api/auth/magic-link/send",
+			"/_emdash/api/auth/logout",
+			// Setup routes
+			"/_emdash/api/setup/",
+			"/_emdash/api/setup/status",
+			"/_emdash/api/setup/admin",
+			"/_emdash/api/setup/dev-bypass",
+			// OAuth routes
+			"/_emdash/api/oauth/",
+			"/_emdash/api/oauth/authorize",
+			"/_emdash/api/oauth/token",
+			// Token management
+			"/_emdash/api/tokens/",
+			"/_emdash/api/tokens/abc123",
+			// User invite
+			"/_emdash/api/users/invite",
+			// Plugin install/marketplace
+			"/_emdash/api/plugins/install",
+			"/_emdash/api/plugins/marketplace",
+			"/_emdash/api/plugins/marketplace/featured",
+			// Media upload (abuse vector)
+			"/_emdash/api/media/upload",
+			// Snapshot export
+			"/_emdash/api/snapshot",
+			"/_emdash/api/snapshot?drafts=true",
+		])("blocks %s", (path: string) => {
+			expect(isBlockedInPlayground(path)).toBe(true);
+		});
+	});
+
+	describe("allowed routes", () => {
+		it.each([
+			// Site pages
+			"/",
+			"/blog/my-post",
+			"/about",
+			"/sitemap.xml",
+			// Admin UI
+			"/_emdash/admin",
+			"/_emdash/admin/content",
+			"/_emdash/admin/content/posts",
+			"/_emdash/admin/settings",
+			"/_emdash/admin/media",
+			"/_emdash/admin/schema",
+			// Auth allowlist (admin UI needs /auth/me)
+			"/_emdash/api/auth/me",
+			// Content CRUD (the whole point of the playground)
+			"/_emdash/api/content/posts",
+			"/_emdash/api/content/posts/abc123",
+			// Schema editing
+			"/_emdash/api/schema",
+			"/_emdash/api/schema/collections",
+			"/_emdash/api/schema/collections/posts/fields",
+			// Taxonomies
+			"/_emdash/api/taxonomies",
+			"/_emdash/api/taxonomies/category/terms",
+			// Menus
+			"/_emdash/api/menus",
+			"/_emdash/api/menus/primary/items",
+			// Widgets
+			"/_emdash/api/widgets",
+			// Search
+			"/_emdash/api/search",
+			"/_emdash/api/search/suggest",
+			// Settings (read/write)
+			"/_emdash/api/settings",
+			// Dashboard
+			"/_emdash/api/dashboard",
+			// Manifest
+			"/_emdash/api/manifest",
+			// Media listing (not upload)
+			"/_emdash/api/media",
+			"/_emdash/api/media/abc123",
+			"/_emdash/api/media/file/image.jpg",
+			// Users list (not invite)
+			"/_emdash/api/users",
+			"/_emdash/api/users/abc123",
+			// Plugin list (not install/marketplace)
+			"/_emdash/api/plugins",
+			"/_emdash/api/plugins/my-plugin",
+		])("allows %s", (path: string) => {
+			expect(isBlockedInPlayground(path)).toBe(false);
+		});
+	});
+});