From 721d7f948c305d219601a76e5d38d37cbd8446a6 Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Tue, 28 Jan 2025 11:27:36 +0100
Subject: [PATCH 1/9] feat: initial additional token restrictions

---
 .../site/[...ts-rest]/route.ts                |   6 +-
 .../settings/tokens/CreateTokenForm.tsx       |  28 +++-
 .../tokens/CreateTokenFormContext.tsx         |  10 ++
 .../settings/tokens/PermissionField.tsx       | 134 ++++++++++++++----
 .../[communitySlug]/settings/tokens/page.tsx  |  12 +-
 packages/db/src/types/ApiAccessToken.ts       |  12 +-
 6 files changed, 158 insertions(+), 44 deletions(-)
 create mode 100644 core/app/c/[communitySlug]/settings/tokens/CreateTokenFormContext.tsx

diff --git a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
index 90b3d92ba..d0d4e8382 100644
--- a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
+++ b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
@@ -107,12 +107,12 @@ const getAuthorization = async () => {
 		user,
 		authorization: rules.reduce((acc, curr) => {
 			const { scope, constraints, accessType } = curr;
-			if (!constraints) {
-				acc[scope][accessType] = true;
+			if (!curr.constraints) {
+				acc[curr.scope][curr.accessType] = true;
 				return acc;
 			}
 
-			acc[scope][accessType] = constraints ?? true;
+			acc[curr.scope][curr.accessType] = curr.constraints ?? true;
 			return acc;
 		}, baseAuthorizationObject),
 		apiAccessTokenId: validatedAccessToken.id,
diff --git a/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx b/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
index 0f018f663..3636a3f1e 100644
--- a/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
@@ -5,7 +5,7 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 
-import type { CreateTokenFormContext } from "db/types";
+import type { CreateTokenFormContext as CreateTokenFormContextType } from "db/types";
 import { ApiAccessScope, apiAccessTokensInitializerSchema } from "db/public";
 import { permissionsSchema } from "db/types";
 import { Button } from "ui/button";
@@ -19,6 +19,7 @@ import { Separator } from "ui/separator";
 
 import { useServerAction } from "~/lib/serverActions";
 import * as actions from "./actions";
+import { CreateTokenFormContext } from "./CreateTokenFormContext";
 import { PermissionField } from "./PermissionField";
 
 export const createTokenFormSchema = apiAccessTokensInitializerSchema
@@ -58,7 +59,7 @@ export const createTokenFormSchema = apiAccessTokensInitializerSchema
 export type CreateTokenFormSchema = z.infer<typeof createTokenFormSchema>;
 export type CreateTokenForm = ReturnType<typeof useForm<CreateTokenFormSchema>>;
 
-export const CreateTokenForm = ({ context }: { context: CreateTokenFormContext }) => {
+export const CreateTokenForm = () => {
 	const form = useForm<CreateTokenFormSchema>({
 		resolver: zodResolver(createTokenFormSchema),
 		defaultValues: {
@@ -140,7 +141,6 @@ export const CreateTokenForm = ({ context }: { context: CreateTokenFormContext }
 														key={scope}
 														name={scope}
 														form={form}
-														context={context}
 														prettyName={`${scope[0].toUpperCase()}${scope.slice(1)}`}
 													/>
 												</React.Fragment>
@@ -194,3 +194,25 @@ export const CreateTokenForm = ({ context }: { context: CreateTokenFormContext }
 		</Form>
 	);
 };
+
+/**
+ * Exported here instead of just importing CreateTokenFormContext.tsx
+ * in page.tsx, because doing so triggers the following strange error
+ *
+ * React.jsx: type is invalid -- expected a string (for built-in components)
+ * or a class/function (for composite components) but got: undefined.
+ * You likely forgot to export your component from the file it's defined in,
+ * or you might have mixed up default and named imports
+ */
+export const CreateTokenFormWithContext = ({ stages, pubTypes }: CreateTokenFormContextType) => {
+	return (
+		<CreateTokenFormContext.Provider
+			value={{
+				stages,
+				pubTypes,
+			}}
+		>
+			<CreateTokenForm />
+		</CreateTokenFormContext.Provider>
+	);
+};
diff --git a/core/app/c/[communitySlug]/settings/tokens/CreateTokenFormContext.tsx b/core/app/c/[communitySlug]/settings/tokens/CreateTokenFormContext.tsx
new file mode 100644
index 000000000..a7bdd2275
--- /dev/null
+++ b/core/app/c/[communitySlug]/settings/tokens/CreateTokenFormContext.tsx
@@ -0,0 +1,10 @@
+"use client";
+
+import { createContext } from "react";
+
+import type { CreateTokenFormContext as CreateTokenFormContextType } from "db/types";
+
+export const CreateTokenFormContext = createContext<CreateTokenFormContextType>({
+	stages: [],
+	pubTypes: [],
+});
diff --git a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
index 36972ddd4..5be2eab62 100644
--- a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
@@ -2,10 +2,10 @@
 
 import type { ControllerRenderProps } from "react-hook-form";
 
-import { createContext, useContext, useMemo } from "react";
+import { useContext, useMemo } from "react";
 
-import type { ApiAccessScope } from "db/public";
-import type { ApiAccessPermissionConstraintsInput, CreateTokenFormContext } from "db/types";
+import type { ApiAccessScope, PubTypesId, StagesId } from "db/public";
+import type { ApiAccessPermissionConstraintsInput } from "db/types";
 import { ApiAccessType } from "db/public";
 import { Button } from "ui/button";
 import { Checkbox } from "ui/checkbox";
@@ -14,6 +14,7 @@ import { MultiSelect } from "ui/multi-select";
 import { Popover, PopoverContent, PopoverTrigger } from "ui/popover";
 
 import type { CreateTokenForm, CreateTokenFormSchema } from "./CreateTokenForm";
+import { CreateTokenFormContext } from "./CreateTokenFormContext";
 
 /**
  * This is a type for a configuration object for form fields. It allows you to specify
@@ -123,19 +124,96 @@ type ScopesWithOnlyNormalConstraints<
 
 type CustomConstraintFormElement<Value> = (props: {
 	value: boolean | Value;
-	onChange: (...args: any[]) => void;
+	onChange: (value: boolean | Value) => void;
 }) => React.ReactNode;
 
-const CreateTokenFormContextContext = createContext<CreateTokenFormContext>({ stages: [] });
-
 /**
  * Here you configure the specific form elements for each permission type
  */
 const permissionContraintMap: PermissionContraintMap = {
 	community: null,
 	pub: {
+		[ApiAccessType.read]: ({ value, onChange }) => {
+			const context = useContext(CreateTokenFormContext);
+			return (
+				<div className="flex flex-col gap-2">
+					<h3 className="font-semibold">Stages</h3>
+					<span className="text-xs text-muted-foreground">
+						Select the stages this token can read Pubs from
+					</span>
+					<MultiSelect
+						variant="inverted"
+						options={context.stages.map((stage) => ({
+							label: stage.name,
+							value: stage.id,
+						}))}
+						/**
+						 * This just means: if it is set to `true`, allow it to act on all stages.
+						 * If it is set to `false`, allow it to act on no stages.
+						 * Otherwise just reuse the value of the `stages` field. (this is a bit of a cop-out as this situation should never come to pass)
+						 */
+						defaultValue={
+							value === true
+								? context.stages.map((stage) => stage.id)
+								: !value
+									? []
+									: (value.stages ?? [])
+						}
+						onValueChange={(val) => {
+							onChange(
+								val.length > 0 && val.length !== context.stages.length
+									? {
+											stages: val as StagesId[],
+											pubTypes:
+												typeof value == "object" ? value.pubTypes : [],
+										}
+									: true
+							);
+						}}
+						animation={0}
+						data-testid={`pub-${ApiAccessType.write}-stages-select`}
+					/>
+
+					<h3 className="font-semibold">Types</h3>
+					<span className="text-xs text-muted-foreground">
+						Select the types of Pubs this token can read
+					</span>
+					<MultiSelect
+						variant="inverted"
+						options={context.pubTypes.map((pubType) => ({
+							label: pubType.name,
+							value: pubType.id,
+						}))}
+						/**
+						 * This just means: if it is set to `true`, allow it to act on all stages.
+						 * If it is set to `false`, allow it to act on no stages.
+						 * Otherwise just reuse the value of the `stages` field. (this is a bit of a cop-out as this situation should never come to pass)
+						 */
+						defaultValue={
+							value === true
+								? context.pubTypes.map((stage) => stage.id)
+								: !value
+									? []
+									: (value.pubTypes ?? [])
+						}
+						onValueChange={(val) => {
+							onChange(
+								val.length > 0 && val.length !== context.pubTypes.length
+									? {
+											pubTypes: val as PubTypesId[],
+											stages: typeof value == "object" ? value.stages : [],
+										}
+									: true
+							);
+						}}
+						animation={0}
+						data-testid={`pub-${ApiAccessType.write}-pub-types-select`}
+					/>
+				</div>
+			);
+		},
 		[ApiAccessType.write]: ({ value, onChange }) => {
-			const context = useContext(CreateTokenFormContextContext);
+			const context = useContext(CreateTokenFormContext);
 			return (
 				<div className="flex flex-col gap-2">
 					<h3 className="text-lg font-semibold">Stages</h3>
@@ -176,7 +254,7 @@ const permissionContraintMap: PermissionContraintMap = {
 	},
 	stage: {
 		[ApiAccessType.read]: ({ value, onChange }) => {
-			const context = useContext(CreateTokenFormContextContext);
+			const context = useContext(CreateTokenFormContext);
 			return (
 				<div className="flex flex-col gap-2">
 					<h3 className="text-lg font-semibold">Stages</h3>
@@ -214,35 +292,31 @@ export const PermissionField = ({
 	form,
 	name,
 	prettyName,
-	context,
 }: {
 	form: CreateTokenForm;
 	name: ApiAccessScope;
 	prettyName: string;
-	context: CreateTokenFormContext;
 }) => {
 	return (
-		<CreateTokenFormContextContext.Provider value={context}>
-			<FormField
-				control={form.control}
-				name={`permissions.${name}`}
-				render={({ field }) => (
-					<div className="">
-						<h3 className="text-sm">{prettyName}</h3>
-						<div className="grid h-10 grid-cols-3 gap-2">
-							{Object.values(ApiAccessType).map((type) => (
-								<FormField
-									key={type}
-									control={form.control}
-									name={`permissions.${name}.${type}`}
-									render={ConstraintFormFieldRender}
-								/>
-							))}
-						</div>
+		<FormField
+			control={form.control}
+			name={`permissions.${name}`}
+			render={({ field }) => (
+				<div className="">
+					<h3 className="text-sm">{prettyName}</h3>
+					<div className="grid h-10 grid-cols-3 gap-2">
+						{Object.values(ApiAccessType).map((type) => (
+							<FormField
+								key={type}
+								control={form.control}
+								name={`permissions.${name}.${type}`}
+								render={ConstraintFormFieldRender}
+							/>
+						))}
 					</div>
-				)}
-			/>
-		</CreateTokenFormContextContext.Provider>
+				</div>
+			)}
+		/>
 	);
 };
 
diff --git a/core/app/c/[communitySlug]/settings/tokens/page.tsx b/core/app/c/[communitySlug]/settings/tokens/page.tsx
index f3c3391b0..9218bdfba 100644
--- a/core/app/c/[communitySlug]/settings/tokens/page.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/page.tsx
@@ -3,10 +3,11 @@ import type { Metadata } from "next";
 import { notFound } from "next/navigation";
 
 import { getPageLoginData } from "~/lib/authentication/loginData";
+import { getPubTypesForCommunity } from "~/lib/server";
 import { getApiAccessTokensByCommunity } from "~/lib/server/apiAccessTokens";
 import { findCommunityBySlug } from "~/lib/server/community";
 import { getStages } from "~/lib/server/stages";
-import { CreateTokenForm } from "./CreateTokenForm";
+import { CreateTokenFormWithContext } from "./CreateTokenForm";
 import { ExistingToken } from "./ExistingToken";
 
 export const metadata: Metadata = {
@@ -21,8 +22,9 @@ export default async function Page(props: { params: { communitySlug: string } })
 		return notFound();
 	}
 
