Our blog contains the activity stream of Orchard Dojo: general news, new resources or tutorials are announced here.

Featured tags

IIS
API
SMS
SEO
All tags >

Feature aware Razor Pages, Orchard Core Commerce - This week in Orchard (06/05/2022)

This week you can read that the Feature attribute was not working for Razor Pages, the Lucene documentation updates, and a demo of the Orchard Core Commerce module! Are you interested in the details? Check out this post for more! Orchard Core updates Feature attribute was not working for Razor Pages The Feature attribute was not applied to Razor Pages because Razor Pages were always tied to the module. What does it mean? Well, let's follow the steps below: Create a Module with a feature. Add a Razor Page. Add the Feature attribute to a Razor Page. Enable the module and the feature it will serve the Razor Page. Disable the feature - notice that Razor Page is still served. Now, the feature is disabled, and the site should not serve the Razor Page, but it was still served. Now, this has been fixed and you can also try it out if you enable the Orchard Core and Orchard Foo Demo features that sit in the Orchard Demo project. Note that this project is not referenced by default, so if you would like to try it out, you can simply add it to the OrchardCore.Cms.Web, for example. You can find two Razor Pages (Edit and List) with the Feature attribute OrchardCore.Demo.Foo. Meaning that if you enable the Orchard Demo feature but keep the Orchard Demo Foo disabled, you can not reach these pages. Lucene documentation updates You can write elaborate Lucene Queries with the ElasticSearch DSL. This includes the match query type (akin to using the my search term syntax in the search box) and match_all (like writing "my search term" for exact search). And you can optionally use the parsed Lucene search syntax in the search text box. However, the documentation of the Lucene module had some missing examples about how you can combine the two and how to use the search syntax with a Query. The simple_query_string is also available but was missing from the docs, it has been added too. Demos Orchard Core Commerce Orchard Core Commerce will be an Orchard Core port and partial rewrite of the open source Nwazet Commerce module that was built for Orchard CMS 1.x. Nwazet Commerce was initially built in 2012 by Bertrand Le Roy, loosely based on a commerce sample by Sipke Shoorstra. The initial goal of Nwazet Commerce was to power the website of the hardware startup Nwazet. While Nwazet is no longer operating, the Nwazet Commerce project went on, and was further developed by a group of passionate contributors who are using the platform for their own, and their customer's websites. Like Orchard, Nwazet Commerce was built with extensibility in mind, and as such it has its own extensions (typical examples include local tax and shipping modules). It's also pure, idiomatic Orchard. Orchard Core represents a major evolution of the Orchard design principles and is sufficiently different that running Nwazet Commerce on it will necessitate significant work. As such, the community decided that starting from a blank slate was the best way to go, so they will port Nwazet Commerce piece by piece, being careful to accurately apply Orchard Core's new design principles. The community also decided to adopt a new name that gets rid of the now obsolete origins and establishes our ambition for the module to become the go-to commerce module for Orchard Core. This work is in its initial design phases and will focus at first on porting a minimum viable feature set. In this demo, we will check out the current state of the module. To set up your dev environment, you should clone this repository, build and run the SampleWebApp project (set up with any recipe) and enable the Orchard Core Commerce, Orchard Core Commerce Session Cart Storage, and the Orchard Core Commerce Settings Currency Selector features. From now on, you can start using the features by creating a new Product content type and adding the Product part to it, and so on. But you can run the built-in recipes (MultiCurrencyProduct, Order, and Product) to set up your content model just by a few clicks. Meaning you will have a Product content type with a Product Part and multiple Price Parts. Order content type with an Order Part, a shipping address, and a billing address. Product content type with a Product Part and a Price Part. And if you check out the recording below you will know how to create products like this one, where you can define the SKU(Stock Keeping Unit), the base price of the product, and you have the option to attach the built-in Boolean/Numeric/Text Product Attribute Fields that can help you to define the available sizes for the given T-shirt for example. News from the community Lombiq provides stewardship for Orchard Core Commerce You saw the current state of the Orchard Core Commerce module, and if you follow the news around Orchard and Orchard Core, you may notice that the project is moving a little slow because of the level of the contributions. We'd like to announce that Lombiq Technologies provides stewardship for the Orchard Core Commerce project. Bertrand, who initially founded the Orchard 1 and Orchard Core Commerce modules, reached out to us if we are interested in actively maintaining the project. We at Lombiq are really excited about this opportunity. We want to move this forward with proper planning and frequent contributions to the repository. On our side, Márk Bartha will be the project leader. A few seasoned Orchard developers are ready to implement features. But first, we want to hear your opinion about what you need first and most for the MVP. We'll put together a short survey to collect your ideas in an organized manner. Until then, feel free to comment and let us know your thoughts! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 248 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Add UI for email proxy settings, Lombiq Orchard Visual Studio Extension supports Visual Studio 2022 - This week in Orchard (31/03/2022)

