From 03f4bc4c1211c6969394607e3985ebb6724843d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?= <DafyddLlyr@gmail.com>
Date: Wed, 14 Feb 2024 11:45:29 +0000
Subject: [PATCH 1/8] docs: Add link to pen test report in repo readme (#2789)

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f6d9930baa..f7523d8075 100644
--- a/README.md
+++ b/README.md
@@ -129,7 +129,7 @@ Our public-facing live services were last audited by the [Digital Accessibility
 
 ### Security
 
-Our whole stack was last assessed by [Jumpsec](https://www.jumpsec.com/) between the 21st and 30th November 2023. JUMPSEC then performed a retest of the issues identified in the initial test on the 8th of February 2024. This included verifying that fixes had been successfully applied and that no further risks were introduced as a result of the remediation work carried out. Their penetration test concluded that - "the security posture of PlanX was strong, and following industry best practices. JUMPSEC commend the PlanX team on their dedication to security and ability to both maintain and mitigate issues in a responsible and timely manner".
+Our whole stack was last assessed by [Jumpsec](https://www.jumpsec.com/) between the 21st and 30th November 2023. JUMPSEC then performed a retest of the issues identified in the initial test on the 8th of February 2024. This included verifying that fixes had been successfully applied and that no further risks were introduced as a result of the remediation work carried out. Their penetration test concluded that - "the security posture of PlanX was strong, and following industry best practices. JUMPSEC commend the PlanX team on their dedication to security and ability to both maintain and mitigate issues in a responsible and timely manner". You can [review our report here](https://file.notion.so/f/f/d2306134-7ae0-417c-8db3-cdd87c524efa/ab940248-ca60-49a3-bfae-0b6faa916b1e/2024-02-13_JUMPSEC_Lambeth_PlanX_Web_Application_Assessment_Report_v2.0.pdf?id=aa4ed144-4b48-4a88-9693-6a3644bfd6cf&table=block&spaceId=d2306134-7ae0-417c-8db3-cdd87c524efa&expirationTimestamp=1707998400000&signature=76AfnXjSTzw8O5TEW9Ao0mOmWTG4WzE8rm-Rfa54wGU&downloadName=Penetration+test+%28Jumpsec%29+13%2F02%2F24.pdf).
 
 
 ## Related packages

From 7757af511e144089d70b025b0cd43a033d1e8e45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?= <DafyddLlyr@gmail.com>
Date: Wed, 14 Feb 2024 14:15:37 +0000
Subject: [PATCH 2/8] chore: Sync govpay secrets (#2787)

---
 scripts/seed-database/container.sh                |  2 +-
 scripts/seed-database/write/team_integrations.sql | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/scripts/seed-database/container.sh b/scripts/seed-database/container.sh
index c3f3152738..e6e56cd635 100755
--- a/scripts/seed-database/container.sh
+++ b/scripts/seed-database/container.sh
@@ -35,7 +35,7 @@ done
 
 # Copy subset of team_integrations columns
 # Do not copy production values
-psql --quiet ${REMOTE_PG} --command="\\copy (SELECT id, team_id, staging_bops_submission_url, staging_bops_secret, has_planning_data FROM team_integrations) TO '/tmp/team_integrations.csv' (FORMAT csv, DELIMITER ';');"
+psql --quiet ${REMOTE_PG} --command="\\copy (SELECT id, team_id, staging_bops_submission_url, staging_bops_secret, has_planning_data, staging_govpay_secret FROM team_integrations) TO '/tmp/team_integrations.csv' (FORMAT csv, DELIMITER ';');"
 echo team_integrations downloaded
 
 psql --quiet ${REMOTE_PG} --command="\\copy (SELECT DISTINCT ON (flow_id) id, data, flow_id, summary, publisher_id, created_at FROM published_flows ORDER BY flow_id, created_at DESC) TO '/tmp/published_flows.csv' (FORMAT csv, DELIMITER ';');"
diff --git a/scripts/seed-database/write/team_integrations.sql b/scripts/seed-database/write/team_integrations.sql
index 44a433e756..9eda3c21a5 100644
--- a/scripts/seed-database/write/team_integrations.sql
+++ b/scripts/seed-database/write/team_integrations.sql
@@ -4,19 +4,21 @@ CREATE TEMPORARY TABLE sync_team_integrations (
   team_id integer,
   staging_bops_submission_url text,
   staging_bops_secret text,
-  has_planning_data boolean
+  has_planning_data boolean,
+  staging_govpay_secret text
 );
 
