adjust to createbundle security refactoring

Author: dbu

bundles/block/cache.rst

@@ -9,8 +9,8 @@ The Symfony2 CMF BlockBundle additionally provides its own adapters for:
 
 * `ESI`_
 * `SSI`_
-* Asynchronous javascript
-* Synchronous javascript
+* Asynchronous JavaScript
+* Synchronous JavaScript
 
 .. note::
 
@@ -145,14 +145,14 @@ is triggered:
 
     * The ESI and SSI adapter add a specific tag and a url to retrieve the
       block content;
-    * The javascript adapter adds javascript and a url to retrieve the block
+    * The JavaScript adapter adds JavaScript and a url to retrieve the block
       content.
 
   * If the cache element is not expired and has data it is returned.
 * The template is rendered:
 
   * For ESI and SSI the url is called to retrieve the block content
-  * For Javascript the browser calls a url and replaces a placeholder with the
+  * For JavaScript the browser calls a url and replaces a placeholder with the
   * returned block content
 
 .. note::
@@ -308,10 +308,10 @@ This extends the default SsiCache adapter of the SonataCacheBundle.
 See :ref:`the configuration reference <reference-config-block-caches-ssi>` to
 learn how to configure the ssi adapter.
 
-Javascript
+JavaScript
 ~~~~~~~~~~
 
-Renders the block using javascript, the page is loaded and not waiting for the
+Renders the block using JavaScript, the page is loaded and not waiting for the
 block to be finished rendering or retrieving data. The block is then
 asynchronously or synchronously loaded and added to the page.
 

bundles/block/introduction.rst

@@ -207,7 +207,7 @@ A block service contains:
 * Default settings;
 * Dorm configuration;
 * Cache configuration;
-* Javascript and stylesheet assets to be loaded;
+* JavaScript files and stylesheet assets to be loaded;
 * A load method.
 
 The block services provided by the Symfony2 CMF BlockBundle are in the
@@ -292,11 +292,11 @@ Cache Configuration
 The method ``getCacheKeys`` contains cache keys to be used for caching the
 block.
 
-Javascript and Stylesheets
+JavaScript and Stylesheets
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The methods ``getJavascripts`` and ``getStylesheets`` can be used to define
-javascript and stylesheet assets needed by a block. Use the twig helpers
+The methods ``getJavaScripts`` and ``getStylesheets`` can be used to define
+JavaScript and stylesheet assets needed by a block. Use the twig helpers
 ``sonata_block_include_javascripts`` and ``sonata_block_include_stylesheets``
 to render them:
 
@@ -314,7 +314,7 @@ to render them:
 
 .. note::
 
-    This will output the javascripts and stylesheets for all blocks loaded in
+    This will output the JavaScript files and stylesheets for all blocks loaded in
     the service container of your application.
 
 The Load Method

bundles/block/types.rst

@@ -21,8 +21,8 @@ Publish Workflow Interfaces
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The ``AbstractBlock`` implements the write interfaces for publishable and
-publish time period, see the 
-:doc:`publish workflow documentation <../core/publish_workflow>` for more 
+publish time period, see the
+:doc:`publish workflow documentation <../core/publish_workflow>` for more
 information.
 
 Sonata Admin
@@ -275,15 +275,15 @@ SlideshowBlock
 
 The ``SlideshowBlock`` is a special kind of ``ContainerBlock``. It can contain
 any kind of blocks that will be rendered with a wrapper div to help a
-javascript slideshow library to slide them.
+JavaScript slideshow library to slide them.
 
 The ``ImagineBlock`` is particularly suited if you want to do an image
 slideshow, but the ``SlideshowBlock`` can handle any kind of blocks, also mixed
 types of blocks in the same slideshow.
 
 .. note::
 
-    This bundle does not attempt to provide a javascript library for animating
+    This bundle does not attempt to provide a JavaScript library for animating
     the slideshow. Chose your preferred library that plays well with the rest
     of your site and hook it on the slideshows. (See also below).
 
@@ -341,7 +341,7 @@ Make the slideshow work in the frontend
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Since the BlockBundle doesn't contain anything to make the slideshow work
-in the frontend, you need to do this yourself. Use your favourite javascript
+in the frontend, you need to do this yourself. Use your favourite JavaScript
 library to make the slideshow interactive. If special markup is needed for
 your slideshow code to work, you can override
 ``BlockBundle:Block:block_slideshow.html.twig`` and/or the templates of the

bundles/create/developing-hallo.rst

@@ -36,7 +36,7 @@ To use this template, specify ``hallo-coffee`` as editor in the
         ) ?>
 
 The hallo-coffee template uses assetic to load the coffee script files from
-``Resources/public/vendor/hallo/src``, rather than the precompiled javascript
+``Resources/public/vendor/hallo/src``, rather than the precompiled JavaScript
 from ``Resources/public/vendor/create/deps/hallo-min.js``. This also means
 that you need to add a mapping for coffeescript in your assetic configuration
 and you need the `coffee compiler set up correctly`_.

bundles/create/introduction.rst

@@ -9,7 +9,7 @@ CreateBundle
     applications. It integrates create.js and the CreatePHP library into
     Symfony2.
 
-The javascript library `create.js`_ provides a comprehensive web editing
+The JavaScript library `create.js`_ provides a comprehensive web editing
 interface for Content Management Systems. It is designed to provide a modern,
 fully browser-based HTML5 environment for managing content. Create.js can be
 adapted to work on almost any content management backend. Create.js makes your
@@ -88,7 +88,7 @@ Installation
 You can install this bundle `with composer`_ using the
 `symfony-cmf/create-bundle`_ package.
 
-Additionally, you will need to provide the javascript libraries. The standard
+Additionally, you will need to provide the JavaScript libraries. The standard
 way to do this is to add a ``scripts`` section in your ``composer.json`` to
 have the CreateBundle download the necessary libraries:
 
@@ -187,7 +187,7 @@ You also need to configure the FOSRestBundle to handle json:
             ),
         ));
 
-If you want to use Assetic to combine the CSS and Javascript used for
+If you want to use Assetic to combine the CSS and JavaScript used for
 create.js, you need to enable the CreateBundle in the assetic configuration.
 Find the configuration for ``assetic.bundles``. If it is not present, assetic
 automatically scans all bundles for assets and you don't need to do anything.
@@ -274,29 +274,52 @@ additionally need to register the route for the image upload handler:
 
         return $collection;
 
+.. _bundle_create_introduction_access_control:
+
 Access Control
 ~~~~~~~~~~~~~~
 
