Check out our current post to read about the latest Admin Dashboard improvements and to see a demo about supporting two-factor authentication in Orchard Core! And don't forget that Orchard Harvest is right around the corner!
Orchard Core updates
Show Admin Dashboard shape when Access Admin Dashboard permission is not granted
Currently, when the Admin Dashboard feature is enabled, the /admin route is handled by the Index action in the DashboardController controller. This works great when the user has the Access Admin Dashboard permission. However, when they don't, they get the generic forbid error message.
In some cases, we don't want to give the user access to the admin widgets but want them to still access the admin dashboard. In this case, they will not be able to see the dashboard unless they type the exact path they want to access in the browser.
The solution here was the following:
- If the user does not have Access Admin Dashboard permission, instead of showing 401, we now render the AdminDashboard shape.
- When a Dashboard Widget is secured, we check the permission to ensure the user is able to view it before rendering it. This will give us the ability to control who gets to see which widget.
To test this out, we first need to enable the Admin Dashboard feature. After that, we modify the permissions of the Editor role so that users with this role have no permission to access the Admin Dashboard.
After that, we added an Html Dashboard Widget to be able to see something instead of the empty dashboard. On the left side of the screen, you can see what the admin user can see. They have the Access Admin Dashboard permission, and the previously created Html Dashboard Widget is visible to them. However, on the right side of the screen, we logged in with a user who has the Editor role. As you can see, Orchard renders the "Welcome to Orchard Core" alert to them, but they can't see the Dashboard Widget or the Dashboard itself.
Do not auto-create a dummy content item when the Admin Dashboard feature is enabled
When the Admin Dashboard feature is enabled for the first time, for some reason, we create a dummy dashboard item. There is no way to avoid this for new tenants currently.
Maybe adding a content item by default is not a good idea because the admin will almost always have to remove it. This change is about removing the sample Orchard Core Admin Widget from the recipe. But if you are curious about this sample widget, you can still use it. If you navigate to Configuration -> Recipes you will find a recipe called Admin Dashboard Widget Sample. And if you execute this recipe, you will be able to see the sample widget in the dashboard again.
This change was also added to the change log of the upcoming release to notify everyone about it.
Now you can have new settings that allow you to enable two-factor authentication. To see how this works, navigate to Security -> Settings -> User Login, where you can see a new tab called Two-factor Authentication. If you tick the Enable two-factor authentication checkbox, you will see the related settings. You can enable 2FA for everyone, you can enable 2FA for users with specific roles, or you can choose to remember the client, so you don't have to keep typing the code every single time on the same computer. The Show email address in the authenticator app option allows you to display the email address in the authenticator app; otherwise, we will show your username. And the Require two-factor authentication option allows you to force authentication. If you log in, you will be forced to use 2FA.
Right now, let's enable 2FA just for the users with the Administrator role. This means that if you click on the user icon in the top-right corner, you will have a new option in the dropdown menu called Security. Here, you can set up your authenticator app by clicking on the Add authenticator app button and following the steps mentioned.
Pull up your phone, open up the authenticator app, scan the QR code, and provide the verification code. On the next screen, you can see your recovery codes which you can use to log in in case you lose your device. But of course, you can reset your recovery codes and also the authenticator app itself under the Security dropdown menu.
Now if we log out and log back in, Orchard Core will ask us to provide that code after we type the correct username and password.
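What checking the verification code and redeeming a recovery code amount to, as an added sketch that is not Orchard Core's own code. It assumes the authenticator app produces standard RFC 6238 codes (HMAC-SHA1, 30-second step, 6 digits); the class and method names are hypothetical, and the secret and recovery codes are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration only; names are hypothetical, not Orchard Core APIs.
public static class TwoFactorSketch
{
    // RFC 6238: HMAC-SHA1 over the big-endian 30-second step counter,
    // dynamically truncated to a 6-digit decimal code.
    public static string Totp(byte[] secret, long unixSeconds)
    {
        byte[] counter = BitConverter.GetBytes(unixSeconds / 30);
        if (BitConverter.IsLittleEndian) Array.Reverse(counter);
        using var hmac = new HMACSHA1(secret);
        byte[] mac = hmac.ComputeHash(counter);
        int o = mac[^1] & 0x0F; // offset taken from the low nibble of the last byte
        int bin = ((mac[o] & 0x7F) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
        return (bin % 1_000_000).ToString("D6");
    }

    // Accept the current step and one step on either side (assumed tolerance
    // for clock drift between phone and server); compare in constant time.
    public static bool VerifyTotp(byte[] secret, string code, long now)
    {
        byte[] given = Encoding.ASCII.GetBytes(code);
        bool ok = false;
        for (int step = -1; step <= 1; step++)
        {
            byte[] expected = Encoding.ASCII.GetBytes(Totp(secret, now + step * 30));
            ok |= CryptographicOperations.FixedTimeEquals(expected, given);
        }
        return ok;
    }

    // Recovery codes are single use: a match is removed so it cannot be replayed.
    public static bool RedeemRecoveryCode(HashSet<string> unused, string code) => unused.Remove(code);

    public static void Main()
    {
        byte[] secret = Encoding.ASCII.GetBytes("12345678901234567890"); // RFC 6238 test secret
        long now = 59;                                                   // constructed clock value
        string fromPhone = Totp(secret, now);
        Console.WriteLine($"code accepted now: {VerifyTotp(secret, fromPhone, now)}");
        Console.WriteLine($"same code five minutes later: {VerifyTotp(secret, fromPhone, now + 300)}");

        var recovery = new HashSet<string> { "aaaa-1111", "bbbb-2222" }; // constructed sample codes
        Console.WriteLine($"recovery code, first use: {RedeemRecoveryCode(recovery, "aaaa-1111")}");
        Console.WriteLine($"recovery code, second use: {RedeemRecoveryCode(recovery, "aaaa-1111")}");
    }
}
```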
And as always, if you would like to know more about this feature (which you can try out right now if you are using the nightly builds of Orchard Core) head to YouTube for a recording!
News from the community
Orchard Harvest Online Program
As many of you know, we have been working hard over the past months to organize the next Orchard Harvest in Las Vegas after the last Harvest in 2017. Unfortunately, based on the current economic situation and personal feedback, Las Vegas won’t work this year. Not to mention that unfortunately Microsoft Build, announced after we decided on our dates, also falls in line with the original dates we chose. So, a date change was also necessary.
However, we did not want to let go of this opportunity to meet completely. Therefore, we are pleased to inform you that we will be holding our first online Orchard Harvest starting on the 31st of May at 13:00 UTC. Start your registration for the event right now.
You can find the program of the conference on the official site of Orchard Core. See you next week!
Orchard Dojo Newsletter
Lombiq's Orchard Dojo Newsletter has 462 subscribers! We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course.
Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here!