Merge pull request #6572 from getkirby/fix/6400-preview-permission-pe…

…r-role

Support role permissions for  `preview` option

src/Cms/File.php

@@ -624,7 +624,7 @@ public function url(): string
 	 * Page URL and the filename as a more stable
 	 * alternative for the media URLs.
 	 */
-	public function previewUrl(): string
+	public function previewUrl(): string|null
 	{
 		$parent = $this->parent();
 		$url    = Url::to($this->id());
@@ -633,6 +633,12 @@ public function previewUrl(): string
 			case 'page':
 				$preview = $parent->blueprint()->preview();
 
+				// user has no permission to preview page,
+				// also return null for file preview
+				if ($preview === false) {
+					return null;
+				}
+
 				// the page has a custom preview setting,
 				// thus the file is only accessible through
 				// the direct media URL

src/Cms/PageBlueprint.php

@@ -180,7 +180,7 @@ public function preview(): string|bool
 			return $this->model->toString($preview);
 		}
 
-		return $preview;
+		return $this->model->permissions()->can('preview', true);
 	}
 
 	/**

src/Cms/SiteBlueprint.php

@@ -51,6 +51,6 @@ public function preview(): string|bool
 			return $this->model->toString($preview);
 		}
 
-		return $preview;
+		return $this->model->permissions()->can('preview', true);
 	}
 }

tests/Cms/Files/FileTest.php

@@ -725,6 +725,25 @@ public function testPermalink()
 
 	public function testPreviewUrl()
 	{
+		$app = $this->app->clone([
+			'users' => [
+				[
+					'id'    => 'test',
+					'email' => '[email protected]',
+					'role'  => 'editor'
+				]
+			],
+			'roles' => [
+				[
+					'id'    => 'editor',
+					'name'  => 'editor',
+				]
+			]
+		]);
+
+		// authenticate
+		$app->impersonate('[email protected]');
+
 		$page = new Page([
 			'slug'  => 'test',
 			'files' => [
@@ -738,8 +757,42 @@ public function testPreviewUrl()
 		$this->assertSame('/test/test.pdf', $file->previewUrl());
 	}
 
+	public function testPreviewUrlUnauthenticated()
+	{
+		$page = new Page([
+			'slug'  => 'test',
+			'files' => [
+				[
+					'filename' => 'test.pdf'
+				]
+			]
+		]);
+
+		$file = $page->file('test.pdf');
+		$this->assertNull($file->previewUrl());
+	}
+
 	public function testPreviewUrlForDraft()
 	{
+		$app = $this->app->clone([
+			'users' => [
+				[
+					'id'    => 'test',
+					'email' => '[email protected]',
+					'role'  => 'editor'
+				]
+			],
+			'roles' => [
+				[
+					'id'    => 'editor',
+					'name'  => 'editor',
+				]
+			]
+		]);
+
+		// authenticate
+		$app->impersonate('[email protected]');
+
 		$page = new Page([
 			'slug'    => 'test',
 			'isDraft' => true,
@@ -754,7 +807,7 @@ public function testPreviewUrlForDraft()
 		$this->assertSame($file->url(), $file->previewUrl());
 	}
 
-	public function testPreviewUrlForPageWithCustomPreviewSetting()
+	public function testPreviewUrlForPageWithDeniedPreviewSetting()
 	{
 		$app = new App([
 			'blueprints' => [
@@ -779,15 +832,98 @@ public function testPreviewUrlForPageWithCustomPreviewSetting()
 						]
 					]
 				]
+			],
+			'users' => [
+				[
+					'id'    => 'test',
+					'email' => '[email protected]',
+					'role'  => 'editor'
+				]
+			],
+			'roles' => [
+				[
+					'id'    => 'editor',
+					'name'  => 'editor',
+				]
+			]
+		]);
+
+		// authenticate
+		$app->impersonate('[email protected]');
+
+		$file = $app->file('test/test.pdf');
+		$this->assertNull($file->previewUrl());
+	}
+
+	public function testPreviewUrlForPageWithCustomPreviewSetting()
+	{
+		$app = new App([
+			'blueprints' => [
+				'pages/test' => [
+					'options' => [
+						'preview' => '/foo/bar'
+					]
+				]
+			],
+			'roots' => [
+				'index' => '/dev/null'
+			],
+			'site' => [
+				'children' => [
+					[
+						'slug'     => 'test',
+						'template' => 'test',
+						'files'    => [
+							[
+								'filename' => 'test.pdf'
+							]
+						]
+					]
+				]
+			],
+			'users' => [
+				[
+					'id'    => 'test',
+					'email' => '[email protected]',
+					'role'  => 'editor'
+				]
+			],
+			'roles' => [
+				[
+					'id'    => 'editor',
+					'name'  => 'editor',
+				]
 			]
 		]);
 