 \COPY sync_team_integrations FROM '/tmp/team_integrations.csv' WITH (FORMAT csv, DELIMITER ';');
 
 INSERT INTO
-  team_integrations (id, team_id, staging_bops_submission_url, staging_bops_secret, has_planning_data)
+  team_integrations (id, team_id, staging_bops_submission_url, staging_bops_secret, has_planning_data, staging_govpay_secret)
 SELECT
   id,
   team_id,
   staging_bops_submission_url,
   staging_bops_secret,
-  has_planning_data
+  has_planning_data,
+  staging_govpay_secret
 FROM
   sync_team_integrations ON CONFLICT (id) DO
 UPDATE
@@ -24,7 +26,8 @@ SET
   team_id = EXCLUDED.team_id,
   staging_bops_submission_url = EXCLUDED.staging_bops_submission_url,
   staging_bops_secret = EXCLUDED.staging_bops_secret,
-  has_planning_data = EXCLUDED.has_planning_data;
+  has_planning_data = EXCLUDED.has_planning_data,
+  staging_govpay_secret = EXCLUDED.staging_govpay_secret;
 SELECT
   setval('team_integrations_id_seq', max(id))
 FROM

From dccadc0b3992e723a34320f19058c9ebc96ee0f2 Mon Sep 17 00:00:00 2001
From: Jessica McInchak <jessica.mcinchak@gmail.com>
Date: Thu, 15 Feb 2024 09:31:12 +0000
Subject: [PATCH 3/8] fix: format Airbrake API errors for more readable Slack
 (#2781)

---
 api.planx.uk/server.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api.planx.uk/server.ts b/api.planx.uk/server.ts
index 649e615984..b2842216f0 100644
--- a/api.planx.uk/server.ts
+++ b/api.planx.uk/server.ts
@@ -157,7 +157,7 @@ const errorHandler: ErrorRequestHandler = (errorObject, _req, res, _next) => {
       airbrake &&
       (errorObject instanceof Error || errorObject instanceof ServerError)
     ) {
-      airbrake.notify(errorObject);
+      airbrake.notify(JSON.stringify(errorObject, null, 2));
       return {
         ...errorObject,
         message: errorObject.message.concat(", this error has been logged"),

From 59ec67941e9d7a678abf4d2660d2026b385b8f47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?= <DafyddLlyr@gmail.com>
Date: Thu, 15 Feb 2024 11:12:45 +0000
Subject: [PATCH 4/8] fix: Add no-cache headers to file route (#2793)

---
 api.planx.uk/modules/auth/middleware.ts | 10 ++++++++++
 api.planx.uk/modules/file/routes.ts     |  7 ++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/api.planx.uk/modules/auth/middleware.ts b/api.planx.uk/modules/auth/middleware.ts
index bf0f412e13..b1695d5fe1 100644
--- a/api.planx.uk/modules/auth/middleware.ts
+++ b/api.planx.uk/modules/auth/middleware.ts
@@ -207,3 +207,13 @@ export const useLoginAuth: RequestHandler = (req, res, next) =>
       });
     }
   });
+
+export const useNoCache: RequestHandler = (_req, res, next) => {
+  res.setHeader("Surrogate-Control", "no-store");
+  res.setHeader(
+    "Cache-Control",
+    "no-store, no-cache, must-revalidate, proxy-revalidate",
+  );
+  res.setHeader("Expires", "0");
+  next();
+};
diff --git a/api.planx.uk/modules/file/routes.ts b/api.planx.uk/modules/file/routes.ts
index 5603d962f7..9f301b4ea2 100644
--- a/api.planx.uk/modules/file/routes.ts
+++ b/api.planx.uk/modules/file/routes.ts
@@ -1,7 +1,11 @@
 import { Router } from "express";
 
 import multer from "multer";
-import { useFilePermission, useTeamEditorAuth } from "../auth/middleware";
+import {
+  useNoCache,
+  useFilePermission,
+  useTeamEditorAuth,
+} from "../auth/middleware";
 import {
   downloadFileSchema,
   privateDownloadController,
@@ -37,6 +41,7 @@ router.get(
 
 router.get(
   "/file/private/:fileKey/:fileName",
+  useNoCache,
   useFilePermission,
   validate(downloadFileSchema),
   privateDownloadController,

