Bolt\Controller\Frontend::preview PHP Method

preview() public method

The controller action for previewing a record built from posted form data: the record is loaded by the posted `id` (or created fresh for the content type), overlaid with the posted fields, and rendered with the record template. The response is sent with `X-XSS-Protection: 0`, which turns off the legacy browser XSS auditor for that page.
public preview ( Request $request, string $contenttypeslug ) : TemplateResponse
$request Symfony\Component\HttpFoundation\Request The Symfony Request
$contenttypeslug string The content type slug
return Bolt\Response\TemplateResponse
    /**
     * Render a preview of a record assembled from the posted form data.
     *
     * When the body carries a truthy `id`, the existing record is fetched and
     * the posted fields are applied on top of it; otherwise a fresh record
     * object for the content type is used. The result is rendered with the
     * template the template chooser selects for that record.
     *
     * SECURITY NOTE(review): nothing in this method checks authentication or
     * a CSRF token; the justification given for the X-XSS-Protection header
     * below assumes both are enforced before this action runs (route /
     * firewall configuration is not visible here). Confirm that, because every
     * posted field is passed straight to setFromPost() with no filtering at
     * this layer.
     *
     * @param Request $request         The Symfony Request; posted fields are read from its body
     * @param string  $contenttypeslug The content type slug
     *
     * @return TemplateResponse
     */
    public function preview(Request $request, $contenttypeslug)
    {
        $contenttype = $this->getContentType($contenttypeslug);
        $posted = $request->request->all();
        $recordId = $request->request->get('id');

        // Truthy test, deliberately kept as in the original: an id of "0" or ""
        // counts as "no id" and falls through to a fresh record object.
        if ($recordId) {
            // '!undefined' presumably excludes records whose status is 'undefined'
            // (Bolt query syntax; not visible here). NOTE(review): the return value
            // is used unchecked, so whatever getContent() yields for an unknown id
            // will be handed to setFromPost() below.
            $lookup = ['id' => $recordId, 'returnsingle' => true, 'status' => '!undefined'];
            $content = $this->storage()->getContent($contenttype['slug'], $lookup);
        } else {
            $content = $this->storage()->getContentObject($contenttypeslug);
        }

        // Overlay the posted fields on the record (mass assignment of the whole body).
        $content->setFromPost($posted, $contenttype);

        // Per Symfony, Request::get() consults route attributes and the query string
        // as well as the body, so this flag can arrive through any of them.
        $liveEditorFlag = $request->get('_live-editor-preview');
        if (!empty($liveEditorFlag)) {
            // Assets for the in-page editor: CKEditor, its stylesheet, and a flag
            // script that is placed before the other head JS.
            $editorScript = (new JavaScript('js/ckeditor/ckeditor.js', 'bolt'))
                ->setPriority(1)
                ->setLate(false);
            $editorStyles = (new Stylesheet('css/liveeditor.css', 'bolt'))
                ->setPriority(5)
                ->setLate(false);
            $editingFlag = (new Snippet())
                ->setCallback('<script>window.boltIsEditing = true;</script>')
                ->setLocation(Target::BEFORE_HEAD_JS);

            $snippetQueue = $this->app['asset.queue.snippet'];
            $fileQueue = $this->app['asset.queue.file'];
            $snippetQueue->add($editingFlag);
            $fileQueue->add($editorScript);
            $fileQueue->add($editorStyles);
        }

        // Pick the template via the cascading template rules for this record.
        $template = $this->templateChooser()->record($content);

        // Expose the record both as `record` and under the singular slug (e.g. `page`)
        // in the global scope, so menus and extension-rendered templates see it too.
        $globals = [
            'record' => $content,
            $contenttype['singular_slug'] => $content,
        ];
        $response = $this->render($template, [], $globals);

        // Opt out of the browser's reflected-XSS auditor so that embeds whose URL
        // also appears in the posted body (YouTube, Vimeo, Google Maps) are not
        // stripped from the preview. Caveats a reviewer should keep in mind:
        //   - Current browsers have dropped the auditor (Chrome removed it in v78),
        //     so on them this header is a no-op; `0` is also the value OWASP now
        //     recommends, because the auditor itself enabled side-channel leaks.
        //   - This is NOT a substitute for output escaping in the templates or
        //     for a Content-Security-Policy; it only switches off a heuristic.
        //   - The original rationale ("user must be logged in", "CSRF token
        //     ensures they only see their own posted preview") is not enforced
        //     in this method and must hold at the route/firewall level.
        // @see http://security.stackexchange.com/questions/53474/is-chrome-completely-secure-against-reflected-xss
        $response->headers->set('X-XSS-Protection', 0);

        return $response;
    }