 In order to limit who can edit content, the provided controllers as well as the
-javascript loader check if the current user is granted the configured
-``cmf_create.role``. By default the role is ``ROLE_ADMIN``.
+JavaScript loader check if the current user is granted the configured
+``cmf_create.security.role``. By default the role is ``ROLE_ADMIN``.
 
 .. tip::
 
     In order to have security in place, you need to configure a
     "Symfony2 firewall". Read more in the `Symfony2 security chapter`_.
+    If you do not do that, create.js will not be loaded and editing
+    will be disabled.
+
+    If you do not want to edit on the production domain directly, e.g.
+    because of caching, you can provide a second domain where you have
+    security configured and do the editing there.
+
+You can completely disable security checks by setting the role parameter to
+boolean ``false``. Then you need to configure access permissions on the routes
+defined in ``Resources/routing/rest.xml`` and, if activated, in ``image.xml``.
+If you set the role to false but do not configure any security,
+**every visitor of your site will be able to edit the content**.
+You also will need custom logic to decide whether to include the create.js
+JavaScript files.
+
+You can also use a custom security check service by implementing
+``Symfony\Cmf\Bundle\CreateBundle\Security\AccessCheckerInterface``
+and setting this service in ``cmf_create.security.checker_service``.
 
 If you need more fine grained access control, look into the CreatePHP
 ``RdfMapperInterface`` ``isEditable`` method.  You can extend a mapper and
 overwrite ``isEditable`` to answer whether the passed domain object is
 editable.
 
-Load create.js Javascript and CSS
+Load create.js JavaScript and CSS
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-This bundle provides templates that load the required Javascript and CSS files
-based on Assetic. The Javascript loader also parametrizes the configuration
-for create.js and the chosen editor.
+This bundle provides a template that loads the required CSS files, as well as
+a controller action that loads the necessary JavaScript *if* the current user
+is allowed to edit according to
+:ref:`the security configuration <bundle_create_introduction_access_control>`.
+The JavaScript loader also parametrizes the configuration for create.js and
+WYSIWYG editor.
 
 Alternatively, you can of course use your own templates to include the assets
 needed by create.js.
@@ -319,7 +342,7 @@ after those to be able to customize as needed) with:
     Make sure assetic is rewriting the paths in your CSS files properly or you
     might not see icon images.
 
