From 0302b72af6f1032b67a7ba7dc88e6f5353b51c27 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 9 Sep 2024 09:20:56 +0200
Subject: [PATCH 01/28] Bump version to v0.2024.007.

---
 relchans/tyse-v0-dev | 2 +-
 version.txt          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/relchans/tyse-v0-dev b/relchans/tyse-v0-dev
index 9b9f590da..7ffd6aa86 160000
--- a/relchans/tyse-v0-dev
+++ b/relchans/tyse-v0-dev
@@ -1 +1 @@
-Subproject commit 9b9f590da473869c6bb9336b1226eaad545c23bc
+Subproject commit 7ffd6aa86153045ab663ed1450f8c4dc4940c1c6
diff --git a/version.txt b/version.txt
index 798315efb..3a75eb0bc 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v0.2024.006
+v0.2024.007

From 6abaeef0f8531749179922a0edf1697e878d21fb Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 9 Sep 2024 13:21:57 +0200
Subject: [PATCH 02/28] Temp fix flappy e2e test?

---
 .../specs/embcom.sort-order-op-likes-btn-txt.2br.ec.e2e.ts     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/e2e-wdio7/specs/embcom.sort-order-op-likes-btn-txt.2br.ec.e2e.ts b/tests/e2e-wdio7/specs/embcom.sort-order-op-likes-btn-txt.2br.ec.e2e.ts
index df0507455..d4b9ce0a8 100644
--- a/tests/e2e-wdio7/specs/embcom.sort-order-op-likes-btn-txt.2br.ec.e2e.ts
+++ b/tests/e2e-wdio7/specs/embcom.sort-order-op-likes-btn-txt.2br.ec.e2e.ts
@@ -246,6 +246,9 @@ describe("embcom.sort-order-op-likes-btn-txt.2br.ec  TyTEMBSORTLIKETXT", () => {
     // 2024-06-18: Happened again: "Waiting for visible:  .s_MB_Name" repeated until timeout.
     // 2024-06-20: Again
     // await mariasBrowser.metabar.waitUntilLoggedIn(); // not needed, let's skip?
+    // 2024-09-09: Again. Annoying.
+    await mariasBrowser.pause(2000); // let's just do this, for now. There're more
+                                     // important things to do.
     await mariasBrowser.complex.replyToEmbeddingBlogPost("Hi I am here");
   });
 

From 111f3269a108b94cae4e2fa3d2ff9e1ee34bde3e Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Fri, 6 Sep 2024 16:53:55 +0200
Subject: [PATCH 03/28] Fix paseto-cmd build err. Add build docs.

---
 modules/paseto-cmd/README.txt  | 12 +++++++++++-
 modules/paseto-cmd/src/main.rs |  6 +++---
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/modules/paseto-cmd/README.txt b/modules/paseto-cmd/README.txt
index b3dde9d6a..7a000b0bf 100644
--- a/modules/paseto-cmd/README.txt
+++ b/modules/paseto-cmd/README.txt
@@ -7,7 +7,17 @@ The secret should be a hex string. If there's any error, then, right now,
 the program exists and prints just nothing (crickets!), or maybe some cryptic
 Rust error message.
 
-But what's this for?
+
+Install Rust and Cargo, see: https://www.rust-lang.org/tools/install (as of Aug 2024).
+Then, do:  (in this folder, i.e. modules/paseto-cmd/)
+
+    cargo build
+
+That generates `modules/paseto-cmd/target/debug/paseto-cmd`. The debug build is
+all we need, see `encryptLocalPasetoV2Token()`  in ../../tests/e2e-wdio7/utils/utils.ts .
+
+
+But why?
 
 This is for blog comments Single Sign-On (SSO) e2e tests. Then, need to generate
 PASETO tokens, but the only Javascript library that supports v2.local tokens
diff --git a/modules/paseto-cmd/src/main.rs b/modules/paseto-cmd/src/main.rs
index 6b373083b..4769f7ac7 100644
--- a/modules/paseto-cmd/src/main.rs
+++ b/modules/paseto-cmd/src/main.rs
@@ -10,9 +10,9 @@ fn main() {
    let args: Vec<String> = env::args().collect();
 
   // Later, handle & print errors: (rather than just unwrap & crash)
-  if let Err(e) = gen_token(args) {
-    eprintln!("{}", e);
-  }
+  //if let Err(e) = gen_token(args) {
+  //  eprintln!("{}", e);
+  //}
 
   let key_as_hex: &String = &args[1];
   let key: Vec<u8> = decode_hex(key_as_hex).unwrap();

From 8ed1ac648c2b5da2b2298e04e0f7474bf41bcc8f Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 16 Sep 2024 09:08:56 +0200
Subject: [PATCH 04/28] Upgr Chromedriver to 128.0.3.

---
 tests/e2e-wdio7/package.json | 2 +-
 tests/e2e-wdio7/yarn.lock    | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/e2e-wdio7/package.json b/tests/e2e-wdio7/package.json
index fb14c395a..5b373d886 100644
--- a/tests/e2e-wdio7/package.json
+++ b/tests/e2e-wdio7/package.json
@@ -14,7 +14,7 @@
     "@wdio/spec-reporter": "^7.20.3",
     "@wdio/types": "^7.20.3",
     "axios": "^0.26.1",
-    "chromedriver": "^128.0.0",
+    "chromedriver": "^128.0.3",
     "paseto.js": "^0.1.7",
     "ts-node": "^10.9.1",
     "wdio-chromedriver-service": "^7.3.2"
diff --git a/tests/e2e-wdio7/yarn.lock b/tests/e2e-wdio7/yarn.lock
index ea7b9e43a..d07cb7d58 100644
--- a/tests/e2e-wdio7/yarn.lock
+++ b/tests/e2e-wdio7/yarn.lock
@@ -1251,10 +1251,10 @@ chrome-launcher@^0.15.0:
     is-wsl "^2.2.0"
     lighthouse-logger "^1.0.0"
 
-chromedriver@^128.0.0:
-  version "128.0.0"
-  resolved "https://registry.yarnpkg.com/chromedriver/-/chromedriver-128.0.0.tgz#7f75a984101199e0bcc2c92fe9f91917fcd1f918"
-  integrity sha512-Ggo21z/dFQxTOTgU0vm0V59Mi79yyR+9AUk/KiVAsRfbDRdVZQYQWfgxnIvD/x8KOKn0oB7haRzDO/KfrKyvOA==
+chromedriver@^128.0.3:
+  version "128.0.3"
+  resolved "https://registry.yarnpkg.com/chromedriver/-/chromedriver-128.0.3.tgz#7c2cd2d160f269e78f40840ee7a043dac3687148"
+  integrity sha512-Xn/bknOpGlY9tKinwS/hVWeNblSeZvbbJbF8XZ73X1jeWfAFPRXx3fMLdNNz8DqruDbx3cKEJ5wR3mnst6G3iw==
   dependencies:
     "@testim/chrome-version" "^1.1.4"
     axios "^1.7.4"

From ab47f367fd502b1c0ea09ee47dd94dc7ae0e19ff Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Tue, 17 Sep 2024 07:35:30 +0200
Subject: [PATCH 05/28] Don't send unnecessary fields when updating a SASite

The server rejects the request, if request body too large.
---
 .../src/main/scala/com/debiki/core/Site.scala |  2 +-
 client/app-slim/model.ts                      | 15 +++++++
 .../superadmin/superadmin-app.staff.ts        | 42 +++++++++++++------
 3 files changed, 46 insertions(+), 13 deletions(-)

diff --git a/appsv/model/src/main/scala/com/debiki/core/Site.scala b/appsv/model/src/main/scala/com/debiki/core/Site.scala
index c3b9902d9..d2e412c24 100644
--- a/appsv/model/src/main/scala/com/debiki/core/Site.scala
+++ b/appsv/model/src/main/scala/com/debiki/core/Site.scala
@@ -138,7 +138,7 @@ sealed abstract class SiteStatus(val IntValue: i32) {
 }
 
 
-case class SuperAdminSitePatch(
+case class SuperAdminSitePatch(  // ts: interface SASitePatch
   siteId: SiteId,
   newStatus: SiteStatus,
   newNotes: Opt[St],
diff --git a/client/app-slim/model.ts b/client/app-slim/model.ts
index 291ba0261..02cda6cc4 100644
--- a/client/app-slim/model.ts
+++ b/client/app-slim/model.ts
@@ -2963,6 +2963,21 @@ interface SASite {
 }
 
 
+/// For updating an SASite (but not for purging it).
+///
+interface SASitePatch {  // Scala: case class SuperAdminSitePatch
+  id: SiteId
+  status: SiteStatus
+  superStaffNotes?: St
+  rdbQuotaMiBs?: Nr
+  fileQuotaMiBs?: Nr
+  readLimsMult: Nr | N
+  logLimsMult: Nr | N
+  createLimsMult: Nr | N
+  featureFlags: St
+}
+
+
 interface Rect {
   top: number;
   left: number;
diff --git a/client/app-staff/superadmin/superadmin-app.staff.ts b/client/app-staff/superadmin/superadmin-app.staff.ts
index c36f2d2fc..6a70748dc 100644
--- a/client/app-staff/superadmin/superadmin-app.staff.ts
+++ b/client/app-staff/superadmin/superadmin-app.staff.ts
@@ -273,9 +273,10 @@ const SiteTableRow = createComponent({
   },
 
   changeStatus: function(newStatus: SiteStatus) {
-    const site: SASite = _.clone(this.props.site);
-    site.status = newStatus;
-    Server.updateSites([site]);
+    const site: SASite = this.props.site;
+    const patch: SASitePatch = pluckPatch(site);
+    patch.status = newStatus;
+    Server.updateSites([patch]);
   },
 
   reindex: function() {
@@ -284,16 +285,17 @@ const SiteTableRow = createComponent({
   },
 
   saveNotesAndFlags: function() {
-    const site: SASite = _.clone(this.props.site);
+    const site: SASite = this.props.site;
+    const patch: SASitePatch = pluckPatch(site);
     const state: SiteTableRowState = this.state;
-    site.rdbQuotaMiBs = state.rdbQuotaMiBs;
-    site.fileQuotaMiBs = state.fileQuotaMiBs;
-    site.readLimsMult = state.readLimsMult;
-    site.logLimsMult = state.logLimsMult;
-    site.createLimsMult = state.createLimsMult;
-    site.superStaffNotes = state.newNotes;
-    site.featureFlags = state.newFeatureFlags;
-    Server.updateSites([site]);
+    patch.rdbQuotaMiBs = state.rdbQuotaMiBs;
+    patch.fileQuotaMiBs = state.fileQuotaMiBs;
+    patch.readLimsMult = state.readLimsMult;
+    patch.logLimsMult = state.logLimsMult;
+    patch.createLimsMult = state.createLimsMult;
+    patch.superStaffNotes = state.newNotes;
+    patch.featureFlags = state.newFeatureFlags;
+    Server.updateSites([patch]);
   },
 
   render: function() {
@@ -493,6 +495,22 @@ const SiteTableRow = createComponent({
   }
 });
 
+
+function pluckPatch(site: SASite): SASitePatch {
+  return {
+    id: site.id,
+    status: site.status,
+    superStaffNotes: site.superStaffNotes,
+    rdbQuotaMiBs: site.rdbQuotaMiBs,
+    fileQuotaMiBs: site.fileQuotaMiBs,
+    readLimsMult: site.readLimsMult,
+    logLimsMult: site.logLimsMult,
+    createLimsMult: site.createLimsMult,
+    featureFlags: site.featureFlags,
+  };
+}
+
+
 //------------------------------------------------------------------------------
    }
 //------------------------------------------------------------------------------

From b5fb54b5b0681c5d0e0238a4af05a193394ddac4 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Thu, 19 Sep 2024 01:47:52 +0200
Subject: [PATCH 06/28] Feature flag for disabling the "That's a short comment"
 tips.

---
 appsv/model/src/main/scala/com/debiki/core/user.scala | 3 +++
 client/app-editor/editor/editor.editor.ts             | 5 ++++-
 client/app-slim/oop-methods.ts                        | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/appsv/model/src/main/scala/com/debiki/core/user.scala b/appsv/model/src/main/scala/com/debiki/core/user.scala
index c9881001a..f5cb16822 100644
--- a/appsv/model/src/main/scala/com/debiki/core/user.scala
+++ b/appsv/model/src/main/scala/com/debiki/core/user.scala
@@ -1209,6 +1209,9 @@ sealed trait MemberInclDetails extends ParticipantInclDetails {  RENAME // to Me
     */
   def uiPrefs: Option[JsObject]
 
+  // Later:
+  //def modConf: Opt[JsObject]  // the  pats_t/users3.mod_conf_c  column
+
   def copyPrefs(uiPrefs: Opt[JsObject] = null, privPrefs: MemberPrivacyPrefs = null): MemberVb = {
     this match {
       case thiz: GroupVb =>
diff --git a/client/app-editor/editor/editor.editor.ts b/client/app-editor/editor/editor.editor.ts
index 425f2301f..91a31fb80 100644
--- a/client/app-editor/editor/editor.editor.ts
+++ b/client/app-editor/editor/editor.editor.ts
@@ -2159,6 +2159,8 @@ export const Editor = createFactory<any, EditorState>({
 
   ifNewPostLooksOk: function(titleErrorMessage, textErrorMessage, ifOkFn: () => Vo) {
     const state: EditorState = this.state;
+    const store: Store = state.store;
+
     let errors = '';
     if (titleErrorMessage && isBlank(state.title)) {
       errors += titleErrorMessage;
@@ -2177,7 +2179,8 @@ export const Editor = createFactory<any, EditorState>({
     // Haven't updated the tests — many would fail, if "That's a short ..." dialogs pop up.
     // Also, skip for staff users (if they write something short, it's probably ok)
     // — later, this'll be per group settings; see pats_t.mod_conf_c.
-    const skipProbl = isAutoTestSite() || user_isStaffOrCoreMember(state.store.me);
+    const skipProbl = isAutoTestSite() || user_isStaffOrCoreMember(state.store.me) ||
+            !store_isFeatFlagOn(store, 'ffShortPostTips', true)
 
     const titleLen = state.title.trim().length;
     const textLen = state.text.trim().length;
diff --git a/client/app-slim/oop-methods.ts b/client/app-slim/oop-methods.ts
index 769107a00..5c2aac07b 100644
--- a/client/app-slim/oop-methods.ts
+++ b/client/app-slim/oop-methods.ts
@@ -917,6 +917,8 @@ export function settings_selectTopicType(settings: SettingsVisibleClientSide, me
 
 
 export function store_isFeatFlagOn(store: Store, featureFlag: St, defaultOn?: Bo): Bo {
+  // A bit weird: If a flag is off, `_.includes(..)` will set both `isOn` and `isOff`. But
+  // the last line:  `isOn && !isOff`  becomes false, so it works. Oh well.
   const offFlag = '0' + featureFlag;
   const isOn = defaultOn ||
           _.includes(store.siteFeatureFlags, featureFlag) ||

From a05fee5bf78d3eae2a9acc742046437a739dd468 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Wed, 11 Sep 2024 09:00:18 +0200
Subject: [PATCH 07/28] Refactor loginIfNeeded(): Create shared impl fn.

---
 .../app-more/login/create-user-dialog.more.ts |   1 +
 client/app-slim/form/form.ts                  |   2 +-
 client/app-slim/forum/forum.ts                |   8 +-
 client/app-slim/login/login-if-needed.ts      | 131 +++++++++++++-----
 client/app-slim/model.ts                      |   1 +
 client/app-slim/page/post-actions.ts          |  10 +-
 .../react-elements/name-login-btns.ts         |   5 +-
 client/app-slim/slim-bundle.d.ts              |   2 +-
 client/app-slim/watchbar/watchbar.ts          |   2 +-
 client/embedded-comments/blog-comments.ts     |   4 +
 docs/tests-map.txt                            |   5 +
 11 files changed, 120 insertions(+), 51 deletions(-)

diff --git a/client/app-more/login/create-user-dialog.more.ts b/client/app-more/login/create-user-dialog.more.ts
index ef09d1b3c..afdfa6afa 100644
--- a/client/app-more/login/create-user-dialog.more.ts
+++ b/client/app-more/login/create-user-dialog.more.ts
@@ -322,6 +322,7 @@ export var CreateUserDialogContent = createClassAndFactory({
     }
     else if (props.afterLoginCallback || (
           anyReturnToUrl && !eds.isInLoginPopup &&
+          // We should not redirect here, if we should redirect from verification emails *only*.
           anyReturnToUrl.indexOf('_RedirFromVerifEmailOnly_') === -1)) {
       const returnToUrl = anyReturnToUrl.replace(/__dwHash__/, '#');
       const currentUrl = window.location.toString();
diff --git a/client/app-slim/form/form.ts b/client/app-slim/form/form.ts
index 81f9f759a..4f9dcf29f 100644
--- a/client/app-slim/form/form.ts
+++ b/client/app-slim/form/form.ts
@@ -45,7 +45,7 @@ export function activateAnyCustomForm() {
         Server.submitCustomFormAsNewTopic(formData);
       }
       else if (doWhat.value === 'SignUp') {
-        login.loginIfNeeded(LoginReason.SignUp, location.toString());
+        login.loginIfNeeded(LoginReason.SignUp, '');
       }
       else if (doWhat.value === 'SignUpSubmitUtx') {  // [plugin]
         login.loginIfNeeded(LoginReason.SignUp, '/-/redir-to-my-last-topic', function() {
diff --git a/client/app-slim/forum/forum.ts b/client/app-slim/forum/forum.ts
index 8c9d035b6..aff11d4e0 100644
--- a/client/app-slim/forum/forum.ts
+++ b/client/app-slim/forum/forum.ts
@@ -550,8 +550,12 @@ const ForumButtons = createComponent({
   },
 
   createTopic: function(category: Category) {
-    const anyReturnToUrl = window.location.toString().replace(/#/, '__dwHash__');
-    login.loginIfNeeded(LoginReason.CreateTopic, anyReturnToUrl, () => {
+    // Remember any #composeTopic action (FragActionType.ComposeTopic), so we'll
+    // continue composing, after having signed up (if needed) and clicked any
+    // email verification link.  TESTS_MISSING  TyTFRAGCOMPTO
+    const loc = window.location;
+    const returnToRelativeUrl = loc.pathname + loc.search + loc.hash.replace(/#/, '__dwHash__');
+    login.loginIfNeeded(LoginReason.CreateTopic, returnToRelativeUrl, () => {
       if (this.isGone) return;
       const newTopicTypes = category.newTopicTypes || [];
       if (newTopicTypes.length === 0) {
diff --git a/client/app-slim/login/login-if-needed.ts b/client/app-slim/login/login-if-needed.ts
index 6a9ef70a2..6bd278328 100644
--- a/client/app-slim/login/login-if-needed.ts
+++ b/client/app-slim/login/login-if-needed.ts
@@ -16,8 +16,8 @@
  */
 
 /// <reference path="../links.ts" />
+// (Why does this behave as -already-loaded.ts? Oh well. [_5BKRF020])
 /// <reference path="../more-bundle-not-yet-loaded.ts" />
-// or should be ...already-loaded ? (5BKRF020)
 
 //------------------------------------------------------------------------------
    namespace debiki2.login {
@@ -48,70 +48,115 @@ export function getAuthnNonce(): St | U {
 
 
 // From before React.js.  Gah! This needs to be refactored :-/  Try to remove this field.
-export let anyContinueAfterLoginCallback = null;
+export let anyContinueAfterLoginCallback: (() => V) | U;
 
 
+/// If login needed, redirects to `postNr` only if the user was signing up and had
+/// to click an email verification link (the redirect link is then in the email addr
+/// verification email).  Otherwise, runs `onOk()`.
+///
 export function loginIfNeededReturnToPost(
-      loginReason: LoginReason, postNr: PostNr, success: () => void,
-      willCompose?: boolean) {
+      loginReason: LoginReason, postNr: PostNr, onOk: () => V, willCompose?: Bo) {
   // If posting a progress post, then, after login, scroll to the bottom, so one
   // can click that button again — it's at the bottom.
   const anchor = loginReason === LoginReason.PostProgressPost
       ? FragActionHashScrollToBottom
-      : (postNr < FirstReplyNr ? '' : (
+      : (postNr < FirstReplyNr
+          ?
+            // UX COULD: Here it could be nice, if in embedded comments, scroll down to
+            // the comments section?  [scroll_to_emb_comts]
+            ''
+          : (
           // We use 'comment-' for embedded comments; they start on nr 1 = post 2. [2PAWC0]
-          eds.isInEmbeddedCommentsIframe
+          // (Hopefully the embedding website has no elems with ids like 'comment-NNN'.)
+          eds.isInIframe
               ? FragParamCommentNr + (postNr - 1)
               : FragParamPostNr + postNr));
 
-  loginIfNeededReturnToAnchor(loginReason, anchor, success, willCompose);
+  loginIfNeededImpl(loginReason, anchor, true, onOk, willCompose);
 }
 
 
+/// Same as `loginIfNeededReturnToPost()` above, but goes to `anchor` (a #hash-fragment)
+/// after any signup, instead of to a post nr.
+///
 export function loginIfNeededReturnToAnchor(
-      loginReason: LoginReason, anchor: string, success?: () => void, willCompose?: boolean) {
-  const returnToUrl = makeReturnToPageHashForVerifEmail(anchor);
-  success = success || function() {};
+      loginReason: LoginReason, anchor: St, onOk?: () => V, willCompose?: Bo) {
+  loginIfNeededImpl(loginReason, anchor, true, onOk, willCompose);
+}
+
+
+/// If login needed, always redirects to `path` afterwards and ignores `onOk()`.
+///
+export function loginIfNeeded(loginReason: LoginReason, path: St, onOk?: () => V,
+     willCompose?: Bo) {
+  loginIfNeededImpl(loginReason, path, false, onOk, willCompose);
+}
+
+
+function loginIfNeededImpl(loginReason: LoginReason, pathOrHash: St, redirFromEmailOnly: Bo,
+      onOk?: () => V, willCompose?: Bo) {
+
+  onOk = onOk || function() {};
   const store: Store = ReactStore.allData();
   const me: Myself = store.me;
+
+  // No login needed, or not until later when submitting any comment?
   if (me.isLoggedIn || (willCompose && ReactStore.mayComposeBeforeSignup())) {
-    success();
+    onOk();
+    return;
   }
-  else if (eds.isInIframe) {
-    // ... or only if isInSomeEmbCommentsIframe()?
 
-    anyContinueAfterLoginCallback = success;
+  const returnToUrl: St = redirFromEmailOnly
+          ? makeReturnToPageHashForVerifEmail(pathOrHash)
+          : (eds.embeddingUrl || location.toString()) + pathOrHash;
+
+  // _Make_SSO url here?  And if sth, then, can redir.
+  // Pass  anchor   or  pathOrHash (just path?)   and if there's a SSO url,
+  // then can use  %-encoded  return-to paths + hash:
+  //
+  //   returnToOrigin
+  //   returnToRelUrl  (relative origin)
+
+  // But prefix the  returnToOrigin with  "check_is_legit:"  to force the SSO
+  // server to verify that the origin is legit, before redirecting anyone to there
+  // — so there won't be any pishing attacks.
+
+  // And if   ssoHow = 'RedirEmbeddingPage', then, do that the 1st thing.
+
+
+  if (eds.isInIframe) {
+    // TESTS_MISSING: Compose comment before logging in? Then, we'd be  TyTEMBCOMPBEFLGI
+    // in the *editor* iframe, now, rather than the *comments* iframe.
+
+    anyContinueAfterLoginCallback = onOk;
 
     // Don't open a dialog inside the iframe; open a popup instead.
-    // Need to open the popup here immediately, before loading any scripts, because if
-    // not done immediately after mouse click, the popup gets blocked (in Chrome at least).
-    // And when opening in a popup, we don't need any more scripts here in the main win anyway.
+    // Need to open the popup here immediately, because if not done immediately after
+    // mouse click, the popup gets blocked (in Chrome at least).
+    //
+    // (This'll call `LoginController.showLoginPopup()` in the app server, to show:
+    // ../../../appsv/server/views/authn/authnPage.scala.html  in a popup.
+    // The popup calls  `debiki2.login.getLoginDialog().openToSignUp()`.  That's similar to
+    // the else case below, but in a popup, [_popup_or_not], with no SSO and not admin area.)
+    //
     const url = origin() + '/-/login-popup?mode=' + loginReason +   // [2ABKW24T]
       '&isInLoginPopup&returnToUrl=' + returnToUrl;
     d.i.createLoginPopup(url);
   }
-  else {
-    loginIfNeeded(loginReason, returnToUrl, success);
-  }
-}
-
-
-// Later, merge with loginIfNeededReturnToAnchor() above, and rename to loginIfNeeded, and use only
-// that fn always — then will work also in iframe (will open popup).
-export function loginIfNeeded(loginReason: LoginReason, returnToUrl: St, onOk?: () => Vo,
-     willCompose?: Bo) {
-  if (ReactStore.getMe().isLoggedIn || (willCompose && ReactStore.mayComposeBeforeSignup())) {
-    if (onOk) onOk();
-  }
   else {
     goToSsoPageOrElse(returnToUrl, loginReason, onOk, function() {
       Server.loadMoreScriptsBundle(() => {
+        // (This is similar to above [_popup_or_not], but in the main win, not in a popup.)
+
         // People with an account, are typically logged in already, and won't get to here often.
         // Instead, most people here, are new users, so show the signup dialog.
         // But when creating a new site, one logs in as admin (NeedToBeAdmin) if one
         // clicked the link (verified one's admin email), but then tries to log in in
         // another browser.
-        // (Why won't this result in a compil err? (5BKRF020))
+
+        // (Why won't this result in a compil err? We're including:
+        // ../more-bundle-not-yet-loaded.ts  only,  not ...-already-loaded.ts. [_5BKRF020])
         const diag = debiki2.login.getLoginDialog();
         const logInOrSignUp = loginReason === LoginReason.NeedToBeAdmin ?
                   diag.openToLogIn : diag.openToSignUp;
@@ -124,6 +169,7 @@ export function loginIfNeeded(loginReason: LoginReason, returnToUrl: St, onOk?:
 
 
 export function openLoginDialogToSignUp(purpose: LoginReason) {
+  // _Make_SSO url here? And pass to goToSsoPage...()  ?
   goToSsoPageOrElse(location.toString(), purpose, null, function() {
     Server.loadMoreScriptsBundle(() => {
       debiki2.login.getLoginDialog().openToSignUp(purpose);
@@ -133,6 +179,7 @@ export function openLoginDialogToSignUp(purpose: LoginReason) {
 
 
 export function openLoginDialog(purpose: LoginReason) {
+  // _Make_SSO url here? And pass to goToSsoPage...()  ?
   goToSsoPageOrElse(location.toString(), purpose, null, function() {
     Server.loadMoreScriptsBundle(() => {
       debiki2.login.getLoginDialog().openToLogIn(purpose);
@@ -142,7 +189,7 @@ export function openLoginDialog(purpose: LoginReason) {
 
 
 function goToSsoPageOrElse(returnToUrl: St, toDoWhat: LoginReason | U,
-        doAfterLogin: () => void | U, orElse: () => void) {
+        doAfterLogin: (() => V) | U, orElse: () => V): V {
   // Dupl code? [SSOINSTAREDIR]
   const store: Store = ReactStore.allData();
   const anySsoUrl: St | U = makeSsoUrl(store, returnToUrl);
@@ -156,11 +203,15 @@ function goToSsoPageOrElse(returnToUrl: St, toDoWhat: LoginReason | U,
     // stay on the same page, and navigate away to the IDP only in a popup win,
     // so the editor stays open and one can submit the reply, after login.
     if (store.settings.enableSso) {
+      // This is Ty's own SSO.
+
       // Harmless bug: If session & local storage don't work, this redirect will
       // destroy the browser authn nonce.  [br_authn_nonce]
       location.assign(anySsoUrl);  // backw compat, see above
     }
     else {
+      // This is SSO too, but using some standard like OAuth2 (not Ty's own).
+
       // This'll trigger the [SSOINSTAREDIR] code in login-dialog.more.ts — the
       // SSO url then gets reconstructed, so we don't need to include it here.
       // BUT, sleeping BUG: we should incl the authn nonce!  [br_authn_nonce]
@@ -181,6 +232,10 @@ function goToSsoPageOrElse(returnToUrl: St, toDoWhat: LoginReason | U,
 }
 