Fixing that content parts/fields were not showing up in preview when ContentCard is used, preventing Visual Studio Missing Components warning, adding UI for email proxy settings, and the Lombiq Orchard Visual Studio Extension now supports Visual Studio 2022! Check out our current post to read about the details! Orchard Core updates Add UI for email proxy settings A few weeks ago, we mentioned that from now you have the option to configure the proxy server and the proxy port number if you would like to set up the SMTP settings. And you must configure ProxyHost and ProxyPort if the SMTP server runs through a proxy server. But you don't have a UI for these until now! If you enable the Email feature and navigate to Configuration -> Settings -> Email, you will find the text boxes that you can use to set up the proxy hostname and proxy port number. Prevent Visual Studio Missing Components warning If you have installed Visual Studio Community 2022 (and don't forget: Orchard Core 1.3.0 release is removing support for netcoreapp3.1 and net5.0. Only net6.0 is supported, which is not supported in Visual Studio 2019), you didn't need to install any additional components. So, maybe we could just remove the .vsconfig file. But maybe still useful to keep it, so Jean-Thierry Kéchichian removed the Microsoft.NetCore.ComponentGroup.Web.2.1, Microsoft.VisualStudio.Component.TypeScript.3.5, and Microsoft.VisualStudio.Workload.NetCoreTools components that aren't included in the Visual Studio Community component directory documentation or marked as no more supported. Content parts/fields were not showing up in preview when ContentCard is used Let's say, you are trying to modify the BagPart to support a read-only scenario. Like if a user does not have permission to EditContent but has permission to ViewContent. In that case, the user should not be able to edit but should be able to view the data. Here are the steps to reproduce the behavior: Add content type A and attach BagPart to it that contains content type B. Make B securable to control who can edit and who can view it. Give the user read-only permission to B and Edit permission to A. At this point, you'll need to modify the BagPart.Edit.cshtml template to set the BuildEditor property to false when the user does not have the proper permission to edit. Finally, you'll need to render the ContentPreview shape on the ContentCard.Frame to display the ContentCard in a preview only. The expected behavior would be that the ContentCard to show up in the BagPart as it would in a preview screen. But it does not. The display the content cards correctly, the fix was to do a little modification in the ContentCard.cshtml file. News from the community Lombiq Orchard Visual Studio Extension now supports Visual Studio 2022 Lombiq Orchard Visual Studio Extension is a Visual Studio extension with many features and templates frequently used by Lombiq developers. It contains Orchard-related (including Orchard Core) as well as generic goodies. It contains several useful features like: Dependency Injector: When a class is opened in the editor, you can inject a dependency with this feature. Type the dependency name, hit Enter, and it will be injected. Orchard Error Log Watcher: Watches the Orchard error log (or any other error log) and lights up an icon when a new entry was logged. And wait, there's more! This feature also supports BlinkStick USB LED sticks that can blink or light up when an error happens. Check out this video for a demo of the whole feature. And from now, our Orchard Visual Studio Extension supports Visual Studio 2022! For more details, check out the Readme! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 244 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Orchard Core 1.3.0, fix missing permission checks and encoding - This week in Orchard (24/03/2022)

We are thrilled to announce that Orchard Core 1.3.0 is now available! Check out this post to know everything about the latest release of Orchard Core! Now let's see the newest features and additions of the current release that we will continue next week too! Let's get started! Orchard Core updates Fix missing permission checks and encoding These are security fixes that are fixed with Orchard Core 1.3.0. In this case, the fix targets two major issues. The first is that some authorization checks were not done correctly for some controllers. Here you can see the changes of the AdminController of the Features module. The second change is in the SEO module. There were XSS issues in the module. They were not very critical issues because you have to reach the admin editor to do that, and when you define SEO things for the front-end, you might want to render an HTML. But now it's sanitized for XSS reasons. The properties in the SeoPart are now encoded, in a way that you can use the Shortcodes, but you can't type anything else. You can't write any HTML you want, just the ones that make sense. And there is one special case when you set up the Google Schema: now it's not outputting anything, it's just validating the JSON format that you have provided. And when you create custom Shortcodes now the usage of the Shortcode (which is just some documentation) is now also sanitized, such that you can't inject custom JavaScript code in the description of the Shortcodes and try to hack people on the same admin page. Update full-text search index documentation Orchard Core provides a Lucene module/feature that allows you to do a full-text search on your websites. It is possible to configure which text/data you want to index in the Content Type configuration by using Liquid. And the following guide is helping you with how to implement a website full-text search step by step. And now the page has been updated with the following section: if your content item is also a set of content items, then you need to call the full_text_aspect helper to include the content of the content item inside the full-text search index. Fix NRE with TaxonomyIndex The index runs while cloning a content item, right after an empty content item was created (so before the actual cloning). The fields are there, but all are null. Casting this to JObject fails, as null is a JValue. The solution is that you have to do the casting in another way by using the as keyword. News from the community Orchard Core 1.3.0 Orchard Core 1.3.0 is now available! If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the updated version of Orchard Core! There is a new page in the documentation with the breaking changes and the new features. Upgrade your solution to 1.3.0 now! Feel free to drop on the dedicated Gitter chat and ask questions! And don't forget: this release is removing support for netcoreapp3.1 and net5.0. Only net6.0 is supported. Updated Lombiq's Open-Source Orchard Core Extensions Lombiq's Open-Source Orchard Core Extensions is an Orchard Core CMS Visual Studio solution. It contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries, like the Lombiq UI Testing Toolbox or the Training Demo module that guides you to become an Orchard Core developer. And from now, this solution with all the extensions inside is updated to Orchard Core v1.3.0 and .NET 6! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 241 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Support Mail Proxy, open-source Lombiq projects published on NuGet - This week in Orchard (10/03/2022)