-In your page bottom area load the javascripts. If you are using Symfony 2.2 or
+In your page bottom area, load the JavaScript files. If you are using Symfony 2.2 or
 higher, the method reads:
 
 .. configuration-block::
@@ -354,9 +377,15 @@ For Symfony 2.1, the syntax is:
             '_locale' => $app->getRequest()->getLocale(),
         ) ?>
 
+.. tip::
+
+    You can include this call unconditionally. The controller checks if the
+    current user is allowed to edit and only in that case includes the
+    JavaScript.
+
 .. note::
 
-    The provided javascript file configures create.js and the editor. If you
+    The provided JavaScript file configures create.js and the editor. If you
     use the hallo editor, a plugin is enabled to use the tag editor to edit
     ``skos:related`` collections of attributes. For customization of the editor
     configuration further, you will need to use a

bundles/create/other-editors.rst

@@ -36,7 +36,7 @@ Then re-run composer:
 
     $ php composer.phar run-scripts
 
-In your template, load the javascript files using:
+In your template, load the JavaScript files using:
 
 .. configuration-block::
 
@@ -85,7 +85,7 @@ Custom Editors
 --------------
 
 You can provide your own template to customize how to load CKEditor, hallo.js
-or a javascript editor not supported out of the box. The template has
+or a WYSIWYG editor not supported out of the box. The template has
 follow the naming pattern
 ``CmfCreateBundle::includejsfiles-%editor%.html.twig`` to be loaded. You custom
 file thus needs to reside in ``app/Resources/CmfCreateBundle/views/`` and has
@@ -118,4 +118,4 @@ editor parameter:
     help, please see the github issue for `aloha`_ integration.
 
 .. _`Aloha editor`: http://www.aloha-editor.org/
-.. _`aloha`: https://github.com/symfony-cmf/CreateBundle/issues/32
+.. _`aloha`: https://github.com/symfony-cmf/CreateBundle/issues/32

bundles/media/introduction.rst

@@ -235,7 +235,7 @@ is protected by the ``ROLE_CAN_UPLOAD_FILE`` role.
 
 The ``UploadFileHelper`` contains ``UploadEditorHelperInterface`` instances.
 This handles the response returned of the file upload depending on the web
-editing tool used and can be json, javascript or something else. Implement
+editing tool used and can be json, JavaScript or something else. Implement
 your own for specific needs, add it to the service configuration and tag the
 service with ``cmf_media.upload_editor_helper``, the tag alias is the editor
 helper name. The ``UploadFileHelper`` checks the request for the parameter

cookbook/handling_multilang_documents.rst

@@ -45,7 +45,7 @@ for an example.
     Whenever you do a sub-request, for example to call a controller from a twig
     template, do not forget to pass the ``app.request.locale`` along or you will
     lose the request locale and fall back to the default.
-    See for example the action to include the create.js javascript files in the
+    See for example the action to include the create.js JavaScript files in the
     :ref:`create.js reference <bundle-create-usage-embed>`.
 
 PHPCR-ODM multi-language Documents

reference/configuration/create.rst

@@ -18,34 +18,49 @@ Configuration
 Security
 ~~~~~~~~
 
-The controller that receives save requests from create.js requires the user to
-have a specific role to control who is allowed to edit content. As it would
+The controller that receives save requests from create.js does a security check
+to determine whether the current user is allowed to edit content. As it would
 not be convenient to show the create.js editor to users not allowed to edit the
-site, the controller loading the create.js javascripts with the
-``includeJSFilesAction`` also checks this role. If the image controller is
-activated, it checks for this role as well.
+site, the controller loading the create.js JavaScript files with the
+``includeJSFilesAction`` also uses the same security check, as does the image
+upload controller if it is activated.
 
+The default security check checks if the user has a specified role. If nothing
+is configured, the default role is ``ROLE_ADMIN``. If you set the parameter to
+boolean ``false``, every user will be allowed to save changes through the REST
+controller.
+
+A last option is to configure your own ``checker_service`` to be used instead
+of the role based check.
+
+For more information, see the
+:ref:`security section in the bundle doc <bundle_create_introduction_access_control>`.
 
 .. configuration-block::
 
     .. code-block:: yaml
 
         cmf_create:
-            role: ROLE_ADMIN
+            security:
+                role: ROLE_ADMIN
+                checker_service: ~
 
     .. code-block:: xml
 
         <?xml version="1.0" charset="UTF-8" ?>
         <container xmlns="http://symfony.com/schema/dic/services">
-            <config xmlns="http://cmf.symfony.com/schema/dic/create"
-                role="ROLE_ADMIN"
-            />
+            <config xmlns="http://cmf.symfony.com/schema/dic/create">
+                <security role="ROLE_ADMIN" checker-service="null"/>
+            <config/>
         </container>
 
     .. code-block:: php
 
         $container->loadFromExtension('cmf_create', array(
-            'role' => 'ROLE_ADMIN',
+            'security' => array(
+                'role' => 'ROLE_ADMIN',
+                'checker_service' => null,
+            ),
         ));
 
 .. _config-create-persistence: