fix: Remove val() BIGINT precision loss, scope tag uniqueness, add admin unpublish

CFML's val() returns Java double (53-bit mantissa), silently corrupting
19-digit snowflake-style BIGINT IDs in SQL WHERE clauses. Removed val()
wrappers from ~20 queries across Controller.cfc, BlogController.cfc, and
AdminController.cfc.

Scoped Tag uniqueness validation to per-blog (scope="blogId") so tags
like "wheels" can be reused across different posts.

Added Unpublish/Revert to Draft action in admin blog panel: sets statusId
to Draft, clears approval status and publishedAt. Includes route, controller
action, verifies exception, and dropdown buttons in both blog.cfm and
_blogs.cfm partial.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: bpamiri

app/controllers/Controller.cfc

@@ -115,7 +115,7 @@ component extends="wheels.Controller" {
 
     function getCategoriesByBlogid(required numeric id) {
         return model("BlogCategory").findAll(
-            where = "blogId = #val(arguments.id)#",
+            where = "blogId = #arguments.id#",
             include = "Blog,Category",
             cache = 10
         );
@@ -386,11 +386,34 @@ component extends="wheels.Controller" {
                     newTag.blogId = blogId;
                     newTag.createdAt = now();
                     newTag.updatedAt = now();
-                    newTag.save();
+                    if (!newTag.save()) {
+                        model("Log").log(
+                            category = "wheels.blog.tags",
+                            level = "ERROR",
+                            message = "Failed to save tag '#trim(tagName)#' for blogId: #blogId#",
+                            details = {
+                                "blog_id": blogId,
+                                "tag_name": trim(tagName),
+                                "errors": newTag.allErrors()
+                            },
+                            userId = GetSignedInUserId()
+                        );
+                    }
                 }
             }
         } catch (any e) {
-            local.exception = e;
+            model("Log").log(
+                category = "wheels.blog.tags",
+                level = "ERROR",
+                message = "Failed to save blog tags for blogId: #blogId#",
+                details = {
+                    "blog_id": blogId,
+                    "error_message": e.message,
+                    "error_detail": e.detail,
+                    "error_type": e.type
+                },
+                userId = GetSignedInUserId()
+            );
         }
     }
 
@@ -399,7 +422,7 @@ component extends="wheels.Controller" {
         try {
             if (blogId > 0) {
                 // direct delete approach
-                model("Tag").deleteAll(where="blogId = #val(arguments.blogId)#");
+                model("Tag").deleteAll(where="blogId = #arguments.blogId#");
 
                 return true;
             }
@@ -458,7 +481,7 @@ component extends="wheels.Controller" {
         try {
             if (blogId > 0) {
                 // Find all category associations for this blog post
-                model("BlogCategory").deleteAll(where="blogId = #val(arguments.blogId)#");
+                model("BlogCategory").deleteAll(where="blogId = #arguments.blogId#");
 
                 return true;
             }
@@ -513,7 +536,7 @@ component extends="wheels.Controller" {
 
             // Check if a blog with the same title/slug exists (that isn't this one)
             var existingBlog = model("Blog").findFirst(
-                where="title = '#params.title#' AND slug = '#params.slug#' AND id != #val(blogId)#"
+                where="title = '#params.title#' AND slug = '#params.slug#' AND id != #blogId#"
             );
 
