Added article preview controller (#326)

* added article preview controller

* article preview controller

* removed not needed const

* tests

* docs

* docs

* improvements

* include spec, fixes

Author: takeit

app/config/security.yml

@@ -5,7 +5,7 @@ security:
     role_hierarchy:
         ROLE_USER:          [ROLE_READER]
         ROLE_JOURNALIST:    [ROLE_USER]
-        ROLE_EDITOR:        [ROLE_JOURNALIST, ROLE_CAN_VIEW_NON_PUBLISHED]
+        ROLE_EDITOR:        [ROLE_JOURNALIST, ROLE_ARTICLE_PREVIEW]
         ROLE_INTERNAL_API:  [ROLE_EDITOR]
         ROLE_ADMIN:         [ROLE_EDITOR]
         ROLE_SUPER_ADMIN:   [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
@@ -35,6 +35,14 @@ security:
                 authenticators:
                     - swp.security.token_authenticator
             stateless: true
+        preview:
+            pattern: ^/preview/article
+            anonymous: false
+            logout: false
+            guard:
+                authenticators:
+                    - swp.security.preview_token_authenticator
+            stateless: true
         main:
             pattern: ^/
             form_login:
@@ -45,3 +53,6 @@ security:
             logout:
                 path: security_logout
             anonymous: true
+
+    access_control:
+        - { path: ^/preview/article, roles: ROLE_EDITOR }

docs/cookbooks/developers/article_preview.rst

@@ -1,11 +1,21 @@
 Article Preview
 ===============
 
-Article preview is based on user privileges. Every article which is not published yet can be previewed by users with special privileges assigned to them. If a user has, for example, ``ROLE_EDITOR`` role, he/she can preview article using url: ``domain.com/<section>/<article-slug>``.
+Article preview is based on user roles. Every article which is not published yet can be previewed by users with special roles assigned to them. This role is named ``ROLE_ARTICLE_PREVIEW``.
 
-For example, if you created an article that has a slug ``test-article`` and is assigned to ``news`` route, it will be available for preview under ``/news/test-article`` url but only when the user has ``ROLE_CAN_VIEW_NON_PUBLISHED`` role assigned. In other cases 404 error will be thrown.
+If a user has ``ROLE_ARTICLE_PREVIEW`` role assigned, he/she can preview article using url: ``domain.com/preview/article/<routeId>/<article-slug>/?auth_token=<token>``.
 
-If you are building JavaScript app and you want to preview article, the preview url of an article can be taken from articles API (``/content/articles/``), from ``_links`` JSON object - ``online`` link and loaded in an iframe for preview.
+Where ``<routeId>`` is route identifier on which you want to preview given article by it's slug (``<article-slug>`` parameter).
+
+Important here is to provide token, in order to be authorized to preview an article.
+
+.. tip::
+
+    See :doc:`API Authentication </internal_api/authentication>` section for more details on how to obtain user token.
+
+For example, if you created an article that has a slug ``test-article`` and this article is assigned to ``news`` route which id is 5, it will be available for preview under ``/preview/article/5/test-article?auth_token=uty56392323==`` url but only when the user has ``ROLE_ARTICLE_PREVIEW`` role assigned. In other cases 403 error will be thrown.
+
+If you are building JavaScript app and you want to preview article, the preview url of an article can be taken and loaded in an iframe for preview.
 
 User roles eligible for article preview:
 ----------------------------------------

src/SWP/Bundle/ContentBundle/Controller/ArticlePreviewController.php

@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the Superdesk Web Publisher Content Bundle.
+ *
+ * Copyright 2017 Sourcefabric z.ú. and contributors.
+ *
+ * For the full copyright and license information, please see the
+ * AUTHORS and LICENSE files distributed with this source code.
+ *
+ * @copyright 2017 Sourcefabric z.ú
+ * @license http://www.superdesk.org/license
+ */
+
+namespace SWP\Bundle\ContentBundle\Controller;
+
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
+use SWP\Bundle\ContentBundle\Model\ArticleInterface;
+use SWP\Bundle\ContentBundle\Model\RouteInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\Controller;
+
+class ArticlePreviewController extends Controller
+{
+    /**
+     * @Route("/preview/article/{routeId}/{slug}", options={"expose"=true}, requirements={"slug"=".+", "routeId"="\d+", "token"=".+"}, name="swp_article_preview")
+     * @Method("GET")
+     */
+    public function previewAction(int $routeId, string $slug)
+    {
+        /** @var RouteInterface $route */
+        $route = $this->findRouteOr404($routeId);
+        /** @var ArticleInterface $article */
+        $article = $this->findArticleOr404($slug);
+
+        $metaFactory = $this->get('swp_template_engine_context.factory.meta_factory');
+        $templateEngineContext = $this->get('swp_template_engine_context');
+        $templateEngineContext->setCurrentPage($metaFactory->create($route));
+        $templateEngineContext->getMetaForValue($article);
+
+        if (null === $route->getArticlesTemplateName()) {
+            throw $this->createNotFoundException(
+                sprintf('Template for route with id "%d" (%s) not found!', $route->getId(), $route->getName())
+            );
+        }
+
+        return $this->render($route->getArticlesTemplateName());
+    }
+
+    private function findRouteOr404(int $id)
+    {
+        if (null === ($route = $this->get('swp.repository.route')->findOneBy(['id' => $id]))) {
+            throw $this->createNotFoundException(sprintf('Route with id: "%s" not found!', $id));
+        }
+
+        return $route;
+    }
+
+    private function findArticleOr404(string $slug)
+    {
+        if (null === ($article = $this->get('swp.repository.article')->findOneBy(['slug' => $slug]))) {
+            throw $this->createNotFoundException(sprintf('Article with slug: "%s" not found!', $slug));
+        }
+
+        return $article;
+    }
+}

