No specific time line yet. At this stage I am trying to prioritize those items which provide much higher value to developers who are building applications on the framework, as opposed to those items which would require broad sweeping changes across the framework code base with a high risk of regression bugs and very little actual benefit to developers.
@mikecasas I totally agree! The IIS deployment blog I wrote this week is a good example of why documentation is important - it helped 2-3 people get up and running on Oqtane. I posted in #570 this week that I would like to move forward with the docfx solution from @iJungleboy
Hey @sbwalker about the third party DLL, I found out that when deleting the module, those extra dll's remain on the server and don't get deleted. I'm partly ok with that because they are no longer being referenced, and the possible case where another unrelated module happens to also use those dll's
I think keeping track of who uses what it's way too complicated... but maybe installing the modules in a location similar to /Modules/[module-name]/ like the resources inside wwwroot... Could that be possible? I really have no idea how the assemblies referencing thing works
and I plan to use it as the basis of a video tutorial to help module developers get started on Oqtane
Great
Emmmm... I was creating a new Module, so I decided to start based on a previous Module I had created... copy, paste, rename..... Long story short.. terrible idea, so I decided to modify the External template, that way a new module from scratch has entityId and Policies authorization, with a bonus that Client.Index.razor includes pre coded the SettingsService to get the module settings if needed... repo here if anybody want to try it or find it usefull
I also plan on creating several open source modules in the near future
Can you have custom modules in your custom theme? I see in the cerulean theme it references controls/components from the framework, so they are guaranteed to be there, but if you have a custom theme, how can you be sure the external module is there?https://github.com/oqtane/oqtane.theme.cerulean/blob/master/Default.razor#L4-L17
I think custom controls/components should be easier to implement, maybe override?? but auto install and configure custom modules... maybe seeding the DB and finding a way to copy the .nupkg during theme installation... Reading the Oqtane.Infrastructure.InstallationManager, the Themes installation, uses the same Module installation core module, with "Themes" folder, so in theory, packaging everything into a .nupkg, all modules, and custom ModuleManager, etc.... sorry for the rambling, but yeah... seems posible
@mikecasas modules and themes are designed to be independent of one another - they are combined dynamically at run-time based on configuration information in the database to create a "page". However you can develop them as part of the same assembly. And you can package them in the same Nuget package.
@drakozero the external module template used in the Module Creator should be updated to use the authorization policy
@sbwalker feel free to review/compare the changes to the template I made, and include them in Oqtane, I don't know if a pull request for that is needed/necessary, I think it would be better if templates could be installable, that way there could be multiple templates, and private templates as needed Eg: Simple CRUD, With Policies, With extra services, etc.
the segments are not normalized.
@drakozero if you look at the latest HtmlText module you will see that a base class and a method were introduced for making the integration of auth policies simpler. In addition you should probably be aware that there is a security flaw in the external module template you posted. The Get(int id) method needs to check that the ModuleId of the model returned matches the entityid.
The auth policy concept may seem a bit complicated at first - but its important to understand the 2 dimensions of it. First, when an entityid is passed on the querystring, the auth policy can use it to check the permissions for the entity type ie. [Authorize(Policy = "ViewModule")] - this would check if the user has View permissions for a Module with a specific ModuleId ( "entityid" is used generically as this auth policy can be applied to other entities as well ). If the auth policy validation is successful there is still a secondary level of validation that is often required. For example, the Get(int id) method is retrieving a specific custom entity being managed by a Module ( the id in this case is not a ModuleId ). The controller method will get the object from the repository however it needs to verify that the object is actually associated to the specific ModuleId - ie. it needs to check if (object.ModuleId == entityid). If this secondary validation is not done then a user with permissions to view a specific module's data would be able to access ANY module's data ( ie. by passing any id ). This is obviously true for other API methods as well such as Put, Post, Delete... in fact it is even more important to do the secondary validation on these methods as they modify data.
ModuleId represents an instance of a module in a site. Each module has its own distinct content and its own permissions. A module can be displayed on one or more pages in a site. Each instance of a module on a page is represented by a PageModuleId. ModuleState is a cascading parameter which can be used in razor components to get easy access to state such as ModuleId or PageModuleId. EntityId is a generic parameter used in some framework services that support multiple types of entities within the same API ( ie. Site, Page, Module, etc... )
So if I put two Modules of the same type, on the same page, each one has a different ModuleId, and when the same module is used in multiple pages (Eg. as a fixed banner or sidebar -> Display on All Pages=yes) ModuleId remains the same, but PageModuleId is different for each page?
And EntityId is a global naming standard, that usually is equal to ModuleId, except if I understood the PageModuleId correctly, only for those cases where fine grained authorization is required for certain pages?
@sbwalker Is there a roadmap for the next couple of weeks for oqtane? There are a couple of tickets in github that needs architectural decisions to go on with them. When will we start doing these decisions?
e.g. I would like to start to enhance model value validation server-side as well as client-side in terms of robustness and stability. I have found that the happy path is working mostly perfect but if there are "wrong" values within the input model than this often leads to db exceptions or other errors. For versions 1.0.x this is totally fine but imho in a version 1.x some of the currently open things should be done. To do the validation we need a architectural discussion about the way we want do it.