-	const [stages, existingTokens] = await Promise.all([
+	const [stages, pubTypes, existingTokens] = await Promise.all([
 		getStages({ communityId: community.id, userId: user.id }).execute(),
+		getPubTypesForCommunity(community.id),
 		getApiAccessTokensByCommunity(community.id).execute(),
 	]);
 
@@ -47,11 +49,7 @@ export default async function Page(props: { params: { communitySlug: string } })
 							</div>
 						</div>
 					)}
-					<CreateTokenForm
-						context={{
-							stages,
-						}}
-					/>
+					<CreateTokenFormWithContext stages={stages} pubTypes={pubTypes} />
 				</div>
 			</div>
 		</div>
diff --git a/packages/db/src/types/ApiAccessToken.ts b/packages/db/src/types/ApiAccessToken.ts
index a8442ca2f..b1de4b1c8 100644
--- a/packages/db/src/types/ApiAccessToken.ts
+++ b/packages/db/src/types/ApiAccessToken.ts
@@ -6,8 +6,10 @@ import { z } from "zod";
 
 import type { ApiAccessPermissions as NonGenericApiAccessPermissions } from "../public/ApiAccessPermissions";
 import type { ApiAccessType } from "../public/ApiAccessType";
+import type { PubTypes } from "../public/PubTypes";
 import type { Stages } from "../public/Stages";
 import { ApiAccessScope } from "../public/ApiAccessScope";
+import { pubTypesIdSchema } from "../public/PubTypes";
 import { stagesIdSchema } from "../public/Stages";
 
 /**
@@ -55,7 +57,14 @@ export const permissionsSchema = z.object({
 		archive: z.boolean().optional(),
 	}),
 	[ApiAccessScope.pub]: z.object({
-		read: z.boolean().optional(),
+		read: z
+			.object({
+				stages: z.array(stagesIdSchema),
+				pubTypes: z.array(pubTypesIdSchema),
+			})
+			.partial()
+			.or(z.boolean())
+			.optional(),
 		write: z
 			.object({
 				stages: z.array(stagesIdSchema),
@@ -78,6 +87,7 @@ export const permissionsSchema = z.object({
 
 export type CreateTokenFormContext = {
 	stages: Stages[];
+	pubTypes: PubTypes[];
 };
 
 export type ApiAccessPermissionConstraintsInput = z.infer<typeof permissionsSchema>;

From 91ff6eb6c9d0c7204c8fc2aeeb1123f9d539d0c3 Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Wed, 29 Jan 2025 15:34:13 +0100
Subject: [PATCH 2/9] feat: add ability to set pub read restrictions for api
 tokens

---
 .../site/[...ts-rest]/route.ts                |  50 +++-
 .../tokens/CreateTokenFormContext.tsx         |  13 +-
 .../settings/tokens/PermissionField.tsx       |  82 +++----
 .../[communitySlug]/settings/tokens/page.tsx  |  21 +-
 .../app/c/[communitySlug]/types/TypeBlock.tsx |  62 ++---
 core/lib/server/pub.db.test.ts                |  24 +-
 core/lib/server/pub.ts                        |  39 +++-
 core/playwright.config.ts                     |   2 +-
 core/playwright/api/site.spec.ts              |  69 +++++-
 core/playwright/fixtures/api-token-page.ts    |  54 ++++-
 core/playwright/fixtures/pub-types-page.ts    |  13 ++
 .../playwright/fixtures/stages-manage-page.ts |  16 +-
 core/playwright/site-api.spec.ts              | 218 +++++++++++++++++-
 packages/contracts/src/resources/site.ts      |  19 +-
 packages/db/src/types/ApiAccessToken.ts       |  31 ++-
 packages/ui/src/multi-select.tsx              |   7 +
 16 files changed, 599 insertions(+), 121 deletions(-)

diff --git a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
index d0d4e8382..627f60e69 100644
--- a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
+++ b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
@@ -222,7 +222,7 @@ const handler = createNextHandler(
 	{
 		pubs: {
 			get: async ({ params, query }) => {
-				const { user, community } = await checkAuthorization({
+				const { user, community, authorization } = await checkAuthorization({
 					token: { scope: ApiAccessScope.pub, type: ApiAccessType.read },
 					cookies: {
 						capability: Capabilities.viewPub,
@@ -239,25 +239,65 @@ const handler = createNextHandler(
 					query
 				);
 
+				if (typeof authorization === "object") {
+					const allowedStages = authorization.stages;
+					if (allowedStages && allowedStages.length > 0) {
+						throw new ForbiddenError(
+							`You are not authorized to view this pub in stage ${pub.stageId}`
+						);
+					}
+				}
+
 				return {
 					status: 200,
 					body: pub,
 				};
 			},
 			getMany: async ({ query }) => {
-				const { user, community } = await checkAuthorization({
+				const { user, community, authorization } = await checkAuthorization({
 					token: { scope: ApiAccessScope.pub, type: ApiAccessType.read },
 					// TODO: figure out capability here
 					cookies: false,
 				});
 
-				const { pubTypeId, stageId, ...rest } = query;
+				const allowedPubTypes =
+					typeof authorization === "object" ? authorization.pubTypes : undefined;
+				const allowedStages =
+					typeof authorization === "object" ? authorization.stages : undefined;
+
+				let { pubTypeId, stageId, pubIds, ...rest } = query;
+
+				const requestedPubTypes = pubTypeId
+					? Array.isArray(pubTypeId)
+						? pubTypeId
+						: [pubTypeId]
+					: undefined;
+				const requestedStages = stageId
+					? Array.isArray(stageId)
+						? stageId
+						: [stageId]
+					: undefined;
+				const requestedPubIds = pubIds
+					? Array.isArray(pubIds)
+						? pubIds
+						: [pubIds]
+					: undefined;
+
+				const pubTypes = requestedPubTypes
+					? requestedPubTypes.filter((pubType) => allowedPubTypes?.includes(pubType))
+					: allowedPubTypes;
+				const stages = requestedStages
+					? requestedStages.filter((stage) => allowedStages?.includes(stage))
+					: allowedStages;
+
+				console.log(pubTypes, stages);
 
 				const pubs = await getPubsWithRelatedValuesAndChildren(
 					{
 						communityId: community.id,
-						pubTypeId,
-						stageId,
+						pubTypeId: pubTypes,
+						stageId: stages,
+						pubIds: requestedPubIds,
 						userId: user.id,
 					},
 					rest
diff --git a/core/app/c/[communitySlug]/settings/tokens/CreateTokenFormContext.tsx b/core/app/c/[communitySlug]/settings/tokens/CreateTokenFormContext.tsx
index a7bdd2275..546e3717f 100644
--- a/core/app/c/[communitySlug]/settings/tokens/CreateTokenFormContext.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/CreateTokenFormContext.tsx
@@ -3,8 +3,17 @@
 import { createContext } from "react";
 
 import type { CreateTokenFormContext as CreateTokenFormContextType } from "db/types";
+import { NO_STAGE_OPTION } from "db/types";
 
 export const CreateTokenFormContext = createContext<CreateTokenFormContextType>({
-	stages: [],
-	pubTypes: [],
+	stages: {
+		stages: [],
+		allOptions: [NO_STAGE_OPTION],
+		allValues: [NO_STAGE_OPTION.value],
+	},
+	pubTypes: {
+		pubTypes: [],
+		allOptions: [],
+		allValues: [],
+	},
 });
diff --git a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
index 5be2eab62..479bca0ad 100644
--- a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
@@ -135,6 +135,7 @@ const permissionContraintMap: PermissionContraintMap = {
 	pub: {
 		[ApiAccessType.read]: ({ value, onChange }) => {
 			const context = useContext(CreateTokenFormContext);
+
 			return (
 				<div className="flex flex-col gap-2">
 					<h3 className="font-semibold">Stages</h3>
@@ -143,35 +144,34 @@ const permissionContraintMap: PermissionContraintMap = {
 					</span>
 					<MultiSelect
 						variant="inverted"
-						options={context.stages.map((stage) => ({
-							label: stage.name,
-							value: stage.id,
-						}))}
-						/**
-						 * This just means: if it is set to `true`, allow it to act on all stages.
-						 * If it is set to `false`, allow it to act on no stages.
-						 * Otherwise just reuse the value of the `stages` field. (this is a bit of a cop-out as this situation should never come to pass)
-						 */
+						options={context.stages.allOptions}
 						defaultValue={
 							value === true
-								? context.stages.map((stage) => stage.id)
+								? context.stages.allValues
 								: !value
 									? []
 									: (value.stages ?? [])
 						}
 						onValueChange={(val) => {
-							onChange(
-								val.length > 0 && val.length !== context.stages.length
-									? {
-											stages: val as StagesId[],
-											pubTypes:
-												typeof value == "object" ? value.pubTypes : [],
-										}
-									: true
-							);
+							const allStagesSelected =
+								val.length === context.stages.allValues.length;
+
+							const allPubTypesSelected =
+								typeof value === "object" &&
+								value.pubTypes?.length === context.pubTypes.allValues.length;
+
+							if (allStagesSelected && allPubTypesSelected) {
+								onChange(true);
+								return;
+							}
+
+							onChange({
+								stages: val as StagesId[],
+								pubTypes: typeof value === "object" ? value.pubTypes : [],
+							});
 						}}
 						animation={0}
-						data-testid={`pub-${ApiAccessType.write}-stages-select`}
+						data-testid={`pub-${ApiAccessType.read}-stages-select`}
 					/>
 
 					<h3 className="font-semibold">Types</h3>
@@ -180,34 +180,34 @@ const permissionContraintMap: PermissionContraintMap = {
 					</span>
 					<MultiSelect
 						variant="inverted"
-						options={context.pubTypes.map((pubType) => ({
-							label: pubType.name,
-							value: pubType.id,
-						}))}
-						/**
-						 * This just means: if it is set to `true`, allow it to act on all stages.
-						 * If it is set to `false`, allow it to act on no stages.
-						 * Otherwise just reuse the value of the `stages` field. (this is a bit of a cop-out as this situation should never come to pass)
-						 */
+						options={context.pubTypes.allOptions}
 						defaultValue={
 							value === true
-								? context.pubTypes.map((stage) => stage.id)
+								? context.pubTypes.allValues
 								: !value
 									? []
 									: (value.pubTypes ?? [])
 						}
 						onValueChange={(val) => {
-							onChange(
-								val.length > 0 && val.length !== context.pubTypes.length
-									? {
-											pubTypes: val as PubTypesId[],
-											stages: typeof value == "object" ? value.stages : [],
-										}
-									: true
-							);
+							const allPubTypesSelected =
+								val.length === context.pubTypes.allValues.length;
+
+							const allStagesSelected =
+								typeof value === "object" &&
+								value.stages?.length === context.stages.allValues.length;
+
+							if (allPubTypesSelected && allStagesSelected) {
+								onChange(true);
+								return;
+							}
+
+							onChange({
+								pubTypes: val as PubTypesId[],
+								stages: typeof value == "object" ? value.stages : [],
+							});
 						}}
 						animation={0}
-						data-testid={`pub-${ApiAccessType.write}-pub-types-select`}
+						data-testid={`pub-${ApiAccessType.read}-pubTypes-select`}
 					/>
 				</div>
 			);
@@ -241,7 +241,7 @@ const permissionContraintMap: PermissionContraintMap = {
 						onValueChange={(value) => {
 							onChange(
 								value.length > 0 && value.length !== context.stages.length
-									? { stages: value }
+									? { stages: value as StagesId[] }
 									: true
 							);
 						}}
@@ -275,7 +275,7 @@ const permissionContraintMap: PermissionContraintMap = {
 									: value.stages
 						}
 						onValueChange={(value) => {
-							onChange(value.length > 0 ? value : true);
+							onChange(value.length > 0 ? { stages: value as StagesId[] } : true);
 						}}
 						animation={0}
 						data-testid={`stage-${ApiAccessType.read}-stages-select`}
diff --git a/core/app/c/[communitySlug]/settings/tokens/page.tsx b/core/app/c/[communitySlug]/settings/tokens/page.tsx
index 9218bdfba..a6cb74284 100644
--- a/core/app/c/[communitySlug]/settings/tokens/page.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/page.tsx
@@ -2,6 +2,8 @@ import type { Metadata } from "next";
 
 import { notFound } from "next/navigation";
 
