Obsolete SiteOwner claim and fix OpenId (#17089)

MikeAlhayek · web-flow · commit 1682bdb58b60 · 2024-11-27T20:50:25.000-08:00
diff --git a/src/OrchardCore.Modules/OrchardCore.Roles/Services/RoleClaimsProvider.cs b/src/OrchardCore.Modules/OrchardCore.Roles/Services/RoleClaimsProvider.cs
@@ -33,17 +33,19 @@ public async Task GenerateAsync(IUser user, ClaimsIdentity claims)
             return;
         }
 
+        var roleNames = await _userManager.GetRolesAsync(user);
+
         var isAdministrator = false;
 
-        if (await _userManager.IsInRoleAsync(user, await _systemRoleNameProvider.GetAdminRoleAsync()))
+        foreach (var roleName in roleNames)
         {
-            claims.AddClaim(StandardClaims.SiteOwner);
-
-            isAdministrator = true;
+            if (await _systemRoleNameProvider.IsAdminRoleAsync(roleName))
+            {
+                isAdministrator = true;
+                break;
+            }
         }
 
-        var roleNames = await _userManager.GetRolesAsync(user);
-
         foreach (var roleName in roleNames)
         {
             claims.AddClaim(new Claim(_identityOptions.ClaimsIdentity.RoleClaimType, roleName));
diff --git a/src/OrchardCore.Modules/OrchardCore.Settings/OrchardCore.Settings.csproj b/src/OrchardCore.Modules/OrchardCore.Settings/OrchardCore.Settings.csproj
@@ -23,6 +23,7 @@
     <ProjectReference Include="..\..\OrchardCore\OrchardCore.Navigation.Core\OrchardCore.Navigation.Core.csproj" />
     <ProjectReference Include="..\..\OrchardCore\OrchardCore.Liquid.Abstractions\OrchardCore.Liquid.Abstractions.csproj" />
     <ProjectReference Include="..\..\OrchardCore\OrchardCore.Recipes.Abstractions\OrchardCore.Recipes.Abstractions.csproj" />
+    <ProjectReference Include="..\..\OrchardCore\OrchardCore.Roles.Core\OrchardCore.Roles.Core.csproj" />
     <ProjectReference Include="..\..\OrchardCore\OrchardCore.Settings.Core\OrchardCore.Settings.Core.csproj" />
     <ProjectReference Include="..\..\OrchardCore\OrchardCore.Setup.Abstractions\OrchardCore.Setup.Abstractions.csproj" />
   </ItemGroup>
diff --git a/src/OrchardCore.Modules/OrchardCore.Settings/Services/SuperUserHandler.cs b/src/OrchardCore.Modules/OrchardCore.Settings/Services/SuperUserHandler.cs
@@ -1,5 +1,6 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Authorization;
+using OrchardCore.Roles;
 using OrchardCore.Security;
 
 namespace OrchardCore.Settings.Services;
@@ -10,10 +11,14 @@ namespace OrchardCore.Settings.Services;
 public class SuperUserHandler : IAuthorizationHandler
 {
     private readonly ISiteService _siteService;
+    private readonly ISystemRoleNameProvider _systemRoleNameProvider;
 
-    public SuperUserHandler(ISiteService siteService)
+    public SuperUserHandler(
+        ISiteService siteService,
+        ISystemRoleNameProvider systemRoleNameProvider)
     {
         _siteService = siteService;
+        _systemRoleNameProvider = systemRoleNameProvider;
     }
 
     public async Task HandleAsync(AuthorizationHandlerContext context)
@@ -25,7 +30,7 @@ public async Task HandleAsync(AuthorizationHandlerContext context)
             return;
         }
 