From 6b625b0e823bec1830a0666ea9204c998dd5059f Mon Sep 17 00:00:00 2001
From: Jessica McInchak <jessica.mcinchak@gmail.com>
Date: Thu, 15 Feb 2024 11:17:12 +0000
Subject: [PATCH 5/8] Revert "fix: format Airbrake API errors for more readable
 Slack" (#2794)

---
 api.planx.uk/server.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api.planx.uk/server.ts b/api.planx.uk/server.ts
index b2842216f0..649e615984 100644
--- a/api.planx.uk/server.ts
+++ b/api.planx.uk/server.ts
@@ -157,7 +157,7 @@ const errorHandler: ErrorRequestHandler = (errorObject, _req, res, _next) => {
       airbrake &&
       (errorObject instanceof Error || errorObject instanceof ServerError)
     ) {
-      airbrake.notify(JSON.stringify(errorObject, null, 2));
+      airbrake.notify(errorObject);
       return {
         ...errorObject,
         message: errorObject.message.concat(", this error has been logged"),

From 35190d9923f3212f515ab10bc2aa006598b80db4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?= <DafyddLlyr@gmail.com>
Date: Thu, 15 Feb 2024 11:21:56 +0000
Subject: [PATCH 6/8] fix: Typo in `PropertyInformation` component [skip pizza]
 (#2795)

---
 .../src/@planx/components/PropertyInformation/Editor.tsx        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/editor.planx.uk/src/@planx/components/PropertyInformation/Editor.tsx b/editor.planx.uk/src/@planx/components/PropertyInformation/Editor.tsx
index e35fe88c36..98c5a24d45 100644
--- a/editor.planx.uk/src/@planx/components/PropertyInformation/Editor.tsx
+++ b/editor.planx.uk/src/@planx/components/PropertyInformation/Editor.tsx
@@ -35,7 +35,7 @@ function PropertyInformationComponent(props: Props) {
     <form onSubmit={formik.handleSubmit} id="modal">
       <ModalSection>
         <ModalSectionContent
-          title="Propery information"
+          title="Property information"
           Icon={ICONS[TYPES.PropertyInformation]}
         >
           <InputRow>

From 21da665565a36c6122fdab5ee7de16127b07e0b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?= <DafyddLlyr@gmail.com>
Date: Thu, 15 Feb 2024 12:09:07 +0000
Subject: [PATCH 7/8] feat: Disable `/preview` for unpublished flows (#2792)

---
 .../src/create-flow/create-flow.spec.ts       | 40 ++++++++++++++-
 editor.planx.uk/src/lib/dataMergedHotfix.ts   | 11 ++--
 .../FlowEditor/components/PreviewBrowser.tsx  | 45 ++++++++++------
 .../src/pages/FlowEditor/lib/store/editor.ts  | 21 ++++++--
 editor.planx.uk/src/routes/flow.tsx           | 51 +++++++++++++++----
 editor.planx.uk/src/routes/utils.ts           | 11 ++--
 .../src/routes/views/published.tsx            | 15 +++---
 hasura.planx.uk/metadata/tables.yaml          |  8 +++
 8 files changed, 155 insertions(+), 47 deletions(-)

diff --git a/e2e/tests/ui-driven/src/create-flow/create-flow.spec.ts b/e2e/tests/ui-driven/src/create-flow/create-flow.spec.ts
index bb8b3aba97..cead9db90d 100644
--- a/e2e/tests/ui-driven/src/create-flow/create-flow.spec.ts
+++ b/e2e/tests/ui-driven/src/create-flow/create-flow.spec.ts
@@ -145,7 +145,45 @@ test.describe("Navigation", () => {
     await expect(nodes.getByText(noBranchNoticeText)).toBeVisible();
   });
 
