Merge commit from fork

fritzmg · web-flow · commit e75f46b11974 · 2025-08-28T11:34:26.000+02:00
diff --git a/news-bundle/config/services.yaml b/news-bundle/config/services.yaml
@@ -67,6 +67,7 @@ services:
             - '%kernel.project_dir%'
             - '@contao.cache.entity_tags'
             - '%kernel.charset%'
+            - '@security.helper'
 
     contao_news.listener.preview_url_convert:
         class: Contao\NewsBundle\EventListener\PreviewUrlConvertListener
diff --git a/news-bundle/src/EventListener/NewsFeedListener.php b/news-bundle/src/EventListener/NewsFeedListener.php
@@ -19,9 +19,11 @@
 use Contao\CoreBundle\Image\ImageFactoryInterface;
 use Contao\CoreBundle\InsertTag\InsertTagParser;
 use Contao\CoreBundle\Routing\ContentUrlGenerator;
+use Contao\CoreBundle\Security\ContaoCorePermissions;
 use Contao\Environment;
 use Contao\File;
 use Contao\FilesModel;
+use Contao\NewsArchiveModel;
 use Contao\NewsBundle\Event\FetchArticlesForFeedEvent;
 use Contao\NewsBundle\Event\TransformArticleForFeedEvent;
 use Contao\NewsModel;
@@ -35,6 +37,7 @@
 use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
 use Symfony\Component\Filesystem\Path;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 
 /**
  * @internal
@@ -49,14 +52,15 @@ public function __construct(
         private readonly string $projectDir,
         private readonly EntityCacheTags $cacheTags,
         private readonly string $charset,
+        private readonly AuthorizationCheckerInterface $authorizationChecker,
     ) {
     }
 
     #[AsEventListener(FetchArticlesForFeedEvent::class)]
     public function onFetchArticlesForFeed(FetchArticlesForFeedEvent $event): void
     {
         $pageModel = $event->getPageModel();
-        $archives = StringUtil::deserialize($pageModel->newsArchives, true);
+        $archives = $this->sortOutProtected(StringUtil::deserialize($pageModel->newsArchives, true));
 
         $featured = match ($pageModel->feedFeatured) {
             'featured' => true,
@@ -197,4 +201,25 @@ private function getEnclosures(NewsModel $article, TransformArticleForFeedEvent
 
         return $enclosures;
     }
+
+    /**
+     * @param list<int> $archiveIds
+     *
+     * @return list<int>
+     */
+    private function sortOutProtected(array $archiveIds): array
+    {
+        $newsArchiveModel = $this->framework->getAdapter(NewsArchiveModel::class);
+        $allowedIds = [];
+
+        foreach ($newsArchiveModel->findMultipleByIds($archiveIds) ?? [] as $archive) {
+            if ($archive->protected && !$this->authorizationChecker->isGranted(ContaoCorePermissions::MEMBER_IN_GROUPS, $archive->groups)) {
+                continue;
+            }
+
+            $allowedIds[] = (int) $archive->id;
+        }
+
+        return $allowedIds;
+    }
 }
diff --git a/news-bundle/tests/EventListener/NewsFeedListenerTest.php b/news-bundle/tests/EventListener/NewsFeedListenerTest.php
@@ -23,6 +23,7 @@
 use Contao\FilesModel;
 use Contao\Image\ImageInterface;
 use Contao\Model\Collection;
+use Contao\NewsArchiveModel;
 use Contao\NewsBundle\Event\FetchArticlesForFeedEvent;
 use Contao\NewsBundle\Event\TransformArticleForFeedEvent;
 use Contao\NewsBundle\EventListener\NewsFeedListener;
@@ -38,6 +39,7 @@
 use Symfony\Component\Filesystem\Path;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 
 class NewsFeedListenerTest extends ContaoTestCase
 {
@@ -57,6 +59,8 @@ public function testFetchesArticlesFromArchives(string $feedFeatured, bool|null
         $imageFactory = $this->createMock(ImageFactoryInterface::class);
         $cacheTags = $this->createMock(EntityCacheTags::class);
         $newsModel = $this->createMock(NewsModel::class);
+        $normalArchive = $this->mockClassWithProperties(NewsArchiveModel::class, ['id' => 1, 'protected' => 0]);
+        $protectedArchive = $this->mockClassWithProperties(NewsArchiveModel::class, ['id' => 2, 'protected' => 1]);
 
         $collection = $this->createMock(Collection::class);
         $collection
@@ -73,20 +77,35 @@ public function testFetchesArticlesFromArchives(string $feedFeatured, bool|null
             ->willReturn($collection)
         ;
 
-        $framework = $this->mockContaoFramework([NewsModel::class => $newsAdapter]);
+        $newsArchiveAdapter = $this->mockAdapter(['findMultipleByIds']);
+        $newsArchiveAdapter
+            ->expects($this->once())
+            ->method('findMultipleByIds')
+            ->with([1, 2])
+            ->willReturn(new Collection([$normalArchive, $protectedArchive], 'tl_news_archive'))
+        ;
+
+        $framework = $this->mockContaoFramework([NewsModel::class => $newsAdapter, NewsArchiveModel::class => $newsArchiveAdapter]);
         $feed = $this->createMock(Feed::class);
         $request = $this->createMock(Request::class);
         $urlGenerator = $this->createMock(ContentUrlGenerator::class);
 
+        $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authorizationChecker
+            ->expects($this->once())
+            ->method('isGranted')
+            ->willReturn(false)
+        ;
+
         $pageModel = $this->mockClassWithProperties(PageModel::class, [
-            'newsArchives' => serialize([1]),
+            'newsArchives' => serialize([1, 2]),
             'feedFeatured' => $feedFeatured,
             'maxFeedItems' => 0,
         ]);
 
         $event = new FetchArticlesForFeedEvent($feed, $request, $pageModel);
 
-        $listener = new NewsFeedListener($framework, $imageFactory, $urlGenerator, $insertTags, $this->getTempDir(), $cacheTags, 'UTF-8');
+        $listener = new NewsFeedListener($framework, $imageFactory, $urlGenerator, $insertTags, $this->getTempDir(), $cacheTags, 'UTF-8', $authorizationChecker);
         $listener->onFetchArticlesForFeed($event);
 
         $this->assertSame([$newsModel], $event->getArticles());
@@ -211,6 +230,7 @@ public function testTransformsArticlesToFeedItems(string $feedSource, array $hea
 
         $feed = $this->createMock(Feed::class);
         $cacheTags = $this->createMock(EntityCacheTags::class);
+        $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
 
         $urlGenerator = $this->createMock(ContentUrlGenerator::class);
         $urlGenerator
@@ -229,7 +249,7 @@ public function testTransformsArticlesToFeedItems(string $feedSource, array $hea
         $baseUrl = 'example.org';
         $event = new TransformArticleForFeedEvent($article, $feed, $pageModel, $request, $baseUrl);
 
-        $listener = new NewsFeedListener($framework, $imageFactory, $urlGenerator, $insertTags, $this->getTempDir(), $cacheTags, 'UTF-8');
+        $listener = new NewsFeedListener($framework, $imageFactory, $urlGenerator, $insertTags, $this->getTempDir(), $cacheTags, 'UTF-8', $authorizationChecker);
         $listener->onTransformArticleForFeed($event);
 
         $item = $event->getItem();