-        if (user.HasClaim(StandardClaims.SiteOwner.Type, StandardClaims.SiteOwner.Value))
+        if (user.IsInRole(await _systemRoleNameProvider.GetAdminRoleAsync()))
         {
             SucceedAllRequirements(context);
 
diff --git a/src/OrchardCore.Modules/OrchardCore.Settings/Startup.cs b/src/OrchardCore.Modules/OrchardCore.Settings/Startup.cs
@@ -11,6 +11,7 @@
 using OrchardCore.Recipes;
 using OrchardCore.Recipes.Services;
 using OrchardCore.ResourceManagement;
+using OrchardCore.Roles;
 using OrchardCore.Security.Permissions;
 using OrchardCore.Settings.Deployment;
 using OrchardCore.Settings.Drivers;
@@ -65,7 +66,9 @@ public override void ConfigureServices(IServiceCollection services)
 
         services.AddScoped<ISetupEventHandler, SetupEventHandler>();
         services.AddPermissionProvider<Permissions>();
-        services.AddScoped<IAuthorizationHandler, SuperUserHandler>();
+
+        services.AddRolesCoreServices()
+            .AddScoped<IAuthorizationHandler, SuperUserHandler>();
 
         services.AddRecipeExecutionStep<SettingsStep>();
         services.AddSingleton<ISiteService, SiteService>();
diff --git a/src/OrchardCore.Modules/OrchardCore.Users/Liquid/UserFilters.cs b/src/OrchardCore.Modules/OrchardCore.Users/Liquid/UserFilters.cs
@@ -5,19 +5,20 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using OrchardCore.Liquid;
-using OrchardCore.Security;
+using OrchardCore.Roles;
 using OrchardCore.Security.Permissions;
 
 namespace OrchardCore.Users.Liquid;
 
 public static class UserFilters
 {
-    public static ValueTask<FluidValue> HasClaim(FluidValue input, FilterArguments arguments, TemplateContext ctx)
+    public static async ValueTask<FluidValue> HasClaim(FluidValue input, FilterArguments arguments, TemplateContext ctx)
     {
         if (input.ToObjectValue() is LiquidUserAccessor)
         {
             var context = (LiquidTemplateContext)ctx;
             var httpContextAccessor = context.Services.GetRequiredService<IHttpContextAccessor>();
+            var systemRoleNameProvider = context.Services.GetRequiredService<ISystemRoleNameProvider>();
 
             var user = httpContextAccessor.HttpContext?.User;
             if (user != null)
@@ -45,7 +46,7 @@ public static ValueTask<FluidValue> HasClaim(FluidValue input, FilterArguments a
                 // {% assign isAuthorized = User | has_permission: "AccessAdminPanel" %}
                 // ```
                 if (string.Equals(claimType, Permission.ClaimType, StringComparison.OrdinalIgnoreCase) &&
-                    user.HasClaim(StandardClaims.SiteOwner.Type, StandardClaims.SiteOwner.Value))
+                    user.IsInRole(await systemRoleNameProvider.GetAdminRoleAsync()))
                 {
                     var logger = context.Services.GetRequiredService<ILogger<Startup>>();
 
diff --git a/src/OrchardCore/OrchardCore.Infrastructure.Abstractions/Security/StandardClaims.cs b/src/OrchardCore/OrchardCore.Infrastructure.Abstractions/Security/StandardClaims.cs
@@ -1,4 +1,4 @@
-﻿using System.Security.Claims;
+using System.Security.Claims;
 
 namespace OrchardCore.Security;
 
@@ -7,5 +7,6 @@ public static class StandardClaims
     /// <summary>
     /// This claim is assigned by the system during the login process if the user belongs to the Administrator role.
     /// </summary>
+    [Obsolete("This claim is obsolete and will be removed in the next major version.")]
     public static readonly Claim SiteOwner = new("SiteOwner", "true");
 }
diff --git a/src/OrchardCore/OrchardCore.Roles.Core/ServiceCollectionExtensions.cs b/src/OrchardCore/OrchardCore.Roles.Core/ServiceCollectionExtensions.cs
@@ -1,11 +1,14 @@
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 
 namespace OrchardCore.Roles;
 