-  test("Preview a created flow", async ({ browser }: { browser: Browser }) => {
+  test("Cannot preview an unpublished flow", async ({
+    browser,
+  }: {
+    browser: Browser;
+  }) => {
+    const page = await createAuthenticatedSession({
+      browser,
+      userId: context.user!.id!,
+    });
+
+    await page.goto(
+      `/${context.team.slug}/${serviceProps.slug}/preview?analytics=false`,
+    );
+
+    await expect(page.getByText("Not Found")).toBeVisible();
+  });
+
+  test("Publish a flow", async ({ browser }) => {
+    const page = await createAuthenticatedSession({
+      browser,
+      userId: context.user!.id!,
+    });
+
+    await page.goto(`/${context.team.slug}/${serviceProps.slug}`);
+
+    page.getByRole("button", { name: "CHECK FOR CHANGES TO PUBLISH" }).click();
+    page.getByRole("button", { name: "PUBLISH", exact: true }).click();
+
+    const previewLink = page.getByRole("link", {
+      name: "Open published service",
+    });
+    await expect(previewLink).toBeVisible();
+  });
+
+  test("Can preview a published flow", async ({
+    browser,
+  }: {
+    browser: Browser;
+  }) => {
     const page = await createAuthenticatedSession({
       browser,
       userId: context.user!.id!,
diff --git a/editor.planx.uk/src/lib/dataMergedHotfix.ts b/editor.planx.uk/src/lib/dataMergedHotfix.ts
index ad5c60e1a8..7d553138d5 100644
--- a/editor.planx.uk/src/lib/dataMergedHotfix.ts
+++ b/editor.planx.uk/src/lib/dataMergedHotfix.ts
@@ -1,5 +1,6 @@
 import { ComponentType as TYPES } from "@opensystemslab/planx-core/types";
 import gql from "graphql-tag";
+import { Store } from "pages/FlowEditor/lib/store";
 
 import { publicClient } from "../lib/graphql";
 
@@ -23,10 +24,14 @@ const getFlowData = async (id: string) => {
 // Flatten a flow's data to include main content & portals in a single JSON representation
 // XXX: getFlowData & dataMerged are currently repeated in api.planx.uk/helpers.ts
 //        in order to load frontend /preview routes for flows that are not published
-export const dataMerged = async (id: string, ob: Record<string, any> = {}) => {
+export const dataMerged = async (
+  id: string,
+  ob: Store.flow = {},
+): Promise<Store.flow> => {
   // get the primary flow data
-  const { slug, data }: { slug: string; data: Record<string, any> } =
-    await getFlowData(id);
+  const { slug, data }: { slug: string; data: Store.flow } = await getFlowData(
+    id,
+  );
 