+import { NO_STAGE_OPTION } from "db/types";
+
 import { getPageLoginData } from "~/lib/authentication/loginData";
 import { getPubTypesForCommunity } from "~/lib/server";
 import { getApiAccessTokensByCommunity } from "~/lib/server/apiAccessTokens";
@@ -49,7 +51,24 @@ export default async function Page(props: { params: { communitySlug: string } })
 							</div>
 						</div>
 					)}
-					<CreateTokenFormWithContext stages={stages} pubTypes={pubTypes} />
+					<CreateTokenFormWithContext
+						stages={{
+							stages,
+							allOptions: [
+								NO_STAGE_OPTION,
+								...stages.map((stage) => ({ label: stage.name, value: stage.id })),
+							],
+							allValues: [NO_STAGE_OPTION.value, ...stages.map((stage) => stage.id)],
+						}}
+						pubTypes={{
+							pubTypes,
+							allOptions: pubTypes.map((pubType) => ({
+								label: pubType.name,
+								value: pubType.id,
+							})),
+							allValues: pubTypes.map((pubType) => pubType.id),
+						}}
+					/>
 				</div>
 			</div>
 		</div>
diff --git a/core/app/c/[communitySlug]/types/TypeBlock.tsx b/core/app/c/[communitySlug]/types/TypeBlock.tsx
index ab1224160..d79486715 100644
--- a/core/app/c/[communitySlug]/types/TypeBlock.tsx
+++ b/core/app/c/[communitySlug]/types/TypeBlock.tsx
@@ -4,7 +4,7 @@ import { useState } from "react";
 
 import type { CoreSchemaType, PubFieldsId } from "db/public";
 import { Button } from "ui/button";
-import { Card, CardContent } from "ui/card";
+import { Card, CardContent, CardHeader } from "ui/card";
 import { Check, ChevronDown, ChevronUp, Pencil } from "ui/icon";
 import { Label } from "ui/label";
 import { usePubFieldContext } from "ui/pubFields";
@@ -90,44 +90,52 @@ const TypeBlock: React.FC<Props> = function ({ type, allowEditing }) {
 	};
 	return (
 		<Card>
-			<CardContent className="px-6 py-2">
-				<div className="flex items-center justify-between">
-					<h2 className="flex-grow font-bold">{type.name}</h2>
+			<CardHeader className="flex flex-row items-center justify-between">
+				<h2 className="flex-grow font-bold">
+					{type.name}{" "}
+					<span
+						className="inline-block whitespace-nowrap rounded-md bg-gray-100 p-0.5 text-xs text-gray-500"
+						data-testid={`pubtype-${type.name}-id`}
+					>
+						<pre className="font-mono">{type.id}</pre>
+					</span>
+				</h2>
+				<Button
+					size="icon"
+					variant={"ghost"}
+					aria-label="Expand"
+					onClick={() => {
+						setExpanded(!expanded);
+					}}
+				>
+					{expanded ? <ChevronUp /> : <ChevronDown />}
+				</Button>
+				{allowEditing && (
 					<Button
+						className="ml-1"
 						size="icon"
-						variant={"ghost"}
-						aria-label="Expand"
+						variant={editing ? "secondary" : "ghost"}
+						aria-label="Edit"
 						onClick={() => {
-							setExpanded(!expanded);
+							setEditing(!editing);
 						}}
+						data-testid={`edit-pubtype-${type.name}`}
 					>
-						{expanded ? <ChevronUp /> : <ChevronDown />}
+						<span className="sr-only">Edit Pub Type</span>
+						<Pencil size="12" />
 					</Button>
-					{allowEditing && (
-						<Button
-							className="ml-1"
-							size="icon"
-							variant={editing ? "secondary" : "ghost"}
-							aria-label="Edit"
-							onClick={() => {
-								setEditing(!editing);
-							}}
-							data-testid={`edit-pubtype-${type.name}`}
-						>
-							<span className="sr-only">Edit Pub Type</span>
-							<Pencil size="12" />
-						</Button>
-					)}
-				</div>
+				)}
+			</CardHeader>
+			<CardContent>
 				<div className="text-sm">{type.description}</div>
 				{(expanded || editing) && (
-					<div className="ml-2 mt-4">
+					<div>
 						<RadioGroup
 							defaultValue={titleField}
 							onValueChange={handleTitleFieldChange}
 							className="flex"
 						>
-							<table className="border-separate border-spacing-x-2 text-left">
+							<table className="border-separate text-left">
 								<thead>
 									<tr>
 										<th>Fields</th>
@@ -196,7 +204,7 @@ const TypeBlock: React.FC<Props> = function ({ type, allowEditing }) {
 					</div>
 				)}
 				{editing && (
-					<div className="m-4">
+					<div className="">
 						<Label className="my-1 block">
 							Add additional fields to <span className="italic">{type.name}</span>
 						</Label>
diff --git a/core/lib/server/pub.db.test.ts b/core/lib/server/pub.db.test.ts
index 3634f7c67..ce1dc199f 100644
--- a/core/lib/server/pub.db.test.ts
+++ b/core/lib/server/pub.db.test.ts
@@ -658,7 +658,7 @@ describe("getPubsWithRelatedValuesAndChildren", () => {
 		});
 	});
 
-	it("should be able to filter by pubtype or stage and pubtype and stage", async () => {
+	it("should be able to filter by pubtype or stage or no stage and pubtype and stage", async () => {
 		const { getPubsWithRelatedValuesAndChildren } = await import("./pub");
 
 		const allPubs = await getPubsWithRelatedValuesAndChildren(
@@ -668,23 +668,29 @@ describe("getPubsWithRelatedValuesAndChildren", () => {
 
 		expect(allPubs.length).toBe(5);
 
-		const [minimalPubs, pubsInStage1, basicPubsInStage1] = await Promise.all([
+		const [minimalPubs, pubsInStage1, basicPubsInStage1, pubsInNoStage] = await Promise.all([
 			getPubsWithRelatedValuesAndChildren(
-				{ pubTypeId: pubTypes["Minimal Pub"].id, communityId: community.id },
+				{ pubTypeId: [pubTypes["Minimal Pub"].id], communityId: community.id },
 				{ withPubType: true, depth: 10 }
 			),
 			getPubsWithRelatedValuesAndChildren(
-				{ stageId: stages["Stage 1"].id, communityId: community.id },
+				{ stageId: [stages["Stage 1"].id], communityId: community.id },
 				{ withStage: true, depth: 10 }
 			),
 			getPubsWithRelatedValuesAndChildren(
 				{
-					pubTypeId: pubTypes["Basic Pub"].id,
-					stageId: stages["Stage 1"].id,
+					pubTypeId: [pubTypes["Basic Pub"].id],
+					stageId: [stages["Stage 1"].id],
 					communityId: community.id,
 				},
 				{ withPubType: true, withStage: true, depth: 10 }
 			),
+			getPubsWithRelatedValuesAndChildren(
+				// passing ['no-stage'] is different from passing null,
+				// as null will just not filter by stage at all
+				{ communityId: community.id, stageId: ["no-stage"] },
+				{ withPubType: true, withStage: true, depth: 10 }
+			),
 		]);
 
 		expect(minimalPubs.length).toBe(1);
@@ -695,6 +701,12 @@ describe("getPubsWithRelatedValuesAndChildren", () => {
 		expect(basicPubsInStage1.length).toBe(1);
 		expect(basicPubsInStage1[0].pubType?.id).toBe(pubTypes["Basic Pub"].id);
 		expect(basicPubsInStage1[0].stage?.id).toBe(stages["Stage 1"].id);
+
+		const allPubsWithoutStage = allPubs.filter((p) => p.stageId === null);
+		expect(pubsInNoStage.length).toBe(allPubsWithoutStage.length);
+		pubsInNoStage.forEach((p) => {
+			expect(p.stageId).toBeNull();
+		});
 	});
 
 	it("should be able to limit the amount of top-level pubs retrieved while still fetching children and related pubs", async () => {
diff --git a/core/lib/server/pub.ts b/core/lib/server/pub.ts
index bb248af78..24c561e9a 100644
--- a/core/lib/server/pub.ts
+++ b/core/lib/server/pub.ts
@@ -34,8 +34,9 @@ import type {
 	StagesId,
 	UsersId,
 } from "db/public";
-import type { LastModifiedBy } from "db/types";
+import type { LastModifiedBy, StageConstraint } from "db/types";
 import { Capabilities, CoreSchemaType, MemberRole, MembershipType, OperationType } from "db/public";
+import { NO_STAGE_OPTION } from "db/types";
 import { assert, expect } from "utils";
 