 
+// Constructs a url to an external SSO server to which the browser should be sent
+// to log in.  Included in this url, is a return-to-url, so, after login,
+// the exteral SSO server knows where to send the user next.
+//
 // forTySsoTest: If we're on the Ty SSO test page, and should only generate
 // a SSO url if Talkyard's own SSO is in use (but not any external OIDC or OAuth2 IDP).
 //
@@ -207,13 +262,13 @@ export function makeSsoUrl(store: Store, returnToUrlMaybeMagicRedir: St,
   // The SSO endpoint needs to check the return to full URL or origin against a white list
   // to verify that the request isn't a phishing attack — i.e. someone who sets up a site
   // that looks exactly like the external website where Single Sign-On happens,
-  // or looks exactly like the Talkyard forum, and uses $[returnTo...} to redirect
+  // or looks exactly like the Talkyard forum, and uses ${returnTo...} to redirect
   // to the phishing site. — That's why the full url and the origin params have
   // Dangerous in their names.
   //   Usually there'd be just one entry in the "white list", namely the address to the
   // Talkyard forum. And then, better use `${talkyardPathQueryEscHash}` instead. However,
-  // can be many Talkyard origins, if there's also a blog with embedded comments,
-  // or more than one forum, which all use the same SSO login page.
+  // can be many origins, if there's also a blog with embedded comments (e.g. blog.company.com),
+  // or more than one forum (e.g. forum.company.com), which all use the same SSO login page.
   const ssoUrlWithReturn = talkyardSsoUrl
       ? (talkyardSsoUrl
         .replace('${talkyardUrlDangerous}', returnToUrl)
@@ -229,14 +284,14 @@ export function makeSsoUrl(store: Store, returnToUrlMaybeMagicRedir: St,
 }
 
 
-function makeReturnToPageHashForVerifEmail(hash) {
+function makeReturnToPageHashForVerifEmail(hash: St): St {
   // The magic '__Redir...' string tells the server to use the return-to-URL only if it
   // needs to send an email address verification email (it'd include the return
   // to URL on a welcome page show via a link in the email).
   // '__dwHash__' is an encoded hash that won't be lost when included in a GET URL.
   // The server replaces it with '#' later on.
   // If we're showing embedded comments in an <iframe>, use the embedding page's url.
-  const pageUrl = eds.embeddingUrl ? eds.embeddingUrl : window.location.toString();
+  const pageUrl = eds.embeddingUrl || window.location.toString();
   let returnToUrl = '_RedirFromVerifEmailOnly_' + pageUrl.replace(/#.*/, '');
   if (hash) {
     hash = hash.replace(/^#/, '');
@@ -246,7 +301,7 @@ function makeReturnToPageHashForVerifEmail(hash) {
 }
 
 
-export function continueAfterLogin(anyReturnToUrl?: string) {
+export function continueAfterLogin(anyReturnToUrl?: St) {
   // Minor clean up: Use guard clauses, instead of nested ifs.
 
   if (eds.isInLoginWindow) {
diff --git a/client/app-slim/model.ts b/client/app-slim/model.ts
index 02cda6cc4..f08379d72 100644
--- a/client/app-slim/model.ts
+++ b/client/app-slim/model.ts
@@ -1347,6 +1347,7 @@ interface SettingsVisibleClientSide extends TopicInterfaceSettings, SettingsDisc
   doubleTypePassword?: boolean;         // default: false
   ssoUrl?: string;                      // default: undefined
   ssoShowEmbAuthnBtns?: ShowEmbAuthnBtnsBitf;  // default: undef —> All
+  // RENAME `enableSso` to `enableTysOwnSso`? & Could be a version nr, not just a bool?
   enableSso?: boolean;                  // default: undefined —> false
   ssoWillRedirAfterLogout?: Bo;         // default: undef —> false
   rememberEmbSess?: Bo;                 // default: undef —> true
diff --git a/client/app-slim/page/post-actions.ts b/client/app-slim/page/post-actions.ts
index 6cdd958d4..12da84a30 100644
--- a/client/app-slim/page/post-actions.ts
+++ b/client/app-slim/page/post-actions.ts
@@ -228,7 +228,7 @@ export const PostActions = createComponent({
     const atRect = cloneEventTargetRect(event);
     const store: Store = this.props.store;
     const post: Post = this.props.post;
-    loginIfNeededThen(LoginReason.LoginToLike, post.nr, () => {
+    login.loginIfNeededReturnToPost(LoginReason.LoginToLike, post.nr, () => {
       if (this.isGone) return;
       const toggleOn = !me_hasVoted(store.me, post.nr, PostVoteType.Like);
       toggleVote(this.props.store, post, PostVoteType.Like, toggleOn, atRect);
@@ -563,7 +563,7 @@ const MoreVotesDropdownModal = createComponent({
   onWrongClick: function(event: MouseEvent) {
     const atRect = cloneEventTargetRect(event);
     const post: Post = this.state.post;
-    loginIfNeededThen(LoginReason.LoginToDisagree, post.nr, () => {
+    login.loginIfNeededReturnToPost(LoginReason.LoginToDisagree, post.nr, () => {
       toggleVote(this.state.store, post, PostVoteType.Disagree, !this.hasVoted(PostVoteType.Disagree),
             atRect, this.closeSoon);
     });
@@ -975,16 +975,12 @@ const MoreDropdownModal = createComponent({
 
 
 function flagPost(post: Post, at: Rect) {
-  loginIfNeededThen(LoginReason.LoginToFlag, post.nr, () => {
+  login.loginIfNeededReturnToPost(LoginReason.LoginToFlag, post.nr, () => {
     morebundle.openFlagDialog(post.nr, at);
   });
 }
 
 
-function loginIfNeededThen(loginToWhat: LoginReason, postNr: PostNr, success: () => Vo) {
-  login.loginIfNeededReturnToPost(loginToWhat, postNr, success);
-}
-
 //------------------------------------------------------------------------------
    }
 //------------------------------------------------------------------------------
diff --git a/client/app-slim/react-elements/name-login-btns.ts b/client/app-slim/react-elements/name-login-btns.ts
index d7dbbd329..06c68e13f 100644
--- a/client/app-slim/react-elements/name-login-btns.ts
+++ b/client/app-slim/react-elements/name-login-btns.ts
@@ -45,7 +45,10 @@ export const NameLoginBtns = createComponent({
   },
 
   onLoginClick: function() {
-    login.loginIfNeededReturnToAnchor(this.props.purpose || LoginReason.LoginToLogin, '');
+    login.loginIfNeededReturnToAnchor(this.props.purpose || LoginReason.LoginToLogin,
+        // Wouldo it be nice to, if in embedded comments, scroll down to the comments
+        // section after login?  [scroll_to_emb_comts]
+        '');
   },
 
   onLogoutClick: function() {
diff --git a/client/app-slim/slim-bundle.d.ts b/client/app-slim/slim-bundle.d.ts
index 506e6f314..9d988acd4 100644
--- a/client/app-slim/slim-bundle.d.ts
+++ b/client/app-slim/slim-bundle.d.ts
@@ -282,7 +282,7 @@ declare namespace debiki2 {
     function loginIfNeededReturnToPost(
         loginReason: LoginReason, postNr: PostNr, success?: () => Vo, willCompose?: Bo);
 
-    function loginIfNeeded(loginReason, returnToUrl: string, onDone?: () => void);
+    function loginIfNeeded(loginReason: LoginReason, pathOrHash: St, onOk?: () => V);
     function openLoginDialogToSignUp(purpose);
     function openLoginDialog(purpose);
 
diff --git a/client/app-slim/watchbar/watchbar.ts b/client/app-slim/watchbar/watchbar.ts
index 1ef1926ba..280a21bbf 100644
--- a/client/app-slim/watchbar/watchbar.ts
+++ b/client/app-slim/watchbar/watchbar.ts
@@ -193,7 +193,7 @@ const ChatChannels = createComponent({
   },
 
   createChatChannel: function() {
-    login.loginIfNeeded(LoginReason.LoginToChat, location.toString(), () => {
+    login.loginIfNeeded(LoginReason.LoginToChat, '', () => {
       if (this.isGone) return;
       Server.listCategoriesAllSections((categories: Category[]) => {
         if (this.isGone) return;
diff --git a/client/embedded-comments/blog-comments.ts b/client/embedded-comments/blog-comments.ts
index 8e010b6ff..f5fe999c6 100644
--- a/client/embedded-comments/blog-comments.ts
+++ b/client/embedded-comments/blog-comments.ts
@@ -918,6 +918,9 @@ function onMessage(event) {
       //
       // Log in via the first comments iframe only — otherwise there'd be races
       // and unnecessarily many server requests.
+      // (Probably better to not incl any token or secret in any url (as is however
+      // done with e.g. `htmlClassParam`, see  [emb_comts_url_params]), so they won't
+      // end up in any request logs somewhere.)
       //
       if (authnTried) {
         // Noop.
@@ -1100,6 +1103,7 @@ function onMessage(event) {
       if (eventData.goTo) {
         // For SSO-logout, we need to redirect this parent win  [sso_redir_par_win]
         // to the logout url.
+        logM(`Going to: ${eventData.goTo}`);
         location.assign(eventData.goTo);
       }
       break;
diff --git a/docs/tests-map.txt b/docs/tests-map.txt
index 8bb5f2501..419d18baa 100644
--- a/docs/tests-map.txt
+++ b/docs/tests-map.txt
@@ -1121,6 +1121,11 @@ embedded comments:
   post 1st comment, edit:   TESTS_MISSING
     when unapproved:
     auto approved:
+  compose before
+    login:
+            - embcom.drafts-previews-not-logged-in.2br  TyT2ZBKPW048
+    signup:
+            - TESTS_MISSING  TyTEMBCOMPBEFLGI  # missing, right?
   vote before page exists:
           - embcom.vote-bef-page-exists.1br  TyT2AKBS056
   config notf prefs before page exists:

From 7ddf6089753b28933826559612a44a0ea1fb928c Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Thu, 12 Sep 2024 19:07:29 +0200
Subject: [PATCH 08/28] Better embedded comments SSO: 'RedirPage' option.

---
 client/app-head/head-bundle.ts            |   2 +
 client/app-slim/login/login-if-needed.ts  | 105 ++++++++++++++--------
 client/app-slim/model.ts                  |   3 +
 client/app-slim/slim-bundle.d.ts          |   3 +-
 client/app-staff/admin/admin-app.staff.ts |   2 +-
 client/embedded-comments/blog-comments.ts |  21 ++++-
 6 files changed, 94 insertions(+), 42 deletions(-)

diff --git a/client/app-head/head-bundle.ts b/client/app-head/head-bundle.ts
index 008c11f3b..ec2e128c2 100644
--- a/client/app-head/head-bundle.ts
+++ b/client/app-head/head-bundle.ts
@@ -181,6 +181,7 @@ if (_narrow) {
 // see: https://stackoverflow.com/a/979995/694469  for more details.
 try {
   var _searchParams = new URLSearchParams(location.search);
+  var _ssoHow = _searchParams.get('ssoHow');
   var _class = _searchParams.get('htmlClass');
   if (_class) {
     _doc.className += ' ' + _class.replace(/[^a-zA-Z0-9_-]/g, ' ');
@@ -286,6 +287,7 @@ if (!eds.isInEmbeddedEditor) {
   loadGlobalStaffScript: @{ tpi.globals.loadGlobalStaffScript.toString },
   */
 
+eds.ssoHow = _ssoHow;
 
 // Backw compat CLEAN_UP convert old js code in these 'namespaces' to Typescript instead [4KSWPY]
 // RENAME to tyd ("Talkyard Dynamic" things, like is-sth-ready promises?, remove 'internal' and 'v0'
diff --git a/client/app-slim/login/login-if-needed.ts b/client/app-slim/login/login-if-needed.ts
index 6bd278328..e1d8c8c79 100644
--- a/client/app-slim/login/login-if-needed.ts
+++ b/client/app-slim/login/login-if-needed.ts
@@ -73,7 +73,7 @@ export function loginIfNeededReturnToPost(
               ? FragParamCommentNr + (postNr - 1)
               : FragParamPostNr + postNr));
 
-  loginIfNeededImpl(loginReason, anchor, true, onOk, willCompose);
+  loginIfNeededImpl(loginReason, anchor, null, true, onOk, willCompose);
 }
 
 
@@ -82,7 +82,7 @@ export function loginIfNeededReturnToPost(
 ///
 export function loginIfNeededReturnToAnchor(
       loginReason: LoginReason, anchor: St, onOk?: () => V, willCompose?: Bo) {
-  loginIfNeededImpl(loginReason, anchor, true, onOk, willCompose);
+  loginIfNeededImpl(loginReason, anchor, null, true, onOk, willCompose);
 }
 
 
@@ -90,12 +90,12 @@ export function loginIfNeededReturnToAnchor(
 ///
 export function loginIfNeeded(loginReason: LoginReason, path: St, onOk?: () => V,
      willCompose?: Bo) {
-  loginIfNeededImpl(loginReason, path, false, onOk, willCompose);
+  loginIfNeededImpl(loginReason, null, path, false, onOk, willCompose);
 }
 
 
-function loginIfNeededImpl(loginReason: LoginReason, pathOrHash: St, redirFromEmailOnly: Bo,
-      onOk?: () => V, willCompose?: Bo) {
+function loginIfNeededImpl(loginReason: LoginReason, toHash: St, toPath: St,
+      redirFromEmailOnly: Bo, onOk?: () => V, willCompose?: Bo) {
 
   onOk = onOk || function() {};
   const store: Store = ReactStore.allData();
@@ -107,25 +107,27 @@ function loginIfNeededImpl(loginReason: LoginReason, pathOrHash: St, redirFromEm
     return;
   }
 
-  const returnToUrl: St = redirFromEmailOnly
-          ? makeReturnToPageHashForVerifEmail(pathOrHash)
-          : (eds.embeddingUrl || location.toString()) + pathOrHash;
+  const makeReturnToUrl = (): St => {
+    // This can't happen, currently. And, currently, `toPath` is a Talkyard URL path,
+    // not a path for any embedding website.
+    dieIf(toPath && eds.embeddingUrl, 'TyEREDIREMBNGPATH');
 
-  // _Make_SSO url here?  And if sth, then, can redir.
-  // Pass  anchor   or  pathOrHash (just path?)   and if there's a SSO url,
-  // then can use  %-encoded  return-to paths + hash:
-  //
-  //   returnToOrigin
-  //   returnToRelUrl  (relative origin)
+    let url = toPath ? location.origin + toPath : eds.embeddingUrl || location.toString();
 
-  // But prefix the  returnToOrigin with  "check_is_legit:"  to force the SSO
-  // server to verify that the origin is legit, before redirecting anyone to there
-  // — so there won't be any pishing attacks.
-
-  // And if   ssoHow = 'RedirEmbeddingPage', then, do that the 1st thing.
+    // (This can be a Talkyard hash, e.g. #post-123. But can also be  #comment-123 and
+    // that's for the embedd*ing* website and Talkyard's script there, which looks at
+    // the hash and scrolls to that comment in Ty's blog comments iframe.)
+    if (toHash) {
+      url = url.replace(/#.*/, '') + toHash;
+    }
+    return url;
+  }
 
+  const returnToUrl_new = makeReturnToUrl();
+  const returnToUrl_legacy = redirFromEmailOnly ?
+            makeReturnToPageHashForVerifEmail(toHash) : returnToUrl_new;
 
-  if (eds.isInIframe) {
+  if (eds.isInIframe && eds.ssoHow !== 'RedirPage') {
     // TESTS_MISSING: Compose comment before logging in? Then, we'd be  TyTEMBCOMPBEFLGI
     // in the *editor* iframe, now, rather than the *comments* iframe.
 
@@ -141,11 +143,11 @@ function loginIfNeededImpl(loginReason: LoginReason, pathOrHash: St, redirFromEm
     // the else case below, but in a popup, [_popup_or_not], with no SSO and not admin area.)
     //
     const url = origin() + '/-/login-popup?mode=' + loginReason +   // [2ABKW24T]
-      '&isInLoginPopup&returnToUrl=' + returnToUrl;
+      '&isInLoginPopup&returnToUrl=' + returnToUrl_legacy;
     d.i.createLoginPopup(url);
   }
   else {
-    goToSsoPageOrElse(returnToUrl, loginReason, onOk, function() {
+    goToSsoPageOrElse(returnToUrl_new, returnToUrl_legacy, onOk, function() {
       Server.loadMoreScriptsBundle(() => {
         // (This is similar to above [_popup_or_not], but in the main win, not in a popup.)
 
@@ -161,7 +163,7 @@ function loginIfNeededImpl(loginReason: LoginReason, pathOrHash: St, redirFromEm
         const logInOrSignUp = loginReason === LoginReason.NeedToBeAdmin ?
                   diag.openToLogIn : diag.openToSignUp;
         logInOrSignUp(
-              loginReason, returnToUrl, onOk || function() {});
+              loginReason, returnToUrl_legacy, onOk || function() {});
       });
     });
   }
@@ -169,8 +171,7 @@ function loginIfNeededImpl(loginReason: LoginReason, pathOrHash: St, redirFromEm
 
 
 export function openLoginDialogToSignUp(purpose: LoginReason) {
-  // _Make_SSO url here? And pass to goToSsoPage...()  ?
-  goToSsoPageOrElse(location.toString(), purpose, null, function() {
+  goToSsoPageOrElse(location.toString(), null, null, function() {
     Server.loadMoreScriptsBundle(() => {
       debiki2.login.getLoginDialog().openToSignUp(purpose);
     });
@@ -179,8 +180,7 @@ export function openLoginDialogToSignUp(purpose: LoginReason) {
 
 
 export function openLoginDialog(purpose: LoginReason) {
-  // _Make_SSO url here? And pass to goToSsoPage...()  ?
-  goToSsoPageOrElse(location.toString(), purpose, null, function() {
+  goToSsoPageOrElse(location.toString(), null, null, function() {
     Server.loadMoreScriptsBundle(() => {
       debiki2.login.getLoginDialog().openToLogIn(purpose);
     });
@@ -188,21 +188,25 @@ export function openLoginDialog(purpose: LoginReason) {
 }
 
 
-function goToSsoPageOrElse(returnToUrl: St, toDoWhat: LoginReason | U,
+function goToSsoPageOrElse(returnToUrl: St, returnToUrl_legacy: St | N,
         doAfterLogin: (() => V) | U, orElse: () => V): V {
   // Dupl code? [SSOINSTAREDIR]
   const store: Store = ReactStore.allData();
-  const anySsoUrl: St | U = makeSsoUrl(store, returnToUrl);
+  const anySsoUrl: St | U = makeSsoUrl(store, returnToUrl, returnToUrl_legacy);
   if (anySsoUrl) {
     // Currently Talkyard's own SSO opens in the same window (not in a popup win)
     // — let's keep that behavior, for backw compatibility.
-    // Maybe one day will be a conf val?
+    // Maybe one day will be a conf val?  [[Upd 2024: Yes now there is: 'RedirPage',
+    // so blog comments can redirect the whole embedd*ing* page.]]
     // However, let custom IDP SSO open in a popup — this works better
     // with embedded comments, [2ABKW24T]
     // and if logging in because sumbitting a reply — then, it's nice to
     // stay on the same page, and navigate away to the IDP only in a popup win,
     // so the editor stays open and one can submit the reply, after login.
-    if (store.settings.enableSso) {
+    if (store.settings.enableSso && eds.ssoHow === 'RedirPage') {
+      window.parent.postMessage(JSON.stringify(['ssoRedir', anySsoUrl]), eds.embeddingOrigin);
+    }
+    else if (store.settings.enableSso) {
       // This is Ty's own SSO.
 
       // Harmless bug: If session & local storage don't work, this redirect will
@@ -239,7 +243,7 @@ function goToSsoPageOrElse(returnToUrl: St, toDoWhat: LoginReason | U,
 // forTySsoTest: If we're on the Ty SSO test page, and should only generate
 // a SSO url if Talkyard's own SSO is in use (but not any external OIDC or OAuth2 IDP).
 //
-export function makeSsoUrl(store: Store, returnToUrlMaybeMagicRedir: St,
+export function makeSsoUrl(store: Store, returnToUrl_new: St, returnToUrlMagicRedir_legacy?: St | N,
       forTySsoTest?: true): St | U {
   const settings: SettingsVisibleClientSide = store.settings;
   const talkyardSsoUrl = (settings.enableSso || forTySsoTest) && settings.ssoUrl;
@@ -252,15 +256,19 @@ export function makeSsoUrl(store: Store, returnToUrlMaybeMagicRedir: St,
 
   // Remove magic text that tells the Talkyard server to redirect to the return to url,
   // only if it sends an email address verification email. (Via a link in that email.)
-  const returnToUrl = returnToUrlMaybeMagicRedir.replace('_RedirFromVerifEmailOnly_', '');
+  // Might still include a weird '__dwHash__' to encode '#' (instead of percent encoding).
+  const returnToUrl_legacy = returnToUrlMagicRedir_legacy
+          ? returnToUrlMagicRedir_legacy.replace('_RedirFromVerifEmailOnly_', '')
+          : returnToUrl_new;
 
-  const origin = location.origin;
-  const returnToPathQueryHash = returnToUrl.substr(origin.length, 9999);
+  const origin = eds.embeddingOrigin || location.origin;
+  const returnToPathQueryHash_new = returnToUrl_new.substring(origin.length);
+  const returnToPathQueryHash_legacy = returnToUrl_legacy.substring(origin.length);
 
   const [nonce, lastsAcrossReload] = login.getOrCreateAuthnNonce();
 
   // The SSO endpoint needs to check the return to full URL or origin against a white list
-  // to verify that the request isn't a phishing attack — i.e. someone who sets up a site
+  // to verify that the request isn't a [_phishing] attack — i.e. someone who sets up a site
   // that looks exactly like the external website where Single Sign-On happens,
   // or looks exactly like the Talkyard forum, and uses ${returnTo...} to redirect
   // to the phishing site. — That's why the full url and the origin params have
@@ -271,13 +279,32 @@ export function makeSsoUrl(store: Store, returnToUrlMaybeMagicRedir: St,
   // or more than one forum (e.g. forum.company.com), which all use the same SSO login page.
   const ssoUrlWithReturn = talkyardSsoUrl
       ? (talkyardSsoUrl
-        .replace('${talkyardUrlDangerous}', returnToUrl)
+        // Legacy:
+        .replace('${talkyardUrlDangerous}', returnToUrl_legacy)
         .replace('${talkyardOriginDangerous}', origin)
-        .replace('${talkyardPathQueryEscHash}', returnToPathQueryHash))
+        .replace('${talkyardPathQueryEscHash}', returnToPathQueryHash_legacy)
+
+        // Better?
+        // - Let's percent encode the parameters, instead of '__dwHash__'.
+        // - Let's prefix the origin with a reminder for the Ty SSO integration
+        //   to look at the origin and check if it's one of their origins (and not
+        //   a [_phishing] site, see above). This makes the origin parameter
+        //   invalid, so they cannot forget to look at it (then, won't work).
+        //   (In 'check_if_legit!', '!' won't get % encoded, but ':' would have been.)
+        // - Let's not say "Talkyard URL" or "Talkyard origin" — because if we're
+        //   SSO logging in to blog comments, the user won't be redirected back to
+        //   any *Talkyard* origin, but to the embedd*ing* webiste, e.g. a Ghost
+        //   blog or static website.  (If they need to know it's for Talkyard SSO,
+        //   they can add an `&isTalkyard=true` query string param themselves.)
+        .replace('${returnToOrigin}', encodeURIComponent('check_if_legit!' + origin))
+        // The external SSO server should send the user to the return-to-origin 
+        // plus this /path/and/maybe/?query=and#hash.
+        .replace('${returnToPathQueryHash}', encodeURIComponent(returnToPathQueryHash_new)))
+
         // + nonce, later  [br_authn_nonce]
       : (
         `${UrlPaths.AuthnRoot}${customSsoIdp.protocol}/${customSsoIdp.alias}` +
-            `?returnToUrl=${returnToPathQueryHash}` +
+            `?returnToUrl=${returnToPathQueryHash_legacy}` +
             `&nonce=${nonce}` );
 
   return ssoUrlWithReturn;
diff --git a/client/app-slim/model.ts b/client/app-slim/model.ts
index f08379d72..23b5a549b 100644
--- a/client/app-slim/model.ts
+++ b/client/app-slim/model.ts
@@ -3322,6 +3322,7 @@ interface UserPresenceWsMsg {
 
 
 // These variables are initialized in a certain <head><script>.  [5JWKA27]
+// Not always from the server — e.g. `ssoHow` is from any embedding page (e.g. blog post).
 
 interface ServerVars {
   doWhat: 'Noop' | 'StartPage' | 'ResetPwd';
@@ -3391,6 +3392,8 @@ interface ServerVars {
   // When creating new site.
   baseDomain?: string;
 
+  ssoHow?: 'RedirPage' | 'LoginPopup' | St // or sth else (invalid)
+
   newPasswordData?: NewPasswordData;
 }
 
diff --git a/client/app-slim/slim-bundle.d.ts b/client/app-slim/slim-bundle.d.ts
index 9d988acd4..4043932cf 100644
--- a/client/app-slim/slim-bundle.d.ts
+++ b/client/app-slim/slim-bundle.d.ts
@@ -286,7 +286,8 @@ declare namespace debiki2 {
     function openLoginDialogToSignUp(purpose);
     function openLoginDialog(purpose);
 
-    function makeSsoUrl(store: Store, returnToUrl: St, forTySsoTest?: true): St;
+    function makeSsoUrl(store: Store, returnToUrl: St, returnToUrl_legacy?: St | N,
+          forTySsoTest?: true): St;
     function getOrCreateAuthnNonce(): [St, Bo];
     function getAuthnNonce(): St;
   }
diff --git a/client/app-staff/admin/admin-app.staff.ts b/client/app-staff/admin/admin-app.staff.ts
index cca201711..a3fff6ef2 100644
--- a/client/app-staff/admin/admin-app.staff.ts
+++ b/client/app-staff/admin/admin-app.staff.ts
@@ -89,7 +89,7 @@ const SsoTestComponent = createReactClass(<any> {
     const settings = store.settings;
     const me: Myself = store.me;
     const ssoUrl = login.makeSsoUrl(
-            store, window.location.toString(), true /* forTySsoTest */);
+            store, window.location.toString(), null, true /* forTySsoTest */);
 
     const noSsoUrlInfo = ssoUrl ? null :
       rFragment({},
diff --git a/client/embedded-comments/blog-comments.ts b/client/embedded-comments/blog-comments.ts
index f5fe999c6..968281ede 100644
--- a/client/embedded-comments/blog-comments.ts
+++ b/client/embedded-comments/blog-comments.ts
@@ -47,6 +47,13 @@ interface WindowWithTalkyardProps {
   talkyardReloadCommentsAndEditor: () => void;
   talkyardAddCommentsIframe: (ps: { appendInside: HElm, discussionId: St }) => HElm;
   talkyardForgetRemovedCommentIframes: () => Vo;
+  talkyardUiLanguage?: St;
+
+  // Either 'RedirPage' or 'PopupWin'. The former redirects the embedding page to
+  // the SSO login page. The latter shows a login popup (the default).
+  // ('RedirPage' rather than 'redirPage' is more consistent with the naming in
+  // ../../tests/e2e-wdio7/pub-api.ts .)
+  talkyardSsoHow?: St;
 }
 
 // Later: SSO and HMAC via https://pasteo.io? https://paseto.io/rfc/  [blog_comments_sso]
@@ -141,6 +148,8 @@ const insecureSomethingErrMsg = insecureTyIframeProbl ? (
 
 const considerQueryParams = windowWithTalkyardProps.talkyardConsiderQueryParams;
 
+const ssoHow = windowWithTalkyardProps.talkyardSsoHow;
+
 // For automatic Single Sign-On with PASETO authn tokens, either in a variable,
 // or a cookie (cookie better? So not incl in html, although encrypted).
 const authnTokenInVar = windowWithTalkyardProps.talkyardAuthnToken;
@@ -571,8 +580,11 @@ function intCommentIframe(commentsElem, iframeNr: Nr, manyCommentsIframes: Bo) {
 
   const logLevelParam = talkyardLogLevel ? `&logLevel=${talkyardLogLevel}` : '';
 
-  const allUrlParams =
+  const ssoHowParam = ssoHow ? `&ssoHow=${ssoHow}` : '';
+
+  const allUrlParams =  // [emb_comts_url_params]
           edPageIdParam + discIdParam + catRefParam + embeddingUrlParam +
+          ssoHowParam +
           htmlClassParam + logLevelParam + scriptVersionQueryParam;
 
   var commentsIframeUrl = serverOrigin + '/-/embedded-comments?' + allUrlParams;
@@ -1031,6 +1043,13 @@ function onMessage(event) {
       debiki.Utterscroll.stopScrolling(eventData);
       break;
       */
+    case 'ssoRedir':
+      // Redirect to the SSO server. In the url, there's parameters that tells the
+      // SSO server about the current url, so it (the server) can redirect the user
+      // back here after login.  [sso_redir_par_win]
+      logD(`Going to SSO page: ${eventData}`);
+      location.assign(eventData);
+      break;
 
     case 'authnErr':
       logW(`Error logging in using ${eventData.prettyMethod}. ` +

From 3a26be90e70ae050638b7950f9ff86865c5cdc30 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Fri, 6 Sep 2024 18:04:58 +0200
Subject: [PATCH 09/28] Embedded comments 'RedirPage' e2e test.