   // recursively get and flatten internal portals & external portals
   for (const [nodeId, node] of Object.entries(data)) {
diff --git a/editor.planx.uk/src/pages/FlowEditor/components/PreviewBrowser.tsx b/editor.planx.uk/src/pages/FlowEditor/components/PreviewBrowser.tsx
index 94d27731a1..2a3be0e531 100644
--- a/editor.planx.uk/src/pages/FlowEditor/components/PreviewBrowser.tsx
+++ b/editor.planx.uk/src/pages/FlowEditor/components/PreviewBrowser.tsx
@@ -103,6 +103,7 @@ const PreviewBrowser: React.FC<{
     lastPublished,
     lastPublisher,
     validateAndDiffFlow,
+    isFlowPublished,
   ] = useStore((state) => [
     state.id,
     state.flowAnalyticsLink,
@@ -111,6 +112,7 @@ const PreviewBrowser: React.FC<{
     state.lastPublished,
     state.lastPublisher,
     state.validateAndDiffFlow,
+    state.isFlowPublished,
   ]);
   const [key, setKey] = useState<boolean>(false);
   const [lastPublishedTitle, setLastPublishedTitle] = useState<string>(
@@ -189,17 +191,26 @@ const PreviewBrowser: React.FC<{
               <OpenInNewIcon />
             </Link>
           </Tooltip>
-
-          <Tooltip arrow title="Open published service">
-            <Link
-              href={props.url + "?analytics=false"}
-              target="_blank"
-              rel="noopener noreferrer"
-              color="inherit"
-            >
-              <LanguageIcon />
-            </Link>
-          </Tooltip>
+          {isFlowPublished ? (
+            <Tooltip arrow title="Open published service">
+              <Link
+                href={props.url + "?analytics=false"}
+                target="_blank"
+                rel="noopener noreferrer"
+                color="inherit"
+              >
+                <LanguageIcon />
+              </Link>
+            </Tooltip>
+          ) : (
+            <Tooltip arrow title="Flow not yet published">
+              <Box>
+                <Link component={"button"} disabled aria-disabled={true}>
+                  <LanguageIcon />
+                </Link>
+              </Box>
+            </Tooltip>
+          )}
         </Box>
         <Box width="100%" mt={2}>
           <Box display="flex" flexDirection="column" alignItems="flex-end">
@@ -283,12 +294,14 @@ const PreviewBrowser: React.FC<{
                     try {
                       setDialogOpen(false);
                       setLastPublishedTitle("Publishing changes...");
-                      const publishedFlow = await publishFlow(flowId, summary);
+                      const { alteredNodes, message } = await publishFlow(
+                        flowId,
+                        summary,
+                      );
                       setLastPublishedTitle(
-                        publishedFlow?.data.alteredNodes
-                          ? `Successfully published changes to ${publishedFlow.data.alteredNodes.length} node(s)`
-                          : `${publishedFlow?.data?.message}` ||
-                              "No new changes to publish",
+                        alteredNodes
+                          ? `Successfully published changes to ${alteredNodes.length} node(s)`
+                          : `${message}` || "No new changes to publish",
                       );
                     } catch (error) {
                       setLastPublishedTitle("Error trying to publish");
diff --git a/editor.planx.uk/src/pages/FlowEditor/lib/store/editor.ts b/editor.planx.uk/src/pages/FlowEditor/lib/store/editor.ts
index 5e866dea52..f850c66d25 100644
--- a/editor.planx.uk/src/pages/FlowEditor/lib/store/editor.ts
+++ b/editor.planx.uk/src/pages/FlowEditor/lib/store/editor.ts
@@ -54,6 +54,11 @@ export const editorUIStore: StateCreator<
   },
 });
 
+interface PublishFlowResponse {
+  alteredNodes: Store.node[];
+  message: string;
+}
+
 export interface EditorStore extends Store.Store {
   addNode: (node: any, relationships?: any) => void;
   connect: (src: Store.nodeId, tgt: Store.nodeId, object?: any) => void;
@@ -67,6 +72,7 @@ export interface EditorStore extends Store.Store {
   isClone: (id: Store.nodeId) => boolean;
   lastPublished: (flowId: string) => Promise<string>;
   lastPublisher: (flowId: string) => Promise<string>;
+  isFlowPublished: boolean;
   makeUnique: (id: Store.nodeId, parent?: Store.nodeId) => void;
   moveFlow: (flowId: string, teamSlug: string) => Promise<any>;
   moveNode: (
@@ -76,7 +82,10 @@ export interface EditorStore extends Store.Store {
     toParent?: Store.nodeId,
   ) => void;
   pasteNode: (toParent: Store.nodeId, toBefore: Store.nodeId) => void;
-  publishFlow: (flowId: string, summary?: string) => Promise<any>;
+  publishFlow: (
+    flowId: string,
+    summary?: string,
+  ) => Promise<PublishFlowResponse>;
   removeNode: (id: Store.nodeId, parent: Store.nodeId) => void;
   updateNode: (node: any, relationships?: any) => void;
 }
@@ -325,6 +334,8 @@ export const editorStore: StateCreator<
     return first_name.concat(" ", last_name);
   },
 
