Microsites

Mini-sites — Admin Guide

Admin panel locations

URL	What you can manage
`/admin/microsites/website/`	All sites — filter by owner, published state, visibility. Edit title, slug, public_slug, branding, nav settings, contact config.
`/admin/microsites/websitesection/`	All sections/pages across all sites. Adjust label, slug, visibility, sort order.
`/admin/microsites/sectionasset/`	All page assets. Useful for finding orphaned or broken assets.
`/admin/microsites/pageblock/`	All blocks across all sites. Edit or delete individual blocks.
`/admin/microsites/websiterevision/`	All revision snapshots. The `snapshot` column holds the full JSON.
`/admin/microsites/websitelogo/`	Logo carousel images. Manage `is_active` and `sort_order`.
`/admin/microsites/contactmessage/`	All contact form submissions across every site. Filter by website, status, date.
`/admin/microsites/sectionassetlog/`	Audit trail — every page save logged with user, timestamp, and status message.

public_slug must be globally unique (enforced by DB unique constraint).
If a user claims a slug already in use, the AJAX check at /microsites/api/public-slug-check/ warns them before submission.
To reassign a slug: clear it on the current site in Django admin, then the target site can claim it.
To force-unpublish: in Django admin set public_slug to blank and is_published = False.
Clearing public_slug breaks any existing links to that site — use with caution.

Mode	Behaviour
PUBLIC	Site appears in the /sites/ public directory. Anyone with the URL can view it.
UNLISTED	Accessible by direct URL only. Not listed in the /sites/ directory. Share the link manually.
GROUP	Only members of the `allowed_groups` contacts group can view. Requires the Contacts app group system.

All submissions go to ContactMessage. Status flow: NEW → READ → REPLIED → ARCHIVED.
Owners manage their own inbox at /microsites/<pk>/messages/. Staff can see all at /admin/microsites/contactmessage/.
There is no built-in email notification — owners check their inbox manually.
Filter by status=new to see unread submissions across all sites.

The import validator (_validate_zip_security in microsites/views.py) blocks uploads that contain:

Path traversal — any file path containing .. or starting with /
Disallowed extensions — images must be jpg/jpeg/png/gif/ico/webp/svg; files must be pdf/md/html/htm/txt
ZIP bombs — total uncompressed size > 300 MB, any single file > 50 MB, or more than 500 entries
Unsafe HTML — <script>, javascript:, event attributes (onclick=, onload=), <iframe>, <object>, <embed> in rawhtml block content

Rejected uploads show a user-facing error message. No data is written to the DB on rejection.

A WebsiteRevision is created automatically on every Publish action.
ZIP import into an existing site creates two revisions: one before (auto-snapshot) and one after (imported state).
The snapshot JSON field contains the full site structure at that moment (sections, assets, blocks — keyed by PKs).
Owners restore via the UI at /microsites/<pk>/revisions/. Staff can inspect raw JSON in Django admin.
If the UI restore fails (e.g. PK mismatch after migration), manually copy the snapshot JSON and recreate the structure via Django admin or shell.

Every time a SectionAsset (page) is saved, a log entry is created with: user, timestamp, status (success/warning/error), filename, and a message.
Use /admin/microsites/sectionassetlog/ to correlate a broken page with the user action that caused it.
Filter by asset to see the full save history for a specific page.

To take a site offline immediately: in Django admin, clear public_slug and set is_published = False. The site becomes inaccessible at its public URL within seconds.
To find all public sites owned by a user: filter /admin/microsites/website/ by owner and is_published = True.
Deleting a Website in admin cascades to all sections, assets, blocks, revisions, logos, and contact messages.

The show_of_badge field on Website controls whether the small OrbitingFox branding badge appears on the public site.
Users can toggle it in Settings. An admin-level global override may be configured in the AdminApp settings panel.