feat: add phpMyFAQ recent news widget to admin dashboard

thorsten · thorsten · commit 7d753c719adb · 2026-03-13T16:30:27.000+01:00
Add a full-width dashboard panel that fetches and displays recent news
from phpmyfaq.de via a server-side API proxy. News content is parsed
from markdown to HTML with relative links resolved against the
phpmyfaq.de base URL. The widget is controlled by a new
main.enableRecentNews configuration toggle (enabled by default).
diff --git a/phpmyfaq/admin/assets/src/dashboard.test.ts b/phpmyfaq/admin/assets/src/dashboard.test.ts
@@ -1,5 +1,5 @@
 import { beforeEach, afterEach, describe, expect, it, vi } from 'vitest';
-import { getLatestVersion } from './dashboard';
+import { getLatestVersion, fetchRecentNews, parseNewsMarkdown } from './dashboard';
 
 vi.mock('masonry-layout', () => ({
   default: vi.fn(),
@@ -65,3 +65,160 @@ describe('dashboard getLatestVersion', () => {
     expect(alert?.textContent).not.toBeNull();
   });
 });
+
+describe('parseNewsMarkdown', () => {
+  it('converts markdown links with absolute URLs', () => {
+    const result = parseNewsMarkdown('Check [our site](https://example.com) now');
+    expect(result).toContain('<a href="https://example.com" target="_blank" rel="noopener noreferrer">our site</a>');
+  });
+
+  it('resolves relative URLs against phpmyfaq.de base', () => {
+    const result = parseNewsMarkdown('See [downloads](/download)');
+    expect(result).toContain(
+      '<a href="https://www.phpmyfaq.de/download" target="_blank" rel="noopener noreferrer">downloads</a>'
+    );
+  });
+
+  it('resolves relative URLs without leading slash', () => {
+    const result = parseNewsMarkdown('See [news](news/latest)');
+    expect(result).toContain(
+      '<a href="https://www.phpmyfaq.de/news/latest" target="_blank" rel="noopener noreferrer">news</a>'
+    );
+  });
+
+  it('converts bold markdown', () => {
+    const result = parseNewsMarkdown('This is **important** text');
+    expect(result).toContain('<strong>important</strong>');
+  });
+
+  it('converts italic markdown', () => {
+    const result = parseNewsMarkdown('This is *italic* text');
+    expect(result).toContain('<em>italic</em>');
+  });
+
+  it('escapes HTML entities to prevent XSS', () => {
+    const result = parseNewsMarkdown('<script>alert("xss")</script>');
+    expect(result).not.toContain('<script>');
+    expect(result).toContain('&lt;script&gt;');
+  });
+
+  it('returns plain text when no markdown is present', () => {
+    const result = parseNewsMarkdown('Just plain text');
+    expect(result).toBe('Just plain text');
+  });
+});
+
+describe('fetchRecentNews', () => {
+  beforeEach(() => {
+    document.body.innerHTML = `
+      <div id="pmf-news-loader" class="d-none"></div>
+      <div id="pmf-recent-news"></div>
+    `;
+  });
+
+  afterEach(() => {
+    document.body.innerHTML = '';
+    vi.unstubAllGlobals();
+    vi.clearAllMocks();
+  });
+
+  it('does nothing when container element is missing', async () => {
+    document.body.innerHTML = '';
+    const fetchMock = vi.fn();
+    vi.stubGlobal('fetch', fetchMock);
+
+    await fetchRecentNews();
+
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it('renders news items on successful response', async () => {
+    const fetchMock = vi.fn().mockResolvedValue({
+      ok: true,
+      json: vi.fn().mockResolvedValue({
+        news: [
+          { date: '2026-03-10', content: 'phpMyFAQ **4.2** released' },
+          { date: '2026-03-01', content: 'Check [downloads](/download)' },
+        ],
+      }),
+    });
+    vi.stubGlobal('fetch', fetchMock);
+
+    await fetchRecentNews();
+
+    const container = document.getElementById('pmf-recent-news') as HTMLDivElement;
+    const items = container.querySelectorAll('li');
+    expect(items.length).toBe(2);
+    expect(items[0].querySelector('small')?.textContent).toBe('2026-03-10');
+    expect(items[0].querySelector('span')?.innerHTML).toContain('<strong>4.2</strong>');
+    expect(items[1].querySelector('span')?.innerHTML).toContain('href="https://www.phpmyfaq.de/download"');
+  });
+
+  it('limits displayed news to 5 items', async () => {
+    const news = Array.from({ length: 8 }, (_, i) => ({
+      date: `2026-03-${String(i + 1).padStart(2, '0')}`,
+      content: `News item ${i + 1}`,
+    }));
+    const fetchMock = vi.fn().mockResolvedValue({
+      ok: true,
+      json: vi.fn().mockResolvedValue({ news }),
+    });
+    vi.stubGlobal('fetch', fetchMock);
+
+    await fetchRecentNews();
+
+    const container = document.getElementById('pmf-recent-news') as HTMLDivElement;
+    expect(container.querySelectorAll('li').length).toBe(5);
+  });
+
+  it('shows fallback message when news array is empty', async () => {
+    const fetchMock = vi.fn().mockResolvedValue({
+      ok: true,
+      json: vi.fn().mockResolvedValue({ news: [] }),
+    });
+    vi.stubGlobal('fetch', fetchMock);
+
+    await fetchRecentNews();
+
+    const container = document.getElementById('pmf-recent-news') as HTMLDivElement;
+    expect(container.textContent).toContain('No recent news available.');
+  });
+
+  it('shows error message when response is not ok', async () => {
+    const fetchMock = vi.fn().mockResolvedValue({
+      ok: false,
+      json: vi.fn().mockResolvedValue({ error: 'disabled' }),
+    });
+    vi.stubGlobal('fetch', fetchMock);
+
+    await fetchRecentNews();
+
+    const container = document.getElementById('pmf-recent-news') as HTMLDivElement;
+    expect(container.textContent).toContain('Could not load news.');
+  });
+
+  it('shows error message on fetch failure', async () => {
+    const fetchMock = vi.fn().mockRejectedValue(new Error('Network error'));
+    vi.stubGlobal('fetch', fetchMock);
+
+    await fetchRecentNews();
+
+    const container = document.getElementById('pmf-recent-news') as HTMLDivElement;
+    expect(container.textContent).toContain('Could not load news.');
+    const loader = document.getElementById('pmf-news-loader') as HTMLDivElement;
+    expect(loader.classList.contains('d-none')).toBe(true);
+  });
+
+  it('hides loader after successful fetch', async () => {
+    const fetchMock = vi.fn().mockResolvedValue({
+      ok: true,
+      json: vi.fn().mockResolvedValue({ news: [{ date: '2026-03-10', content: 'Test' }] }),
+    });
+    vi.stubGlobal('fetch', fetchMock);
+
+    await fetchRecentNews();
+
+    const loader = document.getElementById('pmf-news-loader') as HTMLDivElement;
+    expect(loader.classList.contains('d-none')).toBe(true);
+  });
+});
diff --git a/phpmyfaq/admin/assets/src/dashboard.ts b/phpmyfaq/admin/assets/src/dashboard.ts
@@ -400,6 +400,101 @@ export const getLatestVersion = async (): Promise<void> => {
   }
 };
 
