Our blog contains the activity stream of Orchard Dojo: general news, new resources or tutorials are announced here.


Secure Media feature, add a way to hide ContentTypeDefinitionSettings - This week in Orchard (19/04/2024)

Consolidate admin required fields, add a way to hide ContentTypeDefinitionSettings, and a demo about the brand-new Secure Media feature! Let's see the details!

Orchard Core updates

Consolidate admin required fields

Content fields and some parts added to a content type can be set as required, but nothing shows this before the form is submitted. The validation messages for required fields were also inconsistent: some ended with a dot, some didn't, some used '' for the value, and some spelled out the value name in the text. On top of that, the messages only appeared in the validation summary, not under the required field itself, except for TitlePart, where everything was already correct. All error messages should use the same format and text, for example: Please add value for '{0}'. A CSS class should mark every required field label so that required fields can be identified in the content item form, and the required validation message should be displayed under each validated field. As you can see in the screen below, the community consolidated the admin required fields with the following steps:

- Add a star character to all required field labels.
- Add a validation message under each required input field, like in TitlePart.
- Use one consistent color for the star and the validation error messages.
- Consolidate the error message texts.
- Remove client-side validation from the inputs, because the form behaved inconsistently depending on the browser, the selected locale, etc.

Add a way to hide ContentTypeDefinitionSettings

The intention behind this change was to add a configuration that shows or hides the creatable, listable, draftable, versionable, and securable flags. There is a new ContentTypeDefinitionDriverOptions class with boolean values that control whether the creatable, listable, draftable, versionable, and securable options are shown when editing the content definition of a content type on the admin UI.
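As an added example (not copied from Orchard Core's source), this is how a module can register such options for a stereotype, so that every content type carrying that stereotype loses the flags that make no sense for it. The services.Configure<ContentTypeDefinitionOptions>(...) call and the Stereotypes dictionary are assumed from the class names mentioned in this post, and the namespace is a guess; check both against the Orchard Core version you build against.

```csharp
using Microsoft.Extensions.DependencyInjection;
using OrchardCore.ContentTypes.Editors; // namespace assumed; adjust to your Orchard Core version
using OrchardCore.Modules;

// Added example: hide the content type flags that are meaningless for a
// settings-like stereotype. The Stereotypes dictionary name is an assumption.
public sealed class Startup : StartupBase
{
    public override void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ContentTypeDefinitionOptions>(options =>
        {
            // TryAdd, so a host or another module that already configured this
            // stereotype wins instead of being silently overwritten.
            options.Stereotypes.TryAdd("CustomUserSettings", new ContentTypeDefinitionDriverOptions
            {
                ShowCreatable = false,
                ShowListable = false,
                ShowDraftable = false,
                ShowVersionable = false,
                // ShowSecurable is intentionally left at its default (true): who may
                // read or edit the settings still has to be controllable per role.
            });
        });
    }
}
```

Keeping ShowSecurable visible is the security-relevant part: hiding the flags that do nothing for a settings type is a UI cleanup, but the securable flag is what lets you attach permissions to the type, so a module should only switch off what it is sure is irrelevant.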
The ContentTypeDefinitionOptions class offers a way to configure, per content type definition, whether these global settings appear on the UI. In certain cases, like when creating CustomSettings or CustomUserSettings, these options are useless, so it is better to hide them since they do nothing. To quickly demonstrate this change, we enabled the Custom User Settings feature under Configuration -> Features. Then we navigated to Content -> Content Definition -> Content Types and created a new content type called UserProfile. We added some fields to it and set the stereotype to CustomUserSettings to be able to use this content type as a custom user setting. As you can see, only the Securable checkbox is there; we can't set the other content type definition flags like creatable, listable, etc. The reason is that in the Startup.cs file of the OrchardCore.Users module, the boolean values of the ContentTypeDefinitionDriverOptions class are set for the CustomUserSettings stereotype, but ShowSecurable is left untouched, so it keeps its default value of true.

Demos

Secure Media feature

This demo is about the brand-new Secure Media feature for additional control over who can access media files. The key features include:

- Restricted access to media folders: a view permission is created for the root media folder and each first-level folder within the media root, allowing administrators to restrict access based on user roles.
- Enhanced viewing permissions: introduces permissions to view one's own media files and/or those of others, expanding upon the existing ManageOwnMedia permission.
- Consistent access rules for media and content items: media attached to content items adheres to the ViewContent permission of the respective content item, so media and content items follow the same access rules.
- Protection for temporary attached media files: secures temporary attached media files in a manner similar to personal user files.
- Improved management permissions in admin: refines the manage media permissions so that media can only be managed when viewing permissions are also granted. This prevents users from managing media they cannot view. Additionally, the creation and deletion buttons in the admin interface are disabled for folders that would not be accessible after creation, and for special folders like "_Users" and "mediafields".
- Handling unauthorized access: introduces a middleware that returns a 404 NotFound response for unauthenticated access attempts to secured media files. This not only restricts access but also conceals the existence of the file (a 403 would confirm that the file exists).
- Configurable Cache-Control for secured files: sets the Cache-Control header of secured files to no-store by default, so neither browsers nor intermediate caches keep a copy that could later be served without the permission check. This setting is configurable to suit different needs.
- Bearer token authentication for API access: enables bearer token authentication for media files, aligning with Orchard Core's API capabilities. This is particularly useful for headless CMS scenarios and external application integrations.

We will not do a deep dive here but will demonstrate some of the features above. First, enable the feature itself under Configuration -> Features, where you will find the Secure Media feature. After enabling it, add a new folder to the root of the media library under Content -> Media Library. We named it secure and placed a file into it. Now navigate to Security -> Roles and find the section called Secure Media. By default, everyone can see everything, so nothing changes just by enabling the feature. Permissions currently only exist for the root folder and the first folder level, which means you can only have one tier of secured media folders: subfolders cannot get permissions of their own.
As you can see here, you can define who can view media content in our newly created folder called secure. Now let's play a little with the permissions and say that Anonymous users and Editor users don't have permission to view media content inside the secure folder. To test this, we created a new user with the Editor role and logged in with it. Open the admin UI of Orchard Core and the Media Library: this user can't see the folder called secure and can't access the files inside it. As always, if you want to see more about this new feature, head to YouTube for a recording!

News from the community

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 471 subscribers! We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Orchard Core 1.8.2, migrate the OpenID module to OpenIddict 5 - This week in Orchard (19/01/2024)

Migrate the OpenID module to OpenIddict 5, fix the FormatException when the login screen is posted with values other than true/false for RememberMe, and announcing Orchard Core 1.8.2! Without any further ado, let's get started!

Orchard Core updates

Migrate the OpenID module to OpenIddict 5

This is about updating the OpenID module to use OpenIddict 5.0, which shipped in December. With OpenIddict 5.0 now generally available, the previous version, OpenIddict 4.0, is no longer supported and won't receive bug fixes or security updates, so migrating to OpenIddict 5.0 is recommended to keep receiving them. This change reacts to the breaking changes introduced by the new major version by adding new store methods and updating the ones whose signature has changed. Note that while OpenIddict 5.0 supports new features, this change doesn't expose them via the Orchard Core admin UI. If you want to know more about the latest version of OpenIddict, check out this great post from Kévin Chalet!

Fixing FormatException when the login screen is posted with values other than true/false for RememberMe

If any non-boolean value (e.g., "1" or "cicaisahungarianword") is posted for the RememberMe input field on the login screen, you get an exception. A normal user would never do this, but it surfaced in the pentest attacks of Zed Attack Proxy (ZAP), a very popular open-source security scanner that can check your application for security issues. If you don't know ZAP and would like to know more about it, check out our post from last month. Adding input validation here is necessary to avoid 500s: a request handler that crashes on unexpected input is exactly what a scanner flags, even when the crash itself isn't exploitable. You can easily reproduce the issue by following these steps:

1. Go to /Login.
2. Set the value attribute of RememberMe to anything but "true" or "false", e.g., from the Dev Tools of Google Chrome.
3. Tick the checkbox.
4. Click Log in.
5. See the HTTP 500 error page.
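The failure mode and its fix side by side, as an added example that is not the Orchard Core code from the PR: a login action that parses the RememberMe field strictly turns any unexpected value into an unhandled FormatException (hence the 500 that ZAP reported), while validating the value turns it into an ordinary validation error. The LoginInput type and the two action names are hypothetical; only the RememberMe field name comes from the post.

```csharp
using Microsoft.AspNetCore.Mvc;

// Added example, not Orchard Core's actual controller. The input type and action
// names are hypothetical; RememberMe is kept as a string so the raw posted value
// ("1", "cicaisahungarianword", ...) reaches the action unchanged.
public sealed class LoginInput
{
    public string UserName { get; set; } = string.Empty;
    public string Password { get; set; } = string.Empty;
    public string? RememberMe { get; set; }
}

public sealed class LoginController : Controller
{
    // Before the fix: bool.Parse accepts only "true"/"false" (case-insensitive, trimmed)
    // and throws FormatException for anything else. An exception escaping an action
    // is turned into an HTTP 500 by the pipeline, which is what the scanner flagged.
    [HttpPost]
    public IActionResult LoginBefore(LoginInput input)
    {
        var rememberMe = bool.Parse(input.RememberMe ?? "false");
        return Ok(new { rememberMe });
    }

    // After the fix: treat the field as untrusted input and validate it. A bad value
    // becomes a normal model validation error rendered back on the login form,
    // so the client gets a validation message instead of a crash.
    [HttpPost]
    public IActionResult LoginAfter(LoginInput input)
    {
        if (!bool.TryParse(input.RememberMe ?? "false", out var rememberMe))
        {
            ModelState.AddModelError(nameof(LoginInput.RememberMe), "Remember Me must be true or false.");
        }

        if (!ModelState.IsValid)
        {
            return View("Login", input);
        }

        return Ok(new { rememberMe });
    }
}
```

The general rule the fix follows: anything that arrives in a form post is attacker-controlled, so use the TryParse family (or model binding with ModelState checks) rather than Parse, and make sure no exception can escape an authentication endpoint.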
From now on, a validation error appears instead of a 5xx one.

News from the community

Orchard Core 1.8.2

Orchard Core 1.8.2 was released a few days after 1.8.1 to address two issues of the 1.8.1 release. The first was that the admin language switcher (admin culture picker) was not working: it stayed in the same language regardless of what you chose. The second fixes the display name of content fields. Add a boolean field to a content type with MyBooleanField as the technical name and My Boolean Field as the display name: as you can see in the screen below, the Display Name was equal to the Technical Name. If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the newest released version of Orchard Core! Upgrade your solution to 1.8.2 now! Feel free to drop by the dedicated Gitter chat or use the Discussions on GitHub and ask questions! As we mentioned, Orchard Core is available as a NuGet package which you can easily add to your ASP.NET Core solution. Here's how you can get started with Orchard Core.

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 480 subscribers! We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Introducing ConfigureAsync method, Security scanning with ZAP in the Lombiq UI Testing Toolbox - This week in Orchard (22/12/2023)

Introducing the ConfigureAsync method and the IAsyncConfigureOptions interface, a demo about security scanning with ZAP in the Lombiq UI Testing Toolbox, and some photos of our Christmas event! Let's see the details!

Orchard Core updates

Introducing ConfigureAsync method

In the Startup files, you can use the Configure method to configure the tenant pipeline. Now, if you implement the IAsyncStartup interface, you can configure the tenant pipeline asynchronously using the new ConfigureAsync method, which should make tenant initialization much faster in a SaaS environment. Here you can see an example of how to use this method in the Startup file of the Localization module, where we no longer need to block on async code with GetAwaiter() and GetResult() when getting the default culture and the supported cultures.

IAsyncConfigureOptions interface

In this PR, Jean-Thierry Kéchichian introduced the IAsyncOptions and IAsyncConfigureOptions<TOptions> interfaces that can be used across your Orchard Core solution. IAsyncConfigureOptions configures a type of options asynchronously just after a tenant container is created, and IAsyncOptions marks an options type that is intended to be registered as a singleton and configured asynchronously by an IAsyncConfigureOptions<TOptions> at that point. For example, BlobOptions is registered once as a singleton and configured asynchronously once by BlobOptionsSetup.ConfigureAsync() just after the tenant container is created, using this single line of code: services.Configure<BlobOptions, BlobOptionsSetup>().

Demos

Security scanning with ZAP in the Lombiq UI Testing Toolbox

Maybe you have already heard about the Lombiq UI Testing Toolbox, our web UI testing toolbox mostly for Orchard Core applications. Everything you need to do UI testing with Selenium for an Orchard app is here.
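As an added example for the IAsyncConfigureOptions<TOptions> interface described under Orchard Core updates above (this is not the BlobOptions code from the PR), here is an options type whose value is loaded asynchronously from the tenant's site settings. The TenantBannerOptions and TenantBannerOptionsSetup names are made up, the ValueTask return type of ConfigureAsync and the namespace the interfaces live in are assumptions to check against your Orchard Core version; ISiteService.GetSiteSettingsAsync() is the existing Orchard Core API.

```csharp
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options; // assumed namespace of IAsyncOptions / IAsyncConfigureOptions<T>; adjust if needed
using OrchardCore.Modules;
using OrchardCore.Settings;

// Added example. IAsyncOptions marks the type as "registered as a singleton and
// configured once, asynchronously, right after the tenant container is created".
public sealed class TenantBannerOptions : IAsyncOptions
{
    public string Text { get; set; } = string.Empty;
}

// The async counterpart of IConfigureOptions<TOptions>: I/O can be awaited here
// instead of being blocked on with GetAwaiter().GetResult(). The ValueTask
// return type is an assumption about the interface's signature.
public sealed class TenantBannerOptionsSetup : IAsyncConfigureOptions<TenantBannerOptions>
{
    private readonly ISiteService _siteService;

    public TenantBannerOptionsSetup(ISiteService siteService) => _siteService = siteService;

    public async ValueTask ConfigureAsync(TenantBannerOptions options)
    {
        // Runs once per tenant container. Site settings are tenant-specific, so the
        // resulting singleton is also per tenant and never leaks across tenants.
        var site = await _siteService.GetSiteSettingsAsync();
        options.Text = $"Welcome to {site.SiteName}";
    }
}

public sealed class Startup : StartupBase
{
    public override void ConfigureServices(IServiceCollection services)
    {
        // The same one-liner the post shows for BlobOptions/BlobOptionsSetup.
        services.Configure<TenantBannerOptions, TenantBannerOptionsSetup>();
    }
}
```

The practical payoff is the same one the Localization example above gets: configuration that needs a database or network round trip no longer has to block a thread-pool thread during tenant start-up, which matters when many tenants are initialized at once.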
We wrote about it several times here as well: when we open-sourced it, when we added the Orchard Core Features tests, when we added the automated monkey testing feature, and when we introduced visual verification testing. At the end of last year, we showed you the latest updates about integrating UI testing into Orchard Core and how you can use WebApplicationFactory, a fake video capture source, or the interactive mode. This time, we will check out a slightly different topic: security scanning! Security matters: you don't want your web app to be used for spamming or cryptocurrency mining, and you don't want your users' data to be lost or end up in the wrong hands. There are many layers to securing an application and to verifying that it is secure, including manual reviews and static code analysis. Another layer is penetration testing, where somebody tries to break your application or get into it in a way they shouldn't be able to. Pen testers use tools, and one of the most widely used is the Zed Attack Proxy (ZAP), a very popular open-source security scanner. It is a Java application that checks web apps for general web application security issues. It can scan passively (only inspecting the traffic that flows through it) and actively (sending potentially harmful requests to probe for issues, so only point it at a test instance), so let's see it in action and see how to automate those scans! The easiest way is to clone Lombiq's Open-Source Orchard Core Extensions solution. This Orchard Core Visual Studio solution contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries, including our UI Testing Toolbox for Orchard Core, which contains a feature for ZAP. It has quite detailed documentation about this, but more importantly, it also has samples.

Here you can run ZAP from the .NET API. The basic sample is a simple scan, but you can get more out of the .NET API by adding some configuration, as you can see on the screen. The SecurityScanWithCustomConfigurationShouldPass method adds configuration: you can exclude URLs from the scan, disable rules for just a given URL, and authenticate, and since this is a test, you can also assert on the results. The results are not only available as a human-readable HTML report but also as SARIF JSON, which is a standard format for sharing such scan results. Do you want to know more about how to do an automated security scan of your Orchard Core app with ZAP? Check out our post in Orchard Dojo about it, and don't forget to head to YouTube for a recording to see how you can run these tests from Visual Studio!

News from the community

Christmas in Lombiq

Sometimes we do stuff. Together. Not (just) in front of computer screens. These are some usual events in Lombiq that are all announced and arranged in advance. We periodically have an event called RnDay: this is a few-hour-long event where we share what we recently worked on and what we plan to do. E.g., if we recently finished a project, then the project's team members demo what they've done. We had our last RnDay of this year in the Loffice, a coworking and event space, and at the end of the day we visited a nearby restaurant to have dinner together. We would like to thank you all for reading our posts and making the Orchard community stronger together with us! We hope that we can give you valuable news and demos about the happenings around Orchard and Orchard Core from time to time through our posts and of course the This week in Orchard newsletter. We would like to wish everyone a Merry Christmas with some photos of our latest event!

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 486 subscribers!
We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

How to do a security scan of an Orchard Core app - Orchard Core Nuggets

You don't want malicious people to crack your web apps to use them for spamming, cryptocurrency mining, and spreading malware, nor do you want them to get access to your users' personal data (if you actually do want to cooperate with criminals, you don't need to read further). Thus, you want your app to be secure. One aspect of achieving this is to do penetration testing on your app. Thankfully, much of this can be automated, and with the help of the Lombiq UI Testing Toolbox for Orchard Core and Zed Attack Proxy (ZAP) you can conveniently do this for your Orchard Core app. Let's see how!

1. Install v8.2.1-alpha.6.osoe-351 or greater of the UI Testing Toolbox from NuGet, because that's the version that added security scanning. It contains a couple of minor breaking changes that should affect nobody, really, so it'll be part of the upcoming v9.0.0 (for which we're waiting for Orchard Core 1.8).
2. Set up UI testing as explained in the UI Testing Toolbox's documentation. While we're focusing on security scanning here, the UI Testing Toolbox can do a lot, and I really mean a lot more, including one-liners to test if the basic Orchard Core features still work in your app, or unleashing automated monkey testing to try to break your app. We never work on an Orchard Core app without its safety net!
3. Add one or more test cases to run ZAP's security scan. Since all the configuration of ZAP is available to you, customization is unlimited, but to give you a glimpse, this is what a basic security scan that's already a good start looks like:

    [Fact]
    public Task BasicSecurityScanShouldPass() =>
        ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());

And that's it! OK, I might have omitted the last step here:

4. Fix all the security issues ZAP finds, because it'll definitely find at least a couple of them!
This was just a short teaser, but be sure to check out the UI Testing Toolbox's security scanning documentation, because we tried to summarize everything necessary to get you going there, including samples that you can just copy-paste. Do you want to see security scanning in action? Check out the demo video too! Also, security starts with quality code. Check out our Lombiq .NET Analyzers project to get automated checks for your code too, including pointing out potential security issues even before running the app. Did you like this post? It's part of our Orchard Core Nuggets series where we answer common Orchard questions, be it about user-facing features or developer-level issues. Check out the other posts for more such bite-sized Orchard Core tips and let us know if you have another question!