+		// authenticate
+		$app->impersonate('[email protected]');
+
 		$file = $app->file('test/test.pdf');
 		$this->assertSame($file->url(), $file->previewUrl());
 	}
 
 	public function testPreviewUrlForUserFile()
 	{
+		$app = $this->app->clone([
+			'users' => [
+				[
+					'id'    => 'test',
+					'email' => '[email protected]',
+					'role'  => 'editor'
+				]
+			],
+			'roles' => [
+				[
+					'id'    => 'editor',
+					'name'  => 'editor',
+				]
+			]
+		]);
+
+		// authenticate
+		$app->impersonate('[email protected]');
+
 		$user = new User([
 			'email' => '[email protected]',
 			'files' => [
@@ -820,9 +956,25 @@ public function testPreviewUrlForExtendedComponent()
 						]
 					]
 				]
+			],
+			'users' => [
+				[
+					'id'    => 'test',
+					'email' => '[email protected]',
+					'role'  => 'editor'
+				]
+			],
+			'roles' => [
+				[
+					'id'    => 'editor',
+					'name'  => 'editor',
+				]
 			]
 		]);
 
+		// authenticate
+		$app->impersonate('[email protected]');
+
 		$file = $app->file('test/test.pdf');
 		$this->assertSame('https://getkirby.com/test.pdf', $file->previewUrl());
 	}

tests/Cms/Pages/PageTest.php

@@ -583,9 +583,30 @@ public function testPreviewUrl()
 			'slug' => 'test'
 		]);
 
+		// authenticate
+		$app->impersonate('kirby');
+
 		$this->assertSame('/test', $page->previewUrl());
 	}
 
+	public function testPreviewUrlUnauthenticated()
+	{
+		new App([
+			'roots' => [
+				'index' => '/dev/null'
+			],
+			'urls' => [
+				'index' => '/'
+			]
+		]);
+
+		$page = new Page([
+			'slug' => 'test'
+		]);
+
+		$this->assertNull($page->previewUrl());
+	}
+
 	public static function previewUrlProvider(): array
 	{
 		return [
@@ -600,23 +621,46 @@ public static function previewUrlProvider(): array
 			['{{ page.url }}?preview=true', '/test?preview=true&{token}', true],
 			[false, null, false],
 			[false, null, true],
+			[null, null, false, false],
 		];
 	}
 
 	/**
 	 * @dataProvider previewUrlProvider
 	 */
-	public function testCustomPreviewUrl($input, $expected, $draft)
-	{
+	public function testCustomPreviewUrl(
+		$input,
+		$expected,
+		bool $draft,
+		bool $authenticated = true
+	): void {
 		$app = new App([
 			'roots' => [
 				'index' => '/dev/null'
 			],
 			'urls' => [
 				'index' => '/'
+			],
+			'users' => [
+				[
+					'id'    => 'test',
+					'email' => '[email protected]',
+					'role'  => 'editor'
+				]
+			],
+			'roles' => [
+				[
+					'id'    => 'editor',
+					'name'  => 'editor',
+				]
 			]
 		]);
 
+		// authenticate
+		if ($authenticated) {
+			$app->impersonate('[email protected]');
+		}
+
 		$options = [];
 
 		if ($input !== null) {

tests/Cms/Site/SiteTest.php

@@ -194,23 +194,45 @@ public static function previewUrlProvider(): array
 			['https://test.com', 'https://test.com'],
 			['{{ site.url }}#test', '/#test'],
 			[false, null],
+			[null, null, false],
 		];
 	}
 
 	/**
 	 * @dataProvider previewUrlProvider
 	 */
-	public function testCustomPreviewUrl($input, $expected)
-	{
+	public function testCustomPreviewUrl(
+		$input,
+		$expected,
+		bool $authenticated = true
+	): void {
 		$app = new App([
 			'roots' => [
 				'index' => '/dev/null'
 			],
 			'urls' => [
 				'index' => '/'
+			],
+			'users' => [
+				[
+					'id'    => 'test',
+					'email' => '[email protected]',
+					'role'  => 'editor'
+				]
+			],
+			'roles' => [
+				[
+					'id'    => 'editor',
+					'name'  => 'editor',
+				]
 			]
 		]);
 
+		// authenticate
+		if ($authenticated) {
+			$app->impersonate('[email protected]');
+		}
+
 		$options = [];
 
 		if ($input !== null) {