+export const parseNewsMarkdown = (markdown: string): string => {
+  const baseUrl = 'https://www.phpmyfaq.de';
+
+  let html = markdown
+    // Escape HTML entities first to prevent XSS
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;');
+
+  // Parse markdown links [text](url) — resolve relative URLs against base
+  html = html.replace(/\[([^\]]+)\]\(([^)]+)\)/g, (_match: string, text: string, url: string) => {
+    const resolvedUrl =
+      url.startsWith('http://') || url.startsWith('https://')
+        ? url
+        : `${baseUrl}${url.startsWith('/') ? '' : '/'}${url}`;
+    return `<a href="${resolvedUrl}" target="_blank" rel="noopener noreferrer">${text}</a>`;
+  });
+
+  // Bold **text**
+  html = html.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
+
+  // Italic *text*
+  html = html.replace(/\*([^*]+)\*/g, '<em>$1</em>');
+
+  return html;
+};
+
+export const fetchRecentNews = async (): Promise<void> => {
+  const container = document.getElementById('pmf-recent-news') as HTMLDivElement | null;
+  const loader = document.getElementById('pmf-news-loader') as HTMLDivElement | null;
+
+  if (!container) {
+    return;
+  }
+
+  if (loader) {
+    loader.classList.remove('d-none');
+  }
+
+  try {
+    const response = await fetch('./api/dashboard/news', {
+      method: 'GET',
+      cache: 'no-cache',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      redirect: 'follow',
+      referrerPolicy: 'no-referrer',
+    });
+
+    if (loader) {
+      loader.classList.add('d-none');
+    }
+
+    if (response.ok) {
+      const data: { news?: { date: string; content: string }[] } = await response.json();
+      const news = (data.news ?? []).slice(0, 5);
+
+      if (news.length === 0) {
+        container.innerHTML = '<p class="text-muted mb-0">No recent news available.</p>';
+        return;
+      }
+
+      const list = document.createElement('ul');
+      list.className = 'list-unstyled';
+
+      for (const item of news) {
+        const li = document.createElement('li');
+        li.className = 'mb-2';
+
+        const dateSpan = document.createElement('small');
+        dateSpan.className = 'text-muted d-block border-bottom mb-2';
+        dateSpan.textContent = item.date;
+
+        const contentSpan = document.createElement('span');
+        contentSpan.innerHTML = parseNewsMarkdown(item.content);
+
+        li.appendChild(dateSpan);
+        li.appendChild(contentSpan);
+        list.appendChild(li);
+      }
+
+      container.appendChild(list);
+    } else {
+      container.innerHTML = '<p class="text-muted mb-0">Could not load news.</p>';
+    }
+  } catch {
+    if (loader) {
+      loader.classList.add('d-none');
+    }
+    container.innerHTML = '<p class="text-muted mb-0">Could not load news.</p>';
+  }
+};
+
 export const handleVerificationModal = async (): Promise<void> => {
   const verificationModal = document.getElementById('verificationModal') as HTMLDivElement;
   const Translator = new TranslationService();
diff --git a/phpmyfaq/admin/assets/src/index.ts b/phpmyfaq/admin/assets/src/index.ts
@@ -13,7 +13,13 @@
  * @since     2019-12-20
  */
 