+  isFlowPublished: false,
+
   makeUnique: (id, parent) => {
     const [, ops] = makeUnique(id, parent)(get().flow);
     send(ops);
@@ -388,7 +399,7 @@ export const editorStore: StateCreator<
     }
   },
 
-  publishFlow(flowId: string, summary?: string) {
+  async publishFlow(flowId: string, summary?: string) {
     const token = get().jwt;
 
     const urlWithParams = (url: string, params: any) =>
@@ -396,7 +407,7 @@ export const editorStore: StateCreator<
         .filter(Boolean)
         .join("?");
 
-    return axios.post(
+    const { data } = await axios.post<PublishFlowResponse>(
       urlWithParams(
         `${process.env.REACT_APP_API_URL}/flows/${flowId}/publish`,
         { summary },
@@ -408,6 +419,10 @@ export const editorStore: StateCreator<
         },
       },
     );
+
+    set({ isFlowPublished: true });
+
+    return data;
   },
 
   removeNode: (id, parent) => {
diff --git a/editor.planx.uk/src/routes/flow.tsx b/editor.planx.uk/src/routes/flow.tsx
index e156e37749..3ea3d56982 100644
--- a/editor.planx.uk/src/routes/flow.tsx
+++ b/editor.planx.uk/src/routes/flow.tsx
@@ -9,6 +9,7 @@ import {
   map,
   Matcher,
   mount,
+  NotFoundError,
   redirect,
   route,
   withData,
@@ -173,11 +174,31 @@ const nodeRoutes = mount({
   "/:parent/nodes/:id/edit": editNode,
 });
 
+interface FlowMetadata {
+  flowSettings: FlowSettings;
+  flowAnalyticsLink: string;
+  isFlowPublished: boolean;
+}
+
+interface GetFlowMetadata {
+  flows: {
+    flowSettings: FlowSettings;
+    flowAnalyticsLink: string;
+    publishedFlowsAggregate: {
+      aggregate: {
+        count: number;
+      };
+    };
+  }[];
+}
+
 const getFlowMetadata = async (
-  flow: string,
+  flowSlug: string,
   team: string,
-): Promise<{ flowSettings: FlowSettings; flowAnalyticsLink: string }> => {
-  const { data } = await client.query({
+): Promise<FlowMetadata> => {
+  const {
+    data: { flows },
+  } = await client.query<GetFlowMetadata>({
     query: gql`
       query GetFlow($slug: String!, $team_slug: String!) {
         flows(
@@ -187,17 +208,27 @@ const getFlowMetadata = async (
           id
           flowSettings: settings
           flowAnalyticsLink: analytics_link
+          publishedFlowsAggregate: published_flows_aggregate {
+            aggregate {
+              count
+            }
+          }
         }
       }
     `,
     variables: {
-      slug: flow,
+      slug: flowSlug,
       team_slug: team,
     },
   });
+
+  const flow = flows[0];
+  if (!flows) throw new NotFoundError(`Flow ${flowSlug} not found for ${team}`);
+
   const metadata = {
-    flowSettings: data.flows[0]?.flowSettings,
-    flowAnalyticsLink: data.flows[0]?.flowAnalyticsLink,
+    flowSettings: flow.flowSettings,
+    flowAnalyticsLink: flow.flowAnalyticsLink,
+    isFlowPublished: flow.publishedFlowsAggregate?.aggregate.count > 0,
   };
   return metadata;
 };
@@ -209,11 +240,9 @@ const routes = compose(
 
   withView(async (req) => {
     const [flow, ...breadcrumbs] = req.params.flow.split(",");
-    const { flowSettings, flowAnalyticsLink } = await getFlowMetadata(
-      flow,
-      req.params.team,
-    );
-    useStore.setState({ flowSettings, flowAnalyticsLink });
+    const { flowSettings, flowAnalyticsLink, isFlowPublished } =
+      await getFlowMetadata(flow, req.params.team);
+    useStore.setState({ flowSettings, flowAnalyticsLink, isFlowPublished });
 