             if (isObject(existingBlog)) {

app/controllers/admin/AdminController.cfc

@@ -3,7 +3,7 @@ component extends="app.Controllers.Controller" {
 
     function config() {
         super.config();
-        verifies(except="index,dashboard,checkAdminAccess,blog,editBlog,deleteBlog,update,blogList,blogApprove,rejectBlog,showBlog,commentsPublish,unpublishComment,comments,blogBulkApprove,blogBulkReject,viewComments,publishblog,closeComments", params="key", paramsTypes="integer");
+        verifies(except="index,dashboard,checkAdminAccess,blog,editBlog,deleteBlog,update,blogList,blogApprove,rejectBlog,unpublishBlog,showBlog,commentsPublish,unpublishComment,comments,blogBulkApprove,blogBulkReject,viewComments,publishblog,closeComments", params="key", paramsTypes="integer");
         usesLayout(template="/admin/AdminController/layout");
         filters(through="checkAdminAccess");
     }
@@ -37,8 +37,8 @@ component extends="app.Controllers.Controller" {
             // Get categories and tags for the form
             var categories = model("Category").findAll(order="name ASC");
             var postTypes = model("PostType").findAll(order="name ASC");
-            var blogCategories = model("BlogCategory").findAll(where="blogId = #val(blog.id)#");
-            var blogTags = model("Tag").findAll(where="blogId = #val(blog.id)#");
+            var blogCategories = model("BlogCategory").findAll(where="blogId = #blog.id#");
+            var blogTags = model("Tag").findAll(where="blogId = #blog.id#");
 
             // Prepare data for the view
             var selectedCategories = [];
@@ -202,6 +202,16 @@ component extends="app.Controllers.Controller" {
         }
     }
 
+    function unpublishBlog() {
+        try {
+            blogUnpublish(params.id);
+            renderText('<span class="badge bg-warning text-dark">Pending</span>');
+        } catch (any e) {
+            cfheader(statusCode=500);
+            renderText(e.message);
+        }
+    }
+
     function blogBulkApprove(){
         if (!structKeyExists(params, "selectedBlogIds") || !isArray(params.selectedBlogIds) || arrayLen(params.selectedBlogIds) == 0) {
             blogs = getAllBlogs();
@@ -742,6 +752,33 @@ component extends="app.Controllers.Controller" {
         };
     }
 
+    private function blogUnpublish(id){
+        var blog = model("Blog").findByKey(id);
+
+        if (isObject(blog)) {
+            blog.statusId = 1;
+            blog.status = "";
+            blog.publishedAt = "";
+            if (blog.save()) {
+                return {
+                    success = true,
+                    message = "Blog unpublished successfully!"
+                };
+            } else {
+                return {
+                    success = false,
+                    errors = blog.allErrors(),
+                    message = "Failed to unpublish blog!"
+                };
+            }
+        }
+
+        return {
+            success = false,
+            message = "Blog not found"
+        };
+    }
+
     public void function importData() {
 
         // 1) Load & parse JSON
@@ -949,8 +986,8 @@ component extends="app.Controllers.Controller" {
                     postMap[wpId] = existingPost.id;
 
                     // Delete existing categories and tags for this post
-                    model("BlogCategory").deleteAll(where="blogId = #val(existingPost.id)#");
-                    model("Tag").deleteAll(where="blogId = #val(existingPost.id)#");
+                    model("BlogCategory").deleteAll(where="blogId = #existingPost.id#");
+                    model("Tag").deleteAll(where="blogId = #existingPost.id#");
 
                     // Process taxonomies (categories and tags)
                     processTaxonomies(item, existingPost.id, arguments.categoryMap, arguments.tagMap);

app/controllers/web/BlogController.cfc

@@ -118,8 +118,8 @@ component extends="app.Controllers.Controller" {
         // Try to get both stats in one query if your database supports it
         try {
             return {
-                "totalPosts": model("Blog").count(where="createdBy = #val(arguments.authorId)#"),
-                "totalComments": model("Comment").count(where="authorId = #val(arguments.authorId)#")
+                "totalPosts": model("Blog").count(where="createdBy = #arguments.authorId#"),
+                "totalComments": model("Comment").count(where="authorId = #arguments.authorId#")
             };
         } catch (any e) {
             model("Log").log(
@@ -221,8 +221,8 @@ component extends="app.Controllers.Controller" {
             // Get categories and tags for the form
             categories = model("Category").findAll(order="name ASC");
             postTypes = model("PostType").findAll(order="name ASC");
-            var blogCategories = model("BlogCategory").findAll(where="blogId = #val(blog.id)#");
-            var blogTags = model("Tag").findAll(where="blogId = #val(blog.id)#");
+            var blogCategories = model("BlogCategory").findAll(where="blogId = #blog.id#");
+            var blogTags = model("Tag").findAll(where="blogId = #blog.id#");
 
