Deprecate SiteOwner permission and retain Administrator as system role

src/OrchardCore.Modules/OrchardCore.ContentFields/Settings/UserPickerFieldSettingsDriver.cs

@@ -3,6 +3,7 @@
 using OrchardCore.ContentTypes.Editors;
 using OrchardCore.DisplayManagement.Handlers;
 using OrchardCore.DisplayManagement.Views;
+using OrchardCore.Infrastructure.Security;
 using OrchardCore.Security.Services;
 
 namespace OrchardCore.ContentFields.Settings;
@@ -24,8 +25,7 @@ public override IDisplayResult Edit(ContentPartFieldDefinition partFieldDefiniti
             model.Hint = settings.Hint;
             model.Required = settings.Required;
             model.Multiple = settings.Multiple;
-            var roles = (await _roleService.GetRoleNamesAsync())
-                .Except(RoleHelper.SystemRoleNames, StringComparer.OrdinalIgnoreCase)
+            var roles = (await _roleService.GetRoleNamesAsync(role => role.Type != RoleType.System))
                 .Select(roleName => new RoleEntry
                 {
                     Role = roleName,

src/OrchardCore.Modules/OrchardCore.Roles/Controllers/AdminController.cs

@@ -10,6 +10,8 @@
 using OrchardCore.Environment.Extensions;
 using OrchardCore.Environment.Extensions.Features;
 using OrchardCore.Environment.Shell;
+using OrchardCore.Infrastructure.Security;
+using OrchardCore.Roles.Core;
 using OrchardCore.Roles.ViewModels;
 using OrchardCore.Security;
 using OrchardCore.Security.Permissions;
@@ -28,6 +30,7 @@ public sealed class AdminController : Controller
     private readonly IShellFeaturesManager _shellFeaturesManager;
     private readonly IRoleService _roleService;
     private readonly INotifier _notifier;
+    private readonly IRoleTracker _roleTracker;
 
     internal readonly IStringLocalizer S;
     internal readonly IHtmlLocalizer H;
@@ -41,6 +44,7 @@ public AdminController(
         IShellFeaturesManager shellFeaturesManager,
         IRoleService roleService,
         INotifier notifier,
+        IRoleTracker roleTracker,
         IStringLocalizer<AdminController> stringLocalizer,
         IHtmlLocalizer<AdminController> htmlLocalizer)
     {
@@ -52,6 +56,7 @@ public AdminController(
         _shellFeaturesManager = shellFeaturesManager;
         _roleService = roleService;
         _notifier = notifier;
+        _roleTracker = roleTracker;
         S = stringLocalizer;
         H = htmlLocalizer;
     }
@@ -67,7 +72,12 @@ public async Task<ActionResult> Index()
 
         var model = new RolesViewModel
         {
-            RoleEntries = roles.Select(BuildRoleEntry).ToList()
+            RoleEntries = roles.Select(role => new RoleEntry
+            {
+                Name = role.RoleName,
+                Description = role.RoleDescription,
+                Type = role.Type,
+            }).ToList()
         };
 
         return View(model);
@@ -110,11 +120,25 @@ public async Task<IActionResult> Create(CreateRoleViewModel model)
 
         if (ModelState.IsValid)
         {
-            var role = new Role { RoleName = model.RoleName, RoleDescription = model.RoleDescription };
+            var role = new Role
+            {
+                RoleName = model.RoleName,
+                RoleDescription = model.RoleDescription,
+                Type = RoleHelper.SystemRoleNames.Contains(model.RoleName)
+                ? RoleType.System
+                : model.IsOwnerType ? RoleType.Owner : RoleType.Standard,
+            };
+
             var result = await _roleManager.CreateAsync(role);
+
             if (result.Succeeded)
             {
+                if (role.Type == RoleType.Owner)
+                {
+                    await _roleTracker.AddAsync(role);
+                }
                 await _notifier.SuccessAsync(H["Role created successfully."]);
+
                 return RedirectToAction(nameof(Index));
             }
 
@@ -126,7 +150,7 @@ public async Task<IActionResult> Create(CreateRoleViewModel model)
             }
         }
 
-        // If we got this far, something failed, redisplay form
+        // If we got this far, something failed, redisplay form.
         return View(model);
     }
 
@@ -145,10 +169,22 @@ public async Task<IActionResult> Delete(string id)
             return NotFound();
         }
 
+        if (currentRole.Type == RoleType.System)
+        {
+            await _notifier.ErrorAsync(H["System roles cannot be deleted."]);
+
+            return RedirectToAction(nameof(Index));
+        }
+
         var result = await _roleManager.DeleteAsync(currentRole);
 
         if (result.Succeeded)
         {
+            if (currentRole.Type == RoleType.Owner)
+            {
+                await _roleTracker.RemoveAsync(currentRole);
+            }
+
             await _notifier.SuccessAsync(H["Role deleted successfully."]);
         }
         else
@@ -186,6 +222,7 @@ public async Task<IActionResult> Edit(string id)
             Role = role,
             Name = role.RoleName,
             RoleDescription = role.RoleDescription,
+            IsOwnerType = role.Type == RoleType.Owner,
             EffectivePermissions = await GetEffectivePermissions(role, allPermissions),
             RoleCategoryPermissions = installedPermissions
         };
@@ -194,7 +231,7 @@ public async Task<IActionResult> Edit(string id)
     }
 