     return (
       <>
diff --git a/editor.planx.uk/src/routes/utils.ts b/editor.planx.uk/src/routes/utils.ts
index 9f8afdc0b4..934eb93e2f 100644
--- a/editor.planx.uk/src/routes/utils.ts
+++ b/editor.planx.uk/src/routes/utils.ts
@@ -3,6 +3,7 @@ import gql from "graphql-tag";
 import { hasFeatureFlag } from "lib/featureFlags";
 import { NaviRequest, NotFoundError } from "navi";
 import { useStore } from "pages/FlowEditor/lib/store";
+import { Store } from "pages/FlowEditor/lib/store";
 import { ApplicationPath } from "types";
 
 import { publicClient } from "../lib/graphql";
@@ -18,14 +19,10 @@ export const rootFlowPath = (includePortals = false) => {
 export const rootTeamPath = () =>
   window.location.pathname.split("/").slice(0, 2).join("/");
 
-export const isSaveReturnFlow = (flowData: Record<string, any>): boolean =>
-  Boolean(
-    Object.values(flowData).find(
-      (node: Record<string, any>) => node.type === NodeTypes.Send,
-    ),
-  );
+export const isSaveReturnFlow = (flowData: Store.flow): boolean =>
+  Boolean(Object.values(flowData).find((node) => node.type === NodeTypes.Send));
 
-export const setPath = (flowData: Record<string, any>, req: NaviRequest) => {
+export const setPath = (flowData: Store.flow, req: NaviRequest) => {
   // XXX: store.path is SingleSession by default
   if (!isSaveReturnFlow(flowData)) return;
   if (hasFeatureFlag("DISABLE_SAVE_AND_RETURN")) return;
diff --git a/editor.planx.uk/src/routes/views/published.tsx b/editor.planx.uk/src/routes/views/published.tsx
index 982d3ccadc..f833e5e595 100644
--- a/editor.planx.uk/src/routes/views/published.tsx
+++ b/editor.planx.uk/src/routes/views/published.tsx
@@ -1,9 +1,9 @@
 import gql from "graphql-tag";
-import { dataMerged } from "lib/dataMergedHotfix";
 import { publicClient } from "lib/graphql";
 import { NaviRequest } from "navi";
 import { NotFoundError } from "navi";
 import { useStore } from "pages/FlowEditor/lib/store";
+import { Store } from "pages/FlowEditor/lib/store";
 import PublicLayout from "pages/layout/PublicLayout";
 import SaveAndReturnLayout from "pages/layout/SaveAndReturnLayout";
 import React from "react";
@@ -17,7 +17,7 @@ interface PublishedViewData {
 }
 
 interface PreviewFlow extends Flow {
-  publishedFlows: Record<"data", Flow>[];
+  publishedFlows: Record<"data", Store.flow>[];
 }
 
 /**
@@ -31,16 +31,19 @@ export const publishedView = async (req: NaviRequest) => {
   const data = await fetchDataForPublishedView(flowSlug, teamSlug);
 
   const flow = data.flows[0];
-  if (!flow) throw new NotFoundError(req.originalUrl);
+  if (!flow)
+    throw new NotFoundError(`Flow ${flowSlug} not found for ${teamSlug}`);
 
   const publishedFlow = flow.publishedFlows[0]?.data;
-  const flowData = publishedFlow ? publishedFlow : await dataMerged(flow.id);
-  setPath(flowData, req);
+  if (!publishedFlow)
+    throw new NotFoundError(`Flow ${flowSlug} not published for ${teamSlug}`);
+
+  setPath(publishedFlow, req);
 
