Return fragment of HTML from govspeak POSTed to /preview

Author: edavey

.rubocop.yml

@@ -48,3 +48,4 @@ Lint/MissingSuper:
 Rails/SaveBang:
   Exclude:
     - 'Rakefile'
+    - 'test/test_helper.rb'

app/controllers/admin/preview_controller.rb

@@ -0,0 +1,11 @@
+class Admin::PreviewController < Admin::BaseController
+  include GovspeakPreviewHelper
+
+  def preview
+    if Govspeak::HtmlValidator.new(params[:body]).valid?
+      render layout: false
+    else
+      render plain: "Content contains possible XSS exploits", status: :forbidden
+    end
+  end
+end

app/views/admin/preview/preview.html.erb

@@ -0,0 +1,10 @@
+<section>
+  <article class="document">
+    <div class="body">
+      <%= govspeak_to_html(
+        params[:body],
+        preview: true,
+       ) %>
+    </div>
+  </article>
+</section>

test/controllers/admin/preview_controller_test.rb

@@ -0,0 +1,19 @@
+require "test_helper"
+
+class Admin::PreviewControllerTest < ActionController::TestCase
+  setup do
+    login_as :writer
+  end
+
+  should_be_an_admin_controller
+
+  view_test "renders the body param using govspeak into a document body template" do
+    post :preview, params: { body: "# gov speak" }
+    assert_select ".document .body h1", "gov speak"
+  end
+
+  test "preview returns a 403 if the content contains potential XSS exploits" do
+    post :preview, params: { body: "<script>alert('woah');</script>" }
+    assert_response :forbidden
+  end
+end

test/support/controller_test_helpers.rb

@@ -0,0 +1,11 @@
+module ControllerTestHelpers
+  extend ActiveSupport::Concern
+
+  module ClassMethods
+    def should_be_an_admin_controller
+      test "should be an admin controller" do
+        assert @controller.is_a?(Admin::BaseController), "the controller should be an admin controller"
+      end
+    end
+  end
+end

test/support/view_rendering.rb

@@ -0,0 +1,141 @@
+# This is mostly taken from rspec.
+# Specifically: https://raw.github.com/rspec/rspec-rails/52493649d70754377b5e41be1c385a742f268bd7/lib/rspec/rails/view_rendering.rb
+# Helpers for optionally rendering views in controller specs.
+module ViewRendering
+  extend ActiveSupport::Concern
+
+  attr_accessor :controller
+
+  def render_views?
+    self.class.view_tests.include?(method_name)
+  end
+
+  module ClassMethods
+    def view_test(name, &block)
+      test(name, &block)
+      add_view_test("test_#{name.gsub(/\s+/, '_')}")
+    end
+
+    def view_tests
+      @view_tests ||= []
+    end
+
+    def add_view_test(test_name)
+      view_tests << test_name
+    end
+  end
+
+  class EmptyTemplateResolver
+    def self.build(path)
+      if path.is_a?(::ActionView::Resolver)
+        ResolverDecorator.new(path)
+      else
+        FileSystemResolver.new(path)
+      end
+    end
+
+    def self.nullify_template_rendering(templates)
+      templates.map do |template|
+        ::ActionView::Template.new(
+          "",
+          template.identifier,
+          EmptyTemplateHandler,
+          virtual_path: template.virtual_path,
+          format: template.format,
+          locals: [],
+        )
+      end
+    end
+
+    # Delegates all methods to the submitted resolver and for all methods
+    # that return a collection of `ActionView::Template` instances, return
+    # templates with modified source
+    class ResolverDecorator < ::ActionView::Resolver
+      (::ActionView::Resolver.instance_methods - Object.instance_methods).each do |method|
+        undef_method method
+      end
+
+      (::ActionView::Resolver.methods - Object.methods).each do |method|
+        singleton_class.undef_method method
+      end
+
+      # rubocop:disable Lint/MissingSuper
+      def initialize(resolver)
+        @resolver = resolver
+      end
+      # rubocop:enable Lint/MissingSuper
+
+      # rubocop:disable Style/MissingRespondToMissing
+      def method_missing(name, *args, &block)
+        result = @resolver.send(name, *args, &block)
+        nullify_templates(result)
+      end
+      # rubocop:enable Style/MissingRespondToMissing
+
+    private
+
+      def nullify_templates(collection)
+        return collection unless collection.is_a?(Enumerable)
+        return collection unless collection.all? { |element| element.is_a?(::ActionView::Template) }
+
+        EmptyTemplateResolver.nullify_template_rendering(collection)
+      end
+    end
+
+    # Delegates find_templates to the submitted path set and then returns
+    # templates with modified source
+    class FileSystemResolver < ::ActionView::FileSystemResolver
+    private
+
+      def find_templates(*args)
+        templates = super
+        EmptyTemplateResolver.nullify_template_rendering(templates)
+      end
+    end
+  end
+
+  class EmptyTemplateHandler
+    def self.call(_template, _source = nil)
+      ::Rails.logger.info("  Template rendering was prevented by rspec-rails. Use `render_views` to verify rendered view contents if necessary.")
+
+      %("")
+    end
+  end
+
+  # Used to null out view rendering in controller specs.
+  module EmptyTemplates
+    def prepend_view_path(new_path)
+      super(_path_decorator(*new_path))
+    end
+
+    def append_view_path(new_path)
+      super(_path_decorator(*new_path))
+    end
+
+  private
+
+    def _path_decorator(*paths)
+      paths.map { |path| EmptyTemplateResolver.build(path) }
+    end
+  end
+
+  RESOLVER_CACHE = Hash.new do |hash, path|
+    hash[path] = EmptyTemplateResolver.build(path)
+  end
+
+  included do
+    setup do
+      unless render_views?
+        @_original_path_set = controller.class.view_paths
+        path_set = @_original_path_set.map { |resolver| RESOLVER_CACHE[resolver] }
+
+        controller.class.view_paths = path_set
+        controller.extend(EmptyTemplates)
+      end
+    end
+
+    teardown do
+      controller.class.view_paths = @_original_path_set unless render_views?
+    end
+  end
+end

test/test_helper.rb

@@ -162,18 +162,18 @@ def fixture_path
 end
 
 class ActionController::TestCase
-  # include HtmlAssertions
+  include HtmlAssertions
   # include AdminControllerTestHelpers
   # include AdminEditionControllerTestHelpers
   # include AdminEditionControllerScheduledPublishingTestHelpers
   # include AdminEditionRolesBehaviour
   # include AdminEditionWorldLocationsBehaviour
   # include DocumentControllerTestHelpers
-  # include ControllerTestHelpers
+  include ControllerTestHelpers
   # include ResourceTestHelpers
   # include AtomTestHelpers
   # include CacheControlTestHelpers
-  # include ViewRendering
+  include ViewRendering
   #
   # include Admin::EditionRoutesHelper
 
@@ -194,8 +194,8 @@ class ActionController::TestCase
     stub_request(:get, %r{\A#{Plek.find('publishing-api')}/v2/expanded-links/}).to_return(body: { links: {} }.to_json)
   end
 
-  def login_as(role_or_user, organisation = nil)
-    @current_user = role_or_user.is_a?(Symbol) ? create(role_or_user, organisation:) : role_or_user
+  def login_as(role_or_user)
+    @current_user = role_or_user.is_a?(Symbol) ? create(role_or_user) : role_or_user
     request.env["warden"] = stub(authenticate!: true, authenticated?: true, user: @current_user)
     Current.user = @current_user
     @current_user