 import type { MaybeHas, Prettify, XOR } from "../types";
@@ -1211,6 +1212,7 @@ interface GetPubsWithRelatedValuesAndChildrenOptions extends GetManyParams, Mayb
 type PubIdOrPubTypeIdOrStageIdOrCommunityId =
 	| {
 			pubId: PubsId;
+			pubIds?: never;
 			pubTypeId?: never;
 			stageId?: never;
 			communityId: CommunitiesId;
@@ -1218,8 +1220,12 @@ type PubIdOrPubTypeIdOrStageIdOrCommunityId =
 	  }
 	| {
 			pubId?: never;
-			pubTypeId?: PubTypesId;
-			stageId?: StagesId;
+			/**
+			 * Multiple pubIds to filter by
+			 */
+			pubIds?: PubsId[];
+			pubTypeId?: PubTypesId[];
+			stageId?: StageConstraint[];
 			communityId: CommunitiesId;
 			userId?: UsersId;
 	  };
@@ -1617,12 +1623,29 @@ export async function getPubsWithRelatedValuesAndChildren<
 								)
 						)
 					)
-					.$if(Boolean(props.pubId), (qb) => qb.where("pubs.id", "=", props.pubId!))
-					.$if(Boolean(props.stageId), (qb) =>
-						qb.where("PubsInStages.stageId", "=", props.stageId!)
+					.$if(!!props.pubId, (qb) => qb.where("pubs.id", "=", props.pubId!))
+					.$if(!!props.pubIds && props.pubIds.length > 0, (qb) =>
+						qb.where("pubs.id", "in", props.pubIds!)
 					)
-					.$if(Boolean(props.pubTypeId), (qb) =>
-						qb.where("pubs.pubTypeId", "=", props.pubTypeId!)
+					.$if(!!props.stageId && props.stageId.length > 0, (qb) => {
+						const noStage = props.stageId!.find(
+							(stage) => stage === NO_STAGE_OPTION.value
+						);
+						const stages = props.stageId!.filter(
+							(stage): stage is StagesId => stage !== NO_STAGE_OPTION.value
+						);
+
+						return qb.where((eb) =>
+							eb.or([
+								...(stages.length > 0
+									? [eb("PubsInStages.stageId", "in", stages)]
+									: []),
+								...(noStage ? [eb("PubsInStages.stageId", "is", null)] : []),
+							])
+						);
+					})
+					.$if(!!props.pubTypeId && props.pubTypeId.length > 0, (qb) =>
+						qb.where("pubs.pubTypeId", "in", props.pubTypeId!)
 					)
 					.$if(Boolean(limit), (qb) => qb.limit(limit!))
 					.$if(Boolean(offset), (qb) => qb.offset(offset!))
diff --git a/core/playwright.config.ts b/core/playwright.config.ts
index 0d000edd6..de7804e74 100644
--- a/core/playwright.config.ts
+++ b/core/playwright.config.ts
@@ -35,7 +35,7 @@ export default defineConfig({
 		},
 	],
 	// max 30 seconds per test in CI
-	timeout: process.env.CI ? 30 * 1000 : 10 * 60 * 1000,
+	timeout: process.env.CI ? 30 * 1000 :  30 * 1000,
 	/* Reporter to use. See https://playwright.dev/docs/test-reporters */
 	reporter: process.env.CI ? "github" : "html",
 	/* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
diff --git a/core/playwright/api/site.spec.ts b/core/playwright/api/site.spec.ts
index c7c1d56a1..40e4b2cc0 100644
--- a/core/playwright/api/site.spec.ts
+++ b/core/playwright/api/site.spec.ts
@@ -2,8 +2,12 @@ import type { Page } from "@playwright/test";
 
 import { expect, test } from "@playwright/test";
 
+import type { PubTypesId, StagesId } from "db/public";
+
 import { ApiTokenPage } from "../fixtures/api-token-page";
 import { LoginPage } from "../fixtures/login-page";
+import { PubTypesPage } from "../fixtures/pub-types-page";
+import { StagesManagePage } from "../fixtures/stages-manage-page";
 import { createCommunity } from "../helpers";
 
 const now = new Date().getTime();
@@ -13,6 +17,14 @@ test.describe.configure({ mode: "serial" });
 
 let page: Page;
 
+const TEST_STAGE_1 = "test stage" as const;
+const TEST_STAGE_2 = "test stage 2" as const;
+
+let testStage1Id: StagesId;
+let testStage2Id: StagesId;
+
+let testPubTypeId: PubTypesId;
+
 test.beforeAll(async ({ browser }) => {
 	page = await browser.newPage();
 	const loginPage = new LoginPage(page);
@@ -24,9 +36,25 @@ test.beforeAll(async ({ browser }) => {
 		community: { name: `test community ${now}`, slug: COMMUNITY_SLUG },
 	});
 
+	const stagesPage = new StagesManagePage(page, COMMUNITY_SLUG);
+	await stagesPage.goTo();
+	const testStage1 = await stagesPage.addStage(TEST_STAGE_1);
+	testStage1Id = testStage1.id;
+	const testStage2 = await stagesPage.addStage(TEST_STAGE_2);
+	testStage2Id = testStage2.id;
+
+	const pubTypesPage = new PubTypesPage(page, COMMUNITY_SLUG);
+	await pubTypesPage.goto();
+	const testPubType = await pubTypesPage.addType("test pub type", "test pub type description", [
+		`title`,
+	]);
+	testPubTypeId = testPubType.id;
+});
+
+test("should be able to create token with all permissions", async () => {
 	const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
 	await tokenPage.goto();
-	await tokenPage.createToken({
+	const token = await tokenPage.createToken({
 		// expiration: new Date(Date.now() + 1000 * 60 * 60 * 24 * 30),
 		name: "test token",
 		permissions: {
@@ -37,8 +65,43 @@ test.beforeAll(async ({ browser }) => {
 			member: { read: true, write: true, archive: true },
 		},
 	});
+
+	expect(token).not.toBeNull();
+
+	tokenPage.goto();
 });
 
-test("token should exist", async () => {
-	await expect(page.getByText("test token")).toBeVisible();
+test("should be able to create token with special permissions", async () => {
+	const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+	await tokenPage.goto();
+	const token = await tokenPage.createToken({
+		// expiration: new Date(Date.now() + 1000 * 60 * 60 * 24 * 30),
+		name: "test token",
+		permissions: {
+			pub: {
+				read: {
+					stages: [testStage1Id],
+					pubTypes: [testPubTypeId],
+				},
+			},
+		},
+	});
+
+	test.expect(token).not.toBeNull();
+
+	await tokenPage.goto();
+
+	await page.getByRole("button", { name: "Permissions" }).first().click();
+
+	const permissionsText = await page.getByText("pub: read").textContent();
+
+	const permissionContraints = permissionsText?.match(/\{.*\}/)?.[0];
+
+	test.expect(permissionContraints).not.toBeNull();
+
+	const permissionContraintsJson = JSON.parse(permissionContraints!);
+	test.expect(permissionContraintsJson).toMatchObject({
+		stages: [testStage1Id],
+		pubTypes: [testPubTypeId],
+	});
 });
diff --git a/core/playwright/fixtures/api-token-page.ts b/core/playwright/fixtures/api-token-page.ts
index eb8ea11c7..f691ba72f 100644
--- a/core/playwright/fixtures/api-token-page.ts
+++ b/core/playwright/fixtures/api-token-page.ts
@@ -6,6 +6,34 @@ import { expect } from "@playwright/test";
 import { ApiAccessScope, ApiAccessType } from "db/public";
 
 import type { createTokenFormSchema } from "~/app/c/[communitySlug]/settings/tokens/CreateTokenForm";
+import type { Prettify } from "~/lib/types";
+
+type Permissions = z.infer<typeof createTokenFormSchema>["permissions"];
+
+// this is so we can specify the stage name rather than the stage id
+// type PermissionsButWithStringsInsteadOfIds = {
+// 	[Scope in keyof Permissions]?: {
+// 		[Permission in keyof Permissions[Scope]]: Permissions[Scope][Permission] extends
+// 			| boolean
+// 			| undefined
+// 			? Permissions[Scope][Permission]
+// 			: Exclude<
+// 						Permissions[Scope][Permission],
+// 						boolean | undefined
+// 				  > extends infer Restrictions
+// 				?
+// 						| {
+// 								[Restriction in keyof Restrictions]: any[] extends Restrictions[Restriction]
+// 									? string[]
+// 									: Restrictions[Restriction];
+// 						  }
+// 						| boolean
+// 						| undefined
+// 				: never;
+// 	};
+// };
+
+// declare const x: PermissionsButWithStringsInsteadOfIds;
 
 export class ApiTokenPage {
 	private readonly newTokenNameBox: Locator;
@@ -38,7 +66,7 @@ export class ApiTokenPage {
 			z.infer<typeof createTokenFormSchema>,
 			"permissions" | "issuedById" | "expiration"
 		> & {
-			permissions: Partial<z.infer<typeof createTokenFormSchema>["permissions"]> | true;
+			permissions: Partial<Permissions> | true;
 		}
 	) {
 		await this.newTokenNameBox.fill(input.name);
@@ -57,18 +85,30 @@ export class ApiTokenPage {
 					continue;
 				}
 
-				if (value && "stage" in value) {
+				if (typeof value === "object") {
 					await this.page.getByTestId(`${scope}-${type}-options`).click();
-					await this.page.getByTestId(`${scope}-${type}-stages-select`).click();
-					for (const stage of value.stages) {
-						await this.page.getByLabel("Suggestions").getByText(stage).click();
+					for (const [key, values] of Object.entries(value)) {
+						await this.page.getByTestId(`${scope}-${type}-${key}-select`).click({
+							timeout: 2_000,
+						});
+						for (const val of values) {
+							await this.page
+								.getByLabel("Suggestions")
+								.getByTestId(`multi-select-option-${val}`)
+								.click({
+									timeout: 2_000,
+								});
+						}
+						await this.page.getByTestId(`multi-select-close`).click();
+						continue;
 					}
-					continue;
 				}
 			}
 		}
 
-		await this.newTokenCreateButton.click();
+		await this.newTokenCreateButton.click({
+			timeout: 1_000,
+		});
 
 		const token = await this.page.getByTestId("token-value").textContent();
 
diff --git a/core/playwright/fixtures/pub-types-page.ts b/core/playwright/fixtures/pub-types-page.ts
index 440369e53..fb2d78582 100644
--- a/core/playwright/fixtures/pub-types-page.ts
+++ b/core/playwright/fixtures/pub-types-page.ts
@@ -1,5 +1,9 @@
 import type { Page } from "@playwright/test";
 
+import { expect } from "@playwright/test";
+
+import type { PubTypesId } from "db/public";
+
 export class PubTypesPage {
 	private readonly communitySlug: string;
 
@@ -67,5 +71,14 @@ export class PubTypesPage {
 
 		// check whether the new type is created
 		await this.page.getByRole("heading", { name: name }).waitFor();
+
+		const pubTypeId = await this.page.getByTestId(`pubtype-${name}-id`).textContent();
+
+		expect(pubTypeId).toBeTruthy();
+
+		return {
+			name,
+			id: pubTypeId! as PubTypesId,
+		};
 	}
 }
diff --git a/core/playwright/fixtures/stages-manage-page.ts b/core/playwright/fixtures/stages-manage-page.ts
index bbd0a4dfc..cdcacafd0 100644
--- a/core/playwright/fixtures/stages-manage-page.ts
+++ b/core/playwright/fixtures/stages-manage-page.ts
@@ -1,6 +1,8 @@
 import type { Page } from "@playwright/test";
 
-import type { Action } from "db/public";
+import { test } from "@playwright/test";
+
+import type { Action, StagesId } from "db/public";
 
 import { slugifyString } from "~/lib/string";
 
@@ -22,10 +24,22 @@ export class StagesManagePage {
 		await this.page.keyboard.press("Control+n");
 		const node = this.getStageNode("Untitled Stage");
 		await node.dblclick();
+
+		const configureButton = node.getByRole("link");
+		const stageHref = await configureButton.getAttribute("href");
+		const stageId = stageHref?.split("editingStageId=")[1];
+		test.expect(stageId).not.toBeNull();
+
 		const nameInput = node.getByLabel("Edit stage name");
+
 		await nameInput.fill(stageName);
 		await nameInput.press("Enter");
 		await this.page.waitForTimeout(1000);
+
+		return {
+			id: stageId! as StagesId,
+			name: stageName,
+		};
 	}
 
 	async addMoveConstraint(sourceStage: string, destStage: string) {
diff --git a/core/playwright/site-api.spec.ts b/core/playwright/site-api.spec.ts
index 0225dc327..85468468e 100644
--- a/core/playwright/site-api.spec.ts
+++ b/core/playwright/site-api.spec.ts
@@ -3,11 +3,14 @@ import type { APIRequestContext, Page } from "@playwright/test";
 import { expect, test } from "@playwright/test";
 import { initClient } from "@ts-rest/core";
 