Topics for the week are the new mail proxy support, documentation about how to use a local copy of Orchard Core source code as NuGet packages, and the published Lombiq projects on NuGet! Do you want to know more? Then check out our post now! Orchard Core updates Support Mail Proxy Let's say that your web hosting provider doesn't allow outbound connections by default (IONOS Windows Shared). In this case, all outbound connections should be sent through a proxy on this platform. You can configure it for HTTP(S) by adding this in the Startup.cs of the Orchard Core web app: HttpClient.DefaultProxy = new WebProxy("http://winproxy.server.lan:3128"); However, there was no way to configure this for SMTP connections. So there was an issue about not being able to send a mail with Orchard on this hosting provider. But from now you can configure the proxy server and the proxy port number by enabling the OrchardCore.Email module and using the SMTP Settings. The documentation is also updated with these new settings. Using a local copy of Orchard Core source code as NuGet packages There is a new page in the Orchard Core Documentation about how to use a local copy of Orchard Core source code as NuGet packages. In this new article, you can see how to create your own local NuGet feed from your local source code, how to publish to your NuGet feed, and how to update your project to use the newly created feed. News from the community Configure portable object localization in ASP.NET Core There was an ASP.NET Community Standup about localizing the .NET website. There was a topic on how the .NET websites have been localized using the Orchard Core localization package with PO files. Sébastien Ros did a demo about the package, explained how the localizer works, how to inject it, how to use the module, how to create a PO file, how to use pluralization, etc. If you would like to know more about localization and haven't seen that demo yet, check out the recording of that standup meeting here! And in the meantime, now there is a new article on the Microsoft Technical Documentation where you can read more about what is a PO file, how to configure PO file support in ASP.NET Core, or how to create a PO file with several useful examples. Open-source Lombiq projects now published on NuGet We have more than 160 open-source repositories under our GitHub organization, out of which more than 140 are somehow related to Orchard (including Orchard Core and 1.x). Up until now, if you wanted to utilize our projects in your own ones, you could only reference them as Git submodules or copy over the source files. Now, however, all the Orchard Core-related projects of ours, as well as several others, are available as NuGet packages! Check out our blog post to know more about our NuGet packages! Do you want to easily publish your projects to NuGet as well? You can build on what we've created for that: Take a look at our new GitHub Actions project that we developed with the help of Orchard community member Dean Marcussen. Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 238 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Hide the "New" option if they are not authorized to edit, UI testing PoC with the Lombiq UI Testing Toolbox - This week in Orchard (04/03/2022)

