Enable/disable RSS feed per list, don't localize custom errors returned by the userinfo endpoint, reject grant_type=client_credentials token requests containing scope=offline_access, and a demo about using WebApplicationFactory in the Lombiq UI Testing Toolbox. Check out our post for the details!
Orchard Core updates
Enable/disable RSS feed per list
After the Feeds module is activated, each List Part gets a public feed URL that anyone can access and that cannot be secured. List items, however, can be intended to be private or handled in some custom way, so activating the Feeds module can leak that data through the newly added endpoint. This change therefore adds an option to enable or disable feed generation for a given List Part.
Let's try it out quickly! If you set up your site using the Blog recipe, you will get a Blog content type defined and one Blog content item. Navigate to Content -> Content Items and hit Edit near the Blog one! If you scroll down a little, you will find a new checkbox called Disable RSS feed link generation. It's unchecked by default but you can put a tick in this box to disable the RSS feed generation.
Don't localize custom errors returned by the userinfo endpoint
The OAuth 2.0 specification explicitly requires that errors be composed exclusively of certain US-ASCII characters, which basically prevents localizing them. It's an issue we identified and fixed some time ago for the errors returned by AccessController, but not by UserInfoController, which still returned a localized error.
Reject grant_type=client_credentials token requests containing scope=offline_access
We recently added the ability to automatically grant the requested scopes for grant_type=client_credentials (which requires that the client be granted the corresponding scope permissions, of course), but we forgot to add a check to prevent a refresh token from being requested via scope=offline_access, which is a scenario we deliberately don't allow. We already have a check blocking grant_type=refresh_token requests in this case.
Since there's no point in returning a refresh token that won't be usable, we should add a check to prevent the offline_access scope from being requested in the first place. That's exactly what this fix does.
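The two OpenID fixes above, sketched as an added example (not Orchard Core's or OpenIddict's code): a token-request check that rejects client_credentials requests asking for offline_access, plus a guard that keeps error text inside the character set OAuth 2.0 allows. The function names, sample requests and the invalid_scope error code are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs

# RFC 6749 section 5.2: "error" and "error_description" values are limited to
# %x20-21 / %x23-5B / %x5D-7E (printable US-ASCII without '"' and '\').
_ALLOWED = re.compile(r'[\x20-\x21\x23-\x5B\x5D-\x7E]*')

def is_valid_error_text(text):
    """True when text uses only the characters OAuth 2.0 permits in errors."""
    return _ALLOWED.fullmatch(text) is not None

def error_response(error, description):
    """Build an error body, refusing text a localizer could have produced."""
    if not (is_valid_error_text(error) and is_valid_error_text(description)):
        raise ValueError("OAuth 2.0 error text must be restricted US-ASCII")
    return {"error": error, "error_description": description}

def validate_token_request(form_body):
    """Return None if the request may proceed, otherwise an error body."""
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    grant_type = params.get("grant_type", "")
    # "scope" is a space-delimited list (RFC 6749 section 3.3).
    scopes = params.get("scope", "").split()
    if grant_type == "client_credentials" and "offline_access" in scopes:
        # Error code chosen for this example; the page does not name the one used.
        return error_response(
            "invalid_scope",
            "The offline_access scope is not allowed with the "
            "client_credentials grant.")
    return None

# Constructed sample token endpoint bodies (form-encoded).
OK_REQUEST = "grant_type=client_credentials&client_id=svc&scope=api"
BAD_REQUEST = "grant_type=client_credentials&client_id=svc&scope=api+offline_access"
PASSWORD_REQUEST = "grant_type=password&username=u&password=p&scope=offline_access"
LOCALIZED = "Le jeton d'accès est invalide."  # constructed localized message

if __name__ == "__main__":
    for body in (OK_REQUEST, BAD_REQUEST, PASSWORD_REQUEST):
        print(body, "->", validate_token_request(body))
    print("localized description allowed:", is_valid_error_text(LOCALIZED))
```

Rejecting the scope at validation time means the client gets a clear error up front instead of a refresh token that the server would later refuse to redeem.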
Use WebApplicationFactory in the Lombiq UI Testing Toolbox
Maybe you have already heard about the Lombiq UI Testing Toolbox, our web UI testing toolbox mostly for Orchard Core applications. Everything you need to do UI testing with Selenium for an Orchard app is here. We wrote about it several times here as well: first when we open-sourced it, then when we added some Orchard Core Features tests to it, when we added the automated monkey testing feature to it, and when we introduced the Visual verification testing. And a few weeks ago, we showed you the latest updates about integrating UI testing into Orchard Core.
In this recording, you can see WebApplicationFactory being used directly instead of running the tested app with the dotnet CLI, because you can run an ASP.NET Core app directly with WebApplicationFactory; see this blog post and the corresponding code. Why?
- This can potentially make things faster.
- Reduce the app-level configuration you have to do, so no need to add the Shortcuts module, for example, or
- Since this would require a hard reference from the UI test project to the web app, we'd get rid of the necessity to manually build the web app.
- This would allow us to debug the app being tested too, since it would run in the same process as the tests.
We introduced this change in the v4.0.0 release of the UI Testing Toolbox, and if you are already using our Toolbox in your solution, don't forget to check out our migration guide for the breaking and non-breaking changes.
And as always, if you want to know more about this new addition to the Lombiq UI Testing Toolbox for Orchard Core, check out this recording on YouTube!
News from the community
Orchard Harvest 2023
For those who are too young to remember, we had Orchard conferences, called Orchard Harvest. The conference website was available under orchardharvest.org, but unfortunately, it's not anymore. The last one was in 2017 in New York. So, having another get-together is very much overdue. If you would like to see or get a feeling of what this looked like before, we have a couple of mood videos on the Orchard YouTube channel, like this one from the first conference.
The point is that we should really think about organizing the next one, and we at Lombiq can take part in that or take on an organizing role with anybody who wants to take part. If you have any feedback or you are looking forward to having a Harvest again, please share your opinion with us by filling out this survey about the upcoming Orchard Harvest!
Orchard Dojo Newsletter
Lombiq's Orchard Dojo Newsletter has 378 subscribers! We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course.
Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here!