-import type { PubsId } from "db/public";
+import type { PubsId, PubTypesId, StagesId } from "db/public";
 import { siteApi } from "contracts";
+import { NO_STAGE_OPTION } from "db/types";
 
 import { ApiTokenPage, expectStatus } from "./fixtures/api-token-page";
 import { LoginPage } from "./fixtures/login-page";
+import { PubTypesPage } from "./fixtures/pub-types-page";
+import { StagesManagePage } from "./fixtures/stages-manage-page";
 import { createCommunity } from "./helpers";
 
 const now = new Date().getTime();
@@ -17,6 +20,14 @@ let page: Page;
 
 let client: ReturnType<typeof initClient<typeof siteApi, any>>;
 
+const createClient = (token: string) =>
+	initClient(siteApi, {
+		baseUrl: `http://localhost:3000/`,
+		baseHeaders: {
+			Authorization: `Bearer ${token}`,
+		},
+	});
+
 test.beforeAll(async ({ browser }) => {
 	page = await browser.newPage();
 
@@ -36,13 +47,9 @@ test.beforeAll(async ({ browser }) => {
 		description: "test description",
 		permissions: true,
 	});
+	expect(token).not.toBeNull();
 
-	client = initClient(siteApi, {
-		baseUrl: `http://localhost:3000/`,
-		baseHeaders: {
-			Authorization: `Bearer ${token}`,
-		},
-	});
+	client = createClient(token!);
 });
 
 test.describe("Site API", () => {
@@ -104,4 +111,201 @@ test.describe("Site API", () => {
 			expect(response.body.id).toBe(newPubId);
 		});
 	});
+
+	test.describe("restrictions", () => {
+		let clientOnlyPubTypeClient: ReturnType<typeof createClient>;
+		let clientOnlyStageClient: ReturnType<typeof createClient>;
+		let clientBothClient: ReturnType<typeof createClient>;
+		let clientNoStageClient: ReturnType<typeof createClient>;
+		let testPubType1: PubTypesId;
+		let testPubType2: PubTypesId;
+		let testStage1: StagesId;
+		let testStage2: StagesId;
+
+		test.beforeAll(async () => {
+			const pubTypesPage = new PubTypesPage(page, COMMUNITY_SLUG);
+			await pubTypesPage.goto();
+			const pubType1 = await pubTypesPage.addType(
+				"test pub type",
+				"test pub type description",
+				[`title`]
+			);
+			testPubType1 = pubType1.id;
+			const pubType2 = await pubTypesPage.addType(
+				"test pub type 2",
+				"test pub type description 2",
+				[`title`]
+			);
+			testPubType2 = pubType2.id;
+
+			const stagePage = new StagesManagePage(page, COMMUNITY_SLUG);
+			await stagePage.goTo();
+			const stage1 = await stagePage.addStage("test stage");
+			testStage1 = stage1.id;
+			const stage2 = await stagePage.addStage("test stage 2");
+			testStage2 = stage2.id;
+
+			const pubResponses = await Promise.all(
+				[pubType1, pubType2].flatMap((pubType) =>
+					[null, stage1, stage2].map((stage) =>
+						client.pubs.create({
+							headers: {
+								prefer: "return=representation",
+							},
+							params: {
+								communitySlug: COMMUNITY_SLUG,
+							},
+							body: {
+								pubTypeId: pubType.id,
+								stageId: stage?.id,
+								values: {
+									[`${COMMUNITY_SLUG}:title`]: `pubType: "${pubType.name}"; stage: "${stage?.name}"`,
+								},
+							},
+						})
+					)
+				)
+			);
+
+			expect(pubResponses).toHaveLength(6);
+			pubResponses.forEach((response) => {
+				expectStatus(response, 201);
+			});
+		});
+
+		test("if only pub type is restricted, only pubs of that pub type are returned", async () => {
+			const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+			await tokenPage.goto();
+
+			const onlyPubTypeToken = await tokenPage.createToken({
+				name: "test token with pub type restriction",
+				permissions: {
+					pub: {
+						read: {
+							pubTypes: [testPubType1],
+						},
+						write: true,
+					},
+				},
+			});
+
+			clientOnlyPubTypeClient = createClient(onlyPubTypeToken!);
+
+			const pubResponseRestricted = await clientOnlyPubTypeClient.pubs.getMany({
+				params: {
+					communitySlug: COMMUNITY_SLUG,
+				},
+				query: {},
+			});
+
+			expectStatus(pubResponseRestricted, 200);
+			expect(pubResponseRestricted.body).toHaveLength(3);
+			expect(pubResponseRestricted.body.every((pub) => pub.pubTypeId === testPubType1)).toBe(
+				true
+			);
+		});
+
+		test("if only stage is restricted, only pubs of that stage are returned", async () => {
+			const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+			const onlyStageToken = await tokenPage.createToken({
+				name: "test token",
+				permissions: {
+					pub: {
+						read: {
+							stages: [testStage1],
+						},
+					},
+				},
+			});
+			clientOnlyStageClient = createClient(onlyStageToken!);
+
+			const pubResponseRestricted = await clientOnlyStageClient.pubs.getMany({
+				params: {
+					communitySlug: COMMUNITY_SLUG,
+				},
+				query: {},
+			});
+
+			expectStatus(pubResponseRestricted, 200);
+			expect(pubResponseRestricted.body).toHaveLength(2);
+			expect(pubResponseRestricted.body.every((pub) => pub.stageId === testStage1)).toBe(
+				true
+			);
+		});
+
+		test("if both pub type and stage are restricted, only pubs of that pub type and stage are returned", async () => {
+			const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+			const bothToken = await tokenPage.createToken({
+				name: "test token with pub type and stage restriction",
+				permissions: {
+					pub: {
+						read: {
+							pubTypes: [testPubType1],
+							stages: [testStage1],
+						},
+					},
+				},
+			});
+			clientBothClient = createClient(bothToken!);
+
+			const pubResponseRestricted = await clientBothClient.pubs.getMany({
+				params: {
+					communitySlug: COMMUNITY_SLUG,
+				},
+				query: {},
+			});
+
+			expectStatus(pubResponseRestricted, 200);
+			expect(pubResponseRestricted.body).toHaveLength(1);
+			expect(pubResponseRestricted.body[0].pubTypeId).toBe(testPubType1);
+			expect(pubResponseRestricted.body[0].stageId).toBe(testStage1);
+		});
+
+		test("if stage is restricted, we can still further filter by pub type", async () => {
+			const pubResponseRestrictedToStage1FilteredByPubType1 =
+				await clientOnlyStageClient.pubs.getMany({
+					params: {
+						communitySlug: COMMUNITY_SLUG,
+					},
+					query: {
+						pubTypeId: testPubType1,
+					},
+				});
+
+			expectStatus(pubResponseRestrictedToStage1FilteredByPubType1, 200);
+			expect(pubResponseRestrictedToStage1FilteredByPubType1.body).toHaveLength(1);
+			expect(pubResponseRestrictedToStage1FilteredByPubType1.body[0].pubTypeId).toBe(
+				testPubType1
+			);
+			expect(pubResponseRestrictedToStage1FilteredByPubType1.body[0].stageId).toBe(
+				testStage1
+			);
+		});
+
+		test("if stages are restricted to pubs not in a stage ", async () => {
+			const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+			const noStageToken = await tokenPage.createToken({
+				name: "test token with no stage restriction",
+				permissions: {
+					pub: {
+						read: {
+							stages: ["no-stage"],
+						},
+					},
+				},
+			});
+			clientNoStageClient = createClient(noStageToken!);
+
+			const pubResponseRestricted = await clientNoStageClient.pubs.getMany({
+				params: {
+					communitySlug: COMMUNITY_SLUG,
+				},
+				query: {},
+			});
+
+			expectStatus(pubResponseRestricted, 200);
+			expect(pubResponseRestricted.body).toHaveLength(2);
+			expect(pubResponseRestricted.body[0].stageId).toBe(null);
+		});
+	});
 });
diff --git a/packages/contracts/src/resources/site.ts b/packages/contracts/src/resources/site.ts
index f67951584..1942d2f4a 100644
--- a/packages/contracts/src/resources/site.ts
+++ b/packages/contracts/src/resources/site.ts
@@ -1,7 +1,5 @@
-import type { AppRouteResponse, ContractOtherResponse, Opaque } from "@ts-rest/core";
-
 import { initContract } from "@ts-rest/core";
-import { z, ZodNull } from "zod";
+import { z } from "zod";
 
 import type {
 	CommunitiesId,
@@ -34,6 +32,7 @@ import {
 	usersIdSchema,
 	usersSchema,
 } from "db/public";
+import { stageConstraintSchema } from "db/types";
 
 import type { Json } from "./types";
 import {
@@ -373,8 +372,18 @@ export const siteApi = contract.router(
 				description:
 					"Get a list of pubs by ID. This endpoint is used by the PubPub site builder to get a list of pubs.",
 				query: getPubQuerySchema.extend({
-					pubTypeId: pubTypesIdSchema.optional().describe("Filter by pub type ID."),
-					stageId: stagesIdSchema.optional().describe("Filter by stage ID."),
+					pubIds: pubsIdSchema
+						.or(z.array(pubsIdSchema))
+						.optional()
+						.describe("Filter by pub ID."),
+					pubTypeId: pubTypesIdSchema
+						.or(z.array(pubTypesIdSchema))
+						.optional()
+						.describe("Filter by pub type ID."),
+					stageId: stageConstraintSchema
+						.or(z.array(stageConstraintSchema))
+						.optional()
+						.describe("Filter by stage ID."),
 					limit: z.number().default(10),
 					offset: z.number().default(0).optional(),
 					orderBy: z.enum(["createdAt", "updatedAt"]).optional(),
diff --git a/packages/db/src/types/ApiAccessToken.ts b/packages/db/src/types/ApiAccessToken.ts
index b1de4b1c8..a20702f1a 100644
--- a/packages/db/src/types/ApiAccessToken.ts
+++ b/packages/db/src/types/ApiAccessToken.ts
@@ -6,8 +6,8 @@ import { z } from "zod";
 
 import type { ApiAccessPermissions as NonGenericApiAccessPermissions } from "../public/ApiAccessPermissions";
 import type { ApiAccessType } from "../public/ApiAccessType";
-import type { PubTypes } from "../public/PubTypes";
-import type { Stages } from "../public/Stages";
+import type { PubTypes, PubTypesId } from "../public/PubTypes";
+import type { Stages, StagesId } from "../public/Stages";
 import { ApiAccessScope } from "../public/ApiAccessScope";
 import { pubTypesIdSchema } from "../public/PubTypes";
 import { stagesIdSchema } from "../public/Stages";
@@ -40,6 +40,15 @@ export type ApiAccessPermissionContraintsObjectShape = {
 	[key in ApiAccessScope]: ApiAccessPermissionConstraintsShape;
 };
 