This week you can read about hiding the "New" option from the admin UI if they are not authorized to edit, changing the content of the built-in recipes, and a demo about a UI testing PoC with the Lombiq UI Testing Toolbox! Are you interested in the details? Check out this post for more! Orchard Core updates Hide the "New" option if they are not authorized to edit If you have a list content type (e.g., Blog) with the contained type (Blog Post) and the user doesn't have Edit Blog Post permission, they still see the New Blog Post button on the Blog editor. Note, that the user has permission to edit the Blog. And it was a bug that could be reproduced by just following some simple steps: Create a Blog Post content type. Create a Blog content type with a ListPart containing the Blog Post type. Update the Moderator role: set Edit for Blog but don't set it to Blog Post. Create a test user and associate them with the Moderator role. Log in with the test user and create a Blog. Observe that the New Blog Post button appears on the top-right corner, but you'll get a 403 when you click on it. The solution was just to similarly to the Content list page authorize the user to edit the types so if they are not authorized to edit, then hide the New option. Remove FileContentDefinition from recipes Last December, the community decided to do not to enable the File Content Definition feature by default. And by doing that, the OrchardCore.Contents.FileContentDefinition usage was removed from the Agency and Blog recipes. It's only useful in specific cases, and most of the time you need to turn it off. The same issue is there with the Headless and Blank recipes. Especially for the Blank recipe, there is no reason to include anything apart from the bare bones. The solution was just to remove the OrchardCore.Contents.FileContentDefinition enables a step from the two recipes. Demos UI testing PoC with the Lombiq UI Testing Toolbox In this demo, we will talk about this particular pull request, which is about a proof of concept. Maybe you have already heard about the Lombiq UI Testing Toolbox, our web UI testing toolbox mostly for Orchard Core applications. Everything you need to do UI testing with Selenium for an Orchard app is here. We wrote about it several times here as well, first when we open-sourced it when we added some Orchard Core Features tests to it, and some weeks ago, you could read about the automated monkey testing feature of the toolbox. So, what about trying out this toolbox in Orchard itself, and let's see whether it works and whether it can be useful. Of course, we have Cypress tests in Orchard Core, so this will be something with the same goal - not necessarily useful, not necessarily wanted to add - it's a proof of concept. Let's see how it looks! If you check out the mentioned pull request, you will find a new OrchardCore.Tests.UI project which references the UI Testing Toolbox. It contains a couple of classes, the main point here is the BasicOrchardFeaturesTests one. As you can see, this contains two xUnit test methods. The first is just running the TestBasicOrchardFeaturesExceptRegistrationAsync method, which tests all the basic Orchard features except for registration with the Blog recipe. You can specify the recipe itself with several other options like enabling accessibility checks. The second test is a failing test that you can check out on the CI. It's a usual Dotnet test execution, so you get a test summary in the end. You can see what the test did, and you can find the exact reason why this test failed (because it's cannot find the element by the navbar ID on a given page). If you go to Summary and check out Artifacts, you can download a file that contains the whole dump of the application with screenshots, HTML output, the Orchard logs, everything that you may need for troubleshooting. And, of course, you can also execute the test from Visual Studio as usual. The next steps here would be to: Recreate the Cypress tests so we can see how it compares. Most possibly, this would be running TestBasicOrchardFeaturesExceptRegistrationAsync with all recipes. Using WebApplicationFactory directly instead of running the tested app with the Dotnet CLI would be useful. What's behind TestBasicOrchardFeaturesExceptRegistrationAsync would potentially need to be copied to be serious here, since if something changes in Orchard deliberately, it can fail. If you would like to know more about this PoC, head to YouTube for a recording! News from the community War in Ukraine and Lombiq War in Ukraine and Lombiq: How does it affect us at Lombiq and what we're doing to help: https://lombiq.com/blog/war-in-ukraine-and-lombiq Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 238 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Fix route ChangePasswordConfirmation, Fluid 2.2.14 - This week in Orchard (09/02/2022)

New custom path for the ChangePasswordConfirmation, Fluid 2.2.14 with several fixes and improvements, Orchard Core on the ASP.NET Community Standup are the topics of this week. Check out this post for the details! Orchard Core updates Fix route ChangePasswordConfirmation The idea is that now there is a custom route for the ChangePasswordConfirmation instead of using the generic one. So, the action OrchardCore.Users.Controllers.ChangePasswordConfirmation() is now mapped to /ChangePasswordConfirmation, because that action was mapped to /OrchardCore.Users/ChangePasswordConfirmation. And the documentation of Orchard Core has been also updated with this new custom path. Fluid 2.2.14 Fluid 2.2.14 has been released with several fixes and improvements. Let's see some of the changes here! The first one is about displaying the source of an error message. Now, if there is a parser error, it will tell you the location of the error (line and column) but it will also show the line with the error. And this way it's easier to understand where the issue is. And if you have multiple templates, for instance, then you don't have to guess what template contains the error because you can see the error directly. Now FluidParserOptions can be configured by using Fluid.MvcViewEngine. This introduces a small set of further changes to support the recent work allowing for FunctionValues. Update to FluidViewParser constructor to pass FluidParserOptions argument. Update to sample projects to use the new constructor. The next improvement is to fix some keyword conflicts. Someone finds an issue in Orchard is that if you have a variable that is named emptyThing, the parser would find that you mean the empty keyword and will fail saying what is this Thing after the empty? And it's the same for blank, true and false. So, if you have variable names starting with empty, you can have them now, this is what this PR is fixing. And another one is to implement offset continue. Now you can assign a range directly to a variable with this version. Before you could not. The second thing is that you can do offset with the keyword continue. So, in this case, continue is a keyword and what happens is that it will do another loop starting from where the previous loop stopped. So here, if you say limit: 2, it will start from the 4th item. And you can also pass another limit if you want. So, here the idea is that we loop for three items in the array, and then we loop again for the rest and display all the items. News from the community ASP.NET Community Standup - PO (portable object) localization with Orchard Core There was an ASP.NET Community Standup about localizing the .NET website. The topics were how the .NET websites have been localized using the Orchard Core localization package with PO files. Sébastien Ros did a demo about the package, explained how the localizer works, how to inject it, how to use the module, how to create a PO file, how to use pluralization, etc. If you would like to know more about localization, check out the recording of that standup meeting here! DotNest Core is on Orchard Core 1.2.2 DotNest Core is a complete redevelopment of the DotNest platform, all on the latest version of Orchard Core. We've been running it with a couple of select few customers for a while now, and it's time to open it up a bit more. While you can't yet simply create an Orchard Core-based DotNest site, you can sign up for our limited beta here. You'll soon be able to get a fully functional, reliably hosted Orchard Core site on DotNest where you can build your personal website or something to showcase your Orchard skills with. And now the DotNest Core sites run on Orchard Core 1.2.2! Do you want to have a hassle-free Orchard site running in the cloud? Then sign up for the beta here! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 239 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!

