Secure Media feature, add a way to hide ContentTypeDefinitionSettings - This week in Orchard (19/04/2024)

Gábor Domonkos
Admin UI, Media Library, This week in Orchard, Security

Consolidate admin required fields, add a way to hide ContentTypeDefinitionSettings, and a demo about the brand-new Secure Media feature! Let's see the details!

Orchard Core updates

Consolidate admin required fields

Content fields and some parts added to a content type can be set as required, but nothing marks them as required before you submit your changes. The validation error messages for required fields are also worded inconsistently: some end with a dot and some don't, some use '' for the value, and some have explicit value names in the text. Finally, validation error messages are included in the validation summary only, and not under the required field, although in TitlePart, for example, everything is correct.

All error messages should be written in the same format and text, for example: Please add value for '{0}'. At least some CSS class should be added to all required field labels so that required fields can be identified in the content item form, and required validation messages should be displayed under each validated field.

As you can see in the screen below, the community consolidated the admin required fields by taking the following steps:

  • Added a star character to all required fields.
  • Added a validation message for required input fields, like in TitlePart.
  • Consolidated the color of the star and the validation error messages.
  • Consolidated error message texts.
  • Removed client validation from inputs because of inconsistent form behavior dependent on the used browser, selected locale, etc.

Consolidate admin required fields

Add a way to hide ContentTypeDefinitionSettings

The intention behind this change was to add a configuration to show/hide the creatable, listable, draftable, versionable, and securable flags. We have a new ContentTypeDefinitionDriverOptions class which contains boolean values that you can use to show or hide the creatable, listable, draftable, versionable, and securable options when editing the content definition of a content type on the admin UI. The ContentTypeDefinitionOptions class offers a method for configuring content type definitions to either display or conceal global settings from appearing on the UI.

In certain cases, like when creating CustomSettings or CustomUserSettings, these options are useless. So, it would be nice to hide them instead since they do nothing.

So, to quickly demonstrate this change, we enabled the Custom User Settings feature under Configuration -> Features. Afterwards, we navigated to Content -> Content Definition -> Content Types and created a new content type called UserProfile. We added some fields to it and set the stereotype to CustomUserSettings to be able to use this content type as a custom user setting.

As you can see, only the Securable checkbox is here; we can't set the other content type definition settings like creatable, listable, etc. The reason is that the Startup.cs file of the OrchardCore.Users module sets the boolean values of the ContentTypeDefinitionDriverOptions class for the CustomUserSettings stereotype. It doesn't touch the value of ShowSecurable, so that keeps its value of true.
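The same configuration applied from a custom module, as an added example that is not code from the Orchard Core repository. The stereotype name `MyModuleSettings` is hypothetical; the `Stereotypes` dictionary and the four `Show…` properties other than `ShowSecurable` are not shown on this page and are assumed here from the description above.

```csharp
using Microsoft.Extensions.DependencyInjection;
using OrchardCore.Modules;
// Also import the namespace that declares ContentTypeDefinitionOptions and
// ContentTypeDefinitionDriverOptions in your Orchard Core version.

public sealed class Startup : StartupBase
{
    public override void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ContentTypeDefinitionOptions>(options =>
        {
            // "MyModuleSettings" is a hypothetical stereotype used by this module.
            // Assumption: options are looked up per stereotype through this dictionary.
            options.Stereotypes.TryAdd("MyModuleSettings", new ContentTypeDefinitionDriverOptions
            {
                // These flags have no effect for a settings-style content type,
                // so their checkboxes are hidden in the content definition editor.
                ShowCreatable = false,
                ShowListable = false,
                ShowDraftable = false,
                ShowVersionable = false,

                // ShowSecurable is deliberately left untouched: the Securable
                // checkbox stays visible, so the type can still get its own
                // permissions.
            });
        });
    }
}
```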

Add a way to hide ContentTypeDefinitionSettings

Demos

Secure Media feature

This demo is about the brand-new Secure Media feature for additional control over who can access media files. The key features include:

  • Restricted Access to Media Folders: A view permission is created for the root media folder and each first-level folder within the media root, allowing administrators to restrict access based on user roles.
  • Enhanced Viewing Permissions: Introduces permissions to view one's own media files and/or those of others, expanding upon the existing ManageOwnMedia permission.
  • Consistent Access Rules for Media and Content Items: Media attached to content items will adhere to the ViewContent permission of the respective content item. This alignment ensures consistent access rules between media and content items.
  • Protection for Temporary Attached Media Files: Secures temporary attached media files in a manner similar to personal user files.
  • Improved Management Permissions in Admin: Refines the manage media permissions to allow media management only when viewing permissions are also granted. This prevents users from managing media they cannot view. Additionally, the creation and deletion buttons in the admin interface are disabled for folders that are not accessible post-creation or for special folders like "_Users" and "mediafields".
  • Handling Unauthorized Access: Introduces a middleware that returns a 404 NotFound response for unauthenticated access attempts to secured media files. This approach not only restricts access but also conceals the existence of the file.
  • Configurable Cache-Control for Secured Files: Sets the Cache-Control header of secured files to no-store by default, preventing their caching. This setting is configurable to suit different needs.
  • Bearer Token Authentication for API Access: Enables bearer token authentication for media files, aligning with Orchard Core's API capabilities. This feature is particularly useful for headless CMS scenarios and external application integrations.
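The pattern behind three of the points above (one permission per root or first-level folder, a 404 for failed checks, and Cache-Control: no-store on secured files), as an added ASP.NET Core sketch that is not Orchard Core's own middleware. The `/media` request prefix and the `ViewMediaFolder` policy name are assumptions, and the sketch returns 404 for any failed authorization check.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;

// Illustrative sketch only: not Orchard Core's Secure Media middleware.
public sealed class SecuredMediaSketchMiddleware
{
    // Assumptions: media is served under /media, and the host registers an
    // authorization policy with this hypothetical name whose handler receives
    // the folder name as the resource.
    private const string MediaPrefix = "/media";
    private const string ViewFolderPolicy = "ViewMediaFolder";

    private readonly RequestDelegate _next;

    public SecuredMediaSketchMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context, IAuthorizationService authorization)
    {
        if (!context.Request.Path.StartsWithSegments(MediaPrefix, out var rest))
        {
            await _next(context);
            return;
        }

        // Only the root and the first folder level carry their own view
        // permission, so deeper paths are governed by their first segment.
        var segments = (rest.Value ?? string.Empty)
            .Split('/', StringSplitOptions.RemoveEmptyEntries);
        var folder = segments.Length > 1 ? segments[0] : string.Empty; // "" = media root

        var result = await authorization.AuthorizeAsync(context.User, folder, ViewFolderPolicy);
        if (!result.Succeeded)
        {
            // 404 rather than 401/403: the response does not confirm the file exists.
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return;
        }

        // Runs just before the response starts, so it overrides any
        // Cache-Control value set by the file-serving middleware downstream.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers["Cache-Control"] = "no-store";
            return Task.CompletedTask;
        });

        await _next(context);
    }
}
```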

We will not do a deep dive here but will try to demonstrate some of the mentioned features.

First of all, you need to enable the feature itself by heading to Configuration -> Features where you will find the Secure Media feature. After enabling it, let's add a new folder to the root of the media library under Content -> Media Library. We named it secure and placed a file into this library.

Creating the folder named secure

Now, let's navigate to Security -> Roles, and find a section called Secure Media. By default, everyone can see everything, so nothing will change if you enable the feature. It's currently only using the root folder and the first folder level; this means you can only have one tier of secured media folder. And as you can see here, you can define who can view media content in our newly created folder, called secure.

Secure Media permissions

Now let's play a little bit with the permissions and say that Anonymous users and Editor users don't have permission to view media content inside the secure folder.

To test this out, we created a new user with the Editor role and logged in with this user. Head to the admin UI of Orchard Core and open up the Media Library. As you can see, this user can't see the folder called secure and can't access the files inside the folder.

Users with the Editor role don't have permission to view the secure media folder

As always, if you want to see more about this new feature, head to YouTube for a recording!

News from the community

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 471 subscribers! We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course.

Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here!

If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!