---
 docs/tests-map.txt                            |   5 +-
 s/run-e2e-tests.sh                            |   1 +
 .../specs/embcom.sso.redir-page.2br.ec.e2e.ts | 301 ++++++++++++++++++
 ...so.token-direct-w-logout-url.2br.ec.e2e.ts |   5 +-
 tests/e2e-wdio7/utils/ty-e2e-test-browser.ts  |   4 +
 tests/e2e-wdio7/utils/utils.ts                |   5 +-
 6 files changed, 318 insertions(+), 3 deletions(-)
 create mode 100644 tests/e2e-wdio7/specs/embcom.sso.redir-page.2br.ec.e2e.ts

diff --git a/docs/tests-map.txt b/docs/tests-map.txt
index 419d18baa..9d54a83f7 100644
--- a/docs/tests-map.txt
+++ b/docs/tests-map.txt
@@ -285,9 +285,12 @@ single-sign-on:  (3093533)
 sso, embedded comments, [_embcom_sso],
 embedded comments sso,
 blog comments sso:
-            - embcom.sso.token-direct-w-logout-url.2br.test.ts  TyTE2EEMBSSO1
+            - embcom.sso.token-direct-w-logout-url.2br.ec  TyTE2EEMBSSO1
+                - combining with  direct SSO:  TyT306MRG2
             - embcom.sso.token-in-cookie.2br.ec  TyTE2EEMBSSO2
             - embcom.manyframes.js-api.sso.2br.ec  TyTEMANYEMBDISAPISSO
+  redirect whole embedding page to sso server:
+            - embcom.sso.redir-page.2br.ec.e2e.ts  TyTE2EEMBSSO3.TyTEMBSSOREDIR
 
 impersonate:
           - impersonate-post-as-other.2browsers  TyT502KNG24
diff --git a/s/run-e2e-tests.sh b/s/run-e2e-tests.sh
index 56d41d669..42e54030f 100755
--- a/s/run-e2e-tests.sh
+++ b/s/run-e2e-tests.sh
@@ -706,6 +706,7 @@ function runAllE2eTests {
   # Single Sign-On, embedded comments:
   $r s/wdio-7     --only embcom.sso.token-direct-w-logout-url.2br.ec --cd -i $args
   $r s/wdio-7     --only embcom.sso.token-in-cookie.2br.ec --cd -i $args
+  $r s/wdio-7     --only embcom.sso.redir-page.2br.ec --cd -i $args
 
   # Many comments iframes:
   $r s/wdio-7     --only embcom.manyframes.basic.2br --cd -i $args
diff --git a/tests/e2e-wdio7/specs/embcom.sso.redir-page.2br.ec.e2e.ts b/tests/e2e-wdio7/specs/embcom.sso.redir-page.2br.ec.e2e.ts
new file mode 100644
index 000000000..c1a002013
--- /dev/null
+++ b/tests/e2e-wdio7/specs/embcom.sso.redir-page.2br.ec.e2e.ts
@@ -0,0 +1,301 @@
+/// <reference path="../test-types.ts"/>
+
+import * as _ from 'lodash';
+import assert from '../utils/ty-assert';
+import * as fs from 'fs';
+import server from '../utils/server';
+import * as u from '../utils/utils';
+import { buildSite } from '../utils/site-builder';
+import { TyE2eTestBrowser } from '../utils/ty-e2e-test-browser';
+import { die } from '../utils/log-and-die';
+import c from '../test-constants';
+
+
+// Dupl code  [embcom_sso_e2e_dupl]
+
+let brA: TyE2eTestBrowser;
+let brB: TyE2eTestBrowser;
+let owen: Member;
+let owen_brA: TyE2eTestBrowser;
+
+let selina_brB: TyE2eTestBrowser;
+const selinaExtUser: ExternalUser = {
+  ssoId: 'selina-soid',
+  username: 'selina_un',
+  fullName: 'Selina Full Name',
+  primaryEmailAddress: 'e2e-test-selina@x.co',
+  isEmailAddressVerified: true,
+}
+
+const selinaAutnhMsg = {
+  //sub: 'ject',
+  //exp: '2021-05-01T00:00:00Z',
+  //iat: '2021-05-01T00:00:00Z',
+  data: {
+    //ifExists: 'DoNothing', // or 'Update'
+    //lookupKey: 'soid:selina_sign_on_id',
+    user: {
+      ...selinaExtUser,
+    },
+  },
+};
+
+const localHostname = 'comments-for-e2e-test-embsth';
+const embeddingOrigin = 'http://e2e-test-embsth.localhost:8080';
+
+let site: IdAddress;
+let forum: TwoCatsTestForum;
+
+const ssoUrl =
+    `http://localhost:8080/${u.ssoLoginPageSlug}` +
+        '?redir2Origin=\${returnToOrigin}' +
+        '&redir2RelUrl=\${returnToPathQueryHash}' +
+        '&isTalkyard=true';
+
+const ssoUrlVarsReplaced = (embeddingOrigin: St, relativeUrl: St): St =>
+    `http://localhost:8080/${u.ssoLoginPageSlug}` +
+        `?redir2Origin=${encodeURIComponent('check_if_legit!' + embeddingOrigin)}` +
+        `&redir2RelUrl=${encodeURIComponent(relativeUrl)}` +
+        '&isTalkyard=true';
+
+const ssoLogoutUrl =
+    `http://localhost:8080/${u.ssoLogoutRedirPageSlug}`;
+
+let pasetoV2LocalSecret = '';
+
+
+
+describe(`embcom.sso.redir-page.2br.ec.e2e.ts  TyTE2EEMBSSO3`, () => {
+
+  it(`Construct site`, async () => {
+    const builder = buildSite();
+    forum = builder.addTwoCatsForum({
+      title: "Some E2E Test",
+      members: ['memah', 'maria', 'michael']
+    });
+
+    builder.getSite().meta.localHostname = localHostname;
+    builder.getSite().settings.allowEmbeddingFrom = embeddingOrigin;
+
+    builder.settings({
+      numFirstPostsToApprove: 0,
+      numFirstPostsToReview: 0,
+      enableApi: true,
+    });
+
+    brA = new TyE2eTestBrowser(wdioBrowserA, 'brA');
+    brB = new TyE2eTestBrowser(wdioBrowserB, 'brB');
+
+    owen = forum.members.owen;
+    owen_brA = brA;
+
+    selina_brB = brB;
+
+    assert.refEq(builder.getSite(), forum.siteData);
+  });
+
+  it(`Import site`, async () => {
+    site = await server.importSiteData(forum.siteData);
+    await server.skipRateLimits(site.id);
+  });
+
+
+  it(`Owen logs in to admin area, ... `, async () => {
+    await owen_brA.adminArea.settings.login.goHere(site.origin, { loginAs: owen });
+  });
+
+  it(`... and types an SSO login URL`, async () => {
+    await owen_brA.scrollToBottom(); // just speeds the test up slightly
+    await owen_brA.adminArea.settings.login.typeSsoUrl(ssoUrl);
+  });
+
+  it(`... and enables SSO`, async () => {
+    await owen_brA.adminArea.settings.login.setEnableSso(true);
+  });
+
+  it(`... types a Logout Redir URL`, async () => {
+    await owen_brA.adminArea.settings.login.setSsoLogoutUrl(ssoLogoutUrl);
+  });
+
+  it(`... generates a PASETO v2.local shared secret`, async () => {
+    await owen_brA.adminArea.settings.login.generatePasetoV2LocalSecret();
+  });
+
+  it(`... copies the secret`, async () => {
+    pasetoV2LocalSecret = await owen_brA.adminArea.settings.login.copyPasetoV2LocalSecret();
+  });
+
+  it(`... and saves the new settings`, async () => {
+    await owen_brA.adminArea.settings.clickSaveAll();
+  });
+
+  it(`There are external SSO login pages`, async () => {
+    u.createSingleSignOnPagesInHtmlDir();
+  });
+
+
+  // ----- Encrypt tokens
+
+  // E.g. "v2.local.kBENRnu2p2.....JKJZB9Lw"
+  let selinasToken: St | U;
+
+  it(`The external server generates a login token for Selina`, async () => {
+    selinasToken = u.encryptLocalPasetoV2Token(pasetoV2LocalSecret, selinaAutnhMsg);
+  });
+
+
+  // ----- Create test website
+
+  it(`There's a website with embedding pages`, async () => {
+    const dir = 'target';
+    const twoComtsPageId = 'twoComtsPageId';
+    fs.writeFileSync(`${dir}/so-as-selina.html`, makeHtml('aaa', '#050', twoComtsPageId,
+                                                                              selinasToken));
+    fs.writeFileSync(`${dir}/so-no-token.html`, makeHtml('bbb', '#520', twoComtsPageId));
+    function makeHtml(pageName: St, bgColor: St, discussionId: St, authnToken?: St): St {
+      return u.makeEmbeddedCommentsHtml({
+              pageName, discussionId, authnToken, localHostname, bgColor,
+              ssoHow: 'RedirPage' });
+    }
+  });
+
+
+  // ----- SSO, good token
+
+  it(`Selina opens embedding page aaa`, async () => {
+    await selina_brB.go2(embeddingOrigin + '/so-as-selina.html');
+  });
+
+  it(`... can reply directly, auto logged in via PASETO token`, async () => {
+    await selina_brB.complex.replyToEmbeddingBlogPost("I got logged_in_via_a_PASETO_token");
+    await selina_brB.complex.replyToPostNr(c.FirstReplyNr,
+        "I'm writing that I wrote that I write that I'm writing that I'm writing", {
+        isEmbedded: true });
+  });
+
+  /* But there is one, since there's a logout url, `ssoLogoutUrl`.
+  it(`There's no logout button — not included, when auto logged in via token,
+          then, the embedd*ing* page manages login/out
+          by including/excluding a PASETO token   UNIMPL   [hide_authn_btns]`, async () => {
+    assert.not(await selina_brB.metabar.isLogoutBtnDisplayed());
+  }); */
+  it(`There's no login button  (already logged in)`, async () => {
+    assert.not(await selina_brB.metabar.isLoginButtonDisplayed());
+  });
+
+
+  // ----- No token
+
+  it(`Selina goes to a page without any token`, async () => {
+    await selina_brB.go2(embeddingOrigin + '/so-no-token.html');
+    await selina_brB.switchToEmbeddedCommentsIrame();
+    await selina_brB.metabar.waitForDisplayed();
+  });
+
+  it(`... she's NOT logged in, because auto token sessions are NOT remembered
+        across page reloads`, async () => {
+    await selina_brB.complex.waitForNotLoggedInInEmbeddedCommentsIframe({
+          willBeLoginBtn: false });
+    await selina_brB.switchToEmbeddedCommentsIrame();
+    assert.not(await selina_brB.metabar.isMyUsernameVisible());
+  });
+
+  it(`... there's a Login button`, async () => {
+    assert.ok(await selina_brB.metabar.isLoginButtonDisplayed());
+  });
+  it(`... no logout button`, async () => {
+    assert.not(await selina_brB.metabar.isLogoutBtnDisplayed());
+  });
+
+
+  // ----- Combining emb SSO with SSO redirect   TyTEMBSSOREDIR
+
+  // Clicking any action button, will redirect the whole embedding page to the SSO
+  // server.
+
+  let embeddingNoTokenRelUrl = '';
+
+  it(`Selina clicks Log In`, async () => {
+    await selina_brB.switchToAnyParentFrame();
+    embeddingNoTokenRelUrl = await selina_brB.urlPathQueryHash();
+    const actualEmbOrigin = await selina_brB.origin();
+    assert.eq(actualEmbOrigin, embeddingOrigin); // ttt
+
+    await selina_brB.rememberCurrentUrl();
+    await selina_brB.switchToEmbeddedCommentsIrame();
+
+    // We're in the comments iframe.  When we click Log In, it sends a 'ssoRedir'
+    // message to Talkyard's script in the embedd*ing* page, which does
+    // `location.assign(..)` to the SSO page.
+    await selina_brB.metabar.clickLogin();
+  });
+
+  it(`... gets to the dummy external login page, at localhost:8080`, async () => {
+    await selina_brB.waitForNewUrl();
+  });
+
+  it(`... with the correct url parameters`, async () => {
+    const urlNow = await selina_brB.getUrl();
+    assert.eq(urlNow, ssoUrlVarsReplaced(embeddingOrigin, embeddingNoTokenRelUrl));
+
+    // The url is now: (plus line breaks)
+    //  http://localhost:8080/sso-dummy-login.html
+    //    ?redir2Origin=check_if_legit!http%3A%2F%2Fe2e-test-embsth.localhost%3A8080
+    //    &redir2RelUrl=%2Fso-no-token.html
+    //    &isTalkyard=true
+  });
+
+  for (let doWhat of ['Reply', 'Like', 'Disagree', 'Flag']) {
+
+    it(`Selina goes back to the blog`, async () => {
+      await selina_brB.go2(embeddingOrigin + '/so-no-token.html');
+      await selina_brB.waitForExist('iframe#ed-embedded-editor');
+      await selina_brB.rememberCurrentUrl();
+      await selina_brB.switchToEmbeddedCommentsIrame();
+    });
+
+    switch (doWhat) {
+      case 'Reply':
+        it(`... clicks Reply to comment nr 2`, async () => {
+          // This'll redirect to the SSO page, like above, but with '#comment-2' in
+          // the return-to relative url (since we're trying to reply to that comment).
+          await selina_brB.topic.clickReplyToPostNr(c.SecondReplyNr); // (#comment-2 == #post-3)
+        });
+        break;
+      case 'Like':
+        it(`... like-votes comment nr 2`, async () => {
+          // This also redirects to the SSO page, with '...#comment-2' in the return-to url.
+          await selina_brB.topic.clickLikeVote(c.SecondReplyNr);
+        });
+        break;
+      case 'Disagree':
+        it(`... disagrees with comment nr 2`, async () => {
+          await selina_brB.topic.toggleDisagreeVote(c.SecondReplyNr, {
+                  waitForModalGone: false }); // we'll get redirected instead
+        });
+        break;
+      case 'Flag':
+        it(`... flags comment nr 2`, async () => {
+          await selina_brB.topic.clickFlagPost(c.SecondReplyNr, { needToClickMore: false });
+        });
+        break;
+      default:
+        die('TyE407SMJT24');
+    }
+
+    it(`... gets to the external login page, now with return-to '...#comment-2'`, async () => {
+      await selina_brB.waitForNewUrl();
+      const urlNow = await selina_brB.getUrl();
+      assert.eq(urlNow, ssoUrlVarsReplaced(
+            embeddingOrigin, embeddingNoTokenRelUrl + '#comment-2'));
+
+      // The url is now: (plus line breaks)
+      //  http://localhost:8080/sso-dummy-login.html
+      //    ?redir2Origin=check_if_legit!http%3A%2F%2Fe2e-test-embsth.localhost%3A8080
+      //    &redir2RelUrl=%2Fso-no-token.html%23comment-2
+      //    &isTalkyard=true
+    });
+  }
+
+});
+
diff --git a/tests/e2e-wdio7/specs/embcom.sso.token-direct-w-logout-url.2br.ec.e2e.ts b/tests/e2e-wdio7/specs/embcom.sso.token-direct-w-logout-url.2br.ec.e2e.ts
index d0a2b256c..aecf8a7a9 100644
--- a/tests/e2e-wdio7/specs/embcom.sso.token-direct-w-logout-url.2br.ec.e2e.ts
+++ b/tests/e2e-wdio7/specs/embcom.sso.token-direct-w-logout-url.2br.ec.e2e.ts
@@ -45,6 +45,7 @@ const selinaAutnhMsg = {
   },
 };
 
+// Inited later. [_init_data_user]
 let selinaWithMariasEmailAuthnMsg = _.cloneDeep(selinaAutnhMsg);
 
 
@@ -119,13 +120,15 @@ describe(`embcom.sso.token-direct-w-logout-url.2br.ec  TyTE2EEMBSSO1`, () => {
       // Exclude Maria's name, so we'll know that 'maria_ssoid' really gets used
       // to look up the correct user, and we'll se username "Maria" although
       // not specified here.  [.lookup_by_ssoid]
+      // username: ... – no, skip
+      // fullName: ... — skip
       ssoId: 'maria_ssoid',
       isEmailAddressVerified: true,
       primaryEmailAddress: maria.emailAddress,
     };
 
     selina_brB = brB;
-    selinaWithMariasEmailAuthnMsg.data.user = {
+    selinaWithMariasEmailAuthnMsg.data.user = {  // [_init_data_user]
       ...mariaExtUser,
       ssoId: selinaExtUser.ssoId,
     };
diff --git a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
index 64bec67d9..78e24fde3 100644
--- a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
+++ b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
@@ -7006,6 +7006,10 @@ export class TyE2eTestBrowser {
 
       __flagPostSelector: '.icon-flag',  // for now, later: e_...
 
+      /// needToClickMore:
+      /// If not logged in, there aren't many buttons to click, and the Flag button
+      /// is therefore visible directly, rather than "hidden" in the More hamburger dropdown.
+      ///
       clickFlagPost: async (postNr: PostNr, opts: { needToClickMore?: false } = {}) => {
         if (opts.needToClickMore !== false) {
           // Flag button is inside the More dialog.
diff --git a/tests/e2e-wdio7/utils/utils.ts b/tests/e2e-wdio7/utils/utils.ts
index 2628093cf..e4384dac4 100644
--- a/tests/e2e-wdio7/utils/utils.ts
+++ b/tests/e2e-wdio7/utils/utils.ts
@@ -281,7 +281,7 @@ export function makeEmbeddedCommentsHtml(ps: { pageName: string, discussionId?:
       localHostname?: string, color?: string, bgColor: string, htmlToPaste?: string,
       talkyardConsiderQueryParams?: St[],
       authnToken?: St | Ay, authnTokenCookie?: St | Ay,
-      talkyardLogLevel?: St | Nr, appendExtraHtml?:  St  }): St {
+      talkyardLogLevel?: St | Nr, ssoHow?: St, appendExtraHtml?:  St  }): St {
     // Dupl code [046KWESJJLI3].
     dieIf(!!ps.localHostname && !!ps.htmlToPaste, 'TyE502PK562');
     dieIf(!ps.localHostname && !ps.htmlToPaste, 'TyE7FHQJ45X');
@@ -299,6 +299,8 @@ export function makeEmbeddedCommentsHtml(ps: { pageName: string, discussionId?:
             `talkyardLogLevel=${ps.talkyardLogLevel}`;
     const ignQueryParams = !ps.talkyardConsiderQueryParams ? '' :
             `talkyardConsiderQueryParams = ${JSON.stringify(ps.talkyardConsiderQueryParams)};`;
+    const ssoHowParam = !ps.ssoHow ? '' :
+            `talkyardSsoHow = ${JSON.stringify(ps.ssoHow)};`;
 
     // Dupl code [_authn_tokn_html].
     const authnTokenCookieScript = !ps.authnTokenCookie ? '' : `
@@ -331,6 +333,7 @@ authnTokenScript + `
 talkyardServerUrl='${settings.scheme}://${ps.localHostname}.localhost';
 ${talkyardLogLevel}
 ${ignQueryParams}
+${ssoHowParam}
 </script>
 <script async defer src="${settings.scheme}://${ps.localHostname}.localhost/-/talkyard-comments.js"></script>
 <div class="talkyard-comments" ${discIdAttr} ${catRefAttr} style="margin-top: 45px;"></div>

From 150b8b43e6ad779a6a53929a2045df317893b409 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Fri, 13 Sep 2024 16:35:32 +0200
Subject: [PATCH 10/28] Fix typo in "addMmember()".

---
 tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts        | 2 +-
 tests/e2e-wdio7/utils/site-builder.ts                           | 2 +-
 tests/e2e/specs/__e2e-test-template__.2br.test.ts               | 2 +-
 tests/e2e/specs/api-list-query-for-topics-popular-first.test.ts | 2 +-
 tests/e2e/utils/site-builder.ts                                 | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts b/tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts
index fc3a8f74f..1ecca67ce 100644
--- a/tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts
+++ b/tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts
@@ -79,7 +79,7 @@ describe(`some-e2e-test  TyTE2E1234ABC`, () => {
     //builder.getSite().settings.allowEmbeddingFrom = embeddingOrigin;
 
     // Adding a new member:
-    const newMember: Member = builder.addMmember('hens_username');
+    const newMember: Member = builder.addMember('hens_username');
 
     // Placing Cat B in Staff Cat:
     forum.categories.catB.parentId = forum.categories.staffCat.id;
diff --git a/tests/e2e-wdio7/utils/site-builder.ts b/tests/e2e-wdio7/utils/site-builder.ts
index 2689c14ae..d9773588c 100644
--- a/tests/e2e-wdio7/utils/site-builder.ts
+++ b/tests/e2e-wdio7/utils/site-builder.ts
@@ -221,7 +221,7 @@ export function buildSite(site: SiteData | U = undefined, ps: { okInitEarly?: bo
     },
 
 
-    addMmember: function(username: string): Member {
+    addMember: function(username: string): Member {
       const member = make.member(username, {});
       (site as SiteData2).members.push(member);
       return member;
diff --git a/tests/e2e/specs/__e2e-test-template__.2br.test.ts b/tests/e2e/specs/__e2e-test-template__.2br.test.ts
index 59ad8c430..b08a4957c 100644
--- a/tests/e2e/specs/__e2e-test-template__.2br.test.ts
+++ b/tests/e2e/specs/__e2e-test-template__.2br.test.ts
@@ -73,7 +73,7 @@ describe(`some-e2e-test  TyTE2E1234ABC`, () => {
     //builder.getSite().settings.allowEmbeddingFrom = embeddingOrigin;
 
     // Adding a new member:
-    const newMember: Member = builder.addMmember('hens_username');
+    const newMember: Member = builder.addMember('hens_username');
 
     const newPage: PageJustAdded = builder.addPage({
       id: 'extraPageId',
diff --git a/tests/e2e/specs/api-list-query-for-topics-popular-first.test.ts b/tests/e2e/specs/api-list-query-for-topics-popular-first.test.ts
index ee4a568c5..dbf812ba9 100644
--- a/tests/e2e/specs/api-list-query-for-topics-popular-first.test.ts
+++ b/tests/e2e/specs/api-list-query-for-topics-popular-first.test.ts
@@ -54,7 +54,7 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
       members: ['michael', 'maria', 'owen'],
     });
 
-    margaret = builder.addMmember('margaret');
+    margaret = builder.addMember('margaret');
     pageAaaJustAdded = builder.addPage({
       id: 'pageAaaId',
       createdAtMs: c.JanOne2020HalfPastFive + 10*1000,
diff --git a/tests/e2e/utils/site-builder.ts b/tests/e2e/utils/site-builder.ts
index 52077c1ed..e29cf0ebb 100644
--- a/tests/e2e/utils/site-builder.ts
+++ b/tests/e2e/utils/site-builder.ts
@@ -173,7 +173,7 @@ function buildSite(site: SiteData | U = undefined, ps: { okInitEarly?: boolean }
     },
 
 
-    addMmember: function(username: string): Member {
+    addMember: function(username: string): Member {
       const member = make.member(username, {});
       (site as SiteData2).members.push(member);
       return member;

From cc0276e012f05f5046c51a2a5781f4b468ab9efa Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 16 Sep 2024 11:20:16 +0200
Subject: [PATCH 11/28] Fix sleeping e2e template bug.

---
 tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts | 4 ++--
 tests/e2e-wdio7/utils/make.ts                            | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts b/tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts
index 1ecca67ce..b88f407ce 100644
--- a/tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts
+++ b/tests/e2e-wdio7/specs/__e2e-test-template.2br.f.e2e__.ts
@@ -111,11 +111,11 @@ describe(`some-e2e-test  TyTE2E1234ABC`, () => {
       //maxPostsPendApprBefore: 0,
       numFirstPostsToReview: 0,
     });
-    builder.getSite().pageNotfPrefs = [{
+    builder.getSite().pageNotfPrefs.push({
       memberId: forum.members.owen.id,
       notfLevel: c.TestPageNotfLevel.Muted,
       wholeSite: true,
-    }];
+    });
 
     // Enable API.
     builder.settings({ enableApi: true });
diff --git a/tests/e2e-wdio7/utils/make.ts b/tests/e2e-wdio7/utils/make.ts
index b54b48e04..8a3795643 100644
--- a/tests/e2e-wdio7/utils/make.ts
+++ b/tests/e2e-wdio7/utils/make.ts
@@ -60,6 +60,7 @@ function makeEmptySite(ps: { okInitEarly?: boolean } = {}): SiteData {
   categories: [],
   tags: [],
   types: [],
+  pageNotfPrefs: [],
   pages: [],
   pagePaths: [],
   posts: [],

From e20220b48094d5b8950c373bac4372fb7cc342ba Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 16 Sep 2024 11:18:40 +0200
Subject: [PATCH 12/28] Fix two E2EBUG: Add timeout, don't wait for promises
 one at a time

Use __waitAndGetThingsInList(), which calls Promise.all() instead of one
at a time.
---
 tests/e2e-wdio7/utils/ty-e2e-test-browser.ts | 39 ++++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
index 78e24fde3..e0177397b 100644
--- a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
+++ b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
@@ -2588,6 +2588,7 @@ export class TyE2eTestBrowser {
       let items: T[] | U;
       let len: Nr | St = `?`;
       await this.waitUntil(async () => {
+        logBoring(`Hoping for ${j2s(ps)} list items: ${listItemSelector} ...`);
         const elms: WElm[] = await this.$$(listItemSelector);
         len = elms.length;
         if (!isOkMany(len, ps))
@@ -2597,7 +2598,22 @@ export class TyE2eTestBrowser {
           return await fn(e);
         });
 
-        items = await Promise.all(promises);
+        // Webdriverio v7 keeps retrying automatically, it seems: it can start logging
+        //   "Request encountered a stale element - terminating request"
+        // forever until timeout after 30s. Let's retry sooner:
+        const tooSlowPromise = new Promise(resolve => {
+          setTimeout(resolve, 3000, 'TOO_SLOW');
+        });
+        const itemsOrTimeout =
+                await Promise.race([Promise.all(promises), tooSlowPromise]);
+
+        if (itemsOrTimeout === 'TOO_SLOW') {
+          logMessage(`Promises.all(...) is taking too long. ${promises.length
+                } \`fn(e: WElm)\` promises. Aborting. [TyM4GMW20K]`);
+          return false;
+        }
+
+        items = itemsOrTimeout as T[];  // `promises` resolved is type T[]
         return true;
       }, {
         ...ps,
@@ -5152,25 +5168,16 @@ export class TyE2eTestBrowser {
 
       assertTopicTitlesAreAndOrder: async (titles: St[]) => {
         // If there's a React component change, the elems go stale, so try a few times.
-        // But will that really help? Seems wdio 7 got stuck in an internal loop, printing:
-        //    "[0-0] 2023-09-09T07:11:52.390Z WARN webdriver:
-        //         Request encountered a stale element - terminating request"
-        // all the time. [E2EBUG]
         await utils.tryManyTimes(`Checking topic titles and order`, 3, async () => {
-          // Or use  this.waitAndGetListTexts()  instead?
-          const els = await this.$$(this.forumTopicList.titleSelector);
+          const actualTitles = await this.waitAndGetListTexts(this.forumTopicList.titleSelector);
+          logBoring(`Found ${actualTitles.length} titles, comparing with expected ...`);
           for (let i = 0; i < titles.length; ++i) {
             const titleShouldBe = titles[i];
-            const actualTitleElem = els[i];
-            if (!actualTitleElem) {
-              assert.ok(false, `Title ix ${i} missing, should be: "${titleShouldBe}"`);
-            }
-            const actualTitle = await actualTitleElem.getText();
-            if (titleShouldBe !== actualTitle) {
-              assert.ok(false,
-                      `Title ix ${i} is: "${actualTitle}", should be: "${titleShouldBe}"`);
-            }
+            const actualTitle = actualTitles[i];
+            tyAssert.ok(!!actualTitle, `Title ix ${i} missing, should be: "${titleShouldBe}"`);
+            tyAssert.eq(actualTitle, titleShouldBe, `Title ix ${i}`);
           }
+          tyAssert.eq(actualTitles.length, titles.length, `Too many titles: ${j2s(actualTitles)}`);
         });
       },
 

From 5004d3d5ad76743e91b54dddb1b18e98d011906c Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 16 Sep 2024 11:20:51 +0200
Subject: [PATCH 13/28] E2e tests security tab fns.