Orchard Core 1.2.2 release, Media search indexing - This week in Orchard (26/01/2022)

Orchard Core 1.2.2 is now available that addresses some other security issues. Check out this post to know the content of this release of Orchard Core and to see the latest features of the framework! Orchard Core updates Media search indexing The idea here was to allow to search for content in files. Last summer, you could see a demo in this This week in Orchard post that shows a feature that provides a simple implementation to index media for search. More precisely, it indexes media files related to content items, so said content items will turn up in search when one of their media files matches the search query. And now this feature is merged to the main branch of Orchard Core! Check out the updated documentation to know more! Remove multiple compilation paths on MediaTokenService From the next minor version, Orchard Core will only build with .NET 6.0, so we can remove all the things from the code that do not target .NET 6.0 specifically. This time the ParseQuery method of the MediaTokenService got simpler because now we don't need to use the slower version, we can use the fast version with structs now. Add response to SmtpResult When you send an SMTP request, the response can be read, and now you can do whatever you want with the response. We already know if it failed or not from the SmtpResult, but now there is even more information in the Response. News from the community Orchard Core 1.2.2 release Orchard Core 1.2.1 has been released a few days after the 1.2.0 one, and here comes 1.2.2 to address some other security issues. If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the newest released version of Orchard Core! Don't forget that 1.2.x is the latest minor version of Orchard Core that can be built by .NET Core 3.1 and .NET 5. If you take the main branch, it will only build with .NET 6.0, and the upcoming versions will be only shipped with .NET 6.0. .NET 6.0 is an LTS and shipped for many months now with some security updates already. It will also make the local builds with Visual Studio faster, the CI is faster because it doesn't have to build everything three times and run the tests three times. Now let's see the fix that is in this release! If you have a Link Field, you can provide a URL to that field, and the URL is now sanitized. Before this change, you could pass some JavaScript in the URL. With that what we are doing is checking the link that we are generating is sanitized. This issue was also in the Menu Item Link Field and also in the HTML Menu Item Link Field, so everywhere where we pass a link. Another fix was in the AuditTrailContentController.cs to be consistent with the other fixes. Error messages can't contain HTML and the issue that the _notifier.WarningAsync is asking for a LocalizedHtmlString. Why is it asking for a LocalizedHtmlString? It's because WarningAsync expects a LocalizedString using H[""]. In this case, the goal was to render an error message as a notification. But the error message is a string. So the developer decided to wrap the error message into a LocalizedHtmlString and pass it. And by doing that we say this is a safe string, this is already encoded, so it can be used in a view. This is what the H[""] does. So, everything here is safe. So, it can be passed as a LocalizedHtmlString. We are lucky that the error message is safe because internally it's a static string. But we don't do that, because it could be like some other developers will copy this code without understanding that this is safe or not. So, let's assume that it's not safe, and you shouldn't pass it as a LocalizedHtmlString, because that will prevent the notifier from encoding the result. The fix here is to pass the error message as an argument and because it's passed as an argument it will be encoded. So, this is how we pass a LocalizedHtmlString to a notifier from an unknown string safely. We can just pass it as an argument. And if you would like to know more about the fixed security issues, don't forget to check out this recording on YouTube! Looking for some useful Orchard Core extensions that can help improve your Orchard Core 1.2.2 application faster and easier? Here's a bundle solution of all of Lombiq's open-source Orchard Core extensions (modules and themes). Clone and try them out now! This is an Orchard Core CMS Visual Studio solution that contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries. And we have also updated the solution to use Orchard Core 1.2.2! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 240 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!

Orchard Core 1.2.1 release, Remove exists check for blobs - This week in Orchard (20/01/2022)

