Pull Request

Pull Request resolves #47370

• I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This PR implements a secure, time-limited token-based preview system that allows administrators to preview articles regardless of their publishing date or published state, even when "Shared Sessions" is disabled in Global Configuration.

Key changes:

1. Added a new database table #__content_preview_tokens to store preview tokens with expiration
2. Modified the preview link generation in the admin article view to include &preview=1 and a unique token
3. Added isAdminPreview() validation method in the frontend ArticleModel to verify valid preview requests
4. Bypassed publishing date and state filters for authenticated preview requests

Testing Instructions

Prerequisites:

• Joomla installation with "Shared Sessions" disabled (Global Configuration → System → Session Settings → Shared Sessions = No)
• A user account with administrator privileges

Test Scenario 1: Future-dated article preview

1. Create a new article with "Start Publishing" set to tomorrow's date
2. Click the Preview button from the article edit form
3. ✅ Verify the article preview displays correctly (not a 404 error)

Test Scenario 2: Unpublished article preview

1. Create a new article and set its state to "Unpublished"
2. Click the Preview button from the article edit form
3. ✅ Verify the article preview displays correctly

Test Scenario 3: Regular frontend access (regression)

1. Access a published article normally (without preview=1 parameter)
2. ✅ Verify the article displays normally with publishing date restrictions applied
3. Access a future-dated article normally
4. ✅ Verify the article shows a 404 (correct behavior for public users)

Actual result BEFORE applying this Pull Request

When "Shared Sessions" is disabled:

• Clicking Preview on a future-dated article displays a 404 - Article not found error
• Clicking Preview on an unpublished article displays a 404 - Article not found error
• Administrators must enable "Shared Sessions" for preview to work, which is not ideal for security-conscious sites

Expected result AFTER applying this Pull Request

When "Shared Sessions" is disabled:

• Clicking Preview on a future-dated article displays the article preview correctly
• Clicking Preview on an unpublished article displays the article preview correctly
• Security is maintained through time-limited, cryptographically secure tokens tied to user permissions

Implementation Details

1. New Database Table (#__content_preview_tokens)

CREATE TABLE IF NOT EXISTS `#__content_preview_tokens` (
    `id`         INT(11)      NOT NULL AUTO_INCREMENT,
    `token`      VARCHAR(64)  NOT NULL,
    `user_id`    INT(11)      NOT NULL,
    `article_id` INT(11)      NOT NULL,
    `expires`    DATETIME     NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY `idx_token` (`token`),
    KEY `idx_article` (`article_id`),
    KEY `idx_expires` (`expires`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE=utf8mb4_unicode_ci;

2. Token Generation (administrator/components/com_content/src/View/Article/HtmlView.php)

• Generates a cryptographically secure 32-character hex token using random_bytes(16)
• Token expires after 5 minutes (sufficient for preview, limits replay attacks)
• Automatically cleans up expired tokens from the database
• Appends &preview=1&preview_token={token} to both standard preview and accessibility (jooa11y) preview links

3. Token Validation (components/com_content/src/Model/ArticleModel.php)

• Checks for preview=1 parameter in the request
• Validates the token exists in the database, matches the article ID, and is not expired
• Verifies the user associated with the token has core.edit.state permission
• Returns true only if all validation passes

4. Filter Bypass Logic

• Date filters (publish_up/publish_down) are skipped when isAdminPreview() returns true
• State filters (published/unpublished) are skipped when isAdminPreview() returns true
• Post-query state validation is skipped when isAdminPreview() returns true

Security Considerations

Additional Notes

Testing performed:

• ✅ Future-dated article preview works with Shared Sessions disabled
• ✅ Unpublished article preview works with Shared Sessions disabled
• ✅ Expired tokens correctly return 404
• ✅ Regular frontend article access unaffected (regression test passed)
• ❌ Accessibility check (jooa11y) is not currently working with the same token mechanism, if this PR is accepted I might follow up with another PR to solve its issue.

Database installation:
The table creation query was tested via phpMyAdmin on an existing Joomla installation.

Note on branch targeting:
I understand that bug fixes are typically made against the 5.4 branch, while new features target 6.2. However, since my solution introduces a new database table and implements a token-based preview system (which adds new functionality to the core), I believe this could be a feature rather than a pure bug fix. Therefore, I have developed this against the 6.2 branch. If the maintainers prefer this to be backported or handled differently, I'm happy to adjust accordingly.

Link to documentations

Please select:

• Documentation link for guide.joomla.org:
• No documentation changes for guide.joomla.org needed
• Pull Request link for manual.joomla.org:
• No documentation changes for manual.joomla.org needed