---
 .../specs/categories-basic.3br.d.e2e.ts       |  6 +--
 tests/e2e-wdio7/test-types.ts                 | 12 +++++
 tests/e2e-wdio7/utils/ty-e2e-test-browser.ts  | 51 +++++++++++++------
 3 files changed, 51 insertions(+), 18 deletions(-)

diff --git a/tests/e2e-wdio7/specs/categories-basic.3br.d.e2e.ts b/tests/e2e-wdio7/specs/categories-basic.3br.d.e2e.ts
index fd5ef4623..2c9624635 100644
--- a/tests/e2e-wdio7/specs/categories-basic.3br.d.e2e.ts
+++ b/tests/e2e-wdio7/specs/categories-basic.3br.d.e2e.ts
@@ -163,7 +163,7 @@ describe(`categories-basic.3br.d   TyTCATSBASIC`, () => {
     await owen.categoryDialog.fillInFields({ name: WastelandCategoryNameOnlyStaffCreate });
     await owen.categoryDialog.setNotUnlisted();
     await owen.categoryDialog.openSecurityTab();
-    await owen.categoryDialog.securityTab.setMayCreate(c.EveryoneId, false);
+    await owen.categoryDialog.securityTab.setMay('CreatePages', c.EveryoneId, false);
     await owen.categoryDialog.submit();
   });
 
@@ -209,8 +209,8 @@ describe(`categories-basic.3br.d   TyTCATSBASIC`, () => {
     await owen.forumButtons.clickEditCategory();
     await owen.categoryDialog.fillInFields({ name: WastelandCategoryNameStaffOnly });
     await owen.categoryDialog.openSecurityTab();
-    await owen.categoryDialog.securityTab.setMayReply(c.EveryoneId, false);
-    await owen.categoryDialog.securityTab.setMaySee(c.EveryoneId, false);
+    await owen.categoryDialog.securityTab.setMay('PostReplies', c.EveryoneId, false);
+    await owen.categoryDialog.securityTab.setMay('SeeOthers', c.EveryoneId, false);
     await owen.categoryDialog.submit();
   });
 
diff --git a/tests/e2e-wdio7/test-types.ts b/tests/e2e-wdio7/test-types.ts
index 17b9a6a2d..2488ec026 100644
--- a/tests/e2e-wdio7/test-types.ts
+++ b/tests/e2e-wdio7/test-types.ts
@@ -77,3 +77,15 @@ export interface E2eVote {
 }
 
 
+export type PermName =
+        'EditOthersTopics' |
+        'EditOthersReplies' |
+        'EditWikis' |
+        'EditOwn' |
+        'DeleteOthersTopics' |
+        'DeleteOthersReplies' |
+        'CreatePages' |
+        'PostReplies' |
+        'SeeOthers' |
+        'SeeOwn';
+
diff --git a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
index e0177397b..30f3786c4 100644
--- a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
+++ b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
@@ -1,5 +1,5 @@
 import * as _ from 'lodash';
-import { IsWhere, E2eAuthor, E2eVote, isWhere_isInIframe } from '../test-types';
+import { IsWhere, E2eAuthor, E2eVote, isWhere_isInIframe, PermName } from '../test-types';
 import { ServerSays } from '../test-types2';
 import { SiteType, NewSiteOwnerType } from '../test-constants';
 
@@ -5431,6 +5431,26 @@ export class TyE2eTestBrowser {
       },
 
       securityTab: {
+        _mkSel: (what: PermName, groupId: PatId, disabled?: 'ShouldBeDisabled'): St => {
+          let permClass: St;
+          switch (what) {
+            case 'EditOthersTopics': permClass = 's_PoP_Ps_P_EdPg'; break;
+            case 'EditOthersReplies': permClass = 's_PoP_Ps_P_EdCm'; break;
+            case 'EditWikis': permClass = 's_PoP_Ps_P_EdWk'; break;
+            case 'EditOwn': permClass = 's_PoP_Ps_P_EdOwn'; break;
+            case 'DeleteOthersTopics': permClass = 's_PoP_Ps_P_DlPg'; break;
+            case 'DeleteOthersReplies': permClass = 's_PoP_Ps_P_DlCm'; break;
+            case 'CreatePages': permClass = 's_PoP_Ps_P_CrPg'; break;
+            case 'PostReplies': permClass = 's_PoP_Ps_P_Re'; break;
+            case 'SeeOthers': permClass = 's_PoP_Ps_P_See'; break;
+            case 'SeeOwn': permClass = 's_PoP_Ps_P_SeeOwn'; break;
+            default: die('TyE03FLMR25');
+          }
+          const dotDis = disabled ? '.disabled' : '';
+          const brackDis = disabled ? '[disabled]' : '';
+          return `.s_PoP-Grp-${groupId} .${permClass} .checkbox${dotDis} input${brackDis}`;
+        },
+
         switchGroupFromTo: async (fromGroupName: St, toGroupName: St) => {
           await this.waitAndClickSelectorWithText('.s_PoP_Un .e_SelGrpB', fromGroupName);
           await this.waitAndClickSelectorWithText(
@@ -5449,24 +5469,25 @@ export class TyE2eTestBrowser {
               '.esDropModal_content .esExplDrp_entry', groupName);
         },
 
-        setMayCreate: async (groupId: UserId, may: Bo) => {
-          // For now, just click once
-          await this.waitAndClick(`.s_PoP-Grp-${groupId} .s_PoP_Ps_P_CrPg input`);
-        },
-
-        setMayReply: async (groupId: UserId, may: Bo) => {
-          // For now, just click once
-          await this.waitAndClick(`.s_PoP-Grp-${groupId} .s_PoP_Ps_P_Re input`);
+        setMay: async (what: PermName, groupId: UserId, may: Bo) => {
+          const sel = this.categoryDialog.securityTab._mkSel(what, groupId);
+          await this.setCheckbox(sel, may);
         },
 
-        setMayEditWiki: async (groupId: UserId, may: Bo) => {
-          // For now, just click once
-          await this.waitAndClick(`li.s_PoP:last-child .s_PoP_Ps_P_EdWk input`);  // for now
+        getMay: async (what: PermName, groupId: UserId, disabled?: 'ShouldBeDisabled'): Pr<Bo> => {
+          const sel = this.categoryDialog.securityTab._mkSel(what, groupId, disabled);
+          await this.waitForVisible(sel);
+          return await (await this.$(sel)).isSelected();
         },
 
-        setMaySee: async (groupId: UserId, may: Bo) => {
-          // For now, just click once
-          await this.waitAndClick(`.s_PoP-Grp-${groupId} .s_PoP_Ps_P_See input`);
+        assertMay: async (what: PermName, groupId: UserId, may: Bo, disabled?: 'ShouldBeDisabled'): Pr<V> => {
+          const actual = await this.categoryDialog.securityTab.getMay(what, groupId, disabled);
+          if (may) {
+            tyAssert.that(actual, `Group ${groupId} can't ${what} (but they should be able to)`);
+          }
+          else {
+            tyAssert.not(actual, `Group ${groupId} can ${what} (but they should not be able to)`);
+          }
         },
       }
     }

From 5bafa49d9f7ef5f959d5cee086714693c25ea578 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 16 Sep 2024 11:21:21 +0200
Subject: [PATCH 14/28] E2e tests: Add an emails fn, a backlinks fn.

---
 tests/e2e-wdio7/utils/server.ts              | 28 +++++++++++++++++---
 tests/e2e-wdio7/utils/ty-e2e-test-browser.ts | 15 ++++++++---
 2 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/tests/e2e-wdio7/utils/server.ts b/tests/e2e-wdio7/utils/server.ts
index 85e042242..2d4f35cea 100644
--- a/tests/e2e-wdio7/utils/server.ts
+++ b/tests/e2e-wdio7/utils/server.ts
@@ -396,7 +396,16 @@ function addAdminNotice(ps: { siteId: SiteId, noticeId: Nr }) {
 
 
 async function getLastEmailSenTo(siteId: SiteId, email: St, dontWait?: 'DontWait')
-        : Pr<EmailSubjectBody | Nl> {
+        : Pr<EmailSubjectBody | N> {
+  const res = await waitGetLastEmailsSentTo(siteId, email, -1, dontWait);
+  return res ? res[0] : null;
+}
+
+
+/// (atLeast = -1 returns only the very last email, even if there are more. Legacy.)
+///
+async function waitGetLastEmailsSentTo(siteId: SiteId, email: St, atLeast: Nr, dontWait?: 'DontWait')
+        : Pr<EmailSubjectBody[]> {
   if (!email || email.indexOf('@') <= 0 || email.indexOf('@') >= email.length - 2) {
     die(`Not an email address: '${email}'  [TyE4MQEJ9MS2]`);
   }
@@ -404,7 +413,16 @@ async function getLastEmailSenTo(siteId: SiteId, email: St, dontWait?: 'DontWait
     const response = await getOrDie(settings.mainSiteOrigin + '/-/last-e2e-test-email?sentTo=' + email +
       '&siteId=' + siteId);
     const lastEmails = JSON.parse(response.body).emails;
-    if (lastEmails.length) {
+
+    if (atLeast >= 1) {
+      if (lastEmails.length >= atLeast) {
+        logMessage(`${email} has gotten ${lastEmails.length} emails, >= ${atLeast}.`);
+        return lastEmails;
+      }
+      logMessage(`${email} has gotten ${lastEmails.length} emails, waiting for >= ${atLeast}`);
+    }
+    else if (atLeast !== -1) die('TyE306EVCHF');
+    else if (lastEmails.length) {
       logMessage(`${email} has gotten ${lastEmails.length} emails:`);
       for (let i = 0; i < lastEmails.length; ++i) {
         const oneLastEmail = lastEmails[i];
@@ -412,8 +430,9 @@ async function getLastEmailSenTo(siteId: SiteId, email: St, dontWait?: 'DontWait
             i === lastEmails.length - 1 ? " <— the last one, returning it" : ''));
       }
       const lastEmail = lastEmails[lastEmails.length - 1];
-      return lastEmail;
+      return [lastEmail];
     }
+
     // Internal functions can specify 'DontWait', if they pause themselves.
     if (dontWait !== 'DontWait') {
       await wdioBrowserA.pause(500 - 100); // 100 ms for a request, perhaps?
@@ -879,7 +898,8 @@ export default {
   deleteRedisKey,
   getTestCounters,
   addAdminNotice,
-  getLastEmailSenTo,  // RENAME waitGetLastEmailsSentTo
+  getLastEmailSenTo,  // RENAME waitGetLastEmailSentTo
+  waitGetLastEmailsSentTo,
   countLastEmailsSentTo,
   getEmailsSentToAddrs,
   sendIncomingEmailWebhook,
diff --git a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
index 30f3786c4..a075adcce 100644
--- a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
+++ b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
@@ -5431,7 +5431,7 @@ export class TyE2eTestBrowser {
       },
 
       securityTab: {
-        _mkSel: (what: PermName, groupId: PatId, disabled?: 'ShouldBeDisabled'): St => {
+        _mkSel: (what: PermName, groupId: PatId, shouldBeDisabled?: 'ShouldBeDisabled'): St => {
           let permClass: St;
           switch (what) {
             case 'EditOthersTopics': permClass = 's_PoP_Ps_P_EdPg'; break;
@@ -5446,8 +5446,8 @@ export class TyE2eTestBrowser {
             case 'SeeOwn': permClass = 's_PoP_Ps_P_SeeOwn'; break;
             default: die('TyE03FLMR25');
           }
-          const dotDis = disabled ? '.disabled' : '';
-          const brackDis = disabled ? '[disabled]' : '';
+          const dotDis = shouldBeDisabled ? '.disabled' : '';
+          const brackDis = shouldBeDisabled ? '[disabled]' : '';
           return `.s_PoP-Grp-${groupId} .${permClass} .checkbox${dotDis} input${brackDis}`;
         },
 
@@ -7515,6 +7515,15 @@ export class TyE2eTestBrowser {
           });
         },
 
+        getBacklinkUrlsAndTitles: async (): Pr<{ url: St, title: St }[]> => {
+          const res = await this.__waitAndGetThingsInList('.s_InLns_Ln', {}, async (e) => {
+                  const url = await e.getAttribute('href');
+                  const title = await e.getText();
+                  return { url, title };
+                });
+          return res;
+        },
+
         isLinkedFromPageId: async (pageId: PageId): Pr<Bo> => {
           return await this.isExisting(this.topic.backlinks.__mkSelector(pageId));
         },

From ca1814520d2a76326d3726f0d43912b1bd235d1a Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 16 Sep 2024 11:19:20 +0200
Subject: [PATCH 15/28] Grant only may-edit-wiki to Full Members, by default.

---
 appsv/server/debiki/dao/ForumDao.scala        |  9 +++--
 .../forum/create-category-dialog.more.ts      | 37 ++++++++++++++-----
 2 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/appsv/server/debiki/dao/ForumDao.scala b/appsv/server/debiki/dao/ForumDao.scala
index b67b53ce7..3175254d9 100644
--- a/appsv/server/debiki/dao/ForumDao.scala
+++ b/appsv/server/debiki/dao/ForumDao.scala
@@ -818,10 +818,11 @@ object ForumDao {
     * (Of course admins can change this, for their own site.)  [DEFMAYEDWIKI]
     * Sync with dupl code in Typescript. [7KFWY025]
     */
-  def makeFullMembersDefaultCategoryPerms(categoryId: CategoryId): PermsOnPages =
-    makeEveryonesDefaultCategoryPerms(categoryId).copy(
-          forPeopleId = Group.FullMembersId,
-          mayEditWiki = Some(true))
+  def makeFullMembersDefaultCategoryPerms(catId: CatId): PermsOnPages = PermsOnPages(
+    id = NoPermissionId,
+    forPeopleId = Group.FullMembersId,
+    onCategoryId = Some(catId),
+    mayEditWiki = Some(true))
 
 
   // Sync with dupl code in Typescript. [7KFWY025]
diff --git a/client/app-more/forum/create-category-dialog.more.ts b/client/app-more/forum/create-category-dialog.more.ts
index 06393fe9b..1aa816c69 100644
--- a/client/app-more/forum/create-category-dialog.more.ts
+++ b/client/app-more/forum/create-category-dialog.more.ts
@@ -133,11 +133,11 @@ const EditCategoryDialog = createClassAndFactory({
       });
     }
     else {
-      const categoryId = -1; // then the server will give it a >= 1 id  [4GKWSR1]
+      const catIdMin1 = -1; // then the server will give it a >= 1 id  [4GKWSR1]
       Server.loadGroups((groups: Group[]) => {
         if (this.isGone) return;
         const newCategory: CategoryPatch = {
-          id: categoryId,
+          id: catIdMin1,
           extId: '',
           parentId: store.currentPage.categoryId,
           sectionPageId: store.currentPageId,
@@ -157,10 +157,16 @@ const EditCategoryDialog = createClassAndFactory({
           canChangeDefault: true,
           category: newCategory,
           groups: groups,
+          // Sync these default perms with Scala code. [7KFWY025]
           permissions: [
-            defaultPermsOnPages(-11, Groups.EveryoneId, categoryId, false),
-            defaultPermsOnPages(-12, Groups.FullMembersId, categoryId, false),
-            defaultPermsOnPages(-13, Groups.StaffId, categoryId, true)],
+            defaultNewCatPerms(-11, Groups.EveryoneId, catIdMin1, false),
+            // Full members can edit wikis, by default. Apart from that, it is safer if
+            // un-ticking an Everyone group permission, removes it from Full Members
+            // too, and only Staff have permissions explicitly granted to themselves.
+            // [_no_extra_def_perms] [DEFMAYEDWIKI]
+            { ...noPermsOnPages(-12, Groups.FullMembersId, catIdMin1), mayEditWiki: true },
+            // But staff have all permissions explicitly granted to it.  TyTSTAFDEFPERMS
+            defaultNewCatPerms(-13, Groups.StaffId, catIdMin1, true)],
         } as EditCatDiagState);
       });
     }
@@ -582,18 +588,25 @@ const CatSettings = createClassAndFactory({
 
 
 
-function defaultPermsOnPages(newPermId: PermissionId, forWhoId: PeopleId,
-        categoryId: CategoryId, isStaff: boolean): PermsOnPage {
+function noPermsOnPages(newPermId: PermissionId, forWhoId: PeopleId,
+        categoryId: CatId): PermsOnPage {
   return {
     id: newPermId,
     forPeopleId: forWhoId,
     onCategoryId: categoryId,
+  };
+}
+
+
+function defaultNewCatPerms(newPermId: PermissionId, forWhoId: PeopleId,
+        categoryId: CatId, isStaff: Bo): PermsOnPage {
+  return {
+    ...noPermsOnPages(newPermId, forWhoId, categoryId),
     // Setting these to false is not currently supported. [2LG5F04W]
-    // Sync these default perms with Scala code. [7KFWY025]
     mayEditPage: isStaff || undefined,
     mayEditComment: isStaff || undefined,
     mayEditWiki: isStaff || forWhoId >= Groups.FullMembersId, // [DEFMAYEDWIKI]
-    // If someone sees hen's own post, hen would probably get angry if hen couldn't edit it?
+    // If someone sees hans own post, han would probably get angry if han couldn't edit it?
     // And staff probably expects everyone to be allowed to edit their own posts, by default?
     // So, 'true' by default.
     mayEditOwn: true,
@@ -620,7 +633,11 @@ const CatSecurity = createClassAndFactory({
         newPermId = p.id - 1;
       }
     });
-    const newPerm = defaultPermsOnPages(newPermId, Groups.NoUserId, category.id, false);
+    // Start with zero additional permissions, so the group won't accidentally
+    // get any unintended permission. [_no_extra_def_perms] TyTNEWCAT0PERMS
+    // (We don't know which group, yet. The admin will choose a grop from the
+    // `SelectGroupDropdown()`.)
+    const newPerm = noPermsOnPages(newPermId, Groups.NoUserId, category.id);
     this.props.updatePermissions(permissions.concat(newPerm));
   },
 

From dff72fd1236652421259eb13e371ddbc1a4ca8f1 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Wed, 11 Sep 2024 14:47:21 +0200
Subject: [PATCH 16/28] Make `maySeeOwn` work.

---
 .../server/controllers/DraftsController.scala |  6 ++++-
 .../server/controllers/ReplyController.scala  | 16 +++++++++----
 appsv/server/debiki/dao/PostsDao.scala        | 24 ++++++++++++-------
 appsv/server/debiki/dao/UserDao.scala         |  4 ++--
 .../server/talkyard/server/authz/Authz.scala  | 14 ++++++-----
 docs/maybe-do-later.txt                       |  1 +
 s/run-e2e-tests.sh                            |  2 ++
 7 files changed, 46 insertions(+), 21 deletions(-)

diff --git a/appsv/server/controllers/DraftsController.scala b/appsv/server/controllers/DraftsController.scala
index 3bcec4bb8..3b0b82ead 100644
--- a/appsv/server/controllers/DraftsController.scala
+++ b/appsv/server/controllers/DraftsController.scala
@@ -113,9 +113,13 @@ class DraftsController @Inject()(cc: ControllerComponents, edContext: TyContext)
 
       if (draft.isReply) {
         val postType = draft.postType getOrDie "TyER35SKS02GU"
+        val pageAuthor =
+              if (pageMeta.authorId == requester.id) requester
+              else dao.getTheParticipant(pageMeta.authorId)
         throwNoUnless(Authz.mayPostReply(
               request.theUserAndLevels, asAlias = None, dao.getOnesGroupIds(requester),
-              postType, pageMeta, Vector(post), dao.getAnyPrivateGroupTalkMembers(pageMeta),
+              postType, pageMeta, pageAuthor = pageAuthor,
+              Vector(post), dao.getAnyPrivateGroupTalkMembers(pageMeta),
               inCategoriesRootLast = categoriesRootLast,
               tooManyPermissions = dao.getPermsOnPages(categoriesRootLast)), "EdEZBXK3M2")
       }
diff --git a/appsv/server/controllers/ReplyController.scala b/appsv/server/controllers/ReplyController.scala
index 8f99004f0..ef38b2c7f 100644
--- a/appsv/server/controllers/ReplyController.scala
+++ b/appsv/server/controllers/ReplyController.scala
@@ -76,6 +76,9 @@ class ReplyController @Inject()(cc: ControllerComponents, edContext: TyContext)
     REMOVE // these 3 vals, once we're using dao.insertReplyIfAuZ() instead of
     // doing authz here in this fn.
     val pageMeta = dao.getPageMeta(pageId) getOrElse throwIndistinguishableNotFound("EdE5FKW20")
+    val pageAuthor =
+          if (pageMeta.authorId == requester.id) requester
+          else dao.getTheParticipant(pageMeta.authorId)
     val replyToPosts = dao.loadPostsAllOrError(pageId, replyToPostNrs) getOrIfBad { missingPostNr =>
       throwNotFound(s"Post nr $missingPostNr not found", "EdEW3HPY08")
     }
@@ -85,8 +88,9 @@ class ReplyController @Inject()(cc: ControllerComponents, edContext: TyContext)
 
     CLEAN_UP // [dupl_re_authz_chk]  and see the REM OVE just above too, and COU LD below.
     throwNoUnless(Authz.mayPostReply(
-      request.theUserAndLevels, asAlias, dao.getOnesGroupIds(request.theUser),
-      postType, pageMeta, replyToPosts, dao.getAnyPrivateGroupTalkMembers(pageMeta),
+      request.theUserAndLevels, asAlias, dao.getOnesGroupIds(requester),
+      postType, pageMeta, pageAuthor = pageAuthor,
+      replyToPosts, dao.getAnyPrivateGroupTalkMembers(pageMeta),
       inCategoriesRootLast = categoriesRootLast,
       tooManyPermissions = dao.getPermsOnPages(categoriesRootLast)),
       "TyEM0REPLY_")
@@ -119,7 +123,7 @@ class ReplyController @Inject()(cc: ControllerComponents, edContext: TyContext)
 
   def handleChatMessage: Action[JsValue] = PostJsonAction(RateLimits.PostReply,
         maxBytes = MaxPostSize) { request =>
-    import request.{body, dao}
+    import request.{body, dao, reqr}
     val pageId = (body \ "pageId").as[PageId]
     val text = (body \ "text").as[String].trim
     val deleteDraftNr = (body \ "deleteDraftNr").asOpt[DraftNr]
@@ -132,12 +136,16 @@ class ReplyController @Inject()(cc: ControllerComponents, edContext: TyContext)
     val pageMeta = dao.getPageMeta(pageId) getOrElse {
       throwIndistinguishableNotFound("EdE7JS2")
     }
+    val pageAuthor =
+          if (pageMeta.authorId == reqr.id) reqr
+          else dao.getTheParticipant(pageMeta.authorId)
     val replyToPosts = Nil  // currently cannot reply to specific posts, in the chat [7YKDW3]
     val categoriesRootLast = dao.getAncestorCategoriesRootLast(pageMeta.categoryId)
 
     throwNoUnless(Authz.mayPostReply(
       request.theUserAndLevels, asAlias = None, dao.getOnesGroupIds(request.theMember),
-      PostType.ChatMessage, pageMeta, replyToPosts, dao.getAnyPrivateGroupTalkMembers(pageMeta),
+      PostType.ChatMessage, pageMeta, pageAuthor = pageAuthor,
+      replyToPosts, dao.getAnyPrivateGroupTalkMembers(pageMeta),
       inCategoriesRootLast = categoriesRootLast,
       tooManyPermissions = dao.getPermsOnPages(categoriesRootLast)),
       "EdEHDETG4K5")
diff --git a/appsv/server/debiki/dao/PostsDao.scala b/appsv/server/debiki/dao/PostsDao.scala
index df5f2c7a7..7beefb97d 100644
--- a/appsv/server/debiki/dao/PostsDao.scala
+++ b/appsv/server/debiki/dao/PostsDao.scala
@@ -77,6 +77,9 @@ trait PostsDao {
 
     val pageMeta = this.getPageMeta(pageId) getOrElse throwIndistinguishableNotFound(
           "TyE5FKW20", showErrCodeAnyway = reqrAndReplyer.reqrIsAdmin)
+    val pageAuthor =
+          if (pageMeta.authorId == reqrAndReplyer.reqr.id) reqrAndReplyer.reqr
+          else this.getTheParticipant(pageMeta.authorId)
 
     val catsRootLast = this.getAncestorCategoriesSelfFirst(pageMeta.categoryId)
     val tooManyPermissions = getPermsOnPages(categories = catsRootLast)
@@ -94,8 +97,8 @@ trait PostsDao {
           reqrAndLevels,
           // See [4_doer_not_reqr].
           asAlias = if (reqrAndReplyer.areNotTheSame) None else asAlias,
-          this.getOnesGroupIds(reqrAndLevels.user),
-          postType, pageMeta, replyToPosts, privTalkMembers,
+          groupIds = this.getOnesGroupIds(reqrAndLevels.user),
+          postType, pageMeta, pageAuthor = pageAuthor, replyToPosts, privTalkMembers,
           inCategoriesRootLast = catsRootLast, tooManyPermissions),
           "TyEM0REPLY1")
 
@@ -103,7 +106,7 @@ trait PostsDao {
       val replyerAndLevels = readTx(this.loadUserAndLevels(reqrAndReplyer.targetToWho, _))
       throwNoUnless(Authz.mayPostReply(
             replyerAndLevels, asAlias, this.getOnesGroupIds(replyerAndLevels.user),
-            postType, pageMeta, replyToPosts, privTalkMembers,
+            postType, pageMeta, pageAuthor = pageAuthor, replyToPosts, privTalkMembers,
             inCategoriesRootLast = catsRootLast, tooManyPermissions),
             "TyEM0REPLY2")
     }
@@ -186,9 +189,12 @@ trait PostsDao {
     val authorMaybeAnon: Pat = SiteDao.getAliasOrTruePat(
           truePat = realAuthor, pageId = pageId, asAlias)(tx, IfBadAbortReq)
 
+    val pageAuthor = tx.loadTheParticipant(page.meta.authorId)
+
     dieOrThrowNoUnless(Authz.mayPostReply(
       realAuthorAndLevels, asAlias /* _not_same_tx, ok */, realAuthorAndGroupIds,
-      postType, page.meta, replyToPosts, tx.loadAnyPrivateGroupTalkMembers(page.meta),
+      postType, page.meta, pageAuthor = pageAuthor,
+      replyToPosts, tx.loadAnyPrivateGroupTalkMembers(page.meta),
       tx.loadCategoryPathRootLast(page.meta.categoryId, inclSelfFirst = true),
       tx.loadPermsOnPages()), "EdEMAY0RE")
 
@@ -658,14 +664,16 @@ trait PostsDao {
 
       SHOULD_OPTIMIZE // don't load all posts [2GKF0S6], because this is a chat, could be too many.
       val page = newPageDao(pageId, tx)
+      val pageAuthor = tx.loadTheParticipant(page.meta.authorId)
       val replyToPosts = Nil // currently cannot reply to specific posts, in the chat. [7YKDW3]
       val asAlias = None // [anon_chats]
 
       dieOrThrowNoUnless(Authz.mayPostReply(
-        authorAndLevels, asAlias = asAlias, tx.loadGroupIdsMemberIdFirst(author),
-        PostType.ChatMessage, page.meta, Nil, tx.loadAnyPrivateGroupTalkMembers(page.meta),
-        tx.loadCategoryPathRootLast(page.meta.categoryId, inclSelfFirst = true),
-        tx.loadPermsOnPages()), "EdEMAY0CHAT")
+          authorAndLevels, asAlias = asAlias, groupIds = tx.loadGroupIdsMemberIdFirst(author),
+          PostType.ChatMessage, page.meta, pageAuthor = pageAuthor,
+          replyToPosts = Nil, tx.loadAnyPrivateGroupTalkMembers(page.meta),
+          tx.loadCategoryPathRootLast(page.meta.categoryId, inclSelfFirst = true),
+          tx.loadPermsOnPages()), "EdEMAY0CHAT")
 
       val (reviewReasons: Seq[ReviewReason], _) =
         throwOrFindNewPostReviewReasons(page.meta, authorAndLevels, tx)
diff --git a/appsv/server/debiki/dao/UserDao.scala b/appsv/server/debiki/dao/UserDao.scala
index 9034bbf5d..90c61a42a 100644
--- a/appsv/server/debiki/dao/UserDao.scala
+++ b/appsv/server/debiki/dao/UserDao.scala
@@ -1001,8 +1001,8 @@ trait UserDao {
   }
 
 
-  def getTheParticipant(userId: UserId): Participant = {
-    getParticipant(userId).getOrElse(throw UserNotFoundException(userId))
+  def getTheParticipant(userId: UserId, anyTx: Opt[SiteTx] = None): Participant = {
+    getParticipant(userId, anyTx).getOrElse(throw UserNotFoundException(userId))
   }
 
 
diff --git a/appsv/server/talkyard/server/authz/Authz.scala b/appsv/server/talkyard/server/authz/Authz.scala
index f2f0e2985..e18d2a074 100644
--- a/appsv/server/talkyard/server/authz/Authz.scala
+++ b/appsv/server/talkyard/server/authz/Authz.scala
@@ -431,6 +431,7 @@ object Authz {
     groupIds: immutable.Seq[GroupId],
     postType: PostType,
     pageMeta: PageMeta,
+    pageAuthor: Pat,
     replyToPosts: immutable.Seq[Post],
     privateGroupTalkMemberIds: Set[UserId],
     inCategoriesRootLast: immutable.Seq[Category],
@@ -442,10 +443,7 @@ object Authz {
     val mayWhat = checkPermsOnPages(
           Some(user), asAlias = asAlias, groupIds,
           Some(pageMeta),
-          // ANON_UNIMPL: Needed, for maySeeOwn [granular_perms], and later, if there'll be
-          // a mayReplyOnOwn permission?
-          // But let's wait until true author id is incl in posts3/nodes_t. [posts3_true_id]
-          pageAuthor = None,
+          pageAuthor = Some(pageAuthor),
           pageMembers = Some(privateGroupTalkMemberIds),
           catsRootLast = inCategoriesRootLast, tooManyPermissions)
 
@@ -852,8 +850,10 @@ object Authz {
       // then, pat may not see it, or any sub cat.  [see_sub_cat]
       if (mayWhatThisCat.maySee isNot true) {
         // But maySeeOwn=true has precedence over maySee=false.
-        if (isOwnPage && mayWhatThisCat.maySeeOwn) {
-          // Fine, continue.
+        if ((isOwnPage || pageMeta.isEmpty) && mayWhatThisCat.maySeeOwn) {
+          // Fine: Either it's our own page (which we may see), or no page specified — then
+          // we may still see the category.
+          mayWhatThisCat = mayWhatThisCat.copy(maySee = Some(true))
         }
         else
           return mayWhatThisCat
@@ -1037,6 +1037,8 @@ case class MayWhat(
   mayCreatePage: Bo = false,
   mayPostComment: Bo = false,
   maySee: Opt[Bo] = None,
+  // Used to derive maySee: if is own page, and maySeeOwn, then, maySee becomest Some(true).
+  // Is that a bit weird? Works for now.
   maySeeOwn: Bo = false,
   // maySeePagesOneIsMembOf: Bo = false
   // mayListUnlistedCat
diff --git a/docs/maybe-do-later.txt b/docs/maybe-do-later.txt
index 8b8ff18b0..22c35cbb1 100644
--- a/docs/maybe-do-later.txt
+++ b/docs/maybe-do-later.txt
@@ -142,6 +142,7 @@ regardless of how they inherited permissions from other groups.
 