-import { getLatestVersion, renderVisitorCharts, renderTopTenCharts, handleVerificationModal } from './dashboard';
+import {
+  fetchRecentNews,
+  getLatestVersion,
+  renderVisitorCharts,
+  renderTopTenCharts,
+  handleVerificationModal,
+} from './dashboard';
 import {
   handleClearRatings,
   handleClearVisits,
@@ -101,6 +107,7 @@ document.addEventListener('DOMContentLoaded', async (): Promise<void> => {
   await renderTopTenCharts();
   await getLatestVersion();
   await handleVerificationModal();
+  await fetchRecentNews();
 
   // User → User Management
   await handleUsers();
diff --git a/phpmyfaq/assets/templates/admin/dashboard.twig b/phpmyfaq/assets/templates/admin/dashboard.twig
@@ -394,6 +394,26 @@
 
   </section>
 
+  {% if hasRecentNews %}
+    <section class="row mb-4">
+      <div class="col-12">
+        <div class="card shadow">
+          <h5 class="card-header py-3">
+            <i aria-hidden="true" class="bi bi-newspaper"></i> {{ 'ad_pmf_news' | translate }}
+          </h5>
+          <div class="card-body">
+            <div class="d-flex justify-content-center d-none" id="pmf-news-loader">
+              <div class="spinner-border text-secondary" role="status">
+                <span class="visually-hidden">Loading...</span>
+              </div>
+            </div>
+            <div id="pmf-recent-news"></div>
+          </div>
+        </div>
+      </div>
+    </section>
+  {% endif %}
+
   <!-- Verification Modal -->
   <div class="modal fade" id="verificationModal" tabindex="-1" aria-labelledby="verificationModalLabel"
        data-pmf-current-version="{{ currentVersionApp }}" aria-hidden="true">
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/DashboardController.php b/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/DashboardController.php
@@ -27,6 +27,7 @@
 use phpMyFAQ\Faq;
 use phpMyFAQ\System;
 use phpMyFAQ\Translation;
+use Symfony\Component\HttpClient\HttpClient;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -122,4 +123,35 @@ public function topTen(): JsonResponse
 
