[5.x] Fix config through Antlers views (#14328)

Co-authored-by: Duncan McClean <duncan@duncanmcclean.com>

Author: jasonvarga

src/Fields/Value.php

@@ -12,6 +12,7 @@
 use Statamic\Facades\Compare;
 use Statamic\Support\Str;
 use Statamic\View\Antlers\Language\Parser\DocumentTransformer;
+use Statamic\View\Cascade;
 use Traversable;
 
 class Value implements ArrayAccess, IteratorAggregate, JsonSerializable
@@ -159,6 +160,10 @@ public function antlersValue(Parser $parser, $variables)
 
             $value = (new DocumentTransformer())->correct($value);
 
+            if (isset($variables['config'])) {
+                $variables['config'] = Cascade::config();
+            }
+
             $parsed = $parser->parse($value, $variables);
 
             if (! $parseFromRawString) {

tests/View/Antlers/ViewTest.php

@@ -6,6 +6,9 @@
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Facades\Antlers;
 use Statamic\Facades\Cascade;
+use Statamic\Fields\Field;
+use Statamic\Fields\Value;
+use Statamic\Fieldtypes\Text;
 use Statamic\View\Events\ViewRendered;
 use Statamic\View\View;
 use Tests\FakesViews;
@@ -243,15 +246,43 @@ public function view_gets_full_config_but_antlers_parse_gets_allowlisted_config_
 
         $template = 'hello {{ name }} [{{ config:app:name }}] [{{ config:top:secret }}] [{{ config:allowlisted:foo }}]';
 
-        $data = ['name' => 'world', Cascade::instance()->toArray()];
+        $data = ['name' => 'world', Cascade::instance()->hydrate()->toArray()];
+
+        $parsed = (string) Antlers::parse($template, $data);
+        $this->assertStringNotContainsString('123', $parsed, 'Parsed string contains unexpected config value.');
+        $this->assertSame('hello world [test] [] [bar]', $parsed);
 
         $this->viewShouldReturnRaw('template', $template);
         $parsed = (string) View::make('template', $data)->render();
         $this->assertStringContainsString('123', $parsed, 'Parsed view is missing config value.');
         $this->assertSame('hello world [test] [123] [bar]', $parsed);
+    }
 
-        $parsed = (string) Antlers::parse($template, $data);
-        $this->assertStringNotContainsString('123', $parsed, 'Parsed string contains unexpected config value.');
-        $this->assertSame('hello world [test] [] [bar]', $parsed);
+    #[Test]
+    public function antlers_fields_gets_allowlisted_config_only_in_view()
+    {
+        config([
+            'app.name' => 'test', // allowed by default
+            'allowlisted.foo' => 'bar', // allowlisted
+            'top.secret' => '123',
+            'statamic.system.view_config_allowlist' => ['@default', 'allowlisted.foo'],
+        ]);
+
+        $template = 'hello {{ name }} [{{ config:app:name }}] [{{ config:top:secret }}] [{{ config:allowlisted:foo }}]';
+
+        $textFieldtype = new Text();
+        $field = new Field('text_field', [
+            'type' => 'text',
+            'antlers' => true,
+        ]);
+        $textFieldtype->setField($field);
+
+        $value = new Value($template, fieldtype: $textFieldtype);
+
+        $data = ['name' => 'world', 'test' => $value];
+
+        $this->viewShouldReturnRaw('template', '[view:{{ config:top:secret }}] {{ test }}');
+        $parsed = (string) View::make('template', $data)->render();
+        $this->assertSame('[view:123] hello world [test] [] [bar]', $parsed);
     }
 }