src/SWP/Bundle/CoreBundle/Resources/config/services.yml

@@ -104,6 +104,10 @@ services:
             - "@swp.repository.tenant"
             - "@event_dispatcher"
 
+    swp.security.preview_token_authenticator:
+        class: SWP\Bundle\CoreBundle\Security\Authenticator\PreviewTokenAuthenticator
+        parent: swp.security.token_authenticator
+
     swp.security.user_provider:
         class: SWP\Bundle\CoreBundle\Security\Provider\UserProvider
         arguments:

src/SWP/Bundle/CoreBundle/Security/Authenticator/PreviewTokenAuthenticator.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the Superdesk Web Publisher Core Bundle.
+ *
+ * Copyright 2017 Sourcefabric z.ú. and contributors.
+ *
+ * For the full copyright and license information, please see the
+ * AUTHORS and LICENSE files distributed with this source code.
+ *
+ * @copyright 2017 Sourcefabric z.ú
+ * @license http://www.superdesk.org/license
+ */
+
+namespace SWP\Bundle\CoreBundle\Security\Authenticator;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+
+class PreviewTokenAuthenticator extends TokenAuthenticator
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
+    {
+        throw new AccessDeniedHttpException(strtr($exception->getMessageKey(), $exception->getMessageData()));
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function start(Request $request, AuthenticationException $authException = null)
+    {
+        throw new UnauthorizedHttpException('Authentication Required');
+    }
+}