 [granular_perms]
 E.g. may-see-others'-sessions. Currently only amdins may, but sometimes, good if mods could too?
+Or a mayReplyOnOwn permission? Maybe never.
 Also see: [wiki_perms]
 
 [tags]
diff --git a/s/run-e2e-tests.sh b/s/run-e2e-tests.sh
index 42e54030f..7e5eef410 100755
--- a/s/run-e2e-tests.sh
+++ b/s/run-e2e-tests.sh
@@ -510,6 +510,7 @@ function runAllE2eTests {
 
   $r s/wdio --only group-permissions-similar-topics.2br.mtime $args
   $r s/wdio --only permissions-edit-wiki-posts.2browsers $args
+  #$r s/wdio-7 --only permissions-see-own.2br.f.e2e $args  # _see_own
 
   # Do after the search and access permission tests above.  [.more_cat_tests]
   $r s/wdio --only categories-delete.2br $args
@@ -540,6 +541,7 @@ function runAllE2eTests {
 
   #$r s/wdio-7 --only alias-anons-true-mixed.2br.f --cd -i $args
   #$r s/wdio-7 --only alias-anons-basic.2br.f --cd -i $args
+  #$r s/wdio-7 --only alias-anons-see-own.2br.f --cd -i $args  # _see_own
 
 
   # API

From bc6633478e23be5927feb4955c5a1af798ee7b35 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Fri, 13 Sep 2024 18:07:00 +0200
Subject: [PATCH 17/28] Add e2e test for `maySeeOwn`. To code review later.

---
 .../main/scala/com/debiki/core/PagePath.scala |    2 +-
 .../forum/create-category-dialog.more.ts      |    2 +-
 docs/tests-map.txt                            |   18 +
 s/run-e2e-tests.sh                            |    2 +-
 .../specs/category-perms.2br.d.e2e.ts         |    2 +
 .../specs/perms-see-own.2br.f.e2e.ts          | 1146 +++++++++++++++++
 tests/e2e-wdio7/test-types2.ts                |   16 +-
 tests/e2e-wdio7/utils/make.ts                 |   14 +
 tests/e2e-wdio7/utils/site-builder.ts         |   21 +
 tests/e2e-wdio7/utils/ty-e2e-test-browser.ts  |    9 +-
 10 files changed, 1225 insertions(+), 7 deletions(-)
 create mode 100644 tests/e2e-wdio7/specs/perms-see-own.2br.f.e2e.ts

diff --git a/appsv/model/src/main/scala/com/debiki/core/PagePath.scala b/appsv/model/src/main/scala/com/debiki/core/PagePath.scala
index bb1b27733..6d670b460 100644
--- a/appsv/model/src/main/scala/com/debiki/core/PagePath.scala
+++ b/appsv/model/src/main/scala/com/debiki/core/PagePath.scala
@@ -329,7 +329,7 @@ object PagePath {
   }
 
 
-  /** Parses the path part of a URL into a PagePath.
+  /** Parses the path part of a URL into a PagePath. [ty_url_fmt]
     *
     * URL path examples:
     * - (server)/fold/ers/-pageId [2WBG49]
diff --git a/client/app-more/forum/create-category-dialog.more.ts b/client/app-more/forum/create-category-dialog.more.ts
index 1aa816c69..2a2c7b82f 100644
--- a/client/app-more/forum/create-category-dialog.more.ts
+++ b/client/app-more/forum/create-category-dialog.more.ts
@@ -634,7 +634,7 @@ const CatSecurity = createClassAndFactory({
       }
     });
     // Start with zero additional permissions, so the group won't accidentally
-    // get any unintended permission. [_no_extra_def_perms] TyTNEWCAT0PERMS
+    // get any unintended permission. [_no_extra_def_perms] TyTNEWPERMSEMPTY
     // (We don't know which group, yet. The admin will choose a grop from the
     // `SelectGroupDropdown()`.)
     const newPerm = noPermsOnPages(newPermId, Groups.NoUserId, category.id);
diff --git a/docs/tests-map.txt b/docs/tests-map.txt
index 9d54a83f7..3eecb2fb6 100644
--- a/docs/tests-map.txt
+++ b/docs/tests-map.txt
@@ -742,10 +742,21 @@ categories:
           - backlinks-basic.2br.d  TyTINTLNS54824.TyTDELCATBLNS
   permissions:   (1QRY7)
             - category-perms.2br.d  TyTE2ECATPREMS01
+            - perms-see-own.2br.f
             - cats-perf-many.2br.d  TyTECATPREFMNY.TyTPRIVCATS
             - promote-demote-by-staff-join-leave-chats.2br.test.ts  TyTE2E5H3GFRVK
             - link-previews-internal-not-see-cat.2br  TyTE2ELNPVIN4837.TyT0ACSPG043
             - link-previews-internal-to-cats-not-see.2br.f  TyTE2ELN2CAT
+    new cat security config:
+            - perms-see-own.2br.f   TyTPERMSEEOWN.TyTDEFCATPERMS & TyTSTAFDEFPERMS
+    new group perms security config:
+            - perms-see-own.2br.f   TyTPERMSEEOWN.TyTNEWPERMSEMPTY
+    see-own:
+            - perms-see-own.2br.f   TyTPERMSEEOWN  CR_MISSING
+            - categories-basic.3br.d   TyTCATSBASIC.TyTSEEOWN
+      move cat & back:
+            - TESTS_MISSING: Move away: Doesn't inherit.  Move back: does.
+                But there are other such tests? Not so important.
     topics on cats list page:
             - category-perms.2br.d  TyTE2ECATPREMS01.TyTSEECATTOPS
             - cats-perf-many.2br.d  TyTECATPREFMNY.TyTSEECATTOPS
@@ -972,6 +983,8 @@ link previews:
   to page/post one may not see:
     restricted category:
           - link-previews-internal-not-see-cat.2br  TyTE2ELNPVIN4837
+    see-own category:
+            - perms-see-own.2br.f  TyTPERMSEEOWN.TyTLNSEEOWN
     private message:
     private chat:
     whisper post:
@@ -996,6 +1009,8 @@ internal links:  # (687295)
           - TESTS_MISSING
   to category:
             - link-previews-internal-to-cats-not-see.2br.d  TyTE2ELN2CAT
+  see-own category:
+            - perms-see-own.2br.f  TyTPERMSEEOWN.TyTLNSEEOWN
 
 discussion -
   users on page:
@@ -1943,6 +1958,9 @@ export and restore:  (impexp)
   overwrite current site:
             - embcom.expimpjson.restore-overwrite-site-same-domain.2br  TyT5WKTJL025
             - embcom.expimpjson.restore-overwrite-site-new-domain.2br  TyT603KNF62
+  exp imp groups & members:
+    import:
+            - perms-see-own.2br.f   TyTPERMSEEOWN.TyTIMPGROUP
   exp imp images:
             - embcom.expimpjson.create-site-exp-json.2br  [402KGS4RQ]
   sanitize html:
diff --git a/s/run-e2e-tests.sh b/s/run-e2e-tests.sh
index 7e5eef410..d29c70ff9 100755
--- a/s/run-e2e-tests.sh
+++ b/s/run-e2e-tests.sh
@@ -510,7 +510,7 @@ function runAllE2eTests {
 
   $r s/wdio --only group-permissions-similar-topics.2br.mtime $args
   $r s/wdio --only permissions-edit-wiki-posts.2browsers $args
-  #$r s/wdio-7 --only permissions-see-own.2br.f.e2e $args  # _see_own
+  #$r s/wdio-7 --only perms-see-own.2br.f $args --cd -i  # _see_own
 
   # Do after the search and access permission tests above.  [.more_cat_tests]
   $r s/wdio --only categories-delete.2br $args
diff --git a/tests/e2e-wdio7/specs/category-perms.2br.d.e2e.ts b/tests/e2e-wdio7/specs/category-perms.2br.d.e2e.ts
index 498586642..6f550da2d 100644
--- a/tests/e2e-wdio7/specs/category-perms.2br.d.e2e.ts
+++ b/tests/e2e-wdio7/specs/category-perms.2br.d.e2e.ts
@@ -147,6 +147,8 @@ describe(`category-perms.2br.d  TyTE2ECATPREMS01`, () => {
       it(ps.stepsTitle, async () => {});
     }
 