         return $this->json(['error' => 'User tracking is disabled.'], 400);
     }
+
+    /**
+     * @throws Exception
+     */
+    #[Route(path: 'dashboard/news', name: 'admin.api.dashboard.news', methods: ['GET'])]
+    public function news(): JsonResponse
+    {
+        $this->userIsAuthenticated();
+
+        if (!$this->configuration->get(item: 'main.enableRecentNews')) {
+            return $this->json(['error' => 'Recent news is disabled.'], Response::HTTP_FORBIDDEN);
+        }
+
+        try {
+            $httpClient = HttpClient::create(['max_redirects' => 2, 'timeout' => 10]);
+            $response = $httpClient->request('GET', 'https://www.phpmyfaq.de/api/news/recent');
+
+            if ($response->getStatusCode() === Response::HTTP_OK) {
+                $data = $response->toArray(throw: false);
+                if (isset($data['news']) && is_array($data['news'])) {
+                    $data['news'] = array_slice($data['news'], 0, 5);
+                }
+
+                return $this->json($data);
+            }
+
+            return $this->json(['error' => 'Failed to fetch news.'], Response::HTTP_BAD_GATEWAY);
+        } catch (TransportExceptionInterface $exception) {
+            return $this->json(['error' => $exception->getMessage()], Response::HTTP_BAD_GATEWAY);
+        }
+    }
 }
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Administration/DashboardController.php b/phpmyfaq/src/phpMyFAQ/Controller/Administration/DashboardController.php
@@ -96,6 +96,7 @@ public function index(Request $request): Response
             'lastBackupDate' => $backupInfo['lastBackupDate'],
             'isBackupOlderThan30Days' => $backupInfo['isBackupOlderThan30Days'],
             'adminDashboardLatestUsers' => $this->latestUsers->getList(limit: 5),
+            'hasRecentNews' => $this->configuration->get(item: 'main.enableRecentNews'),
         ];
 
         if (version_compare($this->configuration->getVersion(), System::getVersion(), operator: '<')) {
diff --git a/phpmyfaq/src/phpMyFAQ/Setup/Migration/Versions/Migration420Alpha.php b/phpmyfaq/src/phpMyFAQ/Setup/Migration/Versions/Migration420Alpha.php
@@ -851,6 +851,9 @@ public function up(OperationRecorder $recorder): void
         $recorder->addConfig('oauth2.refreshTokenTTL', 'P1M');
         $recorder->addConfig('oauth2.authCodeTTL', 'PT10M');
 
+        // Recent news widget
+        $recorder->addConfig('main.enableRecentNews', 'true');
+
         // OAuth2 storage tables
         if ($this->isMySql()) {
             $recorder->addSql(sprintf(
diff --git a/phpmyfaq/translations/language_en.php b/phpmyfaq/translations/language_en.php
@@ -781,6 +781,7 @@
 $PMF_LANG['msgAllCatArticles'] = 'Records in this category';
 $PMF_LANG['msgTagSearch'] = 'Tagged entries';
 $PMF_LANG['ad_pmf_info'] = 'phpMyFAQ Information';
+$PMF_LANG['ad_pmf_news'] = 'phpMyFAQ News';
 $PMF_LANG['msgOnlineVersionCheck'] = 'Online version check';
 $PMF_LANG['ad_system_info'] = 'System Information';
 
@@ -1623,6 +1624,7 @@
 
 $PMF_LANG["msgCommentEditorHint"] = "You can use the text editor to format your comment with bold, italic, lists, and links.";
 $LANG_CONF['main.enableCommentEditor'] = ["checkbox", "Enable WYSIWYG editor for comments (logged-in users only)"];
+$LANG_CONF['main.enableRecentNews'] = ['checkbox', 'Enable recent phpMyFAQ news on dashboard'];
 $PMF_LANG["msgToggleSidebar"] = "Toggle sidebar";
 $PMF_LANG['msgFleschReadingEase'] = 'Readability Score';
 $PMF_LANG['msgFleschTooltip'] = 'The Flesch Reading Ease score measures how easy your text is to read. Higher scores mean easier reading. Aim for 60-70 for general audiences.';
diff --git a/tests/phpMyFAQ/Controller/Administration/Api/DashboardControllerTest.php b/tests/phpMyFAQ/Controller/Administration/Api/DashboardControllerTest.php
diff --git a/tests/phpMyFAQ/Controller/Administration/DashboardControllerTest.php b/tests/phpMyFAQ/Controller/Administration/DashboardControllerTest.php
diff --git a/tests/phpMyFAQ/Strings/AbstractStringTest.php b/tests/phpMyFAQ/Strings/AbstractStringTest.php
