Patrick Bass Area: Cross-cutting infra (audit p14) · Surface: AdminLegalController + AdminSitePageController · Dimension: improve-existing · Severity: minor
Competitor content tools (Circle Pages, Mighty, Discourse, every LMS page editor) let an admin draft a page, preview it privately, and either publish now or schedule for later. Mobieus' editors are publish-on-save only, so reworking the Terms or the About page means editing the live document in front of every member with no safe staging step. A 'Preview public page' button exists (legal/edit.php:58) but it previews the already-saved live version, not an unsaved draft. For a community owner rewriting their guidelines, this forces awkward off-platform drafting.
Evidence
templates/admin/legal/edit.php:243 'Saving publishes immediately. There is no draft mode.' AdminLegalController.php:102 save() writes straight to the live row consumed by PageController::renderLegalPage (PageController.php:81-90 reads LegalPage::findBySlug and renders it). AdminSitePageController.php:101 SitePage::upsert is the live read path too (PageController.php:20 about() reads SitePage::find('about-us')). No status/published_at column exists in either migration.Suggested fix. Add a status column (draft/published) plus optional publish_at to legal_pages and site_pages; render drafts only to super-admins via a ?preview token, keep the public route serving the last-published version, and add a 'Save draft' vs 'Publish' split on the editor toolbar.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
