Add plugin owner menu with publish, delete, and verification actions.#405
Add plugin owner menu with publish, delete, and verification actions.#405pontusab wants to merge 1 commit into
Conversation
Owners manage listings from a compact options menu with confirmation dialogs, and can delete published plugins after confirming in an alert dialog. Co-authored-by: Cursor <cursoragent@cursor.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.
Bugbot Autofix prepared fixes for both issues found in the latest run.
- ✅ Fixed: Publish ignores scan status
- Publishing now requires the plugin scan status to be safe in both the server action and owner menu.
- ✅ Fixed: Missing null check after update
- The update result now treats a missing returned row as a controlled ActionError before revalidation.
Or push these changes by commenting:
@cursor push fc22372b14
Preview (fc22372b14)
diff --git a/apps/cursor/src/actions/toggle-plugin-listing.ts b/apps/cursor/src/actions/toggle-plugin-listing.ts
--- a/apps/cursor/src/actions/toggle-plugin-listing.ts
+++ b/apps/cursor/src/actions/toggle-plugin-listing.ts
@@ -20,7 +20,7 @@
const { data: existing, error: fetchError } = await supabase
.from("plugins")
- .select("id, owner_id, slug, permanently_blocked")
+ .select("id, owner_id, slug, permanently_blocked, scan_status")
.eq("id", id)
.single();
@@ -38,6 +38,12 @@
);
}
+ if (active && existing.scan_status !== "safe") {
+ throw new ActionError(
+ "This plugin cannot be published until the security scan passes.",
+ );
+ }
+
const { data, error } = await supabase
.from("plugins")
.update({ active })
@@ -46,8 +52,8 @@
.select("slug")
.single();
- if (error) {
- throw new ActionError(error.message);
+ if (error || !data) {
+ throw new ActionError(error?.message ?? "Plugin not found.");
}
revalidatePath("/");
diff --git a/apps/cursor/src/components/plugins/plugin-owner-menu.tsx b/apps/cursor/src/components/plugins/plugin-owner-menu.tsx
--- a/apps/cursor/src/components/plugins/plugin-owner-menu.tsx
+++ b/apps/cursor/src/components/plugins/plugin-owner-menu.tsx
@@ -126,7 +126,8 @@
const busy = isRequesting || isToggling || isDeleting;
const canVerify = !plugin.verified && !requestPending;
- const canPublish = !active && !plugin.permanently_blocked;
+ const canPublish =
+ !active && !plugin.permanently_blocked && plugin.scan_status === "safe";
return (
<>You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 5e1c31e. Configure here.
| const { data, error } = await supabase | ||
| .from("plugins") | ||
| .update({ active }) | ||
| .eq("id", id) |
There was a problem hiding this comment.
Publish ignores scan status
High Severity · Logic Bug
togglePluginListingAction sets active to true for owners with only a permanently_blocked check, so plugins still pending, scanning, flagged, or error can be published and appear in directory queries that filter on active.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 5e1c31e. Configure here.
| } | ||
|
|
||
| revalidatePath("/"); | ||
| revalidatePath(`/plugins/${data.slug}`); |
There was a problem hiding this comment.
Missing null check after update
Medium Severity · Logic Bug
After the listing update, the action only checks Supabase error and then uses data.slug for revalidatePath. If the update returns no row without an error, data can be null and revalidation throws at runtime.
Reviewed by Cursor Bugbot for commit 5e1c31e. Configure here.
1 participant
Owners manage listings from a compact options menu with confirmation dialogs, and can delete published plugins after confirming in an alert dialog.
Note
Medium Risk
Introduces irreversible plugin deletion and listing visibility changes backed by owner checks; mistakes or authorization gaps would affect directory data and public listings.
Overview
Adds a plugin owner options menu on the edit page and plugin detail view, replacing the standalone Edit link with edit, verification request, publish/unpublish, and permanent delete (with dialog confirmations).
New authenticated server actions
deletePluginActionandtogglePluginListingActionenforceowner_id, block publishing whenpermanently_blocked, and revalidate listing paths after changes.VerifyControlsis narrowed to admin-only approve/deny/mark verified; owner verification submission moves into the owner menu.Profile and cards surface unpublished listings for the profile owner via
getUserPlugins(..., { includeInactive: isOwner })and an Unpublished badge onPluginCard. Owners see an unpublished banner on the detail page while content remains viewable; one-click install stays gated onactive.Adds
alert-dialogUI (Radix) and a smallDropdownMenuItemgap style tweak for icon+label rows.Reviewed by Cursor Bugbot for commit 5e1c31e. Bugbot is set up for automated code reviews on this repo. Configure here.