src/SWP/Bundle/CoreBundle/Tests/Functional/ArticlePreviewTest.php

@@ -0,0 +1,218 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the Superdesk Web Publisher Core Bundle.
+ *
+ * Copyright 2017 Sourcefabric z.ú. and contributors.
+ *
+ * For the full copyright and license information, please see the
+ * AUTHORS and LICENSE files distributed with this source code.
+ *
+ * @copyright 2017 Sourcefabric z.ú
+ * @license http://www.superdesk.org/license
+ */
+
+namespace SWP\Bundle\CoreBundle\Tests\Functional;
+
+use SWP\Bundle\FixturesBundle\WebTestCase;
+
+final class ArticlePreviewTest extends WebTestCase
+{
+    private $router;
+
+    public function setUp()
+    {
+        self::bootKernel();
+        $this->initDatabase();
+        $this->loadCustomFixtures(['tenant']);
+        $this->loadFixtureFiles([
+            '@SWPFixturesBundle/Resources/fixtures/ORM/test/article_preview.yml',
+        ], true);
+
+        $this->router = $this->getContainer()->get('router');
+    }
+
+    public function testArticlePreview()
+    {
+        $route = $this->createRoute();
+
+        $this->ensureArticleIsNotAccessible();
+
+        $client = static::createClient([], ['HTTP_Authorization' => null]);
+        $crawler = $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'art1-not-published', 'auth_token' => base64_encode('test_token:')]
+        ));
+
+        self::assertTrue($client->getResponse()->isSuccessful());
+        self::assertGreaterThan(0, $crawler->filter('html:contains("Slug: art1-not-published")')->count());
+        self::assertGreaterThan(0, $crawler->filter('html:contains("Current tenant: Default tenant")')->count());
+    }
+
+    public function testArticlePreviewWithoutToken()
+    {
+        $route = $this->createRoute();
+        $client = static::createClient([], ['HTTP_Authorization' => null]);
+        $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'art1-not-published']
+        ));
+
+        self::assertEquals(401, $client->getResponse()->getStatusCode());
+    }
+
+    public function testArticlePreviewWithFakeToken()
+    {
+        $route = $this->createRoute();
+
+        $this->ensureArticleIsNotAccessible();
+
+        $client = static::createClient([], ['HTTP_Authorization' => null]);
+        $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'art1-not-published', 'auth_token' => 'fake']
+        ));
+
+        self::assertEquals(403, $client->getResponse()->getStatusCode());
+    }
+
+    public function testArticlePreviewWithNotExistingArticle()
+    {
+        $route = $this->createRoute();
+
+        $this->ensureArticleIsNotAccessible();
+
+        $client = static::createClient([], ['HTTP_Authorization' => null]);
+        $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'fake-article', 'auth_token' => base64_encode('test_token:')]
+        ));
+
+        self::assertFalse($client->getResponse()->isSuccessful());
+        self::assertEquals($client->getResponse()->getStatusCode(), 404);
+    }
+
+    public function testArticlePreviewWithNotExistingRoute()
+    {
+        $this->ensureArticleIsNotAccessible();
+
+        $client = static::createClient([], ['HTTP_Authorization' => null]);
+        $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => 9999, 'slug' => 'art1-not-published', 'auth_token' => base64_encode('test_token:')]
+        ));
+
+        self::assertFalse($client->getResponse()->isSuccessful());
+        self::assertEquals($client->getResponse()->getStatusCode(), 404);
+    }
+
+    public function testArticlePreviewWithoutRouteTemplate()
+    {
+        $route = $this->createRouteWithoutTemplate();
+
+        $this->ensureArticleIsNotAccessible();
+
+        $client = static::createClient([], ['HTTP_Authorization' => null]);
+        $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'art1-not-published', 'auth_token' => base64_encode('test_token:')]
+        ));
+
+        self::assertFalse($client->getResponse()->isSuccessful());
+        self::assertEquals($client->getResponse()->getStatusCode(), 404);
+    }
+
+    public function testTenantsFromDifferentOrganizationsCantPreviewArticlesOfEachother()
+    {
+        $route = $this->createRoute();
+        $this->ensureArticleIsNotAccessible();
+
+        $client = static::createClient([], ['HTTP_Authorization' => null]);
+        $crawler = $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'art1-not-published', 'auth_token' => base64_encode('test_token:')]
+        ));
+
+        self::assertTrue($client->getResponse()->isSuccessful());
+        self::assertGreaterThan(0, $crawler->filter('html:contains("Slug: art1-not-published")')->count());
+        self::assertGreaterThan(0, $crawler->filter('html:contains("Current tenant: Default tenant")')->count());
+
+        $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'art1-not-published', 'auth_token' => base64_encode('client1_token')]
+        ));
+
+        self::assertEquals(403, $client->getResponse()->getStatusCode());
+    }
+
+    public function testOneTenantCanPreviewArticlesOfOtherTenantsUsingTokensWithinSameOrganization()
+    {
+        $route = $this->createRoute();
+        $this->ensureArticleIsNotAccessible();
+
+        $client = static::createClient([], ['HTTP_Authorization' => null]);
+        $crawler = $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'art1-not-published', 'auth_token' => base64_encode('test_token:')]
+        ));
+
+        self::assertTrue($client->getResponse()->isSuccessful());
+        self::assertGreaterThan(0, $crawler->filter('html:contains("Slug: art1-not-published")')->count());
+        self::assertGreaterThan(0, $crawler->filter('html:contains("Current tenant: Default tenant")')->count());
+
+        $client->request('GET', $this->router->generate(
+            'swp_article_preview',
+            ['routeId' => $route['id'], 'slug' => 'art1-not-published', 'auth_token' => base64_encode('client2_token')]
+        ));
+
+        self::assertTrue($client->getResponse()->isSuccessful());
+        self::assertGreaterThan(0, $crawler->filter('html:contains("Slug: art1-not-published")')->count());
+        self::assertGreaterThan(0, $crawler->filter('html:contains("Current tenant: Default tenant")')->count());
+    }
+
+    private function createRoute()
+    {
+        $client = static::createClient();
+        $client->request('POST', $this->router->generate('swp_api_content_create_routes'), [
+            'route' => [
+                'name' => 'news',
+                'type' => 'collection',
+                'content' => null,
+                'templateName' => 'news.html.twig',
+                'articlesTemplateName' => 'article.html.twig',
+            ],
+        ]);
+
+        self::assertEquals(201, $client->getResponse()->getStatusCode());
+
+        return json_decode($client->getResponse()->getContent(), true);
+    }
+
+    private function ensureArticleIsNotAccessible()
+    {
+        $client = static::createClient();
+        $client->request('GET', '/news/art1-not-published');
+
+        self::assertFalse($client->getResponse()->isSuccessful());
+        self::assertEquals(404, $client->getResponse()->getStatusCode());
+    }
+
+    private function createRouteWithoutTemplate()
+    {
+        $client = static::createClient();
+        $client->request('POST', $this->router->generate('swp_api_content_create_routes'), [
+            'route' => [
+                'name' => 'news',
+                'type' => 'collection',
+                'content' => null,
+                'templateName' => 'news.html.twig',
+            ],
+        ]);
+
+        self::assertEquals(201, $client->getResponse()->getStatusCode());
+
+        return json_decode($client->getResponse()->getContent(), true);
+    }
+}