             // Prepare data for the view
             var selectedCategories = [];
@@ -264,7 +264,7 @@ component extends="app.Controllers.Controller" {
     private function getBlogsByAuthor(required authorId, numeric page=1, numeric perPage=6, boolean isInfiniteScroll=false) {
         var result = {
             query = model("Blog").findAll(
-                where="blog_posts.statusId <> 1 AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.createdBy = #val(arguments.authorId)#",
+                where="blog_posts.statusId <> 1 AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.createdBy = #arguments.authorId#",
                 include="User",
                 order="COALESCE(post_created_date, blog_posts.createdat) DESC",
                 page = arguments.page,
@@ -275,7 +275,7 @@ component extends="app.Controllers.Controller" {
         };
 
         result.totalCount = model("Blog").count(
-            where="blog_posts.statusId <> 1 AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.createdBy = #val(arguments.authorId)#"
+            where="blog_posts.statusId <> 1 AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.createdBy = #arguments.authorId#"
         );
         result.hasMore = (page * perPage) < result.totalCount;
 
@@ -648,7 +648,7 @@ component extends="app.Controllers.Controller" {
                 var whereClause = "title = '#form.title#'";
 
                 if(structKeyExists(form, "id") && isNumeric(form.id) && form.id > 0) {
-                    whereClause &= " AND id != #val(form.id)#";
+                    whereClause &= " AND id != #form.id#";
                 }
 
                 var blogModel = model("Blog").findAll(where=whereClause);
@@ -857,15 +857,15 @@ component extends="app.Controllers.Controller" {
         if (!isObject(category)) return {query=queryNew(""), hasMore=false, totalCount=0};
 
         var blogCategoryQuery = model("BlogCategory")
-            .findAll(where="categoryId = #val(category.id)#", returnAs="query");
+            .findAll(where="categoryId = #category.id#", returnAs="query");
         if (blogCategoryQuery.recordCount == 0) return {query=queryNew(""), hasMore=false, totalCount=0};
 
         var blogIds = blogCategoryQuery.columnData("blogId");
         var blogIdList = arrayToList(blogIds);
 
         var result = {
             query = model("Blog").findAll(
-                where="blog_posts.id IN (#blogIdList#) AND categoryId = #val(category.id)# AND blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL",
+                where="blog_posts.id IN (#blogIdList#) AND categoryId = #category.id# AND blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL",
                 order="createdAt DESC",
                 include="User,BlogCategory",
                 returnAs="query",
@@ -877,7 +877,7 @@ component extends="app.Controllers.Controller" {
         };
 
         result.totalCount = model("Blog").count(
-            where="blog_posts.id IN (#blogIdList#) AND categoryId = #val(category.id)# AND blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL",
+            where="blog_posts.id IN (#blogIdList#) AND categoryId = #category.id# AND blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL",
             include="User,BlogCategory"
         );
         result.hasMore = (page * perPage) < result.totalCount;
@@ -908,7 +908,7 @@ component extends="app.Controllers.Controller" {
 
     private function getBlogById(required numeric id) {
         return model("Blog").findOne(
-            where="blog_posts.id = #val(arguments.id)#",
+            where="blog_posts.id = #arguments.id#",
             include="User, PostStatus"
         );
     }
@@ -993,7 +993,18 @@ component extends="app.Controllers.Controller" {
                     }
                     newBlog.save();
 
-                    response.blogId = newBlog.id;
+                    // Retrieve the generated ID by looking up the just-created blog by slug.
+                    // Wheels' PostgreSQL adapter does not always return the auto-generated
+                    // primary key after INSERT (e.g. when the column uses a BIGINT default
+                    // or trigger-based ID generation rather than SERIAL).
+                    if (!len(trim(newBlog.id))) {
+                        var createdBlog = model("Blog").findOne(where="slug = '#blogData.slug#'");
+                        if (isObject(createdBlog)) {
+                            response.blogId = createdBlog.id;
+                        }
+                    } else {
+                        response.blogId = newBlog.id;
+                    }
                     response.message = "Blog post created successfully.";
                 } else {
                     response.message = "A blog post with the same title already exists.";
@@ -1056,7 +1067,7 @@ component extends="app.Controllers.Controller" {
     }
 
