Add way to view unpublished or protected source content

+++ b/sources/content/src/Plugin/tmgmt/Source/ContentEntitySource.php
@@ -49,10 +50,26 @@ class ContentEntitySource extends SourcePluginBase implements SourcePreviewInter
+        'hostname' => \Drupal::request()->getClientIP(),
...
+      if ($url && $anonymous_access && !$entity->access('view', $anonymous)) {

Hm, if we pass this URL to a TSP, the client that will access this URL will not be the getClientIP, because initially this is the service interacting and later just the user browser. Does this still work?

We might want to have some client with different IP in test? (Simpletest might be a bit limited here.) Or some other thing accessing that still gets a 403 if still possible.

You are just testing the API. Yeah the default preview link seems to be fine without this access.
Important followup: Offer an item preview link in local translator!

Needs consideration or even discussion with Berdir.

1. +++ b/sources/content/src/Plugin/tmgmt/Source/ContentEntitySource.php
   @@ -49,10 +50,26 @@ class ContentEntitySource extends SourcePluginBase implements SourcePreviewInter
   +      $values = [
   +        'uid' => 0,
   +        'hostname' => \Drupal::request()->getClientIP(),
   +        'roles' => [RoleInterface::ANONYMOUS_ID],
   +      ];
   +      $anonymous = new UserSession($values);
   

   Not sure where you have this snippet from, UserSession doesn't have a hostname (anymore). And all other values are the default anyway.

   Also, there's an AnonymousUserSession object, which doesn't actually do anything special. But you can should still use it. $anonymous = new AnonymousUserSession();

2. +++ b/sources/content/src/Plugin/tmgmt/Source/ContentEntitySource.php
   @@ -49,10 +50,26 @@ class ContentEntitySource extends SourcePluginBase implements SourcePreviewInter
   +      if ($url && $anonymous_access && !$entity->access('view', $anonymous)) {
   

   I'm not sure we need $anonymous_access. I'd just implement it so that we always return the key. It doesn't hurt anyone if it's there as well for logged in users....

   Uh. Except when it isn't. I'm wondering if it's a feature or a (security) bug when reviewers can see unpublished content. It's not just this, they can see the data anyway.

   Don't create a new url object, just use setOption('query', ...).

   Also note that this will conflict with #2668378: Fatal error with a content entity source without canonical link template

3. +++ b/sources/content/src/Tests/ContentEntitySourceUiTest.php
   @@ -538,4 +536,27 @@ class ContentEntitySourceUiTest extends EntityTestBase {
   +    $this->drupalGet($job_item->getSourceUrl(TRUE)->setAbsolute()->toString());
   

   drupalGet() accepts url objects, just give it what getSourceUrl() returns.

4. +++ b/sources/content/tmgmt_content.module
   @@ -216,3 +218,28 @@ function tmgmt_content_create_continuous_job_items(ContentEntityInterface $entit
   +      return $result->setCacheMaxAge(0);
   

   cacheability is tricky here.

   If the node is publicly cached and *then* we access it, this might not work because everyhting is cached.

   On the other hand, disabling caching completely just because we have a key also isn't an option.

   Instead, what you should do is *always* (even if you don't have a key right now) add a cache context for url.query_args:key. Then it will be cached differently based on the value of the key argument. As long as it doesn't exist, that doesn't hurt anyone.

+++ b/src/Form/SettingsForm.php
@@ -54,9 +54,27 @@ class SettingsForm extends ConfigFormBase {
+      '#description' => t('Enabling this will add a key to the url of the source to let access to the anonymous users that know that key.'),

the description needs a bit work.

It's not just about anonymous users, everyone will then have access:

Enabling this will give translators and anyone with access to jobs access to view all content, including unpublished and other protected content.

Also, there's one more access/caching thing that we should check for.

After you check access successfully, abort the job (we could also accept to close it, but that would update/save the node and invalidate caches anyway). Then check the same URL again. It should now fail, since the job item is no longer active.

That will probably not work yet. To fix it, add the job item as a cacheable dependency (->addCacheableDependency($job_item).

Oh, and you should also check config *if* there is a key query argument and call that method for $config too. Not sure if we really need a test for that, but it wouldn't hurt (check that access works, then disable the setting, then it shouldn't, then enable again, then it should again, then abort the job and it shouldn't anymore).

Looks good now, thanks, committed.