Orchard Core 1.2.1 is now available to fix some security issues. Check out this post to know the content of this release of Orchard Core and to see the latest features of the framework! Orchard Core updates Remove exists check for blobs Instead of querying the blob, if it exists any time, we just try to get it, and maybe the server will return with a BlobNotFound error. This way, if it's there, we prevent one external network communication to check if it's there before asking for it. So, we just ask for it, and then if it fails, it fails. It's a pretty common issue with Blob Storage because of its high latency you need to do as few communications as you can. Starting background tasks without waiting for initialized tenants You can have a scenario where you would like Orchard itself to starts its background tasks without the need of a request for each one of the tenants. Until now, you need to make a request to as parent tenant and to every child tenant to be sure background tasks of each tenant start to run. So, by default background tasks are waiting for their shell to be lazily built on a first matching request. From now, you have a ShellWarmup bool option in the appsettings.json that allows you to eagerly build shells just before executing their first background task. News from the community Orchard Core 1.2.1 release Orchard Core 1.2.0 has been released on the 6th of January. But after a few days, a vulnerability security issue has been filed. That's the reason why the community had to create a new Orchard Core 1.2.1 release, to fix that security issue. You can update to the new version as usual. If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the newest released version of Orchard Core! But let's see the fix that is in this release! It's not critical in the way that only users that are authenticated and have access to the dashboard can do things. Looking at the security issue and then how to not have them anymore. These are XSS issues, which means you can inject custom JavaScript in a page that could be triggered automatically, and then if you inject some fancy JavaScript you can force a user to submit queries and on this site, you could extract secrets or have them do things they don't want to do on the site. We encode everything we output. This means if the thing you output contains some JavaScript, it will be encoded, which means it will be rendered and not the JavaScript itself to be executed. In this case here, what was happening is that the translation was called on a variable, but we can't translate it. When we call T[], the IHtmlLocalizer will lookup for this text. If it finds this text in the translations, it will render the translation, otherwise, it will render the text as-is. That's why we always pass the English versions, such that if it doesn't find a localization, it will render this text in English. So, we don't have to create the translation for English, we just use that key that we passed. But the T[""] can contain HTML. And that's how we do to translate notifications, links, and stuff like this. And because it can contain HTML, the @ before that will just render it as is. So, whatever is passed there, it will be rendered as-is and not encoded. If we put some HTML or JavaScript inside that, this will be rendered as is and not encoded. What happened there is that when we do any string, like @T["Add widget"] is fine because we know this is a static string to generate. So, we know what we are rendering. But when we do it in a variable like @T[item.value], it can contain anything. And we don't know what it contains. And if it's user inputted, then there can be bad issues. So, we should never translate a user inputted value like this. This is an encoding issue over a bug. This is a list of SelectListItem, which itself contain a localized string instantiated value. There is no reason to use a localized string here. We use localized string as a type when we know that the property needs to be a localized string and should be a sign with a call to T for instance. This piece of code from the DashboardController is just to list the display name of the content type and the technical name of the content type. It's just a list of content types to allow you to create a new content item based on the type. The first solution is to don't translate variables. We have the design and started the PR for dynamic content translations, which is supposed to fix that, to provide a solution to be able to translate content types, permissions, and all the things that are user inputted and dynamic in the database (not static text). We should either not translate dynamic variables or use the new localization PR. The second option is to explicitly encode it for just this vulnerability. In this case, it's not breaking anyone, and it's secure because here, we explicitly translate the encoded value of the display name. So, it would break people who have spaces in their content type display name, because now they have to translate Foo content&nbps;type not Foo content type. .NET Foundation Most Active Community Projects 2021 Shaun Walker shared this image on Twitter that contains the most active community projects based on the number of pull requests, the number of commits, and the number of new contributors. As you can see, Orchard has 1507 pull requests in 2021, which is great. Orchard has 1291 commits, which is weird. Why do we have more pull requests than commits? Do we really close that many pull requests? We have some mini PRs created by Dependabot. And we haven't talked about which projects are using squash and merge and which projects aren't. But it's still a nice thing to be able to see Orchard in the top 10! :) Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 238 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!

Google Tag Manager, User Approval feature - This week in Orchard (06/08/2021)

