Source Browser, Content Request Culture Provider cookie setting - This week in Orchard (12/07/2021)
Fixing forms multi submit, set the cookie in the Content Request Culture Provider, Source Browser with Orchard Core, and many more coming this week!
Orchard Core updates
Set the cookie in the ContentRequestCultureProvider
The ContentRequestCultureProvider allows you to switch the current culture based on the content item URL. If you have a site in French and English and you go on a page that contains a French content item, then the full request will go in French. This is what the RequestCultureProvider does, it assigns the current thread culture to the one that a content item is taken.
The issue is the following. Assume you have a drop-down French and English to switch languages. Like you are, for instance, on the home page for English. And in the drop-down, you select French using the content picker. In this case, your whole navigation is back in French. Everything you will click should be in French now; the widgets, the content items, everything. But if you go to a page that is in English, the cookie is still for French, which means the next page that will open will assume you still want to be in French. This new option lets you switch the cookie to the culture of the content item you are watching. That means if you go to a content item with a different culture, your cookie will say: 'Oh, I want to be in this culture now, I don't want to be in the one that the drop-down selected before!'.
By default, the ContentCulturePicker sets a cookie for the CookieRequestCultureProvider. This can be disabled in the Configuration -> Settings -> Localization -> Content Culture Picker settings page.
The ContentRequestCultureProvider can set the cookie based on the ContentItem that matches the current URL. This setting can be edited in the Configuration -> Settings -> Localization -> Content Request Culture Provider settings page.
Minor security issue: Internal File Path Disclosure
An issue has been raised that the Media module can potentially expose internal file paths, letting a would-be attacker find out what OS the server is using and gaining knowledge about the file structure being used by the web application.
If you open up the AdminController and check out the HttpPost version of the Upload action, you would see the following lines in the code that prints the path of the given file.
The media file stores are supposed to catch all exceptions and rethrow them as a FileStoreException. The issue was the result contains the path, while it shouldn't. This issue has been fixed by now.
Fix forms multi submit
The idea here is that if you add the no-multisubmit class, then you can't submit a form twice. So when you double click, there won't be two POST requests, just a single one. And the issues that it triggered were like locking issues or concurrency issues like two content items use the same version and then two published versions. This is preventing issues like this. And you had to change every single form to prevent that.
Document Static File Provider Feature and robots.txt for Tenants
There is a Static File Provider feature that allows you to have custom static files served for each tenant differently. And in this case, whatever file you put under the App_Data\Sites\[Tenant]\wwwroot will be served in priority over the module's static files or the theme's static files. This way you can customize, for instance, a CSS for a tenant by putting it in this folder. If all tenants use the same theme, you can customize CSS or JavaScript by putting the files there. If you would like to read more about this, check out this updated page of the documentation.
Demos
Source Browser
Source browser website generator that powers https://referencesource.microsoft.com, http://sourceroslyn.io, https://source.dot.net, and others.
Create and host your own static HTML website to browse your C#/VB/MSBuild/TypeScript source code. Note that it does require an ASP.NET Core website for hosting (symbol index is kept server-side), so without ASP.NET Core the search function doesn't work.
Dean Marcussen decided to build one for Orchard Core. And you can now browse the source code of Orchard Core using Source Browser.
You can find the source code in the dm/orchardcore branch of this repository.
If you would like to see a nice demo and discussion about this feature, don't forget to check out the following recording on YouTube!
News from the community
Lombiq Helpful Libraries: Contents Libraries
The Lombiq Helpful Libraries consist of several various libraries that can be handy when developing for Orchard Core CMS, to be used from your own Orchard modules. This time we will see some helpful constants and extensions regarding contents.
The CommonContentDisplayTypes static class contains values that can be used with IContentItemDisplayManager.BuildDisplayAsync or OrchardRazorHelperExtensions.DisplayAsync to safely select the correct display type. Here we have a BuildDisplayAsync method that loads the content item if the display type is not SummaryAdmin. As you can see, we could use the SummaryAdmin constant string here.
The PublicationStatus enum can be used for instance to query content items based on the status of the content item. The WithContentItem extension method also uses these enums to filters a query to match the publication status in ContentItemIndex. You can see we have a query.WithContentItem(PublicationStatus.Published) call that will extend the given query with the ContentItemIndex index and use the given status of the content item.
Orchard Dojo Newsletter
Lombiq's Orchard Dojo Newsletter has 207 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course.
Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here!