+export const NO_STAGE_OPTION = {
+	label: "[Pubs with no stage]",
+	value: "no-stage",
+} as const;
+
+export const stageConstraintSchema = z.union([z.literal(NO_STAGE_OPTION.value), stagesIdSchema]);
+
+export type StageConstraint = z.infer<typeof stageConstraintSchema>;
+
 export const permissionsSchema = z.object({
 	[ApiAccessScope.community]: z.object({
 		read: z.boolean().optional(),
@@ -49,7 +58,7 @@ export const permissionsSchema = z.object({
 	[ApiAccessScope.stage]: z.object({
 		read: z
 			.object({
-				stages: z.array(stagesIdSchema),
+				stages: z.array(stageConstraintSchema),
 			})
 			.or(z.boolean())
 			.optional(),
@@ -59,7 +68,7 @@ export const permissionsSchema = z.object({
 	[ApiAccessScope.pub]: z.object({
 		read: z
 			.object({
-				stages: z.array(stagesIdSchema),
+				stages: z.array(stageConstraintSchema),
 				pubTypes: z.array(pubTypesIdSchema),
 			})
 			.partial()
@@ -67,7 +76,7 @@ export const permissionsSchema = z.object({
 			.optional(),
 		write: z
 			.object({
-				stages: z.array(stagesIdSchema),
+				stages: z.array(stageConstraintSchema),
 			})
 			.or(z.boolean())
 			.optional(),
@@ -86,8 +95,16 @@ export const permissionsSchema = z.object({
 }) satisfies z.Schema<ApiAccessPermissionContraintsObjectShape>;
 
 export type CreateTokenFormContext = {
-	stages: Stages[];
-	pubTypes: PubTypes[];
+	stages: {
+		stages: Stages[];
+		allOptions: [typeof NO_STAGE_OPTION, ...{ label: string; value: StagesId }[]];
+		allValues: [typeof NO_STAGE_OPTION.value, ...StagesId[]];
+	};
+	pubTypes: {
+		pubTypes: PubTypes[];
+		allOptions: { label: string; value: PubTypesId }[];
+		allValues: PubTypesId[];
+	};
 };
 
 export type ApiAccessPermissionConstraintsInput = z.infer<typeof permissionsSchema>;
diff --git a/packages/ui/src/multi-select.tsx b/packages/ui/src/multi-select.tsx
index f6e1f5cbd..ca5de8114 100644
--- a/packages/ui/src/multi-select.tsx
+++ b/packages/ui/src/multi-select.tsx
@@ -181,6 +181,7 @@ export const MultiSelect = React.forwardRef<HTMLButtonElement, MultiSelectProps>
 												{option?.label}
 												<XCircle
 													className="ml-2 h-4 w-4 cursor-pointer"
+													data-testid={`multi-select-remove-${value}`}
 													onClick={(event) => {
 														event.stopPropagation();
 														toggleOption(value);
@@ -209,6 +210,7 @@ export const MultiSelect = React.forwardRef<HTMLButtonElement, MultiSelectProps>
 													event.stopPropagation();
 													clearExtraOptions();
 												}}
+												data-testid={`multi-select-clear-extra`}
 											/>
 										</Badge>
 									)}
@@ -216,6 +218,7 @@ export const MultiSelect = React.forwardRef<HTMLButtonElement, MultiSelectProps>
 								<div className="flex items-center justify-between">
 									<XIcon
 										className="mx-2 h-4 cursor-pointer text-muted-foreground"
+										data-testid={`multi-select-clear-all`}
 										onClick={(event) => {
 											event.stopPropagation();
 											handleClear();
@@ -252,6 +255,7 @@ export const MultiSelect = React.forwardRef<HTMLButtonElement, MultiSelectProps>
 									key="all"
 									onSelect={toggleAll}
 									className="cursor-pointer"
+									data-testid={`multi-select-toggle-all`}
 								>
 									<div
 										className={cn(
@@ -272,6 +276,7 @@ export const MultiSelect = React.forwardRef<HTMLButtonElement, MultiSelectProps>
 											key={option.value}
 											onSelect={() => toggleOption(option.value)}
 											className="cursor-pointer"
+											data-testid={`multi-select-option-${option.value}`}
 										>
 											<div
 												className={cn(
@@ -299,6 +304,7 @@ export const MultiSelect = React.forwardRef<HTMLButtonElement, MultiSelectProps>
 											<CommandItem
 												onSelect={handleClear}
 												className="flex-1 cursor-pointer justify-center"
+												data-testid={`multi-select-clear`}
 											>
 												Clear
 											</CommandItem>
@@ -312,6 +318,7 @@ export const MultiSelect = React.forwardRef<HTMLButtonElement, MultiSelectProps>
 									<CommandItem
 										onSelect={() => setIsPopoverOpen(false)}
 										className="flex-1 cursor-pointer justify-center"
+										data-testid={`multi-select-close`}
 									>
 										Close
 									</CommandItem>

From 8102f7b696df2dfe2ded265d98ad0b7cb0e6599e Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Mon, 3 Feb 2025 10:04:01 +0100
Subject: [PATCH 3/9] improve read restrictions

---
 .../site/[...ts-rest]/route.ts                | 24 +++++---
 .../settings/tokens/CreateTokenForm.tsx       |  7 ++-
 .../settings/tokens/PermissionField.tsx       | 60 +++++++++----------
 .../stages/components/StageList.tsx           |  2 +-
 core/globalSetup.ts                           |  2 +-
 core/playwright/fixtures/api-token-page.ts    |  4 ++
 core/playwright/site-api.spec.ts              | 19 +++++-
 packages/db/src/public/PublicSchema.ts        | 44 +++++++-------
 packages/ui/src/checkbox.tsx                  |  8 ++-
 9 files changed, 103 insertions(+), 67 deletions(-)

diff --git a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
index 627f60e69..5c31a8ef3 100644
--- a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
+++ b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
@@ -283,14 +283,22 @@ const handler = createNextHandler(
 						: [pubIds]
 					: undefined;
 
-				const pubTypes = requestedPubTypes
-					? requestedPubTypes.filter((pubType) => allowedPubTypes?.includes(pubType))
-					: allowedPubTypes;
-				const stages = requestedStages
-					? requestedStages.filter((stage) => allowedStages?.includes(stage))
-					: allowedStages;
-
-				console.log(pubTypes, stages);
+				const pubTypes =
+					requestedPubTypes?.length && allowedPubTypes?.length
+						? requestedPubTypes.filter((pubType) => allowedPubTypes?.includes(pubType))
+						: allowedPubTypes?.length || requestedPubTypes;
+
+				const stages =
+					requestedStages?.length && allowedStages?.length
+						? requestedStages.filter((stage) => allowedStages?.includes(stage))
+						: (allowedStages ?? requestedStages);
+
+				console.log("requestedPubTypes", requestedPubTypes);
+				console.log("allowedPubTypes", allowedPubTypes);
+				console.log("pubTypes", pubTypes);
+				console.log("requestedStages", requestedStages);
+				console.log("allowedStages", allowedStages);
+				console.log("stages", stages);
 
 				const pubs = await getPubsWithRelatedValuesAndChildren(
 					{
diff --git a/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx b/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
index 3636a3f1e..87badca72 100644
--- a/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
@@ -28,6 +28,7 @@ export const createTokenFormSchema = apiAccessTokensInitializerSchema
 		issuedById: true,
 	})
 	.extend({
+		name: z.string().min(1, "Name is required").max(255, "Name is too long"),
 		description: z.string().max(255).optional(),
 		token: apiAccessTokensInitializerSchema.shape.token.optional(),
 		expiration: z
@@ -63,6 +64,8 @@ export const CreateTokenForm = () => {
 	const form = useForm<CreateTokenFormSchema>({
 		resolver: zodResolver(createTokenFormSchema),
 		defaultValues: {
+			name: "",
+			description: "",
 			// default to 1 day from now, mostly to make testing easier
 			expiration: new Date(Date.now() + 1000 * 60 * 60 * 24),
 		},
@@ -80,6 +83,8 @@ export const CreateTokenForm = () => {
 	// this `as const` should not be necessary, not sure why it is
 	const token = form.watch("token" as const);
 
+	console.log(form.getValues());
+
 	return (
 		<Form {...form}>
 			<form className="grid gap-2" onSubmit={form.handleSubmit(onSubmit)}>
@@ -165,7 +170,7 @@ export const CreateTokenForm = () => {
 						<Button
 							type="submit"
 							className="justify-self-end"
-							disabled={!form.formState.isValid}
+							// disabled={!form.formState.isValid}
 							data-testid="create-token-button"
 						>
 							Create Token
diff --git a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
index 479bca0ad..af603fcf4 100644
--- a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
@@ -149,8 +149,8 @@ const permissionContraintMap: PermissionContraintMap = {
 							value === true
 								? context.stages.allValues
 								: !value
-									? []
-									: (value.stages ?? [])
+									? context.stages.allValues
+									: (value.stages ?? context.stages.allValues)
 						}
 						onValueChange={(val) => {
 							const allStagesSelected =
@@ -160,14 +160,20 @@ const permissionContraintMap: PermissionContraintMap = {
 								typeof value === "object" &&
 								value.pubTypes?.length === context.pubTypes.allValues.length;
 
-							if (allStagesSelected && allPubTypesSelected) {
+							if ((allStagesSelected || val.length === 0) && allPubTypesSelected) {
 								onChange(true);
 								return;
 							}
 
 							onChange({
-								stages: val as StagesId[],
-								pubTypes: typeof value === "object" ? value.pubTypes : [],
+								stages:
+									val.length === 0
+										? context.stages.allValues
+										: (val as StagesId[]),
+								pubTypes:
+									typeof value === "object"
+										? value.pubTypes
+										: context.pubTypes.allValues,
 							});
 						}}
 						animation={0}
@@ -185,8 +191,8 @@ const permissionContraintMap: PermissionContraintMap = {
 							value === true
 								? context.pubTypes.allValues
 								: !value
-									? []
-									: (value.pubTypes ?? [])
+									? context.pubTypes.allValues
+									: (value.pubTypes ?? context.pubTypes.allValues)
 						}
 						onValueChange={(val) => {
 							const allPubTypesSelected =
@@ -196,14 +202,20 @@ const permissionContraintMap: PermissionContraintMap = {
 								typeof value === "object" &&
 								value.stages?.length === context.stages.allValues.length;
 
-							if (allPubTypesSelected && allStagesSelected) {
+							if ((allStagesSelected || val.length === 0) && allPubTypesSelected) {
 								onChange(true);
 								return;
 							}
 