+    // TESTS_MISSING: Go to Maria's profile page, verify topics are/not listed?
+
     if (numTopicsVisible >= 1) {
       it(`Memah can see ${numTopicsVisible} topic(s) in the topic list`, async () => {
         await memah_brB.go2('/')
diff --git a/tests/e2e-wdio7/specs/perms-see-own.2br.f.e2e.ts b/tests/e2e-wdio7/specs/perms-see-own.2br.f.e2e.ts
new file mode 100644
index 000000000..4b36402a5
--- /dev/null
+++ b/tests/e2e-wdio7/specs/perms-see-own.2br.f.e2e.ts
@@ -0,0 +1,1146 @@
+/// <reference path="../test-types.ts"/>
+// CR_MISSING
+
+import * as _ from 'lodash';
+import assert from '../utils/ty-assert';
+import server from '../utils/server';
+import * as utils from '../utils/utils';
+import { buildSite } from '../utils/site-builder';
+import { TyE2eTestBrowser } from '../utils/ty-e2e-test-browser';
+import { j2s, logBoring, logMessage } from '../utils/log-and-die';
+import c from '../test-constants';
+
+interface Page { id: St, url: St, title: St };
+type PagesByCatSlug = { [slug: St]: Page };
+
+let brA: TyE2eTestBrowser;
+let brB: TyE2eTestBrowser;
+
+let owen: Member;
+let owen_brA: TyE2eTestBrowser;
+
+let maria: Member;
+let maria_brB: TyE2eTestBrowser;
+const mariasPagesByCatSlug: { [slug: St]: Page } = {};
+
+let michael: Member;
+let michael_brA: TyE2eTestBrowser;
+const michaelsPagesByCatSlug: { [slug: St]: Page } = {};
+
+let kittensUrl = '/help-from-kittens'; // origin added below
+
+let memah: Member;
+let memah_brB: TyE2eTestBrowser;
+
+let mallory: Member;
+
+let supportGroup: GroupInclDetails;
+
+
+let site: IdAddress;
+let forum: TwoCatsTestForum;  // or TwoPagesTestForum or EmptyTestForum or LargeTestForum
+
+// CatA seeOwn: true, seeOthers: false
+// CatAC inherits:  If can't see base cat, then, can't see sub cat. [see_sub_cat]
+//
+// CatB seeOthers: true
+// CatBC seeOwn: true  (but seeOthers: false)
+// CatBC2 seethers: true
+
+const catA   = { slug: 'category-a', name: "CatA" };
+const catAC  = { slug: 'cat-ac', name: "CatAC", id: 6 }; // Owen alters
+
+const catB   = { slug: 'cat-b', name: "CatB" };
+const catBC  = { slug: "catbc", name: "CatBC" }; // Owen creates
+const catBC2 = {  slug: 'cat-bc2', name: "CatBC2", id: 7 };
+
+// We'll post here last —> last email from here.
+const lastCat = catBC2;
+
+// Owen won't make these cats only-see-own. (CatAC will be see-own because CatA will be.)
+const pubCats = [catB, lastCat];
+
+// Owen makes CatA and CatBC only-see-own. CatAC becomes only-see-own too,
+// since is a child of CatA. HMM
+const privCats = [catA, catAC, catBC];
+
+// Let's use this category order, when posting topics and checking for notf emails.
+const allCats = [catA, catAC, catB, catBC, lastCat];
+
+
+/// Maria and Michael post topics in See-own (only) categories, can't see
+/// each others topics (in those categories, but can see, in others).
+///
+/// Memah, in the Customer Support group, sees all categories.
+////
+describe(`perms-see-own.2br.f  TyTPERMSEEOWN`, () => {
+
+  it(`Construct site`, async () => {
+    const builder = buildSite();
+    forum = builder.addCatABForum({
+      title: "See Own E2e Test",
+      members: ['mons', 'maja', 'memah', 'maria', 'michael', 'mallory'],
+    });
+
+    builder.settings({
+      // So no "Sth for you to review" emails sent.
+      numFirstPostsToApprove: 0,
+      numFirstPostsToReview: 0,
+    });
+
+    // Search engine
+    // To have the search engine index the imported site: (by default, test sites
+    // aren't indexed)
+    builder.getSite().isTestSiteIndexAnyway = true;
+
+    // (This also test imports a group and member. TyTIMPGROUP)
+    supportGroup = builder.addGroup('support_group');
+    builder.addGroupPat(supportGroup, forum.members.memah);
+
+    builder.addCategoryWithAboutPage(forum.forumPage, {
+      id: catAC.id,
+      parentCategoryId: forum.categories.catA.id,
+      name: catAC.name,
+      slug: catAC.slug,
+      aboutPageText: "About Cat AC",
+    });
+    builder.addDefaultCatPerms(forum.siteData, catAC.id, catAC.id * 100);
+
+    // CatBC: Owen _creates_category_BC, below.
+
+    builder.addCategoryWithAboutPage(forum.forumPage, {
+      id: catBC2.id,
+      parentCategoryId: forum.categories.catB.id,
+      name: "CatBC2", slug: 'cat-bc2',
+      aboutPageText: "About Cat BC2",
+    });
+    builder.addDefaultCatPerms(forum.siteData, catBC2.id, catBC2.id * 100);
+
+    builder.addPage({
+      id: 'kittensPageId',
+      folder: '/',
+      showId: false,
+      slug: 'help-from-kittens',
+      role: c.TestPageRole.Discussion,
+      title: "Ask the Kittens",
+      body: "Kittens are cute, kittens are clever. Kittens will help you, forever.",
+      categoryId: forum.categories.catB.id, // that's a publ cat
+      authorId: forum.members.memah.id,
+    });
+
+    { // ttt
+      const cats = builder.getSite().categories.filter((c: TestCategory) =>
+                  // Exclude staff and root cat
+                  !!c.parentId && c.slug.indexOf("staff") === -1);
+      // CatA, CatAC, CatB, CatBC2 — but CatBC not yet created.
+      assert.eq(cats.length, 4);
+    }
+
+    // Subscribe Memah, Maria, Michael & Mallory to notifications about new topics, anywhere.
+    // We'll verify that Maria and Michael won't get notified about each other's
+    // only see-own topics.  But that Memah, in the @support_group, will get notified.
+    // And Mallory only about public topics.
+    const mbrs = forum.members;
+    for (let memberId of [mbrs.maria.id, mbrs.michael.id, mbrs.memah.id, mbrs.mallory.id]) {
+      builder.getSite().pageNotfPrefs.push({
+        memberId,
+        notfLevel: c.TestPageNotfLevel.EveryPost,
+        wholeSite: true,
+      });
+    }
+
+    // Let's mute Owen, so fewer emails to keep track of.
+    builder.getSite().pageNotfPrefs.push({
+      memberId: forum.members.owen.id,
+      notfLevel: c.TestPageNotfLevel.Muted,
+      wholeSite: true,
+    });
+
+    brA = new TyE2eTestBrowser(wdioBrowserA, 'brA');
+    brB = new TyE2eTestBrowser(wdioBrowserB, 'brB');
+
+    owen = forum.members.owen;
+    owen_brA = brA;
+    michael = forum.members.michael;
+    michael_brA = brA;
+
+    maria = forum.members.maria;
+    maria_brB = brB;
+    memah = forum.members.memah;
+    memah_brB = brB;
+    mallory = forum.members.mallory;
+
+    assert.refEq(builder.getSite(), forum.siteData);
+  });
+
+  it(`Import site`, async () => {
+    site = await server.importSiteData(forum.siteData);
+    kittensUrl = site.origin + kittensUrl;
+    await server.skipRateLimits(site.id);
+  });
+
+
+  it(`Maria logs in`, async () => {
+    await maria_brB.go2(site.origin);
+    await maria_brB.complex.loginWithPasswordViaTopbar(maria);
+  });
+
+
+  it(`Owen too, goes to cat A`, async () => {
+    await owen_brA.go2(site.origin + '/latest/category-a');
+    await owen_brA.complex.loginWithPasswordViaTopbar(owen);
+  });
+
+  it(`... edits cat A permissions`, async () => {
+    await owen_brA.forumButtons.clickEditCategory();
+    await owen_brA.categoryDialog.openSecurityTab();
+  });
+
+  it(`... makes Everyone see only their own topics`, async () => {
+    // This leaves 'SeeOwn' set to true:
+    await owen_brA.categoryDialog.securityTab.setMay('SeeOthers', c.EveryoneId, false);
+    // ... right?:
+    await owen_brA.categoryDialog.securityTab.assertMay('SeeOwn', c.EveryoneId, true);
+  });
+
+  addAddSupportGroupSteps("CatA");
+
+  function addAddSupportGroupSteps(toWhichCat: St) {
+    it(`Owen adds the @support_group to ${toWhichCat}`, async () => {
+      await owen_brA.categoryDialog.securityTab.addGroup(supportGroup);
+    });
+
+    it(`... it starts with zero additional permissions  TyTNEWPERMSEMPTY`, async () => {
+      // A newly added group gets no new permissions — it just inherits Everyone's permissions.
+      // So, permissions are either may-not, or inherited: granted, but input checbox disabled
+      // (since one would edit the Everyone group to revoke the permission).
+      const assertMay = owen_brA.categoryDialog.securityTab.assertMay;
+      await assertMay('EditOthersTopics',       supportGroup.id, false);
+      await assertMay('EditOthersReplies',      supportGroup.id, false);
+      await assertMay('EditWikis',              supportGroup.id, false);
+      await assertMay('EditOwn',                supportGroup.id, true, 'ShouldBeDisabled');
+      await assertMay('DeleteOthersTopics',     supportGroup.id, false);
+      await assertMay('DeleteOthersReplies',    supportGroup.id, false);
+      await assertMay('CreatePages',            supportGroup.id, true, 'ShouldBeDisabled');
+      await assertMay('PostReplies',            supportGroup.id, true, 'ShouldBeDisabled');
+      await assertMay('SeeOthers',              supportGroup.id, false);
+      await assertMay('SeeOwn',                 supportGroup.id, true, 'ShouldBeDisabled');
+    });
+
+    it(`Owen lets the @support_group members see all posts  (in ${toWhichCat})`, async () => {
+      await owen_brA.categoryDialog.securityTab.setMay('SeeOthers', supportGroup.id, true);
+    });
+  }
+
+  it(`Staff may see everyone's posts (by default, unchanged)`, async () => {
+    assert.that(await owen_brA.categoryDialog.securityTab.getMay('SeeOthers', c.StaffId));
+  });
+
+  it(`Owen saves the changes to CatA`, async () => {
+    await owen_brA.categoryDialog.submit();
+  });
+
+  it(`Owen _creates_category_BC, child of B`, async () => {
+    await owen_brA.forumCategoryList.goHere();
+    await owen_brA.forumButtons.clickCreateCategory();
+    await owen_brA.categoryDialog.fillInFields({ name: 'CatBC' });
+    await owen_brA.categoryDialog.setParentCategory('CatB');
+  });
+
+  it(`... edits CatBC's permissions ...`, async () => {
+    await owen_brA.categoryDialog.openSecurityTab();
+  });
+
+  it(`... the Everyone group can post and edit own  TyTDEFCATPERMS`, async () => {
+    const assertMay = owen_brA.categoryDialog.securityTab.assertMay;
+    await assertMay('EditOthersTopics',       c.EveryoneId, false);
+    await assertMay('EditOthersReplies',      c.EveryoneId, false);
+    await assertMay('EditWikis',              c.EveryoneId, false);
+    await assertMay('EditOwn',                c.EveryoneId, true);
+    await assertMay('DeleteOthersTopics',     c.EveryoneId, false);
+    await assertMay('DeleteOthersReplies',    c.EveryoneId, false);
+    await assertMay('CreatePages',            c.EveryoneId, true);
+    await assertMay('PostReplies',            c.EveryoneId, true);
+    await assertMay('SeeOthers',              c.EveryoneId, true);
+    await assertMay('SeeOwn',                 c.EveryoneId, true);
+  });
+
+  it(`... Full Members inherit Everyone's perms, and can edit wikis  TyTDEFCATPERMS`, async () => {
+    const assertMay = owen_brA.categoryDialog.securityTab.assertMay;
+    await assertMay('EditOthersTopics',       c.FullMembersId, false);
+    await assertMay('EditOthersReplies',      c.FullMembersId, false);
+    await assertMay('EditWikis',              c.FullMembersId, true);   // <——  wikis
+    // Intherited from Everyone, so can't be set to false, therefore true & disabled.
+    await assertMay('EditOwn',                c.FullMembersId, true, 'ShouldBeDisabled');
+    await assertMay('DeleteOthersTopics',     c.FullMembersId, false);
+    await assertMay('DeleteOthersReplies',    c.FullMembersId, false);
+    await assertMay('CreatePages',            c.FullMembersId, true, 'ShouldBeDisabled');
+    await assertMay('PostReplies',            c.FullMembersId, true, 'ShouldBeDisabled');
+    await assertMay('SeeOthers',              c.FullMembersId, true, 'ShouldBeDisabled');
+    await assertMay('SeeOwn',                 c.FullMembersId, true, 'ShouldBeDisabled');
+  });
+
+  it(`... Staff inherits, and can edit and delete others' posts  TyTSTAFDEFPERMS`, async () => {
+    const assertMay = owen_brA.categoryDialog.securityTab.assertMay;
+    await assertMay('EditOthersTopics',       c.StaffId, true);
+    await assertMay('EditOthersReplies',      c.StaffId, true);
+    // Later, when/if [mods_are_core_membs], EditWikis would be true & disabled — since
+    // inherited from Full Members.
+    await assertMay('EditWikis',              c.StaffId, true);
+    await assertMay('EditOwn',                c.StaffId, true, 'ShouldBeDisabled');
+    await assertMay('DeleteOthersTopics',     c.StaffId, true);
+    await assertMay('DeleteOthersReplies',    c.StaffId, true);
+    await assertMay('CreatePages',            c.StaffId, true, 'ShouldBeDisabled');
+    await assertMay('PostReplies',            c.StaffId, true, 'ShouldBeDisabled');
+    await assertMay('SeeOthers',              c.StaffId, true, 'ShouldBeDisabled');
+    await assertMay('SeeOwn',                 c.StaffId, true, 'ShouldBeDisabled');
+  });
+
+
+  it(`... makes Everyone see only their own topics`, async () => {
+    await owen_brA.categoryDialog.securityTab.setMay('SeeOthers', c.EveryoneId, false);
+  });
+  it(`... Full Members then also cannot`, async () => {
+    await owen_brA.categoryDialog.securityTab.assertMay('SeeOthers', c.FullMembersId, false);
+  });
+  it(`... but Staff still can — their group has all perms granted to it,
+            rather than just inheriting from Everyone  TyTSTAFDEFPERMS`, async () => {
+    await owen_brA.categoryDialog.securityTab.assertMay('SeeOthers', c.StaffId, true);
+  });
+
+  addAddSupportGroupSteps("CatBC");
+
+  it(`Owen saves this new category CatBC`, async () => {
+    await owen_brA.categoryDialog.submit();
+  });
+
+
+
+  postTopicInEachCat(() => maria_brB, "Maria", mariasPagesByCatSlug);
+
+
+  it(`Memah gets notified of each of Maria's new topics`, async () => {
+    const emails: EmailSubjectBody[] = await server.waitGetLastEmailsSentTo(
+                                site.id, memah.emailAddress, allCats.length);
+    //logMessage(j2s(emails));
+    checkNewTopicEmails(emails, allCats, maria, "Maria");
+  });
+
+  it(`Michael gets notified of only Maria's others-can-see topics`, async () => {
+    const emails = await server.waitGetLastEmailsSentTo(
+                        site.id, michael.emailAddress, pubCats.length);
+    //logMessage(j2s(emails));
+    checkNewTopicEmails(emails, pubCats, maria, "Maria");
+  });
+
+  it(`... Mallory too`, async () => {
+    const emails = await server.waitGetLastEmailsSentTo(
+                        site.id, mallory.emailAddress, pubCats.length);
+    //logMessage(j2s(emails));
+    checkNewTopicEmails(emails, pubCats, maria, "Maria");
+  });
+
+  it(`No other emails get sent`, async () => {
+    const { num, addrsByTimeAsc } = await server.getEmailsSentToAddrs(site.id);
+    assert.eq(num, allCats.length + pubCats.length * 2, `Emails sent to: ${addrsByTimeAsc}`);
+  });
+
+
+
+  it(`Owen leaves, Michael arrives`, async () => {
+    await owen_brA.topbar.clickLogout();
+    await michael_brA.complex.loginWithPasswordViaTopbar(michael);
+  });
+
+
+  postTopicInEachCat(() => michael_brA, "Michael", michaelsPagesByCatSlug);
+
+
+  it(`Memah gets notified of each of Michael's new topics`, async () => {
+    const allEmails = await server.waitGetLastEmailsSentTo(
+                                site.id, memah.emailAddress, allCats.length * 2);
+    // Skip the one's about Maria's topics.
+    const emails = allEmails.slice(allCats.length);
+    logMessage(j2s(emails));
+    checkNewTopicEmails(emails, allCats, michael, "Michael");
+  });
+
+  it(`Maria gets notified of Michael's others-can-see public topics`, async () => {
+    const emails = await server.waitGetLastEmailsSentTo(
+                              site.id, maria.emailAddress, pubCats.length);
+    logMessage(j2s(emails));
+    checkNewTopicEmails(emails, pubCats, michael, "Michael");
+  });
+
+  it(`... Mallory too`, async () => {
+    const allEmails = await server.waitGetLastEmailsSentTo(
+                        site.id, mallory.emailAddress, pubCats.length);
+    // Skip the one's about Maria's topics.
+    const emails = allEmails.slice(pubCats.length);
+    logMessage(j2s(emails));
+    checkNewTopicEmails(emails, pubCats, michael, "Michael");
+  });
+
+  it(`No other emails get sent`, async () => {
+    // At most 15 per address hmm,  [R2AB067]
+    const { num, addrsByTimeAsc } = await server.getEmailsSentToAddrs(site.id);
+    assert.eq(num, (allCats.length + pubCats.length * 2) * 2, `Emails sent to: ${addrsByTimeAsc}`);
+  });
+
+
+  // [_dir_access_test]
+  it(`Maria can't access Michael's private topics`, async () => {
+    for (let cat of privCats) {
+      const page = michaelsPagesByCatSlug[cat.slug];
+      await maria_brB.go2(page.url);
+      await maria_brB.assertNotFoundError({ whyNot: 'MayNotSeeCat' });
+    }
+  });
+  it(`... but can access Michael's public topics`, async () => {
+    for (let cat of pubCats) {
+      const page = michaelsPagesByCatSlug[cat.slug];
+      await maria_brB.go2(page.url);
+      await maria_brB.assertPageTitleMatches(`Michael_in_${cat.name}`);
+    }
+  });
+
+
+  it(`Maria leaves, Memah arrives`, async () => {
+    await maria_brB.topbar.clickLogout();
+    await memah_brB.complex.loginWithPasswordViaTopbar(memah);
+  });
+
+  // Memah replies to Maria [_dir_access_test]
+  //
+  const memahToMariaCats = [catAC, catBC, catBC2]; // only catBC2 is public, others are see-own
+  addReplyInEachCatStep(() => memah_brB, "Memah", "Maria", memahToMariaCats,
+        mariasPagesByCatSlug);
+
+  it(`Maria gets notified`, async () => {
+    const allEmails = await server.waitGetLastEmailsSentTo(
+                              site.id, maria.emailAddress, pubCats.length + memahToMariaCats.length);
+    assert.eq(allEmails.length,
+          pubCats.length + // Michael's publ posts
+                memahToMariaCats.length, // Memah's replies to Maria
+          `allEmails to Maria: ${j2s(allEmails)}`);
+
+    const emails = allEmails.slice(-memahToMariaCats.length);
+    checkReplyEmails(emails, memahToMariaCats, memah, "Memah", "Maria");
+  });
+
+  it(`Michael too — but only about CatBC2, which is public`, async () => {
+    const allEmails = await server.waitGetLastEmailsSentTo(
+                              site.id, michael.emailAddress, pubCats.length + 1);
+    assert.eq(allEmails.length,  pubCats.length + 1, // Maria's publ posts + Memah's publ reply
+          `allEmails to Michael: ${j2s(allEmails)}`);
+    const emails = allEmails.slice(-1);
+    checkReplyEmails(emails, [catBC2], memah, "Memah", "Maria");
+  });
+
+  it(`... and Mallory — only about CatBC2`, async () => {
+    const numExpected = pubCats.length * 2 + 1; // Maria's & Michel's publ + Memah's publ reply
+    const allEmails = await server.waitGetLastEmailsSentTo(
+            site.id, mallory.emailAddress, numExpected);
+    assert.eq(allEmails.length, numExpected, `allEmails to Mallory: ${j2s(allEmails)}`);
+    const emails = allEmails.slice(-1);
+    checkReplyEmails(emails, [catBC2], memah, "Memah", "Maria");
+  });
+
+  let numTotalEmailsExpected: Nr;
+
+  it(`No other emails get sent`, async () => {
+    // At most 15 per address hmm,  [R2AB067]
+    const { num, addrsByTimeAsc } = await server.getEmailsSentToAddrs(site.id);
+    numTotalEmailsExpected =
+            // Initial posts: Notfs to Memah, and Maria/Michael & Mallory. By Michael & Memah.
+            (allCats.length + pubCats.length * 2) * 2 +
+                memahToMariaCats.length + // Memah's replies to Maria
+                1 + 1; // Memah's publ reply —> notf to Michael & Mallory
+    assert.eq(num, numTotalEmailsExpected,
+           `Emails sent to: ${addrsByTimeAsc}`);
+  });
+
+
+
+  // Memah replies to Michael [_dir_access_test]
+  const memahToMichaelCats = [catA, catBC, catB]; // only CatB is public
+  addReplyInEachCatStep(() => memah_brB, "Memah", "Michael", memahToMichaelCats,
+        michaelsPagesByCatSlug);
+
+  it(`Michael gets notified`, async () => {
+    numTotalEmailsExpected += memahToMariaCats.length;
+    const numEmailsExpected =
+            pubCats.length +  // Maria's publ posts
+            1 +  // Memah's publ reply to Maria
+            memahToMichaelCats.length;  // Memah's replies to Michael
+    const allEmails = await server.waitGetLastEmailsSentTo(
+            site.id, michael.emailAddress, numEmailsExpected);
+    assert.eq(allEmails.length,  numEmailsExpected, `allEmails to Michael: ${j2s(allEmails)}`);
+    const emails = allEmails.slice(memahToMichaelCats.length);
+    checkReplyEmails(emails, memahToMichaelCats, memah, "Memah", "Michael");
+  });
+
+  it(`... Maria too, about the CatB reply only (publ visible)`, async () => {
+    numTotalEmailsExpected += 1;
+    const numEmailsExpected =
+          pubCats.length + // Michael's publ posts
+          memahToMariaCats.length + // Memah's replies to Maria
+          1; // Memah's publ reply to Michael
+    const allEmails = await server.waitGetLastEmailsSentTo(
+            site.id, maria.emailAddress, numEmailsExpected);
+    assert.eq(allEmails.length, numEmailsExpected, `allEmails to Maria: ${j2s(allEmails)}`);
+    const emails = allEmails.slice(-1);
+    checkReplyEmails(emails, [catB], memah, "Memah", "Michael");
+  });
+
+  it(`... and Mallory, about CatB only`, async () => {
+    numTotalEmailsExpected += 1;
+    const numExpected = pubCats.length * 2 + 2; // Maria's & Michel's publ + Memah's 2 publ reply
+    const allEmails = await server.waitGetLastEmailsSentTo(
+            site.id, mallory.emailAddress, numExpected);
+    assert.eq(allEmails.length, numExpected, `allEmails to Mallory: ${j2s(allEmails)}`);
+    const emails = allEmails.slice(-1);
+    checkReplyEmails(emails, [catB], memah, "Memah", "Michael");
+  });
+
+  it(`No other emails get sent`, async () => {
+    // At most 15 per address hmm,  [R2AB067]
+    const { num, addrsByTimeAsc } = await server.getEmailsSentToAddrs(site.id);
+    assert.eq(num, numTotalEmailsExpected, `Emails sent to: ${addrsByTimeAsc}`);
+  });
+
+  const itIsImportant = `It is important to help Michael`;
+
+  it(`Michael replies to Memah's reply to him in private CatBC  [_dir_access_test]`, async () => {
+    await michael_brA.go2(michaelsPagesByCatSlug[catBC.slug].url);
+    await michael_brA.complex.replyToOrigPost(itIsImportant);
+  });
+
+  it(`Memah gets notified about Michael's reply to her`, async () => {
+    numTotalEmailsExpected += 1;
+    await server.waitUntilLastEmailMatches(site.id, memah.emailAddress, [itIsImportant]);
+  });
+
+  it(`No other emails get sent`, async () => {
+    const { num, addrsByTimeAsc } = await server.getEmailsSentToAddrs(site.id);
+    assert.eq(num, numTotalEmailsExpected, `Emails sent to: ${addrsByTimeAsc}`);
+  });
+
+
+  it(`Michael goes to the topic list`, async () => {
+    await michael_brA.forumTopicList.goHere();
+  });
+  it(`... sees his own topics, and Memah's public topics`, async () => {
+    await michael_brA.forumTopicList.assertTopicTitlesAreAndOrder([
+            'Michael_in_CatBC',   // bumped by Michael's reply to Memah
+            'Michael_in_CatB',    // bumped by Memah's reply to Michael
+            'Michael_in_CatA',    //          – '' –
+            'Maria_in_CatBC2',    // bumped by Memah's reply to Maria
+            'Michael_in_CatBC2',  // Michael's last not-bumped topic
+            'Michael_in_CatAC',   // FOK w Category AC
+            'Maria_in_CatB',      // Maria's first publ topic
+            'Ask the Kittens',
+            ]);
+  });
+
+  // Break out fn: _see_public ?
+  it(`Michael goes to Maria's posts page`, async () => {
+    await michael_brA.userProfilePage.activity.posts.goHere(maria.username);
+    await michael_brA.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees only Maria's two public posts`, async () => {
+    await michael_brA.userProfilePage.activity.posts.assertExactly(pubCats.length);
+    // Maria_in_CatBC2
+    // By Maria @maria11 hours ago
+    // Hi Maria_wants_help
+    // 
+    // Maria_in_CatB
+    // By Maria @maria11 hours ago
+    // Hi Maria_wants_help
+  });
+  it(`... goes to Maria's topics page`, async () => {
+    await michael_brA.userProfilePage.activity.switchToTopics({ shallFindTopics: true });
+    //Maria_in_CatBC2
+    //Maria_in_CatB
+  });
+  it(`... sees only Maria's two public topics`, async () => {
+    await michael_brA.userProfilePage.activity.topics.assertExactly(pubCats.length);
+  });
+
+  // Break out fn: _see_all ?
+  it(`Michael goes to his own posts page`, async () => {
+    await michael_brA.userProfilePage.activity.posts.goHere(michael.username);
+    await michael_brA.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees all his posts, incl Michael's reply to Memah`, async () => {
+    await michael_brA.userProfilePage.activity.posts.assertExactly(allCats.length + 1);
+    // Michael_in_CatBC
+    // Michael @michael11 hours ago
+    // It is important to help Michael
+    // 
+    // Michael_in_CatBC2
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+    // 
+    // Michael_in_CatBC
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+    // 
+    // Michael_in_CatB
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+    // 
+    // Michael_in_CatAC
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+    // 
+    // Michael_in_CatA
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+  });
+  it(`... goes to his topics page`, async () => {
+    await michael_brA.userProfilePage.activity.switchToTopics({ shallFindTopics: true });
+  });
+  it(`... sees all his topics`, async () => {
+    await michael_brA.userProfilePage.activity.topics.assertExactly(allCats.length);
+    // Michael_in_CatBC2
+    // Michael_in_CatBC
+    // Michael_in_CatB
+    // Michael_in_CatAC
+    // Michael_in_CatA
+  });
+
+  it(`Michael goes to Memah's posts page`, async () => {
+    await michael_brA.userProfilePage.activity.posts.goHere(memah.username);
+    await michael_brA.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees Memah's "shall_help_" replies: 3 to Michael, 1 publ to Maria`, async () => {
+    // And the Kittens page too.
+    await michael_brA.userProfilePage.activity.posts.assertExactly(3 + 1 + 1);
+    // Michael_in_CatB
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Michael_in_cat-b
+    //
+    // Michael_in_CatBC
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Michael_in_catbc
+    //
+    // Michael_in_CatA
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Michael_in_category-a
+    //
+    // Maria_in_CatBC2
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Maria_in_cat-bc2
+    //
+    // Ask the Kittens
+    // Kittens are cute, kittens are clever. Kittens will help you, forever.
+  });
+  it(`... goes to _Memahs_topics_page, only the Kittens topic there`, async () => {
+    await michael_brA.userProfilePage.activity.switchToTopics({ shallFindTopics: true });
+    await michael_brA.userProfilePage.activity.topics.assertExactly(1);
+  });
+
+  addSearchTestSteps("Michael", () => michael_brA, {
+        seeMichaelsPriv: true, seeMariasPriv: false });
+
+
+
+  it(`Memah also goes to the topic list`, async () => {
+    await memah_brB.forumTopicList.goHere();
+  });
+  it(`... sees both Michael's and Memah's`, async () => {
+    await memah_brB.forumTopicList.assertTopicTitlesAreAndOrder([
+            'Michael_in_CatBC',     // bumped by Michael's reply to Memah
+            'Michael_in_CatB',      // bumped by Memah's reply to Michael
+            'Michael_in_CatA',      //           – '' –
+            'Maria_in_CatBC2',      // bumped by Memah's reply to Maria
+            'Maria_in_CatBC',       //           – '' –
+            'Maria_in_CatAC',       //           – '' –
+            'Michael_in_CatBC2',    // Michael's last not-bumped topic
+            'Michael_in_CatAC',
+            'Maria_in_CatB',
+            'Maria_in_CatA',        // Maria's first topic
+            'Ask the Kittens',
+            ]);
+  });
+
+  // Break out fn: _see_all ?
+  it(`Memah goes to Maria's posts page`, async () => {
+    await memah_brB.userProfilePage.activity.posts.goHere(maria.username);
+    await memah_brB.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees all Maria's posts`, async () => {
+    await memah_brB.userProfilePage.activity.posts.assertExactly(allCats.length);
+    // Maria_in_CatBC2
+    // By Maria @maria11 hours ago
+    // Hi Maria_wants_help
+    // 
+    // Maria_in_CatBC
+    // By Maria @maria11 hours ago
+    // Hi Maria_wants_help
+    // 
+    // Maria_in_CatB
+    // By Maria @maria11 hours ago
+    // Hi Maria_wants_help
+    // 
+    // Maria_in_CatAC
+    // By Maria @maria11 hours ago
+    // Hi Maria_wants_help
+    // 
+    // Maria_in_CatA
+    // By Maria @maria11 hours ago
+    // Hi Maria_wants_help
+  });
+  it(`... goes to Maria's topics page`, async () => {
+    await memah_brB.userProfilePage.activity.switchToTopics({ shallFindTopics: true });
+    // Maria_in_CatBC2
+    // Maria_in_CatBC
+    // Maria_in_CatB
+    // Maria_in_CatAC
+    // Maria_in_CatA
+  });
+  it(`... sees all Maria's topics`, async () => {
+    await memah_brB.userProfilePage.activity.topics.assertExactly(allCats.length);
+  });
+
+  // Break out fn: _see_all ?
+  it(`Memah goes to Michael's posts page`, async () => {
+    await memah_brB.userProfilePage.activity.posts.goHere(michael.username);
+    await memah_brB.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees all Michal's posts, incl Michael's reply to Memah`, async () => {
+    await memah_brB.userProfilePage.activity.posts.assertExactly(allCats.length + 1);
+    // Michael_in_CatBC
+    // Michael @michael11 hours ago
+    // It is important to help Michael
+    // 
+    // Michael_in_CatBC2
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+    // 
+    // Michael_in_CatBC
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+    // 
+    // Michael_in_CatB
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+    // 
+    // Michael_in_CatAC
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+    // 
+    // Michael_in_CatA
+    // By Michael @michael11 hours ago
+    // Hi Michael_wants_help
+  });
+  it(`... goes to Michal's topics page`, async () => {
+    await memah_brB.userProfilePage.activity.switchToTopics({ shallFindTopics: true });
+  });
+  it(`... sees all Michal's topics`, async () => {
+    await memah_brB.userProfilePage.activity.topics.assertExactly(allCats.length);
+    // Michael_in_CatBC2
+    // Michael_in_CatBC
+    // Michael_in_CatB
+    // Michael_in_CatAC
+    // Michael_in_CatA
+  });
+
+  it(`Memah goes to her own posts page`, async () => {
+    await memah_brB.userProfilePage.activity.posts.goHere(memah.username);
+    await memah_brB.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees all her replies to Maria and Michael + the Kittens page`, async () => {
+    await memah_brB.userProfilePage.activity.posts.assertExactly(
+            memahToMichaelCats.length + memahToMariaCats.length + 1);
+    // Michael_in_CatB
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Michael_in_cat-b
+    // 
+    // Michael_in_CatBC
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Michael_in_catbc
+    // 
+    // Michael_in_CatA
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Michael_in_category-a
+    // 
+    // Maria_in_CatBC2
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Maria_in_cat-bc2
+    // 
+    // Maria_in_CatBC
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Maria_in_catbc
+    // 
+    // Maria_in_CatAC
+    // Memah @memah11 hours ago
+    // I, Memah, shall_help_Maria_in_cat-ac
+    // 
+    // Ask the Kittens
+  });
+  it(`... _Memahs_topics_page shows her Kittens topic only`, async () => {
+    await memah_brB.userProfilePage.activity.switchToTopics({ shallFindTopics: true });
+    await memah_brB.userProfilePage.activity.topics.assertExactly(1);
+  });
+
+  addSearchTestSteps("Memah", () => memah_brB, { seeMichaelsPriv: true, seeMariasPriv: true });
+
+
+  const publBacklinkPagesById = {};
+  const mariasPrivBacklinkPagesById = {};
+  const michaelsPrivBacklinkPagesById = {};
+
+  it(`Init expected backlinks`, async () => {
+    for (let cat of pubCats) {
+      const mariasTopic: Page = mariasPagesByCatSlug[cat.slug];
+      publBacklinkPagesById[mariasTopic.id] = mariasTopic;
+
+      const michaelsTopic: Page = michaelsPagesByCatSlug[cat.slug];
+      publBacklinkPagesById[michaelsTopic.id] = michaelsTopic;
+    }
+    assert.eq(_.size(publBacklinkPagesById), 4); // ttt: CatB, CatBC2 for Maria + Michael
+
+    for (let cat of privCats) {
+      const mariasTopic: Page = mariasPagesByCatSlug[cat.slug];
+      mariasPrivBacklinkPagesById[mariasTopic.id] = mariasTopic;
+
+      const michaelsTopic: Page = michaelsPagesByCatSlug[cat.slug];
+      michaelsPrivBacklinkPagesById[michaelsTopic.id] = michaelsTopic;
+    }
+    assert.eq(_.size(mariasPrivBacklinkPagesById), 3);   // ttt: CatA, CatAC, CatBC
+    assert.eq(_.size(michaelsPrivBacklinkPagesById), 3); // ttt
+  });
+
+
+  it(`Memah goes to the Kittens page`, async () => {
+    await memah_brB.go2(kittensUrl);
+  });
+  it(`... sees 10 backlinks: Maria's 5, Michael's 5  (incl both publ and priv)`, async () => {
+    const backlinks = await memah_brB.topic.backlinks.getBacklinkUrlsAndTitles();
+    checkBacklinks(backlinks, {
+          ...mariasPrivBacklinkPagesById,
+          ...michaelsPrivBacklinkPagesById,
+          ...publBacklinkPagesById,
+        });
+  });
+
+
+  // Some _preview_links.
+  let pubPageUrl: St;
+  let privPageUrl: St;
+  let privSubCatPageUrl: St;
+
+  it(`Memah adds links to a public page, and two of Michael's only-see-own pages`, async () => {
+    pubPageUrl = michaelsPagesByCatSlug[catB.slug].url;  // B is public
+    privPageUrl = michaelsPagesByCatSlug[catA.slug].url;  // A is see-own
+    privSubCatPageUrl = michaelsPagesByCatSlug[catAC.slug].url; // AC is see-own, since sub cat
+
+    await memah_brB.complex.editPageBody(`\n\n` +
+            `${privPageUrl}\n\n` +
+            `${pubPageUrl}\n\n` +  // _Memah_2_Michael_link
+            `${privSubCatPageUrl}\n\n`,
+            { append: true, textAfterMatches: /https?:\/\/e2e-test-.*\/michaelincata/ });
+  });
+
+  addCheckLinkPreviewsToMichaelSteps(() => memah_brB, "Memah");
+  
+  function addCheckLinkPreviewsToMichaelSteps(brX: () => TyE2eTestBrowser, who: St) {
+    it(`${who} looks at preview links:  There're 2 broken link previews ...  TEST MAP`, async () => {
+      const sel = utils.makePreviewBrokenSelector('InternalLink');
+      await brX().topic.waitForExistsInPost(c.BodyNr, sel, { howMany: 2 });
+    });
+    it(`... the one to Michael's CatA page — it's access restricted`, async () => {
+      const sel = utils.makePreviewBrokenSelector('InternalLink', {
+            url: privPageUrl,
+            errCode: 'TyMLNPG404-M0SEEPG-PO404-TyEM0SEE_-TyMMBYSEE_-EdMMSEEADDCATPERM-ABX94WN_',
+            });
+      await brX().topic.waitForExistsInPost(c.BodyNr, sel, { howMany: 1 });
+    });
+    it(`... the one to CatAC, also access restricted`, async () => {
+      const sel = utils.makePreviewBrokenSelector('InternalLink', {
+            url: privSubCatPageUrl,
+            errCode: 'TyMLNPG404-M0SEEPG-PO404-TyEM0SEE_-TyMMBYSEE_-EdMMSEEADDCATPERM-ABX94WN_',
+            });
+      await brX().topic.waitForExistsInPost(c.BodyNr, sel, { howMany: 1 });
+    });
+    it(`... but the link preview to Michael's page in CatB works — CatB is public`, async () => {
+      await brX().topic.waitForExistsInPost(c.BodyNr,
+            utils.makePreviewOkSelector('InternalLink', { url: pubPageUrl }));
+    });
+  }
+
+
+  it(`Memah leaves, Maria is back`, async () => {
+    await memah_brB.topbar.clickLogout();
+    await maria_brB.complex.loginWithPasswordViaTopbar(maria);
+  });
+
+  it(`Maria goes to the topic list`, async () => {
+    await maria_brB.forumTopicList.goHere();
+  });
+  it(`... sees her own topics`, async () => {
+    await maria_brB.forumTopicList.assertTopicTitlesAreAndOrder([
+            'Ask the Kittens',      // bumped by Memah's orig post edits
+            'Michael_in_CatB',      // bumped by Memah's reply to Michael
+            'Maria_in_CatBC2',      // bumped by Memah's reply to Maria
+            'Maria_in_CatBC',       //           – '' –
+            'Maria_in_CatAC',       //           – '' –
+            'Michael_in_CatBC2',    // Michael's last not-bumped topic
+            'Maria_in_CatB',
+            'Maria_in_CatA',        // Maria's first topic
+            ]);
+  });
+
+  // Break out fn: _see_all ?
+  it(`Maria goes to her own posts page`, async () => {
+    await maria_brB.userProfilePage.activity.posts.goHere(maria.username);
+    await maria_brB.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees all posts`, async () => {
+    await maria_brB.userProfilePage.activity.posts.assertExactly(allCats.length);
+  });
+  it(`... goes to her topics page`, async () => {
+    await maria_brB.userProfilePage.activity.switchToTopics({ shallFindTopics: true });
+  });
+  it(`... sees all topics`, async () => {
+    await maria_brB.userProfilePage.activity.topics.assertExactly(allCats.length);
+  });
+
+  // Break out fn: _see_public ?
+  it(`Maria goes to Michael's posts page`, async () => {
+    await maria_brB.userProfilePage.activity.posts.goHere(michael.username);
+    await maria_brB.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees his public posts`, async () => {
+    await maria_brB.userProfilePage.activity.posts.assertExactly(pubCats.length);
+  });
+  it(`... goes to his topics page`, async () => {
+    await maria_brB.userProfilePage.activity.switchToTopics({ shallFindTopics: true });
+  });
+  it(`... sees Michael's public topics`, async () => {
+    await maria_brB.userProfilePage.activity.topics.assertExactly(pubCats.length);
+  });
+
+  it(`Maria goes to Memah's posts page`, async () => {
+    await maria_brB.userProfilePage.activity.posts.goHere(memah.username);
+    await maria_brB.userProfilePage.activity.posts.waitForPostTextsVisible();
+  });
+  it(`... sees Memah's "shall_help_" replies: 3 to Maria, 1 publ to Michael, + Kittens page`,
+          async () => {
+    await maria_brB.userProfilePage.activity.posts.assertExactly(3 + 1 + 1);
+  });
+  // Skip — Michael did already.
+  // it(`... goes to _Memahs_topics_page, sees the Kittens topic`, ...
+
+  addSearchTestSteps("Maria", () => maria_brB, { seeMichaelsPriv: false, seeMariasPriv: true,
+        // Memah added a link from the Kittens page. [_Memah_2_Michael_link]
+        linkFromKittensToMichaelsPage: true});
+
+
+  it(`Maria goes to the Kittens page`, async () => {
+    await maria_brB.go2(kittensUrl);
+  });
+  it(`... sees 7 backlinks: Maria's 5, Michael's 2 public  TyTLNSEEOWN`, async () => {
+    // [_links_from_see_own]
+    const backlinks = await maria_brB.topic.backlinks.getBacklinkUrlsAndTitles();
+    checkBacklinks(backlinks, { ...mariasPrivBacklinkPagesById, ...publBacklinkPagesById });
+  });
+
+  addCheckLinkPreviewsToMichaelSteps(() => maria_brB, "Maria");
+
+  // More _preview_links.
+  let mariasPubPageUrl: St;
+  let mariasPrivPageUrl: St;
+
+  it(`Maria adds a comment with a link to a public page, and a see-own page of hers`, async () => {
+    mariasPubPageUrl = mariasPagesByCatSlug[catBC2.slug].url;  // BC2 is public
+    mariasPrivPageUrl = mariasPagesByCatSlug[catBC.slug].url;  // BC is see-own
+
+    await maria_brB.complex.replyToOrigPost(
+            `${mariasPrivPageUrl}\n\n` +
+            `${mariasPubPageUrl}\n\n`);
+  });
+
+  addCheckLinkPreviewsToMariaSteps(() => maria_brB, "Maria");
+  
+  function addCheckLinkPreviewsToMariaSteps(brX: () => TyE2eTestBrowser, who: St) {
+    it(`${who} looks at preview links to Maria's pages:
+            There're 1 broken link preview  TyTLNSEEOWN`, async () => {
+      // [_links_to_see_own]
+      const sel = utils.makePreviewBrokenSelector('InternalLink');
+      await brX().topic.waitForExistsInPost(c.FirstReplyNr, sel, { howMany: 1 });
+    });
+    it(`... the one to Maria's CatBC page — it's access restricted`, async () => {
+      const sel = utils.makePreviewBrokenSelector('InternalLink', {
+            url: mariasPrivPageUrl,
+            errCode: 'TyMLNPG404-M0SEEPG-PO404-TyEM0SEE_-TyMMBYSEE_-EdMMSEEADDCATPERM-ABX94WN_',
+            });
+      await brX().topic.waitForExistsInPost(c.FirstReplyNr, sel, { howMany: 1 });
+    });
+    it(`... but the link preview to Maria's page in CatBC2 works — CatBC2 is public`, async () => {
+      await brX().topic.waitForExistsInPost(c.FirstReplyNr,
+            utils.makePreviewOkSelector('InternalLink', { url: mariasPubPageUrl }));
+    });
+  }
+
+  it(`Michael goes to the Kittens page`, async () => {
+    await michael_brA.go2(kittensUrl);
+  });
+  it(`... sees 7 backlinks: Michael's 5, Maria's 2 public`, async () => {
+    const backlinks = await michael_brA.topic.backlinks.getBacklinkUrlsAndTitles();
+    checkBacklinks(backlinks, { ...michaelsPrivBacklinkPagesById, ...publBacklinkPagesById });
+  });
+
+  addCheckLinkPreviewsToMichaelSteps(() => michael_brA, "Michael");
+
+  addCheckLinkPreviewsToMariaSteps(() => michael_brA, "Michael");
+
+
+  function postTopicInEachCat(brX: () => TyE2eTestBrowser, who: St,
+          pagesByCatSlug: PagesByCatSlug) {
+    it(`${who} posts a topic in each category`, async () => {
+      for (let cat of allCats) {
+        logBoring(`${who} posts in ${cat.name} ...`)
+        const title = `${who}_in_${cat.name}`;
+        const bodyTxt = `Hi ${who}_wants_help`;
+        await brX().go2('/latest/' + cat.slug);
+        await brX().complex.createAndSaveTopic({
+                title,
+                bodyMatchAfter: bodyTxt,
+                body: bodyTxt +
+                    // So we can check if links from only-see-own pages are left out,
+                    // when showing incoming links. [_links_from_see_own] [_links_to_see_own]
+                    // (This expands to a link preview — everyone can see the kittens page.)
+                    '\n\n' + kittensUrl,
+                });
+        const url = await brX().getUrl();
+        const id = await brX().getPageId();
+        pagesByCatSlug[cat.slug] = { id, url, title };
+      }
+    });
+  }
+
+  function checkNewTopicEmails(emails, cats, aboutWho: Member, aboutWhoName: St) {
+    for (let i = 0; i < emails.length; ++i) {
+      logBoring(`Checking new topic email at ix ${i}`)
+      const email = emails[i];
+      const cat = cats[i];
+      const bodyHtml: St = email.bodyHtmlText;
+      assert.includes(bodyHtml, `${aboutWhoName}_in_${cat.name}`);
+      assert.includes(bodyHtml, `${aboutWhoName}_wants_help`);
+      assert.includes(bodyHtml, `>${aboutWho.username}</`); // between <i>..</i> tags
+    }
+  }
+
+  function addReplyInEachCatStep(brX: () => TyE2eTestBrowser, who: St, toWho: St,
+        cats, pagesByCatSlug: PagesByCatSlug) {
+    it(`${who} replies to ${toWho} in cats ${j2s(cats)}`, async () => {
+      for (let cat of cats) {
+        const topic = pagesByCatSlug[cat.slug];
+        logBoring(`${who} posts in ${cat.name}, page ${topic?.title} ...`)
+        await brX().go2(topic.url);
+        await brX().complex.replyToOrigPost(`I, ${who}, shall_help_${toWho}_in_${cat.slug}`);
+      }
+    });
+  }
+
+  function checkReplyEmails(emails, cats, who: Member, whoName: St, toWho: St) {
+    for (let i = 0; i < emails.length; ++i) {
+      logBoring(`Checking reply email at ix ${i}`)
+      const email = emails[i];
+      const cat = cats[i];
+      const bodyHtml: St = email.bodyHtmlText;
+      assert.includes(bodyHtml, `I, ${whoName}, shall_help_${toWho}_in_${cat.slug}`);
+      assert.includes(bodyHtml, `>${who.username}</`); // between <i>..</i> tags
+    }
+  }
+  
+
+  function addSearchTestSteps(who: St, brX: () => TyE2eTestBrowser,
+          ps: { seeMichaelsPriv: Bo, seeMariasPriv: Bo, linkFromKittensToMichaelsPage?: Bo }) {
+    const michaelPrivTopicTitle = 'Michael_in_CatBC';
+    const michaelPrivComt = `"${itIsImportant}"`;
+    const michaelPublTopicTitle = 'Michael_in_CatB';
+    const mariaPrivTopicTitle = 'Maria_in_CatAC';
+    const mariaPublTopicTitle = 'Maria_in_CatBC2';
+
+    it(`${who} searches & finds Michael's private topic: ${ps.seeMichaelsPriv}`, async () => {
+      await brX().topbar.searchFor(michaelPrivTopicTitle);
+      if (ps.seeMichaelsPriv) {
+        await brX().searchResultsPage.waitForAssertNumPagesFound(michaelPrivTopicTitle, 1);
+      }
+      else {
+        await brX().searchResultsPage.assertPhraseNotFound(michaelPrivTopicTitle);
+      }
+    });
+
+    it(`... finds Michael's public topic`, async () => {
+      await brX().searchResultsPage.searchForUntilNumPagesFound(michaelPublTopicTitle,
+            1 + (ps.linkFromKittensToMichaelsPage ? 1 : 0));
+    });
+
+    it(`... finds Maria's private topic: ${ps.seeMariasPriv}`, async () => {
+      if (ps.seeMariasPriv) {
+        await brX().searchResultsPage.searchForUntilNumPagesFound(mariaPrivTopicTitle, 1);
+      }
+      else {
+        await brX().searchResultsPage.searchForWaitForResults(mariaPrivTopicTitle);
+        await brX().searchResultsPage.assertPhraseNotFound(mariaPrivTopicTitle);
+      }
+    });
+
+    it(`... finds Maria's public topic`, async () => {
+      await brX().searchResultsPage.searchForUntilNumPagesFound(mariaPublTopicTitle, 1);
+    });
+
+    /*
+    it(`... finds Memah's reply to Maria: ${ps.seeMariasPriv} `, async () => {
+      await michael_brA.searchResultsPage.searchForUntilNumPagesFound(__, 1);
+    });
+
+    it(`... finds Memah's reply to Michael: ${ps.seeMichaelsPriv}`, async () => {
+      await michael_brA.searchResultsPage.searchForUntilNumPagesFound(__, 1);
+    }); */
+  }
+
+  function checkBacklinks(backlinks: { url: St, title: St }[],
+          pagesById: { [pageId: PageId]: Page }) {
+
+    // `backlinks` looks like:
+    // [{"url":"/-12","title":"Michael_in_CatBC2"}, {"url":"/-5","title":"Maria_in_CatB"}, ...]
+    //
+    // `pagesById` looks like:   {
+    //   "3": { "id": "3", "url": "http://e2e-test-cid-0-0-now-7487.localhost/-3/mariaincata",
+    //         "title":"Maria_in_CatA" },
+    //   "4": { "id": "4", "url": "http://e2e-test-cid-0-0-now-7487.localhost/-4/mariaincatac",
+    //         "title": "Maria_in_CatAC" },
+    //   ...
+    //  }
+
+    const tooManyLinks = [];
+    const linksLeft = { ...pagesById };
+
+    for (let link of backlinks) {
+      // Extract page id from url. All urls are like:  "/-pageId" right now (Sept 2024)
+      // but let's use a regex that works with complete urls.  [ty_url_fmt]
+      // 'https://ex.com/-4/ab/cd?q=p'.replace(/(https?:\/\/[^/]+)?\/-([^/]+).*/, '$2')
+      const pageId = link.url.replace(/(https?:\/\/[^/]+)?\/-([^/]+).*/, '$2');
+      const page = pagesById[pageId];
+      if (!page) {
+        tooManyLinks.push(link);
+      }
+      delete linksLeft[pageId];
+    }
+
+    assert.that(!tooManyLinks.length && _.isEmpty(linksLeft),
+        `Backlinks error — too many links, and/or links missing:\n`+
+        `    tooManyLinks: ${j2s(tooManyLinks)}\n` +
+        `    linksLeft: ${j2s(linksLeft)}\n` +
+        `    backlinks: ${j2s(backlinks)}\n` +
+        `    pagesById: ${j2s(pagesById)}`);
+  }
+
+});
+
diff --git a/tests/e2e-wdio7/test-types2.ts b/tests/e2e-wdio7/test-types2.ts
index a50bc1fee..8cca9f6ab 100644
--- a/tests/e2e-wdio7/test-types2.ts
+++ b/tests/e2e-wdio7/test-types2.ts
@@ -184,7 +184,7 @@ interface SiteData2 {   // [3SD5PB7]
   webhooks: any[]; // Webhook[];
   guests: TestGuest[];
   groups: GroupInclDetails[];
-  groupPps: any[];
+  groupPps: TestGroupPat[];
   members: Member[];
   ppStats: any[];
   ppVisitStats: any[];
@@ -305,6 +305,20 @@ interface TestMyself {
   fullName?: St;
 }
 