   const state = useStore.getState();
   // XXX: necessary as long as not every flow is published; aim to remove dataMergedHotfix.ts in future
   // load pre-flattened published flow if exists, else load & flatten flow
-  state.setFlow({ id: flow.id, flow: flowData, flowSlug });
+  state.setFlow({ id: flow.id, flow: publishedFlow, flowSlug });
   state.setGlobalSettings(data.globalSettings[0]);
   state.setFlowSettings(flow.settings);
   state.setTeam(flow.team);
diff --git a/hasura.planx.uk/metadata/tables.yaml b/hasura.planx.uk/metadata/tables.yaml
index 54dfbdf8ea..574b108f7b 100644
--- a/hasura.planx.uk/metadata/tables.yaml
+++ b/hasura.planx.uk/metadata/tables.yaml
@@ -425,6 +425,7 @@
         computed_fields:
           - data_merged
         filter: {}
+        allow_aggregations: true
     - role: platformAdmin
       permission:
         columns:
@@ -441,6 +442,7 @@
         computed_fields:
           - data_merged
         filter: {}
+        allow_aggregations: true
     - role: public
       permission:
         columns:
@@ -456,6 +458,7 @@
         computed_fields:
           - data_merged
         filter: {}
+        allow_aggregations: true
     - role: teamEditor
       permission:
         columns:
@@ -472,6 +475,7 @@
         computed_fields:
           - data_merged
         filter: {}
+        allow_aggregations: true
   update_permissions:
     - role: api
       permission:
@@ -1230,6 +1234,7 @@
           - flow_id
           - data
         filter: {}
+        allow_aggregations: true
     - role: platformAdmin
       permission:
         columns:
@@ -1240,6 +1245,7 @@
           - publisher_id
           - summary
         filter: {}
+        allow_aggregations: true
     - role: public
       permission:
         columns:
@@ -1250,6 +1256,7 @@
           - publisher_id
           - summary
         filter: {}
+        allow_aggregations: true
     - role: teamEditor
       permission:
         columns:
@@ -1260,6 +1267,7 @@
           - publisher_id
           - summary
         filter: {}
+        allow_aggregations: true
 - table:
     name: reconciliation_requests
     schema: public

From 4148a2158d8cdc1d68b7033511e5ed06ad83c1ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?= <DafyddLlyr@gmail.com>
Date: Thu, 15 Feb 2024 13:24:02 +0000
Subject: [PATCH 8/8] fix(types): Add better types to Airbrake logging (#2791)

---
 api.planx.uk/modules/send/utils/helpers.ts         | 14 ++++++--------
 .../webhooks/service/validateInput/utils.ts        |  8 +++++---
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/api.planx.uk/modules/send/utils/helpers.ts b/api.planx.uk/modules/send/utils/helpers.ts
index d527360434..06db45b327 100644
--- a/api.planx.uk/modules/send/utils/helpers.ts
+++ b/api.planx.uk/modules/send/utils/helpers.ts
@@ -21,8 +21,7 @@ export async function logPaymentStatus({
 }): Promise<void> {
   if (!flowId || !sessionId) {
     reportError({
-      message:
-        "Could not log the payment status due to missing context value(s)",
+      error: "Could not log the payment status due to missing context value(s)",
       context: { sessionId, flowId, teamSlug },
     });
   } else {
@@ -38,21 +37,20 @@ export async function logPaymentStatus({
       });
     } catch (e) {
       reportError({
-        message: "Failed to insert a payment status",
-        error: e,
-        govUkResponse,
+        error: `Failed to insert a payment status: ${e}`,
+        context: { govUkResponse },
       });
     }
   }
 }
 
 // tmp explicit error handling
-export function reportError(obj: object) {
+export function reportError(report: { error: any; context: object }) {
   if (airbrake) {
-    airbrake.notify(obj);
+    airbrake.notify(report);
     return;
   }
-  log(obj);
+  log(report);
 }
 
 // tmp logger
diff --git a/api.planx.uk/modules/webhooks/service/validateInput/utils.ts b/api.planx.uk/modules/webhooks/service/validateInput/utils.ts
index 628aee405d..3f8b772598 100644
--- a/api.planx.uk/modules/webhooks/service/validateInput/utils.ts
+++ b/api.planx.uk/modules/webhooks/service/validateInput/utils.ts
@@ -59,8 +59,10 @@ export const isCleanHTML = (input: unknown): boolean => {
  */
 const logUncleanHTMLError = (input: string, cleanHTML: string) => {
   reportError({
-    message: `Warning: Unclean HTML submitted!`,
-    input,
-    cleanHTML,
+    error: `Warning: Unclean HTML submitted!`,
+    context: {
+      input,
+      cleanHTML,
+    },
   });
 };