 							onChange({
-								pubTypes: val as PubTypesId[],
-								stages: typeof value == "object" ? value.stages : [],
+								pubTypes:
+									val.length === 0
+										? context.pubTypes.allValues
+										: (val as PubTypesId[]),
+								stages:
+									typeof value == "object"
+										? value.stages
+										: context.stages.allValues,
 							});
 						}}
 						animation={0}
@@ -222,25 +234,18 @@ const permissionContraintMap: PermissionContraintMap = {
 					</span>
 					<MultiSelect
 						variant="inverted"
-						options={context.stages.map((stage) => ({
-							label: stage.name,
-							value: stage.id,
-						}))}
+						options={context.stages.allOptions}
 						/**
 						 * This just means: if it is set to `true`, allow it to act on all stages.
 						 * If it is set to `false`, allow it to act on no stages.
 						 * Otherwise just reuse the value of the `stages` field. (this is a bit of a cop-out as this situation should never come to pass)
 						 */
 						defaultValue={
-							value === true
-								? context.stages.map((stage) => stage.id)
-								: !value
-									? []
-									: value.stages
+							value === true ? context.stages.allValues : !value ? [] : value.stages
 						}
 						onValueChange={(value) => {
 							onChange(
-								value.length > 0 && value.length !== context.stages.length
+								value.length > 0 && value.length !== context.stages.allValues.length
 									? { stages: value as StagesId[] }
 									: true
 							);
@@ -263,16 +268,9 @@ const permissionContraintMap: PermissionContraintMap = {
 					</span>
 					<MultiSelect
 						variant="inverted"
-						options={context.stages.map((stage) => ({
-							label: stage.name,
-							value: stage.id,
-						}))}
+						options={context.stages.allOptions}
 						defaultValue={
-							value === true
-								? context.stages.map((stage) => stage.id)
-								: !value
-									? []
-									: value.stages
+							value === true ? context.stages.allValues : !value ? [] : value.stages
 						}
 						onValueChange={(value) => {
 							onChange(value.length > 0 ? { stages: value as StagesId[] } : true);
@@ -328,7 +326,7 @@ function FormItemWrapper({
 	dataTestId,
 }: {
 	children?: React.ReactNode;
-	checked: boolean;
+	checked: boolean | "indeterminate";
 	onChange: (change: boolean) => void;
 	type: ApiAccessType;
 	dataTestId: string;
@@ -402,7 +400,7 @@ export const ConstraintFormFieldRender = ({
 	return (
 		<FormItemWrapper
 			dataTestId={`${scope}-${type}-checkbox`}
-			checked={Boolean(field.value)}
+			checked={typeof field.value === "object" ? "indeterminate" : Boolean(field.value)}
 			onChange={field.onChange}
 			type={type}
 		>
diff --git a/core/app/c/[communitySlug]/stages/components/StageList.tsx b/core/app/c/[communitySlug]/stages/components/StageList.tsx
index e5cea9686..a542c52f5 100644
--- a/core/app/c/[communitySlug]/stages/components/StageList.tsx
+++ b/core/app/c/[communitySlug]/stages/components/StageList.tsx
@@ -107,7 +107,7 @@ export async function StagePubs({
 }) {
 	const [stagePubs, actionInstances] = await Promise.all([
 		getPubsWithRelatedValuesAndChildren(
-			{ stageId: stage.id, communityId: stage.communityId },
+			{ stageId: [stage.id], communityId: stage.communityId },
 			{
 				// fetch one extra pub so we know whether or not to render a show more button
 				limit: pagination?.pubsPerPage || (totalPubLimit && totalPubLimit + 1),
diff --git a/core/globalSetup.ts b/core/globalSetup.ts
index 3ef4b9cb6..6ae8391e6 100644
--- a/core/globalSetup.ts
+++ b/core/globalSetup.ts
@@ -16,7 +16,7 @@ export const setup = async () => {
 
 	logger.info("Resetting database...");
 	const result = spawnSync(
-		"MINIMAL_SEED=true pnpm --filter core exec dotenv -e ./.env.test -e ./.env.test.local prisma migrate reset -- --preview-feature --force",
+		"pnpm --filter core exec dotenv -e ./.env.test -e ./.env.test.local prisma migrate reset -- --preview-feature --force",
 		{
 			shell: true,
 			stdio: "inherit",
diff --git a/core/playwright/fixtures/api-token-page.ts b/core/playwright/fixtures/api-token-page.ts
index f691ba72f..f5738a4ae 100644
--- a/core/playwright/fixtures/api-token-page.ts
+++ b/core/playwright/fixtures/api-token-page.ts
@@ -69,6 +69,7 @@ export class ApiTokenPage {
 			permissions: Partial<Permissions> | true;
 		}
 	) {
+		await this.newTokenNameBox.click();
 		await this.newTokenNameBox.fill(input.name);
 		await this.newTokenDescriptionBox.fill(input.description ?? "");
 		// await this.newTokenExpiryDatePicker.fill(input.expiration.toISOString());
@@ -106,6 +107,9 @@ export class ApiTokenPage {
 			}
 		}
 
+		// for some reason the name is not recognized properly sometimes
+		await this.newTokenNameBox.fill(input.name);
+
 		await this.newTokenCreateButton.click({
 			timeout: 1_000,
 		});
diff --git a/core/playwright/site-api.spec.ts b/core/playwright/site-api.spec.ts
index 85468468e..9b7d577b1 100644
--- a/core/playwright/site-api.spec.ts
+++ b/core/playwright/site-api.spec.ts
@@ -126,7 +126,7 @@ test.describe("Site API", () => {
 			const pubTypesPage = new PubTypesPage(page, COMMUNITY_SLUG);
 			await pubTypesPage.goto();
 			const pubType1 = await pubTypesPage.addType(
-				"test pub type",
+				"test pub type 1",
 				"test pub type description",
 				[`title`]
 			);
@@ -235,6 +235,7 @@ test.describe("Site API", () => {
 
 		test("if both pub type and stage are restricted, only pubs of that pub type and stage are returned", async () => {
 			const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+			tokenPage.goto();
 			const bothToken = await tokenPage.createToken({
 				name: "test token with pub type and stage restriction",
 				permissions: {
@@ -262,6 +263,21 @@ test.describe("Site API", () => {
 		});
 
 		test("if stage is restricted, we can still further filter by pub type", async () => {
+			const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+			tokenPage.goto();
+			const onlyStageToken = await tokenPage.createToken({
+				name: "tttest token with stage restriction",
+				description: "tttest token with stage restriction",
+				permissions: {
+					pub: {
+						read: {
+							stages: [testStage1],
+						},
+					},
+				},
+			});
+			clientOnlyStageClient = createClient(onlyStageToken!);
+
 			const pubResponseRestrictedToStage1FilteredByPubType1 =
 				await clientOnlyStageClient.pubs.getMany({
 					params: {
@@ -284,6 +300,7 @@ test.describe("Site API", () => {
 
 		test("if stages are restricted to pubs not in a stage ", async () => {
 			const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+			tokenPage.goto();
 			const noStageToken = await tokenPage.createToken({
 				name: "test token with no stage restriction",
 				permissions: {
diff --git a/packages/db/src/public/PublicSchema.ts b/packages/db/src/public/PublicSchema.ts
index 62eb7d16d..a950774b0 100644
--- a/packages/db/src/public/PublicSchema.ts
+++ b/packages/db/src/public/PublicSchema.ts
@@ -33,6 +33,28 @@ import type { StagesTable } from "./Stages";
 import type { UsersTable } from "./Users";
 
 export interface PublicSchema {
+	api_access_tokens: ApiAccessTokensTable;
+
+	api_access_logs: ApiAccessLogsTable;
+
+	api_access_permissions: ApiAccessPermissionsTable;
+
+	form_elements: FormElementsTable;
+
+	sessions: SessionsTable;
+
+	community_memberships: CommunityMembershipsTable;
+
+	pub_memberships: PubMembershipsTable;
+
+	stage_memberships: StageMembershipsTable;
+
+	form_memberships: FormMembershipsTable;
+
+	membership_capabilities: MembershipCapabilitiesTable;
+
+	pub_values_history: PubValuesHistoryTable;
+
 	_prisma_migrations: PrismaMigrationsTable;
 
 	users: UsersTable;
@@ -70,26 +92,4 @@ export interface PublicSchema {
 	action_runs: ActionRunsTable;
 
 	forms: FormsTable;
-
-	api_access_tokens: ApiAccessTokensTable;
-
-	api_access_logs: ApiAccessLogsTable;
-
-	api_access_permissions: ApiAccessPermissionsTable;
-
-	form_elements: FormElementsTable;
-
-	sessions: SessionsTable;
-
-	community_memberships: CommunityMembershipsTable;
-
-	pub_memberships: PubMembershipsTable;
-
-	stage_memberships: StageMembershipsTable;
-
-	form_memberships: FormMembershipsTable;
-
-	membership_capabilities: MembershipCapabilitiesTable;
-
-	pub_values_history: PubValuesHistoryTable;
 }
diff --git a/packages/ui/src/checkbox.tsx b/packages/ui/src/checkbox.tsx
index 851bf7e59..efbd16125 100644
--- a/packages/ui/src/checkbox.tsx
+++ b/packages/ui/src/checkbox.tsx
@@ -2,7 +2,7 @@
 
 import * as React from "react";
 import * as CheckboxPrimitive from "@radix-ui/react-checkbox";
-import { Check } from "lucide-react";
+import { Check, Minus } from "lucide-react";
 
 import { cn } from "utils";
 
@@ -21,7 +21,11 @@ const Checkbox = React.forwardRef<
 		<CheckboxPrimitive.Indicator
 			className={cn("flex items-center justify-center text-current")}
 		>
-			<Check className="h-4 w-4" />
+			{props.checked === "indeterminate" ? (
+				<Minus className="h-4 w-4" />
+			) : (
+				<Check className="h-4 w-4" />
+			)}
 		</CheckboxPrimitive.Indicator>
 	</CheckboxPrimitive.Root>
 ));

From 4a7e5337feae25a05ab97d7bebff0f9c3a22624e Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Mon, 3 Feb 2025 15:00:12 +0100
Subject: [PATCH 4/9] fix: restore old timeout

---
 core/playwright.config.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/playwright.config.ts b/core/playwright.config.ts
index de7804e74..0d000edd6 100644
--- a/core/playwright.config.ts
+++ b/core/playwright.config.ts
@@ -35,7 +35,7 @@ export default defineConfig({
 		},
 	],
 	// max 30 seconds per test in CI
-	timeout: process.env.CI ? 30 * 1000 :  30 * 1000,
+	timeout: process.env.CI ? 30 * 1000 : 10 * 60 * 1000,
 	/* Reporter to use. See https://playwright.dev/docs/test-reporters */
 	reporter: process.env.CI ? "github" : "html",
 	/* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */

From 2fac102df2b6a25b2ce5b2e1958d2aa4d2a2916b Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Mon, 3 Feb 2025 15:10:13 +0100
Subject: [PATCH 5/9] fix: do not make contraints optional

---
 .../c/[communitySlug]/site/[...ts-rest]/route.ts   | 14 ++++----------
 .../settings/tokens/CreateTokenForm.tsx            |  2 --
 packages/db/src/types/ApiAccessToken.ts            |  1 -
 3 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
index 5c31a8ef3..ca020ebd9 100644
--- a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
+++ b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
@@ -106,8 +106,7 @@ const getAuthorization = async () => {
 	return {
 		user,
 		authorization: rules.reduce((acc, curr) => {
-			const { scope, constraints, accessType } = curr;
-			if (!curr.constraints) {
+			if (curr.constraints != null) {
 				acc[curr.scope][curr.accessType] = true;
 				return acc;
 			}
@@ -286,20 +285,15 @@ const handler = createNextHandler(
 				const pubTypes =
 					requestedPubTypes?.length && allowedPubTypes?.length
 						? requestedPubTypes.filter((pubType) => allowedPubTypes?.includes(pubType))
-						: allowedPubTypes?.length || requestedPubTypes;
+						: allowedPubTypes && allowedPubTypes.length > 0
+							? allowedPubTypes
+							: requestedPubTypes;
 
 				const stages =
 					requestedStages?.length && allowedStages?.length
 						? requestedStages.filter((stage) => allowedStages?.includes(stage))
 						: (allowedStages ?? requestedStages);
 
-				console.log("requestedPubTypes", requestedPubTypes);
-				console.log("allowedPubTypes", allowedPubTypes);
-				console.log("pubTypes", pubTypes);
-				console.log("requestedStages", requestedStages);
-				console.log("allowedStages", allowedStages);
-				console.log("stages", stages);
-
 				const pubs = await getPubsWithRelatedValuesAndChildren(
 					{
 						communityId: community.id,
diff --git a/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx b/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
index 87badca72..092ed015b 100644
--- a/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/CreateTokenForm.tsx
@@ -83,8 +83,6 @@ export const CreateTokenForm = () => {
 	// this `as const` should not be necessary, not sure why it is
 	const token = form.watch("token" as const);
 
-	console.log(form.getValues());
-
 	return (
 		<Form {...form}>
 			<form className="grid gap-2" onSubmit={form.handleSubmit(onSubmit)}>
diff --git a/packages/db/src/types/ApiAccessToken.ts b/packages/db/src/types/ApiAccessToken.ts
index a20702f1a..f0534b586 100644
--- a/packages/db/src/types/ApiAccessToken.ts
+++ b/packages/db/src/types/ApiAccessToken.ts
@@ -71,7 +71,6 @@ export const permissionsSchema = z.object({
 				stages: z.array(stageConstraintSchema),
 				pubTypes: z.array(pubTypesIdSchema),
 			})
-			.partial()
 			.or(z.boolean())
 			.optional(),
 		write: z