     function getAllCommentsByBlogid(required numeric id) {
-        var comments = model("Comment").findAll(include="User", where="isPublished = 1 AND blogid = #val(arguments.id)# AND commentParentId IS NULL", cache=5);
+        var comments = model("Comment").findAll(include="User", where="isPublished = 1 AND blogid = #arguments.id# AND commentParentId IS NULL", cache=5);
 
         return comments;
     }
@@ -1106,7 +1117,7 @@ component extends="app.Controllers.Controller" {
                 response = saveComment(params);
             }
             if(structKeyExists(response, "Id")){
-                comments = commentModel.findAll(include="User", where="id = #val(response.Id)# AND isPublished = 1");
+                comments = commentModel.findAll(include="User", where="id = #response.Id# AND isPublished = 1");
                 renderPartial(partial="partials/comment");
             }
         } catch (any e) {
@@ -1172,7 +1183,7 @@ component extends="app.Controllers.Controller" {
                 throw("Invalid blog ID", "InvalidRequest");
             }
 
-            var blogId = val(params.id);
+            var blogId = params.id;
             var blog = model("Blog").findByKey(blogId);
             var user = model("User").findByKey(currentUserId);
 

app/models/Tag.cfc

@@ -15,7 +15,7 @@ component extends="app.Models.Model" {
         belongsTo(name="Blog", foreignKey="blogId");
 
         validatesPresenceOf(property="name");
-        validatesUniquenessOf(property="name");
+        validatesUniquenessOf(property="name", scope="blogId");
     }
 
     // fetch all tags

app/views/admin/AdminController/blog.cfm

@@ -101,6 +101,16 @@
                                                         hx-confirm="Are you sure you want to reject this blog?"
                                                     >Reject</button>
                                                 </li>
+                                                <li>
+                                                    <button
+                                                        class="dropdown-item text-warning fs-16"
+                                                        hx-post="unpublish"
+                                                        hx-vals='{"id": "#blogs.id[i]#", "authenticityToken": "#authenticityToken()#"}'
+                                                        hx-target=".approval-status-#blogId#"
+                                                        hx-swap="innerHTML"
+                                                        hx-confirm="Are you sure you want to unpublish this blog? It will revert to draft status."
+                                                    >Unpublish</button>
+                                                </li>
                                                 <li>
                                                     <button class="dropdown-item text-danger fs-16"
                                                     hx-post="/admin/blog/delete"

app/views/admin/AdminController/partials/_blogs.cfm

@@ -92,6 +92,16 @@
                                                 hx-confirm="Are you sure you want to reject this blog?"
                                             >Reject</button>
                                         </li>
+                                        <li>
+                                            <button
+                                                class="dropdown-item text-warning fs-16"
+                                                hx-post="unpublish"
+                                                hx-vals='{"id": "#blogs.id[i]#", "authenticityToken": "#authenticityToken()#"}'
+                                                hx-target=".approval-status-#blogId#"
+                                                hx-swap="innerHTML"
+                                                hx-confirm="Are you sure you want to unpublish this blog? It will revert to draft status."
+                                            >Unpublish</button>
+                                        </li>
                                     </ul>
                                 </div>
                             </td>

config/routes.cfm

@@ -141,6 +141,7 @@
 			.post(name = "blog-approve", pattern = "approve", to = "AdminController##blogApprove")
 			.post(name = "bulk-approve", pattern = "bulkApprove", to = "AdminController##blogBulkApprove")
 			.post(name = "blog-reject", pattern = "reject", to = "AdminController##rejectBlog")
+			.post(name = "blog-unpublish-admin", pattern = "unpublish", to = "AdminController##unpublishBlog")
 			.post(name = "bulk-reject", pattern = "bulkReject", to = "AdminController##blogBulkReject")
 			.post(name = "comment-publish", pattern = "publish", to = "AdminController##commentsPublish")
 			.post(name = "comment-unpublish", pattern = "hide", to = "AdminController##unpublishComment")