+
+// See: SitePatchParser.readGroupParticipantOrBad()
+//
+interface TestGroupPat {
+  groupId: PatId
+  ppId: PatId
+  // For now:
+  isMember: true
+  isManager: false
+  isAdder: false
+  isBouncer: false
+}
+
+
 interface Member {   // see also TestGuest below
   id: number;
   ssoId?: St;
diff --git a/tests/e2e-wdio7/utils/make.ts b/tests/e2e-wdio7/utils/make.ts
index 8a3795643..867cc9148 100644
--- a/tests/e2e-wdio7/utils/make.ts
+++ b/tests/e2e-wdio7/utils/make.ts
@@ -51,6 +51,7 @@ function makeEmptySite(ps: { okInitEarly?: boolean } = {}): SiteData {
     companyFullName: "E2E Test Org",
   },
   groups: [],
+  groupPps: [],
   members: [],
   identities: [],
   guests: [],
@@ -366,6 +367,19 @@ export function minion(ps: { oneWordNameAndNumber: string,
 }
 
 
+export function group(username: string, template: Partial<GroupInclDetails> = {})
+        : GroupInclDetails {
+    return {
+      id: getAndBumpNextUserId(),
+      isGroup: true,
+      username,
+      fullName: undefined,
+      createdAtMs: DefaultCreatedAtMs,
+      ...template,
+    };
+}
+
+
 export function loadTestGoose(ps: { nr: Nr, trustLevel: Nr }): Member {
   const trustLevel = ps.trustLevel || c.TestTrustLevel.Basic;
   let levelName;
diff --git a/tests/e2e-wdio7/utils/site-builder.ts b/tests/e2e-wdio7/utils/site-builder.ts
index d9773588c..08a110af0 100644
--- a/tests/e2e-wdio7/utils/site-builder.ts
+++ b/tests/e2e-wdio7/utils/site-builder.ts
@@ -243,6 +243,27 @@ export function buildSite(site: SiteData | U = undefined, ps: { okInitEarly?: bo
     },
 
 
+    addGroup: function(username: string): GroupInclDetails {
+      const group = make.group(username, {});
+      (site as SiteData2).groups.push(group);
+      return group;
+    },
+
+
+    addGroupPat: function(group: GroupInclDetails, member: Pat): TestGroupPat {
+      const groupPat: TestGroupPat = {
+        groupId: group.id,
+        ppId: member.id,
+        isMember: true,
+        isManager: false,
+        isAdder: false,
+        isBouncer: false,
+      };
+      (site as SiteData2).groupPps.push(groupPat);
+      return groupPat;
+    },
+
+
     addLoadTestGooseUsers: function(ps: { howMany: number, nextNr: Nr, trustLevel: Nr }): Member[] {
       const newUsers = [];
       for (let nr = ps.nextNr; nr < ps.nextNr + ps.howMany; ++nr) {
diff --git a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
index a075adcce..e6da353e1 100644
--- a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
+++ b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
@@ -5462,11 +5462,14 @@ export class TyE2eTestBrowser {
           await this.waitUntilGone(`.s_PoP-Grp-${groupId}`);
         },
 
-        addGroup: async (groupName: St) => {
+        /// `group`: A group, or it's full name.
+        addGroup: async (group: GroupInclDetails | St) => {
           await this.waitAndClick('.s_CD_Sec_AddB');
           await this.waitAndClick('.s_PoP-Select-Grp .e_SelGrpB');
           await this.waitAndClickSelectorWithText(
-              '.esDropModal_content .esExplDrp_entry', groupName);
+              '.esDropModal_content .esExplDrp_entry',
+              _.isString(group) ? group
+                                : group.fullName || '@' + group.username);
         },
 
         setMay: async (what: PermName, groupId: UserId, may: Bo) => {
@@ -10448,7 +10451,7 @@ export class TyE2eTestBrowser {
       },
 
       editPageBody: async (newText: string, opts: { append?: Bo, textAfterIs?: St,
-              textAfterMatches?: St } = {}) => {
+              textAfterMatches?: St | RegExp } = {}) => {
         await this.topic.clickEditOrigPost();
         await this.editor.editText(newText, opts);
         await this.editor.save();

From c29bab7861e05085131521a3c3c2ca162ae2541b Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Sun, 22 Sep 2024 07:52:43 +0200
Subject: [PATCH 18/28] E2e test: Make work with maySeeOwn. Add maySeeOwn test
 steps.

---
 docs/tests-map.txt                            |  1 -
 .../specs/categories-basic.3br.d.e2e.ts       | 74 ++++++++++++++++++-
 .../specs/category-perms.2br.d.e2e.ts         |  1 +
 tests/e2e-wdio7/utils/ty-e2e-test-browser.ts  |  5 +-
 4 files changed, 76 insertions(+), 5 deletions(-)

diff --git a/docs/tests-map.txt b/docs/tests-map.txt
index 3eecb2fb6..c62fab738 100644
--- a/docs/tests-map.txt
+++ b/docs/tests-map.txt
@@ -742,7 +742,6 @@ categories:
           - backlinks-basic.2br.d  TyTINTLNS54824.TyTDELCATBLNS
   permissions:   (1QRY7)
             - category-perms.2br.d  TyTE2ECATPREMS01
-            - perms-see-own.2br.f
             - cats-perf-many.2br.d  TyTECATPREFMNY.TyTPRIVCATS
             - promote-demote-by-staff-join-leave-chats.2br.test.ts  TyTE2E5H3GFRVK
             - link-previews-internal-not-see-cat.2br  TyTE2ELNPVIN4837.TyT0ACSPG043
diff --git a/tests/e2e-wdio7/specs/categories-basic.3br.d.e2e.ts b/tests/e2e-wdio7/specs/categories-basic.3br.d.e2e.ts
index 2c9624635..1777f1689 100644
--- a/tests/e2e-wdio7/specs/categories-basic.3br.d.e2e.ts
+++ b/tests/e2e-wdio7/specs/categories-basic.3br.d.e2e.ts
@@ -66,6 +66,7 @@ describe(`categories-basic.3br.d   TyTCATSBASIC`, () => {
 
   var mariasFirstTopicTitle = "Marias topic";
   var mariasFirstTopicText = "Marias text text text.";
+  let mariasPageUrl: St;
 
   it("Maria creates a topic, in the new category", async () => {
     await maria.forumButtons.clickCreateTopic();
@@ -73,7 +74,7 @@ describe(`categories-basic.3br.d   TyTCATSBASIC`, () => {
     await maria.editor.editText(mariasFirstTopicText);
     await maria.rememberCurrentUrl();
     await maria.editor.save();
-    await maria.waitForNewUrl();
+    mariasPageUrl = await maria.waitForNewUrl();
     // Ensure ancestor Wasteland visible.
     await maria.assertPageTitleMatches(mariasFirstTopicTitle);
     await maria.assertPageBodyMatches(mariasFirstTopicText);
@@ -204,13 +205,22 @@ describe(`categories-basic.3br.d   TyTCATSBASIC`, () => {
     await maria.assertPageTitleMatches("Mons Only Staff Create Topic");
   });
 
-  it("Owen sets the category to staff only", async () => {
+  it("Owen edits the category", async () => {
     await owen.go2(idAddress.origin + '/latest/wasteland');
     await owen.forumButtons.clickEditCategory();
+  });
+
+  it("... sets it to staff only", async () => {
     await owen.categoryDialog.fillInFields({ name: WastelandCategoryNameStaffOnly });
     await owen.categoryDialog.openSecurityTab();
     await owen.categoryDialog.securityTab.setMay('PostReplies', c.EveryoneId, false);
     await owen.categoryDialog.securityTab.setMay('SeeOthers', c.EveryoneId, false);
+  });
+  it("... but forgets to un-tick See-Own", async () => {
+    assert.not(await owen.categoryDialog.securityTab.getMay('SeeOthers', c.EveryoneId));
+    assert.that(await owen.categoryDialog.securityTab.getMay('SeeOwn', c.EveryoneId));
+  });
+  it("... saves", async () => {
     await owen.categoryDialog.submit();
   });
 
@@ -224,6 +234,59 @@ describe(`categories-basic.3br.d   TyTCATSBASIC`, () => {
     await owen.assertNthTextMatches('.e2eF_T', 3, /Wasteland Staff Only/);
   });
 
+
+  it("Maria still sees the category in the category list", async () => {
+    await maria.go2(idAddress.origin + '/categories');
+    await maria.waitForVisible(DefaultCategorySelector);
+    await maria.waitForMyDataAdded();
+    // Uncategorized, and Wasteland
+    await maria.forumCategoryList.waitForNumCategoriesVisible(2);
+    assert.that(await maria.isVisible(WastelandCategorySelector));  // (410RKE5)
+  });
+
+  it("... but only her own topic  TyTSEEOWN", async () => {
+    let titles = await maria.forumCategoryList.getTopicTitles(1);
+    assert.deepEq(titles, []); // no topics in Uncategorized, nr 1
+    titles = await maria.forumCategoryList.getTopicTitles(2);
+    assert.deepEq(titles, [mariasFirstTopicTitle]);
+  });
+
+  it("... can access the cateogry", async () => {
+    await maria.forumCategoryList.openCategory(WastelandCategoryNameStaffOnly);
+  });
+
+  it("... sees only her own topic  TyTSEEOWN", async () => {
+    await maria.forumTopicList.waitForTopics();
+    await maria.forumTopicList.assertTopicTitlesAreAndOrder([mariasFirstTopicTitle]);
+  });
+
+  it("... can't post new topics", async () => {
+    await maria.forumButtons.assertNoCreateTopicButton();
+  });
+
+  it("... cannot access Mons page", async () => {
+    await maria.go2(urlToMonsPage);
+    await maria.assertNotFoundError();
+  });
+
+  it("... but can access her own  TyTSEEOWN", async () => {
+    await maria.go2(mariasPageUrl);
+    await maria.assertPageTitleMatches(mariasFirstTopicTitle);
+  });
+
+
+
+  it("Owen edits the category again", async () => {
+    await owen.forumButtons.clickEditCategory();
+  });
+
+  it("... removes See-Own for Everyone  TyTSEEOWN", async () => {
+    await owen.categoryDialog.openSecurityTab();
+    await owen.categoryDialog.securityTab.setMay('SeeOwn', c.EveryoneId, false);
+    await owen.categoryDialog.submit();
+  });
+
+
   it("Mons sees it and can create a 2nd topic", async () => {
     await mons.go2(idAddress.origin + '/categories');
     await mons.waitForVisible(DefaultCategorySelector);
@@ -244,7 +307,12 @@ describe(`categories-basic.3br.d   TyTCATSBASIC`, () => {
   it("... and cannot access pages in it", async () => {
     await maria.go2(urlToMonsPage);
     await maria.assertNotFoundError();
-    await maria.go2(urlToMonsPage3);
+    await maria.go2(urlToMonsPage3); // note: '...3'
+    await maria.assertNotFoundError();
+  });
+
+  it("... not her own page either, any mor", async () => {
+    await maria.go2(mariasPageUrl);
     await maria.assertNotFoundError();
   });
 
diff --git a/tests/e2e-wdio7/specs/category-perms.2br.d.e2e.ts b/tests/e2e-wdio7/specs/category-perms.2br.d.e2e.ts
index 6f550da2d..f82464efe 100644
--- a/tests/e2e-wdio7/specs/category-perms.2br.d.e2e.ts
+++ b/tests/e2e-wdio7/specs/category-perms.2br.d.e2e.ts
@@ -407,6 +407,7 @@ describe(`category-perms.2br.d  TyTE2ECATPREMS01`, () => {
     await owen_brA.forumButtons.clickEditCategory();
     await owen_brA.categoryDialog.openSecurityTab();
     await owen_brA.categoryDialog.securityTab.addGroup(c.EveryoneFullName);
+    await owen_brA.categoryDialog.securityTab.setMay('SeeOthers', c.EveryoneId, true);
     await owen_brA.categoryDialog.submit();
   });
 
diff --git a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
index e6da353e1..e83d89ca1 100644
--- a/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
+++ b/tests/e2e-wdio7/utils/ty-e2e-test-browser.ts
@@ -1121,13 +1121,16 @@ export class TyE2eTestBrowser {
 
 
     async waitForNewUrl() {
+      let newUrl: St | U;
       assert.ok(!!this._currentUrl, "Please call this.#br.rememberCurrentUrl() first [EsE7JYK24]");
       await this.waitUntil(async () => {
-        return this._currentUrl !== await this.#br.getUrl();
+        newUrl = await this.#br.getUrl()
+        return this._currentUrl !== newUrl;
       }, {
         message: `Waiting for new URL, currently at: ${this._currentUrl}`
       });
       delete this._currentUrl;
+      return newUrl;
     }
 
 

From 554b1b1ad84ed8bcd9279b842735b6a5cd34116b Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Sat, 21 Sep 2024 12:18:30 +0200
Subject: [PATCH 19/28] Fix e2e test, now when Full Members get only
 mayEditWiki.

---
 tests/e2e-wdio7/specs/api-search-full-text.1br.f.e2e.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tests/e2e-wdio7/specs/api-search-full-text.1br.f.e2e.ts b/tests/e2e-wdio7/specs/api-search-full-text.1br.f.e2e.ts
index 479b97eb7..c276b3f03 100644
--- a/tests/e2e-wdio7/specs/api-search-full-text.1br.f.e2e.ts
+++ b/tests/e2e-wdio7/specs/api-search-full-text.1br.f.e2e.ts
@@ -335,6 +335,12 @@ describe(`api-search-full-text.1br.f  TyT70ADNEFTD36`, () => {
   it("... makes it public: adds the Everyone group  TyT69WKTEJG4", async () => {
     await owensBrowser.categoryDialog.securityTab.addGroup(c.EveryoneFullName);
   });
+  it("... grants the See permissions", async () => {
+    await owensBrowser.categoryDialog.securityTab.setMay('SeeOthers', c.EveryoneId, true);
+  });
+  it("... See-Own then gets ticked automatically  TEST MAP", async () => {
+    assert.ok(await owensBrowser.categoryDialog.securityTab.getMay('SeeOwn', c.EveryoneId));
+  });
   it("... saves", async () => {
     await owensBrowser.categoryDialog.submit();
   });

From 317f66e9bbece24c74727927eae59b30afaea8fd Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Sun, 22 Sep 2024 07:27:12 +0200
Subject: [PATCH 20/28] Move e2e file to -wdio-7.

---
 .../specs/api-list-query-for-topics-popular-first.1br.f.e2e.ts}   | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename tests/{e2e/specs/api-list-query-for-topics-popular-first.test.ts => e2e-wdio7/specs/api-list-query-for-topics-popular-first.1br.f.e2e.ts} (100%)

diff --git a/tests/e2e/specs/api-list-query-for-topics-popular-first.test.ts b/tests/e2e-wdio7/specs/api-list-query-for-topics-popular-first.1br.f.e2e.ts
similarity index 100%
rename from tests/e2e/specs/api-list-query-for-topics-popular-first.test.ts
rename to tests/e2e-wdio7/specs/api-list-query-for-topics-popular-first.1br.f.e2e.ts

From 96ee1e14effc587d78cec7ce0be6fbb82f7aea80 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Sun, 22 Sep 2024 07:44:05 +0200
Subject: [PATCH 21/28] Port to Wdio 7. Make work with maySeeOwn.

---
 s/run-e2e-tests.sh                            |   2 +-
 ...uery-for-topics-popular-first.1br.f.e2e.ts | 129 +++++++++---------
 2 files changed, 66 insertions(+), 65 deletions(-)

diff --git a/s/run-e2e-tests.sh b/s/run-e2e-tests.sh
index d29c70ff9..57411bb8f 100755
--- a/s/run-e2e-tests.sh
+++ b/s/run-e2e-tests.sh
@@ -553,7 +553,7 @@ function runAllE2eTests {
   $r s/wdio-7 --only api-upsert-posts.2br.d --cd -i $args
 
   $r s/wdio-7 --only api-search-full-text.1br.f --cd -i $args
-  $r s/wdio --only api-list-query-for-topics-popular-first $args
+  $r s/wdio-7 --only api-list-query-for-topics-popular-first --cd -i $args
   $r s/wdio --only api-list-query-for-topics-recent-etc-first $args
   $r s/wdio --only api-list-query-for-posts $args
  #$r s/wdio --only api-list-query-for-events $args
diff --git a/tests/e2e-wdio7/specs/api-list-query-for-topics-popular-first.1br.f.e2e.ts b/tests/e2e-wdio7/specs/api-list-query-for-topics-popular-first.1br.f.e2e.ts
index dbf812ba9..a30a3b72a 100644
--- a/tests/e2e-wdio7/specs/api-list-query-for-topics-popular-first.1br.f.e2e.ts
+++ b/tests/e2e-wdio7/specs/api-list-query-for-topics-popular-first.1br.f.e2e.ts
@@ -1,15 +1,11 @@
 /// <reference path="../test-types.ts"/>
 
 import * as _ from 'lodash';
-import assert = require('../utils/ty-assert');
-// import fs = require('fs');  EMBCMTS
-import server = require('../utils/server');
-import utils = require('../utils/utils');
-import settings = require('../utils/settings');
+import assert from '../utils/ty-assert';
+import server from '../utils/server';
 import { buildSite } from '../utils/site-builder';
-import { TyE2eTestBrowser } from '../utils/pages-for';
-import lad = require('../utils/log-and-die');
-import c = require('../test-constants');
+import { TyE2eTestBrowser } from '../utils/ty-e2e-test-browser';
+import c from '../test-constants';
 
 
 let owen: Member;
@@ -20,7 +16,7 @@ let mariasBrowser: TyE2eTestBrowser;
 let margaret: Member;
 
 let siteIdAddress: IdAddress;
-let siteId;
+let siteId: Nr | U;
 
 let forum: TwoPagesTestForum;
 
@@ -47,7 +43,7 @@ let pageZzzJustAdded: PageJustAdded | U;
 
 describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
 
-  it("import a site", () => {
+  it("import a site", async () => {
     const builder = buildSite();
     forum = builder.addTwoPagesForum({
       title: "Some E2E Test",
@@ -112,13 +108,13 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
     forum.categories.staffOnlyCategory.extId = staffCatExtId;
 
     assert.refEq(builder.getSite(), forum.siteData);
-    siteIdAddress = server.importSiteData(forum.siteData);
+    siteIdAddress = await server.importSiteData(forum.siteData);
     siteId = siteIdAddress.id;
     server.skipRateLimits(siteId);
   });
 
-  it("initialize people", () => {
-    const richBrowserA = new TyE2eTestBrowser(oneWdioBrowser);
+  it("initialize people", async () => {
+    const richBrowserA = new TyE2eTestBrowser(oneWdioBrowser, 'brA');
     owen = forum.members.owen;
     maria = forum.members.maria;
     mariasBrowser = richBrowserA;
@@ -126,10 +122,10 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
   });
 
 
-  it("Maria goes to the forum, logs in", () => {
-    mariasBrowser.go2(siteIdAddress.origin);
+  it("Maria goes to the forum, logs in", async () => {
+    await mariasBrowser.go2(siteIdAddress.origin);
     // Log in, so can Like vote, later below.
-    mariasBrowser.complex.loginWithPasswordViaTopbar(maria);
+    await mariasBrowser.complex.loginWithPasswordViaTopbar(maria);
   });
 
 
@@ -139,8 +135,8 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
 
   let response: ListQueryResults<PageListed>;
 
-  it("Maria lists pages in the Specific category", () => {
-    response = server.apiV0.listQuery<PageListed>({
+  it("Maria lists pages in the Specific category", async () => {
+    response = await server.apiV0.listQuery<PageListed>({
       origin: siteIdAddress.origin,
       listQuery: {
         listWhat: 'Pages',
@@ -149,7 +145,7 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
     }) as ListQueryResults<PageListed>;
   });
 
-  it("She finds three pages", () => {
+  it("She finds three pages", async () => {
     assert.eq(response.thingsFound.length, 3);
   });
 
@@ -158,61 +154,61 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
   let pageTwoFound: PageListed;
   let pageThreeFound: PageListed;
 
-  it("The first page is the most recently added page: Zzz  [TyT025WKRGJ]", () => {
+  it("The first page is the most recently added page: Zzz  [TyT025WKRGJ]", async () => {
     pageOneFound = response.thingsFound[0];
     assert.eq(pageOneFound.title, pageZzzTitle);
   });
 
-  it("The second is Margaret's page", () => {
+  it("The second is Margaret's page", async () => {
     pageTwoFound = response.thingsFound[1];
     assert.eq(pageTwoFound.title, margaretsPageTitle);
   });
 
-  it("The third page, is the page added first: Aaa", () => {
+  it("The third page, is the page added first: Aaa", async () => {
     pageThreeFound = response.thingsFound[2];
     assert.eq(pageThreeFound.title, pageAaaTitle);
   });
 
-  it("All of them are in the Specific category", () => {
+  it("All of them are in the Specific category", async () => {
     const specCatName = forum.categories.specificCategory.name;
     assert.eq(pageOneFound.categoriesMainFirst?.[0]?.name,   specCatName);
     assert.eq(pageTwoFound.categoriesMainFirst?.[0]?.name,   specCatName);
     assert.eq(pageThreeFound.categoriesMainFirst?.[0]?.name, specCatName);
   });
 
-  it("The author names are correct", () => {
+  it("The author names are correct", async () => {
     assert.eq(pageOneFound.author?.username,   forum.members.michael.username);
     assert.eq(pageTwoFound.author?.username,   margaret.username);
     assert.eq(pageThreeFound.author?.username, maria.username);
   });
 
-  it("Maria opens Margaret's page", () => {
-    mariasBrowser.go2(pageTwoFound.urlPath);
+  it("Maria opens Margaret's page", async () => {
+    await mariasBrowser.go2(pageTwoFound.urlPath);
   });
 
-  it("The title, body and reply are all there", () => {
-    mariasBrowser.topic.waitForPostAssertTextMatches(c.TitleNr, margaretsPageTitle);
-    mariasBrowser.topic.waitForPostAssertTextMatches(c.BodyNr, margaretsPageBody);
+  it("The title, body and reply are all there", async () => {
+    await mariasBrowser.topic.waitForPostAssertTextMatches(c.TitleNr, margaretsPageTitle);
+    await mariasBrowser.topic.waitForPostAssertTextMatches(c.BodyNr, margaretsPageBody);
   });
 
 
   // ----- Popular First
 
 
-  it("Maria clicks Like", () => {
-    mariasBrowser.topic.clickLikeVote(c.BodyNr);
+  it("Maria clicks Like", async () => {
+    await mariasBrowser.topic.clickLikeVote(c.BodyNr);
   });
 
-  it("... goes to the last page found", () => {
-    mariasBrowser.go2(pageThreeFound.urlPath);
+  it("... goes to the last page found", async () => {
+    await mariasBrowser.go2(pageThreeFound.urlPath);
   });
 
-  it("... posts a comment — so the page gets bumped (new activity on the page)", () => {
-    mariasBrowser.complex.replyToOrigPost(`Hello hi there`);
+  it("... posts a comment — so the page gets bumped (new activity on the page)", async () => {
+    await mariasBrowser.complex.replyToOrigPost(`Hello hi there`);
   });
 