We promised that we will continue showing you the newest features and additions of Orchard Core 1.0 this week too! Well, we still have a lot to write about, so without any further ado, let's get started! Orchard Core updates Add user approval feature The user registration process, whether from the Registration controller, or via an ExternalLoginProvider had no features to moderate a user. In Orchard 1 we could moderate users, through an approval process. A new user registering when moderation was required, would not be logged in to the site, but redirected to the registration pending page, (and workflows invoked, to start the moderation process). We already have the IsEnabled bool, but no way to control both local registration and external registration. This change adds a UsersAreModerated setting to the user registration feature. When set true all users, whether registering via an external provider, or direct through the registration controller, will require approval, i.e., their account set IsEnabled = true before they are logged into the site. It also prevents external users from being automatically logged in if they have not confirmed their email address (if the confirmation email setting is set to true). Register user workflow updated to support the feature as well. Let's see this one quickly in action! First of all, you need to enable the Users Registration feature that allows external users to sign up to the site and ask to confirm their email. Now you can head to Security -> Settings -> User Registration, where you will see a new option: Users must be approved before they can log in. Put a tick in this checkbox and, don't forget to select the AllowRegistration option from the select list. Now, let's register with a new user! If you create a new account and hit the Register button, you will find the following screen meaning that an admin needs to approve your account before it can be used. Let's see how you can use this one in workflows! Navigate to Workflows -> Create Workflow, and after you add a name to your workflow, hit the Add Task button. Find the Register User task from the list, and the editor of this task will contain a Users must be approved before they can log in checkbox. Now let's see how we can approve the newly registered users! If you navigate to Security -> Users on the admin UI, you will see a list that contains all the available users in the system, and you will also find a red badge with a Disabled text near the users who are not enabled yet. If you click on the Edit button near a disabled user, you can simply use the Is enabled? switch to enable the given user. After that, the user with the user name: newuser now can log in. OpenID Client parameters The OpenIdConnectOptions support an OnRedirectToIdentityProvider event feature which allows the setting of custom parameters on the protocol message when generating an OpenIdConnectMessage to an external provider. Sometimes you need to be able to send some custom parameters to some of your tenant's AzureB2C auth servers (but not all, and it varies per tenant). options.Events.OnRedirectToIdentityProvider = (context) =>{ context.ProtocolMessage.SetParameter("foo", "bar"); return Task.CompletedTask;}; The solution here would be to have editable parameter (kvp) options on the OpenIdConnectSettings so you can configure different tenants to use different custom parameters. To test this out, you need to enable the OpenID Client feature under Configuration -> Features. After, head to Security -> OpenID Connect -> Authentication client, where you will see the new table called Advanced Parameters. Google Tag Manager Google describes its Tag Manager product as a 'Tag Management System' (TMS). That’s an excellent way to think about it. It does for a website’s tags what a Content Management System (CMS) does for its content. The service provides an interface through which to create and track all the tags your site needs. You no longer have to code each tag manually. Instead, you can create all your tags through the interface. Tag Manager will then implement them for your site. That is if you’ve embedded a straightforward piece of Tag Manager code into each page of the website. The Google Tag Manager container snippet is a small piece of JavaScript and non-JavaScript code that you paste into your pages. It enables Tag Manager to fire tags by inserting gtm.js into the page (or through the use of an iframe when JavaScript isn't available). But how can we use Google Tag Manager in our Orchard Core site? Well, first of all, you have to navigate to the Google Tag Manager portal and create a Tag Manager account. This will give you a generated Container ID for you to use on your website. Copy this ID, we will need it later! Now, enable the Google Tag Manager feature on your Orchard Core site and head to Configuration -> Google Tag Manager. Paste the Container ID here and hit Save. This will mean that the required JavaScript code for Google Tag Manager will be registered for every page on the front-end. News from the community Updated Orchard Core sites OrchardCore.net is the official website for Orchard Core. Try Orchard Core is the place where you can easily set up an Orchard Core site within a few minutes and try out the features of Orchard Core. Both of these sites have been updated to Orchard Core 1.0! Head to Try Orchard Core to try out Orchard Core 1.0 now! The OrchardCore.Samples repository contains a sample Multi-tenant application and a Modular application demonstrating how to build a Modular and a Multi-Tenant ASP.NET Core application using the Orchard Core Framework. This solution is also using Orchard Core 1.0 now, you should check out this solution to see some nice code examples! DotNest Core DotNest Core is a complete redevelopment of the DotNest platform, all on the latest version of Orchard Core. We've been running it with a couple of select few customers for a while now, and it's time to open it up a bit more. While you can't yet just simply create an Orchard Core-based DotNest site, you can sign up for our limited beta here. You'll soon be able to get a fully functional, reliably hosted Orchard Core site on DotNest where you can build your personal website or something to showcase your Orchard skills with. Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 214 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here!

Code Generation Templates for .NET 5, Fluid 2 breaking changes - This week in Orchard (18/04/2021)