From 474f90a4c22a45a74053f42e00a8dbecf9464494 Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Mon, 3 Feb 2025 15:43:27 +0100
Subject: [PATCH 6/9] fix: fix tests

---
 .../site/[...ts-rest]/route.ts                | 20 +++++++++++--
 .../settings/tokens/PermissionField.tsx       | 16 +++-------
 core/playwright/fixtures/api-token-page.ts    | 29 +++++++++++++++----
 core/playwright/site-api.spec.ts              |  8 +++--
 4 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
index ca020ebd9..de082f786 100644
--- a/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
+++ b/core/app/api/v0/c/[communitySlug]/site/[...ts-rest]/route.ts
@@ -106,7 +106,7 @@ const getAuthorization = async () => {
 	return {
 		user,
 		authorization: rules.reduce((acc, curr) => {
-			if (curr.constraints != null) {
+			if (!curr.constraints) {
 				acc[curr.scope][curr.accessType] = true;
 				return acc;
 			}
@@ -240,11 +240,27 @@ const handler = createNextHandler(
 
 				if (typeof authorization === "object") {
 					const allowedStages = authorization.stages;
-					if (allowedStages && allowedStages.length > 0) {
+					if (
+						pub.stageId &&
+						allowedStages &&
+						allowedStages.length > 0 &&
+						!allowedStages.includes(pub.stageId)
+					) {
 						throw new ForbiddenError(
 							`You are not authorized to view this pub in stage ${pub.stageId}`
 						);
 					}
+
+					const allowedPubTypes = authorization.pubTypes;
+					if (
+						allowedPubTypes &&
+						allowedPubTypes.length > 0 &&
+						!allowedPubTypes.includes(pub.pubTypeId)
+					) {
+						throw new ForbiddenError(
+							`You are not authorized to view this pub in pub type ${pub.pubTypeId}`
+						);
+					}
 				}
 
 				return {
diff --git a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
index af603fcf4..7b2983e73 100644
--- a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
@@ -146,11 +146,7 @@ const permissionContraintMap: PermissionContraintMap = {
 						variant="inverted"
 						options={context.stages.allOptions}
 						defaultValue={
-							value === true
-								? context.stages.allValues
-								: !value
-									? context.stages.allValues
-									: (value.stages ?? context.stages.allValues)
+							value === true || !value ? context.stages.allValues : value.stages
 						}
 						onValueChange={(val) => {
 							const allStagesSelected =
@@ -188,11 +184,7 @@ const permissionContraintMap: PermissionContraintMap = {
 						variant="inverted"
 						options={context.pubTypes.allOptions}
 						defaultValue={
-							value === true
-								? context.pubTypes.allValues
-								: !value
-									? context.pubTypes.allValues
-									: (value.pubTypes ?? context.pubTypes.allValues)
+							value === true || !value ? context.pubTypes.allValues : value.pubTypes
 						}
 						onValueChange={(val) => {
 							const allPubTypesSelected =
@@ -241,7 +233,7 @@ const permissionContraintMap: PermissionContraintMap = {
 						 * Otherwise just reuse the value of the `stages` field. (this is a bit of a cop-out as this situation should never come to pass)
 						 */
 						defaultValue={
-							value === true ? context.stages.allValues : !value ? [] : value.stages
+							value === true || !value ? context.stages.allValues : value.stages
 						}
 						onValueChange={(value) => {
 							onChange(
@@ -270,7 +262,7 @@ const permissionContraintMap: PermissionContraintMap = {
 						variant="inverted"
 						options={context.stages.allOptions}
 						defaultValue={
-							value === true ? context.stages.allValues : !value ? [] : value.stages
+							value === true || !value ? context.stages.allValues : value.stages
 						}
 						onValueChange={(value) => {
 							onChange(value.length > 0 ? { stages: value as StagesId[] } : true);
diff --git a/core/playwright/fixtures/api-token-page.ts b/core/playwright/fixtures/api-token-page.ts
index f5738a4ae..c9a78d67d 100644
--- a/core/playwright/fixtures/api-token-page.ts
+++ b/core/playwright/fixtures/api-token-page.ts
@@ -88,19 +88,36 @@ export class ApiTokenPage {
 
 				if (typeof value === "object") {
 					await this.page.getByTestId(`${scope}-${type}-options`).click();
-					for (const [key, values] of Object.entries(value)) {
+
+					const constraints = Object.entries(value);
+					for (let i = 0; i < constraints.length; i++) {
+						const [key, values] = constraints[i];
 						await this.page.getByTestId(`${scope}-${type}-${key}-select`).click({
 							timeout: 2_000,
 						});
-						for (const val of values) {
-							await this.page
-								.getByLabel("Suggestions")
-								.getByTestId(`multi-select-option-${val}`)
-								.click({
+
+						const options = await this.page
+							.getByLabel("Suggestions")
+							.getByTestId(/^multi-select-option-/)
+							.all();
+
+						for (const option of options) {
+							const optionValue = await option.getAttribute("data-testid", {
+								timeout: 2_000,
+							});
+							const value = optionValue?.replace("multi-select-option-", "");
+							if (value && !values.some((v) => v === value)) {
+								await option.click({
 									timeout: 2_000,
 								});
+							}
 						}
 						await this.page.getByTestId(`multi-select-close`).click();
+
+						// wait for the popover to close if we have multiple constraints so the selectors do not overlap
+						if (constraints.length > 1 && i < constraints.length - 1) {
+							await this.page.waitForTimeout(1_000);
+						}
 						continue;
 					}
 				}
diff --git a/core/playwright/site-api.spec.ts b/core/playwright/site-api.spec.ts
index 9b7d577b1..62f585b0d 100644
--- a/core/playwright/site-api.spec.ts
+++ b/core/playwright/site-api.spec.ts
@@ -182,6 +182,7 @@ test.describe("Site API", () => {
 				permissions: {
 					pub: {
 						read: {
+							stages: ["no-stage", testStage1, testStage2],
 							pubTypes: [testPubType1],
 						},
 						write: true,
@@ -213,6 +214,7 @@ test.describe("Site API", () => {
 					pub: {
 						read: {
 							stages: [testStage1],
+							pubTypes: [testPubType1, testPubType2],
 						},
 					},
 				},
@@ -266,12 +268,13 @@ test.describe("Site API", () => {
 			const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
 			tokenPage.goto();
 			const onlyStageToken = await tokenPage.createToken({
-				name: "tttest token with stage restriction",
-				description: "tttest token with stage restriction",
+				name: "test token with stage restriction",
+				description: "test token with stage restriction",
 				permissions: {
 					pub: {
 						read: {
 							stages: [testStage1],
+							pubTypes: [testPubType1, testPubType2],
 						},
 					},
 				},
@@ -307,6 +310,7 @@ test.describe("Site API", () => {
 					pub: {
 						read: {
 							stages: ["no-stage"],
+							pubTypes: [testPubType1, testPubType2],
 						},
 					},
 				},

From 3623f048229bec36f7acf3581d343a33862c2750 Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Tue, 25 Feb 2025 14:49:53 +0100
Subject: [PATCH 7/9] fix: use new stageId input

---
 core/lib/server/pub.sort.db.test.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/lib/server/pub.sort.db.test.ts b/core/lib/server/pub.sort.db.test.ts
index 2be366b04..9dca72571 100644
--- a/core/lib/server/pub.sort.db.test.ts
+++ b/core/lib/server/pub.sort.db.test.ts
@@ -117,7 +117,7 @@ describe("getPubsWithRelatedValuesAndChildren", () => {
 			getPubsWithRelatedValuesAndChildren(
 				{
 					communityId: community.id,
-					stageId: stages["Stage 1"].id,
+					stageId: [stages["Stage 1"].id],
 				},
 				{
 					limit: 5,
@@ -131,7 +131,7 @@ describe("getPubsWithRelatedValuesAndChildren", () => {
 			getPubsWithRelatedValuesAndChildren(
 				{
 					communityId: community.id,
-					stageId: stages["Stage 2"].id,
+					stageId: [stages["Stage 2"].id],
 				},
 				{
 					limit: 5,

From 5dddd9d024d1c69e52f1824c3d36ee979439318b Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Tue, 25 Feb 2025 16:19:17 +0100
Subject: [PATCH 8/9] fix: solve annoying function union type issue

---
 .../settings/tokens/PermissionField.tsx       | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
index 7b2983e73..e6c6f90c8 100644
--- a/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
+++ b/core/app/c/[communitySlug]/settings/tokens/PermissionField.tsx
@@ -375,7 +375,29 @@ export const ConstraintFormFieldRender = ({
 			return null;
 		}
 
-		return ExtraContraints;
+		// brief explanation:
+		// ExtraContraints ends up being a nice union of all possible Components
+		// that have extra cosntraints
+		// however, a union of functions leads to the parameters of those functions being intersected
+		// consider the union function
+		// `declare function f: ((a: string) => void) | ((a: number) => void)`
+		// you would think: the first param of F is either a string or a number
+		// but when you call `f(4)` you get an error, as the first param is expected to be
+		// `string & number` which is `never`, not `string | number`.
+		// this is extremely annoying behaviour
+
+		// what we do here is basically pre-emptively get the parameters of the function
+		// for our example, `Parameters<f>[0]` _is_ `string | number`, even though
+		// when you call `f(4)` you get an error.
+		// we do the same below
+
+		type ExtraParams = Parameters<typeof ExtraContraints>[0];
+
+		const CorrectlyTypedExtraContraints = ExtraContraints as (
+			props: ExtraParams
+		) => React.ReactNode;
+
+		return CorrectlyTypedExtraContraints;
 	}, [scope, type]);
 
 	if (!ExtraContrainstsFormItem) {

From c49df540cbfc666dc165e191b39a087b0a1b773e Mon Sep 17 00:00:00 2001
From: "Thomas F. K. Jorna" <hello@tefkah.com>
Date: Tue, 25 Feb 2025 18:59:25 +0100
Subject: [PATCH 9/9] fix: fix original token page test

---
 core/playwright/api/site.spec.ts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/core/playwright/api/site.spec.ts b/core/playwright/api/site.spec.ts
index 40e4b2cc0..3efc54b41 100644
--- a/core/playwright/api/site.spec.ts
+++ b/core/playwright/api/site.spec.ts
@@ -68,7 +68,15 @@ test("should be able to create token with all permissions", async () => {
 
 	expect(token).not.toBeNull();
 
-	tokenPage.goto();
+	await test.step("should be able to revoke token", async () => {
+		const tokenPage = new ApiTokenPage(page, COMMUNITY_SLUG);
+		await tokenPage.goto();
+		await page.getByRole("button", { name: "Revoke token" }).first().click({ timeout: 1_000 });
+
+		await page.getByRole("button", { name: "Remove" }).click();
+
+		await expect(page.getByRole("button", { name: "Revoke token" })).toHaveCount(0);
+	});
 });
 
 test("should be able to create token with special permissions", async () => {
@@ -76,7 +84,7 @@ test("should be able to create token with special permissions", async () => {
 	await tokenPage.goto();
 	const token = await tokenPage.createToken({
 		// expiration: new Date(Date.now() + 1000 * 60 * 60 * 24 * 30),
-		name: "test token",
+		name: "test token with special permissions",
 		permissions: {
 			pub: {
 				read: {