-  it("Maria again lists pages in the Specific category", () => {
-    response = server.apiV0.listQuery<PageListed>({
+  it("Maria again lists pages in the Specific category", async () => {
+    response = await server.apiV0.listQuery<PageListed>({
       origin: siteIdAddress.origin,
       listQuery: {
         listWhat: 'Pages',
@@ -221,21 +217,21 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
     }) as ListQueryResults<PageListed>;
   });
 
-  it("She again finds three pages", () => {
+  it("She again finds three pages", async () => {
     assert.eq(response.thingsFound.length, 3);
   });
 
-  it("But now Margaret's page is first — it got a Like vote", () => {
+  it("But now Margaret's page is first — it got a Like vote", async () => {
     pageOneFound = response.thingsFound[0];
     assert.eq(pageOneFound.title, margaretsPageTitle);
   });
 
-  it("The activity bumped page, Aaa, comes thereafter", () => {
+  it("The activity bumped page, Aaa, comes thereafter", async () => {
     pageTwoFound = response.thingsFound[1];
     assert.eq(pageTwoFound.title, pageAaaTitle);
   });
 
-  it("The previously topmost page — now it's last", () => {
+  it("The previously topmost page — now it's last", async () => {
     pageThreeFound = response.thingsFound[2];
     assert.eq(pageThreeFound.title, pageZzzTitle);
   });
@@ -244,7 +240,7 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
   // ----- Private topics stay private   TyT502RKDJ46
 
 
-  function listStaffPages() {
+  async function listStaffPages() {
     return server.apiV0.listQuery<PageListed>({
       origin: siteIdAddress.origin,
       listQuery: {
@@ -254,51 +250,56 @@ describe("api-list-query-for-topics.test.ts  TyT603AKSL25", () => {
     }) as ListQueryResults<PageListed>;
   }
 
-  it("Maria tries to list pages in the Staff category", () => {
-    response = listStaffPages();
+  it("Maria tries to list pages in the Staff category", async () => {
+    response = await listStaffPages();
   });
 
-  it("... but she cannot see those pages", () => {
+  it("... but she cannot see those pages", async () => {
     if (response.thingsFound.length >= 1) {
       assert.fail(`Found staff pages, response:\n${JSON.stringify(response)}`);
     }
   });
 
-  it("Owen logs in", () => {
-    mariasBrowser.topbar.clickLogout();
-    owensBrowser.complex.loginWithPasswordViaTopbar(owen);
+  it("Owen logs in", async () => {
+    await mariasBrowser.topbar.clickLogout();
+    await owensBrowser.complex.loginWithPasswordViaTopbar(owen);
   });
 
   // A bit dupl test code, fine. [60KADJF602]
-  it("... goes to the Staff category", () => {
-    owensBrowser.topbar.clickHome();
-    owensBrowser.forumTopicList.switchToCategory(forum.categories.staffOnlyCategory.name);
+  it("... goes to the Staff category", async () => {
+    await owensBrowser.topbar.clickHome();
+    await owensBrowser.forumTopicList.switchToCategory(forum.categories.staffOnlyCategory.name);
   });
-  it("... eits security settings", () => {
-    owensBrowser.forumButtons.clickEditCategory();
-    owensBrowser.categoryDialog.openSecurityTab();
+  it("... eits security settings", async () => {
+    await owensBrowser.forumButtons.clickEditCategory();
+    await owensBrowser.categoryDialog.openSecurityTab();
   });
-  it("... makes it public: adds the Everyone group  TyT69WKTEJG4", () => {
-    owensBrowser.categoryDialog.securityTab.addGroup(c.EveryoneFullName);
+  it("... makes it public: adds the Everyone group  TyT69WKTEJG4", async () => {
+    await owensBrowser.categoryDialog.securityTab.addGroup(c.EveryoneFullName);
   });
-  it("... saves", () => {
-    owensBrowser.categoryDialog.submit();
+  it("... grants the See permissions", async () => {
+    await owensBrowser.categoryDialog.securityTab.setMay('SeeOthers', c.EveryoneId, true);
+  });
+  it("... See-Own then gets ticked automatically  TyTSEEOWN", async () => {
+    assert.ok(await owensBrowser.categoryDialog.securityTab.getMay('SeeOwn', c.EveryoneId));
+  });
+  it("... saves", async () => {
+    await owensBrowser.categoryDialog.submit();
   });
-  // ---
 
-  it("Maria tries to list the Staff pages again", () => {
-    response = listStaffPages();
+  it("Maria tries to list the Staff pages again", async () => {
+    response = await listStaffPages();
   });
 
-  it("... now she sees one page", () => {
+  it("... now she sees one page", async () => {
     assert.eq(response.thingsFound.length, 1);
   });
 
-  it("... it's the staff only page", () => {
+  it("... it's the staff only page", async () => {
     assert.eq(response.thingsFound[0].title, staffOnlyPageTitle);
   });
 
-  it("... in the Staff category", () => {
+  it("... in the Staff category", async () => {
     assert.eq(response.thingsFound[0].categoriesMainFirst?.[0]?.name,
         forum.categories.staffOnlyCategory.name);
   });

From b9d4abf3345d3fe940f4b5b9ff67152dba6a51f1 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Thu, 19 Sep 2024 08:30:52 +0200
Subject: [PATCH 22/28] Silence warnings about Ty's own deprecations.

---
 appsv/model/build.sbt |  2 --
 build.sbt             | 10 ++++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/appsv/model/build.sbt b/appsv/model/build.sbt
index 8a00d4b72..1d8fb878d 100644
--- a/appsv/model/build.sbt
+++ b/appsv/model/build.sbt
@@ -21,6 +21,4 @@ libraryDependencies ++= Seq(
   Dependencies.Libs.scalaTest,
 )
 
-scalacOptions += "-deprecation"
-
 compileOrder := CompileOrder.JavaThenScala
diff --git a/build.sbt b/build.sbt
index 2f5a3d09f..7150329c2 100644
--- a/build.sbt
+++ b/build.sbt
@@ -157,6 +157,16 @@ def mainSettings = List(
   version := appVersion,
   libraryDependencies ++= appDependencies,
 
+  // Silence warnings about Ty's own deprecated stuff, so they won't clutter the
+  // build output and make any actually important warnings disappear in the noise.
+  // It's quick to search for "@deprecated" in Ty's own source code, if / when needed.
+  scalacOptions += (
+      """-Wconf:cat=deprecation&origin=talkyard\..*:silent"""
+          + """,cat=deprecation&origin=controllers\..*:silent"""
+          + """,cat=deprecation&origin=com\.debiki\..*:silent"""
+          + """,cat=deprecation&origin=debiki\..*:silent"""
+          + """,cat=deprecation&origin=ed\..*:silent"""),
+
   // Place tests in ./tests/app/ instead of ./test/, because there're other tests in
   // ./tests/, namely security/ and e2e/, and having both ./test/ and ./tests/ seems confusing.
   // RENAME to ./tests/appsv? (since ./app is now ./appsv)

From 89fa292f6a989f1cf5fe09b54a80db6bbe3cbc71 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Thu, 19 Sep 2024 08:48:17 +0200
Subject: [PATCH 23/28] Fix Play FilePart related deprecation warnings.

---
 .../controllers/UploadsController.scala       | 49 +++++++++++--------
 appsv/server/debiki/ImageUtils.scala          |  3 +-
 appsv/server/debiki/dao/UploadsDao.scala      |  7 +--
 3 files changed, 35 insertions(+), 24 deletions(-)

diff --git a/appsv/server/controllers/UploadsController.scala b/appsv/server/controllers/UploadsController.scala
index de667713f..ac4bb402f 100644
--- a/appsv/server/controllers/UploadsController.scala
+++ b/appsv/server/controllers/UploadsController.scala
@@ -30,7 +30,7 @@ import play.api._
 import play.api.libs.Files
 import play.api.libs.json.{JsString, JsValue, Json}
 import play.api.mvc._
-
+import play.api.mvc.MultipartFormData.FilePart
 
 /** Uploads files and serves uploaded files.
   */
@@ -137,22 +137,24 @@ class UploadsController @Inject()(cc: ControllerComponents, edContext: TyContext
     if (files.length != 1)
       throwBadRequest("EdE7UYMF3", s"Use the multipart form data key name 'file' please")
 
-    val file = files.head
+    val filePart: FilePart[Files.TemporaryFile] = files.head
 
     // This far, in this endpoint, we've verified only that size <= maxBytesLargeFile.
     // However, the upload limit might be lower, for this user or this site.
     // We've checked this already [upl_sz_ck] — let's double check, and this
     // time, there're no form-data boundaries.
 
-    _throwForbiddenMaybe(Some(file.filename), sizeBytes = file.fileSize, request)
+    _throwForbiddenMaybe(Some(filePart.filename), sizeBytes = filePart.fileSize, request)
+
+    val file: jio.File = filePart.ref.path.toFile
 
     val uploadRef = dao.addUploadedFile(
-      file.filename, file.ref.file, request.theReqerTrueId, request.theBrowserIdData)
+          filePart.filename, file, request.theReqerTrueId, request.theBrowserIdData)
 
     // Delete the temporary file. (It will be gone already, if we couldn't optimize it,
     // i.e. make it smaller, because then we've moved it to the uploads dir (rather than
     // a smaller compressed copy). Deleting file ref although gone already, doesn't do anything.)
-    file.ref.delete()
+    filePart.ref.delete()
 
     // Don't use OkSafeJson here because Dropzone doesn't understand the safe-JSON prefix.
     Ok(JsString(uploadRef.url)) as JSON
@@ -193,31 +195,38 @@ class UploadsController @Inject()(cc: ControllerComponents, edContext: TyContext
       throwBadRequest("EdE35UY0", o"""Upload three images please: a tiny, a small and a medium
         sized avatar image — instead I got $numFilesUploaded files""")
 
-    val tinyFile = multipartFormData.files.find(_.key == "images[tiny]") getOrElse {
+    val fileParts: Seq[FilePart[Files.TemporaryFile]] =
+          multipartFormData.files
+
+    val tinyFilePart = fileParts.find(_.key == "images[tiny]") getOrElse {
       throwBadRequest("EdE8GYF2", o"""Upload a tiny size avatar image please""")
     }
 
-    val smallFile = multipartFormData.files.find(_.key == "images[small]") getOrElse {
+    val smallFilePart = fileParts.find(_.key == "images[small]") getOrElse {
       throwBadRequest("EdE4YF21", o"""Upload a small size avatar image please""")
     }
 
-    val mediumFile = multipartFormData.files.find(_.key == "images[medium]") getOrElse {
+    val mediumFilePart = fileParts.find(_.key == "images[medium]") getOrElse {
       throwBadRequest("EdE8YUF2", o"""Upload a medium size avatar image please""")
     }
 
+    val tinyFile = tinyFilePart.ref.path.toFile
+    val smallFile = smallFilePart.ref.path.toFile
+    val mediumFile = mediumFilePart.ref.path.toFile
+
     def throwIfTooLarge(whichFile: String, file: jio.File, maxBytes: Int): Unit = {
       val length = file.length
       if (length > maxBytes)
         throwForbidden("DwE7YMF2", s"The $whichFile is too large: $length bytes, max is: $maxBytes")
     }
 
-    throwIfTooLarge("tiny avatar image", tinyFile.ref.file, MaxAvatarTinySizeBytes)
-    throwIfTooLarge("small avatar image", smallFile.ref.file, MaxAvatarSmallSizeBytes)
-    throwIfTooLarge("medium avatar image", mediumFile.ref.file, MaxAvatarMediumSizeBytes)
+    throwIfTooLarge("tiny avatar image", tinyFile, MaxAvatarTinySizeBytes)
+    throwIfTooLarge("small avatar image", smallFile, MaxAvatarSmallSizeBytes)
+    throwIfTooLarge("medium avatar image", mediumFile, MaxAvatarMediumSizeBytes)
 
-    ImageUtils.throwUnlessJpegWithSideBetween(tinyFile.ref.file, "Tiny", 20, 35)
-    ImageUtils.throwUnlessJpegWithSideBetween(smallFile.ref.file, "Small", 40, 60)
-    ImageUtils.throwUnlessJpegWithSideBetween(mediumFile.ref.file, "Medium", 150, 800)
+    ImageUtils.throwUnlessJpegWithSideBetween(tinyFile, "Tiny", 20, 35)
+    ImageUtils.throwUnlessJpegWithSideBetween(smallFile, "Small", 40, 60)
+    ImageUtils.throwUnlessJpegWithSideBetween(mediumFile, "Medium", 150, 800)
 
     // First add metadata entries for the files and move them in place.
     // Then, if there were no errors, update the user so that it starts using the new
@@ -226,18 +235,18 @@ class UploadsController @Inject()(cc: ControllerComponents, edContext: TyContext
     // (since they're unused) — deleting them is not yet implemented though [9YMU2Y].
 
     val tinyAvatarRef = request.dao.addUploadedFile(
-      tinyFile.filename, tinyFile.ref.file, request.theReqerTrueId, request.theBrowserIdData)
+      tinyFilePart.filename, tinyFile, request.theReqerTrueId, request.theBrowserIdData)
 
     val smallAvatarRef = request.dao.addUploadedFile(
-      smallFile.filename, smallFile.ref.file, request.theReqerTrueId, request.theBrowserIdData)
+      smallFilePart.filename, smallFile, request.theReqerTrueId, request.theBrowserIdData)
 
     val mediumAvatarRef = request.dao.addUploadedFile(
-      mediumFile.filename, mediumFile.ref.file, request.theReqerTrueId, request.theBrowserIdData)
+      mediumFilePart.filename, mediumFile, request.theReqerTrueId, request.theBrowserIdData)
 
     // Delete the temporary files.
-    tinyFile.ref.delete()
-    smallFile.ref.delete()
-    mediumFile.ref.delete()
+    tinyFilePart.ref.delete()
+    smallFilePart.ref.delete()
+    mediumFilePart.ref.delete()
 
     // Now the images are in place in the uploads dir, and we've created metadata entries.
     // We just need to link the user to the images:
diff --git a/appsv/server/debiki/ImageUtils.scala b/appsv/server/debiki/ImageUtils.scala
index 4d5e669dc..a608ab1aa 100644
--- a/appsv/server/debiki/ImageUtils.scala
+++ b/appsv/server/debiki/ImageUtils.scala
@@ -145,7 +145,8 @@ object ImageUtils {
 
   val MimeTypeJpeg = "image/jpeg"
 
-  def throwUnlessJpegWithSideBetween(file: jio.File, which: String, minSide: Int, maxSide: Int): Unit = {
+  def throwUnlessJpegWithSideBetween(file: jio.File, which: St,
+          minSide: i32, maxSide: i32): U = {
     // java.nio.file.Files.probeContentType doesn't work in Alpine Linux + JRE 8. Instead, use Tika.
     // (This detects mime type based on actual document content, not just the suffix.) dupl [7YKW23]
     val tika = new org.apache.tika.Tika()
diff --git a/appsv/server/debiki/dao/UploadsDao.scala b/appsv/server/debiki/dao/UploadsDao.scala
index b85e6a8d3..c93773220 100644
--- a/appsv/server/debiki/dao/UploadsDao.scala
+++ b/appsv/server/debiki/dao/UploadsDao.scala
@@ -49,7 +49,7 @@ trait UploadsDao {
     * directory, if stored on localhost (some file systems don't want 99999 files in a
     * single directory).
     */
-  def addUploadedFile(uploadedFileName: String, tempFile: jio.File, uploadedById: TrueId,
+  def addUploadedFile(uploadedFileName: St, tempFile: jio.File, uploadedById: TrueId,
         browserIdData: BrowserIdData): UploadRef = {
 
     // Over quota? [fs_quota]
@@ -363,10 +363,11 @@ object UploadsDao {
   private val Log4 = math.log(4)
 
 
-  def makeHashPath(file: jio.File, dotSuffix: String): String = {
+  def makeHashPath(file: jio.File, dotSuffix: St): St = {
     // (It's okay to truncate the hash, see e.g.:
     // http://crypto.stackexchange.com/questions/9435/is-truncating-a-sha512-hash-to-the-first-160-bits-as-secure-as-using-sha1 )
-    val hashCode = guava.io.Files.hash(file, guava.hash.Hashing.sha256)
+    val hashCode: guava.hash.HashCode =
+          guava.io.Files.asByteSource(file).hash(guava.hash.Hashing.sha256)
     val hashString = base32lowercaseEncoder.encode(hashCode.asBytes) take HashLength
     makeHashPath(file.length().toInt, hashString, dotSuffix)
   }

From 9157915649d6efc4aa548cfad884217baf926b6d Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Thu, 19 Sep 2024 10:32:45 +0200
Subject: [PATCH 24/28] Test fixing a "eliminated by erasure" warning.

---
 appsv/server/debiki/dao/RenderContentService.scala | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/appsv/server/debiki/dao/RenderContentService.scala b/appsv/server/debiki/dao/RenderContentService.scala
index a1fc493b9..c82dec191 100644
--- a/appsv/server/debiki/dao/RenderContentService.scala
+++ b/appsv/server/debiki/dao/RenderContentService.scala
@@ -75,7 +75,11 @@ class RenderContentActor(
     // COULD SECURITY DoS attack: Want to enqueue this case last-in-first-out, per page & params, so won't
     // rerender the page more than once, even if is in the queue many times (with different hashes).
     // Can that be done with Akka actors in some simple way?
-    case (sitePageId: SitePageId, paramsAndHash: Opt[RenderParamsAndFreshHash]) =>
+    case (sitePageId: SitePageId, paramsAndHash0: Opt[Any]) =>
+      val paramsAndHash: Opt[RenderParamsAndFreshHash] = paramsAndHash0 flatMap {
+        case p: RenderParamsAndFreshHash => Some(p)
+        case x => logger.warn(o"""Bad type: ${classNameOf(x)} [TyE5FL205F]""") ; None
+      }
       // The page has 1) been modified, or accessed and was out-of-date.  [4KGJW2]
       // Or 2) edited and uncached, and now it's being rerendered in advance (but
       // no one asked for it exactly now — paramsAndHash is None).  [7BWTWR2]

From 55d9a1da102423f731bb390567bd18cdd8622616 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Thu, 19 Sep 2024 18:06:57 +0200
Subject: [PATCH 25/28] Add an unfinished disabled e2e test.

---
 client/app-slim/forum/forum.ts                |   4 +-
 docs/tests-map.txt                            |   7 +-
 s/run-e2e-tests.sh                            |   3 +
 .../frag-action-compose-topic.2br.f.wip.ts    | 130 ++++++++++++++++++
 .../specs/drafts-new-topic.2br.mtime.test.ts  |   2 +-
 5 files changed, 143 insertions(+), 3 deletions(-)
 create mode 100644 tests/e2e-wdio7/specs/frag-action-compose-topic.2br.f.wip.ts

diff --git a/client/app-slim/forum/forum.ts b/client/app-slim/forum/forum.ts
index aff11d4e0..9237f47ba 100644
--- a/client/app-slim/forum/forum.ts
+++ b/client/app-slim/forum/forum.ts
@@ -552,7 +552,9 @@ const ForumButtons = createComponent({
   createTopic: function(category: Category) {
     // Remember any #composeTopic action (FragActionType.ComposeTopic), so we'll
     // continue composing, after having signed up (if needed) and clicked any
-    // email verification link.  TESTS_MISSING  TyTFRAGCOMPTO
+    // email verification link.  Doesn't seem to work, but I don't think
+    // anyone anywhere knows about or uses this anyway. BUG  TESTS_MISSING  TyTFRAGCOMPTO
+    // (The ComposeTopic frag action is used only when reopening new-topic-drafts, currently.)
     const loc = window.location;
     const returnToRelativeUrl = loc.pathname + loc.search + loc.hash.replace(/#/, '__dwHash__');
     login.loginIfNeeded(LoginReason.CreateTopic, returnToRelativeUrl, () => {
diff --git a/docs/tests-map.txt b/docs/tests-map.txt
index c62fab738..f7b27a25c 100644
--- a/docs/tests-map.txt
+++ b/docs/tests-map.txt
@@ -1918,7 +1918,12 @@ url api,
 frag action api,
 url frag action api,
 links like: http://site.localhost/forum/#composeTopic&category=slug:ideas
-          - TESTS_MISSING,  search for  enum FragActionType.
+            - TESTS_MISSING
+            - Not finished:
+               frag-action-compose-topic.2br.f  TyTFRAGCOMPTO, search for  enum FragActionType.
+  open drafts, linkToDraftSource():
+            - drafts-new-topic  TyT5BR20P4.TyTFRAGACT
+
 
 api,
 webhooks:  [.webhooks_api]
diff --git a/s/run-e2e-tests.sh b/s/run-e2e-tests.sh
index 57411bb8f..f9a8f52e9 100755
--- a/s/run-e2e-tests.sh
+++ b/s/run-e2e-tests.sh
@@ -364,6 +364,9 @@ function runAllE2eTests {
   $r s/wdio --only drafts-chat-adv-ed.2browsers $args
   $r s/wdio --only drafts-delete $args
 
+  # Wip:
+  # $r s/wdio-7 --only frag-action-compose-topic.2br.f.wip.ts --cd -i
+
   $r s/wdio --only delete-pages.2br $args
 
   $r s/wdio-7 --only move-posts-same-page.2br.d --cd -i $args
diff --git a/tests/e2e-wdio7/specs/frag-action-compose-topic.2br.f.wip.ts b/tests/e2e-wdio7/specs/frag-action-compose-topic.2br.f.wip.ts
new file mode 100644
index 000000000..b67be7441
--- /dev/null
+++ b/tests/e2e-wdio7/specs/frag-action-compose-topic.2br.f.wip.ts
@@ -0,0 +1,130 @@
+/// <reference path="../test-types.ts"/>
+
+import * as _ from 'lodash';
+import assert from '../utils/ty-assert';
+import server from '../utils/server';
+import { buildSite } from '../utils/site-builder';
+import { TyE2eTestBrowser } from '../utils/ty-e2e-test-browser';
+import c from '../test-constants';
+
+let brA: TyE2eTestBrowser;
+let brB: TyE2eTestBrowser;
+let owen: Member;
+let owen_brA: TyE2eTestBrowser;
+let merry_brB: TyE2eTestBrowser;
+const merrysEmailAdr = 'merry@ex.co';
+
+let site: IdAddress;
+let forum: TwoCatsTestForum;
+
+
+
+// Not finished! [_Work_in_progress].
+//
+describe(`frag-action-compose-topic.2br.f  TyTFRAGCOMPTO`, () => {
+
+  it(`Construct site`, async () => {
+    const builder = buildSite();
+    forum = builder.addCatABForum({
+      title: "Some E2E Test",
+      categoryAExtId: 'cat_a_ext_id',
+      members: ['maria', 'michael']
+    });
+
+    builder.settings({
+      requireVerifiedEmail: false,
+      mayComposeBeforeSignup: true,
+    });
+
+    brA = new TyE2eTestBrowser(wdioBrowserA, 'brA');
+    brB = new TyE2eTestBrowser(wdioBrowserB, 'brB');
+
+    owen = forum.members.owen;
+    owen_brA = brA;
+
+    merry_brB = brB;
+
+    assert.refEq(builder.getSite(), forum.siteData);
+  });
+
+  it(`Import site`, async () => {
+    site = await server.importSiteData(forum.siteData);
+    await server.skipRateLimits(site.id);
+  });
+
+
+  it(`Owen arrives, logs in`, async () => {
+    await owen_brA.go2(site.origin);
+    await owen_brA.complex.loginWithPasswordViaTopbar(owen);
+  });
+
+
+  // [_Work_in_progress]:
+  //
+  // What's supposed to happen, if one doesn't have an account yet, and one
+  // follows a  #composeTopic  link?  Should the signup dialog open?
+  // But is that really good UX, popping up a dialog the first thing,
+  // the person maybe not understanding why — they probably didn't look closely
+  // at the URL.
+  //
+  // But if mayComposeBeforeSignup enabled, then, can open the editor instead,
+  // that's less confusing? & works, but when submitting, and signing up,
+  // seems the draft is lost :-(
+  //
+  it(`Merry arrives — via a #composeTopic link somehow`, async () => {
+    //  http://e2e-test-cid-0-0-now-5232.localhost/latest#composeTopic&categoryId=4&topicType=12
+await merry_brB.d();
+    await merry_brB.go2(site.origin +
+            `#composeTopic&categoryId=${forum.categories.catB.id
+                }&topicType=${c.TestPageRole.Discussion}`);
+  });
+
+  it(`... The editor opens; Merry types a title`, async () => {
+await merry_brB.d();
+    await merry_brB.editor.editTitle("I'm Merry_Not_Zorro")
+    await merry_brB.editor.editText("I have the 949 most popular name, wow. " +
+        "Zorro is no. 10 019, 2023.")
+  });
+
+  it(`...  clicks Save`, async () => {
+    // But don't wait for new page, don't: `saveWaitForNewPage()`.
+    await merry_brB.editor.clickSave();
+  });
+
+  
+  it(`... the Create Account dialog opens; Merry fills it in and submits`, async () => {
+    await merry_brB.rememberCurrentUrl();
+    await merry_brB.loginDialog.createPasswordAccount({
+              username: 'merry',
+              emailAddress: merrysEmailAdr,
+              password: 'public-p4ssw0rd',
+            });
+  });
+
+  /*
+  it(`... the new topic appears`, async () => {
+    // Ooops, need verify email. Once done, draft gone — one's account didn't yet exist.
+
+    await merry_brB.waitForNewUrl();
+    await merry_brB.assertPageTitleMatches(/Merry_Not_Zorro/);
+  });
+
+  let verifLink: St;
+
+  it(`... gets an email, clicks the verification link`, async () => {
+    verifLink = await server.waitAndGetLastVerifyEmailAddressLinkEmailedTo(
+            site.id, merrysEmailAdr);
+  });
+
+  it(`... clicks it`, async () => {
+    await merry_brB.go2(verifLink);
+  });
+  it(`... gets logged in`, async () => {
+    await merry_brB.hasVerifiedSignupEmailPage.clickContinue();
+  });
+  it(`... sees her username menu`, async () => {
+    await merry_brB.topbar.assertMyUsernameMatches('merry');
+  }); */
+
+});
+
diff --git a/tests/e2e/specs/drafts-new-topic.2br.mtime.test.ts b/tests/e2e/specs/drafts-new-topic.2br.mtime.test.ts
index 1bdf7b398..06c440a0a 100644
--- a/tests/e2e/specs/drafts-new-topic.2br.mtime.test.ts
+++ b/tests/e2e/specs/drafts-new-topic.2br.mtime.test.ts
@@ -172,7 +172,7 @@ describe("drafts-new-topic  TyT5BR20P4", () => {
     mariasBrowser.userProfilePage.draftsEtc.waitUntilNumDraftsListed(1);
   });
 
-  it("She clicks it", () => {
+  it("She clicks it  TyTFRAGACT", () => {
     mariasBrowser.userProfilePage.draftsEtc.openDraftIndex(1);
   });
 

From bd83f0870a4189d9afa36a5e4a381b6f7949cb64 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 23 Sep 2024 05:30:15 +0200
Subject: [PATCH 26/28] Rename 'origin' to 'public' in script.

---
 s/release-canary.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/s/release-canary.sh b/s/release-canary.sh
index 61d065072..1dc0b6629 100755
--- a/s/release-canary.sh
+++ b/s/release-canary.sh
@@ -166,7 +166,8 @@ popd
 # [.must_be_dev_regular]
 git tag $release_version_tag_w_branch tyse-$release_version_tag-dev
 
-git push origin $release_version_tag_w_branch
+# I've named the origin 'public' so it's simpler to remember that it's public.
+git push public $release_version_tag_w_branch
 
 set +x
 echo

From 5c3fa3c86baed4b2fedef37c8d8ac6056aab3099 Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 23 Sep 2024 05:33:35 +0200
Subject: [PATCH 27/28] Rename script.

---
 s/{release-canary.sh => promote-version.sh} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename s/{release-canary.sh => promote-version.sh} (100%)

diff --git a/s/release-canary.sh b/s/promote-version.sh
similarity index 100%
rename from s/release-canary.sh
rename to s/promote-version.sh

From 71487682225edcb8e381c2a51ba75ba555fc7f9a Mon Sep 17 00:00:00 2001
From: Kaj Magnus Lindberg <kajmagnus3@gmail.com>
Date: Mon, 23 Sep 2024 05:35:36 +0200
Subject: [PATCH 28/28] Promote v0.2024.006 to tyse-v0-regular.

---
 relchans/tyse-v0-regular | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/relchans/tyse-v0-regular b/relchans/tyse-v0-regular
index 0b1a193b4..31f52431c 160000
--- a/relchans/tyse-v0-regular
+++ b/relchans/tyse-v0-regular
@@ -1 +1 @@
-Subproject commit 0b1a193b4aca4d79fc03be07e15681fb15f9cd5e
+Subproject commit 31f52431c97c01dee624b1af2c3619e7f1943fce