 public static class ServiceCollectionExtensions
 {
     public static IServiceCollection AddRolesCoreServices(this IServiceCollection services)
     {
-        return services.AddSingleton<ISystemRoleNameProvider, DefaultSystemRoleNameProvider>();
+        services.TryAddSingleton<ISystemRoleNameProvider, DefaultSystemRoleNameProvider>();
+
+        return services;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -33,17 +33,19 @@ public async Task GenerateAsync(IUser user, ClaimsIdentity claims)`
`33`	`33`	`return;`
`34`	`34`	`}`
`35`	`35`
	`36`	`+ var roleNames = await _userManager.GetRolesAsync(user);`
	`37`	`+`
`36`	`38`	`var isAdministrator = false;`
`37`	`39`
`38`		`- if (await _userManager.IsInRoleAsync(user, await _systemRoleNameProvider.GetAdminRoleAsync()))`
	`40`	`+ foreach (var roleName in roleNames)`
`39`	`41`	`{`
`40`		`- claims.AddClaim(StandardClaims.SiteOwner);`
`41`		`-`
`42`		`- isAdministrator = true;`
	`42`	`+ if (await _systemRoleNameProvider.IsAdminRoleAsync(roleName))`
	`43`	`+ {`
	`44`	`+ isAdministrator = true;`
	`45`	`+ break;`
	`46`	`+ }`
`43`	`47`	`}`
`44`	`48`
`45`		`- var roleNames = await _userManager.GetRolesAsync(user);`
`46`		`-`
`47`	`49`	`foreach (var roleName in roleNames)`
`48`	`50`	`{`
`49`	`51`	`claims.AddClaim(new Claim(_identityOptions.ClaimsIdentity.RoleClaimType, roleName));`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`using System.Security.Claims;`
`2`	`2`	`using Microsoft.AspNetCore.Authorization;`
	`3`	`+using OrchardCore.Roles;`
`3`	`4`	`using OrchardCore.Security;`
`4`	`5`
`5`	`6`	`namespace OrchardCore.Settings.Services;`
`@@ -10,10 +11,14 @@ namespace OrchardCore.Settings.Services;`
`10`	`11`	`public class SuperUserHandler : IAuthorizationHandler`
`11`	`12`	`{`
`12`	`13`	`private readonly ISiteService _siteService;`
	`14`	`+ private readonly ISystemRoleNameProvider _systemRoleNameProvider;`
`13`	`15`
`14`		`- public SuperUserHandler(ISiteService siteService)`
	`16`	`+ public SuperUserHandler(`
	`17`	`+ ISiteService siteService,`
	`18`	`+ ISystemRoleNameProvider systemRoleNameProvider)`
`15`	`19`	`{`
`16`	`20`	`_siteService = siteService;`
	`21`	`+ _systemRoleNameProvider = systemRoleNameProvider;`
`17`	`22`	`}`
`18`	`23`
`19`	`24`	`public async Task HandleAsync(AuthorizationHandlerContext context)`
`@@ -25,7 +30,7 @@ public async Task HandleAsync(AuthorizationHandlerContext context)`
`25`	`30`	`return;`
`26`	`31`	`}`
`27`	`32`
`28`		`- if (user.HasClaim(StandardClaims.SiteOwner.Type, StandardClaims.SiteOwner.Value))`
	`33`	`+ if (user.IsInRole(await _systemRoleNameProvider.GetAdminRoleAsync()))`
`29`	`34`	`{`
`30`	`35`	`SucceedAllRequirements(context);`
`31`	`36`
Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,14 @@`
`1`	`1`	`using Microsoft.Extensions.DependencyInjection;`
	`2`	`+using Microsoft.Extensions.DependencyInjection.Extensions;`
`2`	`3`
`3`	`4`	`namespace OrchardCore.Roles;`
`4`	`5`
`5`	`6`	`public static class ServiceCollectionExtensions`
`6`	`7`	`{`
`7`	`8`	`public static IServiceCollection AddRolesCoreServices(this IServiceCollection services)`
`8`	`9`	`{`
`9`		`- return services.AddSingleton<ISystemRoleNameProvider, DefaultSystemRoleNameProvider>();`
	`10`	`+ services.TryAddSingleton<ISystemRoleNameProvider, DefaultSystemRoleNameProvider>();`
	`11`	`+`
	`12`	`+ return services;`
`10`	`13`	`}`
`11`	`14`	`}`