This week we will do some deep dives and take a look at the latest changes of Fluid 2. After, you can see how you can register your custom resources in Orchard Core and how to use the updated code generation templates with .NET 5! Check out our post for more! Orchard Core updates Fluid 2 breaking changes and fixes Let's say you had an expression something like foo != null and foo != "*" in your Liquid code. There are two things here: the null doesn't exist in Liquid. There is no such thing as null in Liquid. When you write null, it's like typing bread, there's nothing like bread in Liquid. Typing foo != null in this case is just about making sure that foo does really exists. Is it set to something? If you would like to check for null, you have to use nil because in Liquid that's how we check for null values. And let's say you write foo != "*" and foo =! null, that means you change the order here. Or let's say you have a code in Liquid like a or b and c or d and e. If you do it in C#, if you have an and and the first part of the expression is false, it won't check the value of the other parts, it will return with false. In Liquid, this is the opposite. In C#, the evaluation of this expression will happen from left to right but in Liquid it will happen from right to left. Let's see an example with this expression: 1 == 2 or b == 3 Liquid will start the evaluation of this expression in the following way: 1 == 2 or (b == 3) 1 == (2 or (b == 3)) (1 == (2 or (b == 3))) So, it will never check that when 1 will be equals to 2 because the evaluation will start from the right. This has been fixed in this version and Fluid now supports the following processing of the evaluation: (1 == 2) or (b == 3) So if you wrote foo != "*" and foo != null it was first checks if the foo is not equal to null. Then it will go to foo != ("*" and (foo != null)). Let's say you do something in your templates like: {% assign foo = 1 + 2 %} This is not valid in Liquid. In Liquid, there are no such operators like +, -, *, /. They are don't exist. They are supported in the first version of Fluid but now it has been removed to be close to the specification, so it's now not supported anymore. What you need to do actually is to change your operators in a way like {% assign foo = 1 |plus: 2 %}. The goal of doing that from the Liquid templating language is to be able to distinguish how to behave in terms of numeric operators and string operators. So if you have the following line of code in Liquid, the result you will get will be 12, not 3. {% assign foo = 1 |append: 2 %} If you have operators in your code, don't forget to rewrite them in the mentioned way. ResourceManifest breaking changes A resource used to be declared by implementing the IResourceManifestProvider interface that was resolved all the time on every page rendering and this change is about to redefine that. Now it's not using IResourceManifestProvider anymore, there is no such interface. You need to create an IConfigureOptions<ResourceManagementOptions> of a ResourceManagementOptions. The ResourceManagementOptions is just a class that can be resolved everywhere. It can be configured in the startup. And in this case, what we do is that is a static constructor of this class is instantiating one manifest instance, and then when the option is configured for every tenant, it's adding this instance (which is immutable) to the list of resource manifests that is in the ResourceManagementOptions class. Your own configuration can even remove existing manifests from the resource manifest or replace them with something else or add new ones. So, the two things here are that now we use the Options pattern from ASP.NET which is more standard. It's also better in terms of performance because it's a singleton for all the tenants. And here we are initializing the ResourceManifest instance in a static property. It's done once for all the tenants, even if you have one thousand tenants, there will be one instance of the ResourceManifest. Modifying the Lucene API To accept Post Form Data Now you can invoke Lucene queries with POST and GET requests too. And there are two methods: a route called content to get the content items and a route called documents to get the full JSON document. Add support for collections to OpenID Tokens Today all the documents are stored in a table called Documents. YesSql supports the notion of collections, which is a way to store some specific types or classes in different document tables to isolate them. So, instead of having everything in the same Documents table, you can have different document tables. When the content of this table can be isolated from the rest, you should do that. This is the case for the OpenId module. There are different levels of isolation. You could say every class should have its own document table. You could say also that every module can have its own document table. And then you can say that everything will go to the same document table. In this case, everything related to OpenId will go to the OpenId document table, which means everything in the collection named OpenId. This configuration tells YesSql there is a collection named OpenId. But how can you use that collection when you do queries? In this case, you have to say to query a class in a collection named OpenId. It will request that document table and get all the indexes that all related to this document table. We also do that when one of the classes has lots of items so it can scale better than putting everything in the same table. Like if you have one million content items it will be slow. In that case, it should be in their own custom collection. Demos Code generation templates for .NET 5 If you install the project templates pointing to the preview source, you are able to use new command line commands when generating an Orchard CMS Web Application to use the .NET 5 framework. You can find every information more detailed on this page of the Orchard core documentation. Right now we will just focus on the new stuff. So, don't forget to install the Orchard CMS templates for creating web applications. You will need to use the latest dev branch of Orchard Core to be able to use .NET 5, so this will be your command: dotnet new -i OrchardCore.ProjectTemplates::1.0.0-rc2-* --nuget-source https://nuget.cloudsmith.io/orchardcore/preview/v3/index.json If you do that, you can head to the folder where you would like to create your new solution. The only thing you have to do is to type the following line: dotnet new occms --framework net5.0 This means the .NET framework 5.0 will be used. If you don't use the --framework or the --fm options, your web application will be using the .NET Core framework 3.1. A number of predefined projects and item templates are installed with Visual Studio. These templates, such as the ASP.NET Web Application and Class Library templates, are available to choose from when you create a new project. Item templates, such as code files, XML files, HTML pages, and Style Sheets, appear in the Add New Item window. These templates provide a starting point for users to begin creating projects, or to expand existing projects. Project templates provide the files that are required for a particular project type, include standard assembly references, and set default project properties and compiler options. Item templates can range in complexity from a single empty file that has a certain file extension to multiple source code files with stub code, designer information files, and embedded resources. You may know that we have some Visual Studio Project Templates for Orchard Core too (we wrote about them in this post). It's still a preview feature in Visual Studio, so, you need to navigate to Tools -> Options -> Environment -> Preview Features and put a tick in the Show all .NET Core templates in the New Project dialog (requires restart) checkbox. After you can just say I want to create a new project File -> New -> Project and you will be able to select the Orchard Core one as the project type. Let's select the Orchard Core Cms Web App (Orchard Project) one for example. After you can set the name of the project, the location, and the name of your solution. The next, Additional information window will contain the property that we are focusing on right now. As you see on the screen, you can select which kind of framework you would like to use for your web application. It can be .NET Core 3.1 and .NET 5.0 as well. The default is .NET Core 3.1 in this case too. Here we are just creating our new solution using the name Test. And if we open up the Test.csproj file, we will see the following content here, where the value of the TargetFramework will be set to net5.0. If you would like to know more don't forget to check out a previous This week in Orchard post, where we first wrote about this topic. And as always, here comes the recording of this demo! News from the community Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 196 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!