     [HttpPost, ActionName(nameof(Edit))]
-    public async Task<IActionResult> EditPost(string id, string roleDescription)
+    public async Task<IActionResult> EditPost(string id, string roleDescription, bool hasFullAccess)
     {
         if (!await _authorizationService.AuthorizeAsync(User, CommonPermissions.ManageRoles))
         {
@@ -206,39 +243,50 @@ public async Task<IActionResult> EditPost(string id, string roleDescription)
             return NotFound();
         }
 
+        if (hasFullAccess)
+        {
+            role.Type = RoleType.Owner;
+        }
+
         role.RoleDescription = roleDescription;
 
-        // Save.
-        var rolePermissions = new List<RoleClaim>();
-        foreach (var key in Request.Form.Keys)
+        if (!hasFullAccess)
         {
-            if (key.StartsWith("Checkbox.", StringComparison.Ordinal) && Request.Form[key] == "true")
+            var rolePermissions = new List<RoleClaim>();
+            foreach (var key in Request.Form.Keys)
             {
-                var permissionName = key["Checkbox.".Length..];
-                rolePermissions.Add(new RoleClaim { ClaimType = Permission.ClaimType, ClaimValue = permissionName });
+                if (key.StartsWith("Checkbox.", StringComparison.Ordinal) && Request.Form[key] == "true")
+                {
+                    var permissionName = key["Checkbox.".Length..];
+                    rolePermissions.Add(new RoleClaim
+                    {
+                        ClaimType = Permission.ClaimType,
+                        ClaimValue = permissionName,
+                    });
+                }
             }
-        }
 
-        role.RoleClaims.RemoveAll(c => c.ClaimType == Permission.ClaimType);
-        role.RoleClaims.AddRange(rolePermissions);
+            role.RoleClaims.RemoveAll(c => c.ClaimType == Permission.ClaimType);
+            role.RoleClaims.AddRange(rolePermissions);
+        }
 
         await _roleManager.UpdateAsync(role);
 
+        // After updating the document manager, update the role tracker.
+        if (role.Type == RoleType.Owner)
+        {
+            await _roleTracker.AddAsync(role);
+        }
+        else
+        {
+            await _roleTracker.RemoveAsync(role);
+        }
+
         await _notifier.SuccessAsync(H["Role updated successfully."]);
 
         return RedirectToAction(nameof(Index));
     }
 
-    private RoleEntry BuildRoleEntry(IRole role)
-    {
-        return new RoleEntry
-        {
-            Name = role.RoleName,
-            Description = role.RoleDescription,
-            Selected = false
-        };
-    }
-
     private async Task<IDictionary<PermissionGroupKey, IEnumerable<Permission>>> GetInstalledPermissionsAsync()
     {
         var installedPermissions = new Dictionary<PermissionGroupKey, IEnumerable<Permission>>();

src/OrchardCore.Modules/OrchardCore.Roles/OrchardCore.Roles.csproj

@@ -4,9 +4,11 @@
     <AddRazorSupportForMvc>true</AddRazorSupportForMvc>
     <!-- NuGet properties-->
     <Title>OrchardCore Roles</Title>
-    <Description>$(OCCMSDescription)
-
-    The roles module adds the ability to manage roles and assign permissions to roles.</Description>
+    <Description>
+      $(OCCMSDescription)
+
+      The roles module adds the ability to manage roles and assign permissions to roles.
+    </Description>
     <PackageTags>$(PackageTags) OrchardCoreCMS</PackageTags>
   </PropertyGroup>
 

src/OrchardCore.Modules/OrchardCore.Roles/Recipes/RolesStep.cs

@@ -1,9 +1,11 @@
 using System.Text.Json.Nodes;
 using Microsoft.AspNetCore.Identity;
+using OrchardCore.Infrastructure.Security;
 using OrchardCore.Recipes.Models;
 using OrchardCore.Recipes.Services;
 using OrchardCore.Security;
 using OrchardCore.Security.Permissions;
+using OrchardCore.Security.Services;
 
 namespace OrchardCore.Roles.Recipes;
 
@@ -42,11 +44,17 @@ public async Task ExecuteAsync(RecipeExecutionContext context)
             {
                 role = new Role
                 {
-                    RoleName = importedRole.Name
+                    RoleName = importedRole.Name,
                 };
             }
 
+            var isSystemRole = RoleHelper.SystemRoleNames.Contains(importedRole.Name);
+
             role.RoleDescription = importedRole.Description;
+            role.Type = isSystemRole
+                ? RoleType.System
+                : importedRole.HasFullAccess ? RoleType.Owner : RoleType.Standard;
+
             role.RoleClaims.RemoveAll(c => c.ClaimType == Permission.ClaimType);
             role.RoleClaims.AddRange(importedRole.Permissions.Select(p => new RoleClaim
             {
@@ -74,6 +82,10 @@ public sealed class RolesStepModel
 public sealed class RolesStepRoleModel
 {
     public string Name { get; set; }
+
     public string Description { get; set; }
+
+    public bool HasFullAccess { get; set; }
+
     public string[] Permissions { get; set; }
 }

src/OrchardCore.Modules/OrchardCore.Roles/Startup.cs

@@ -7,6 +7,7 @@
 using OrchardCore.Modules;
 using OrchardCore.Navigation;
 using OrchardCore.Recipes;
+using OrchardCore.Roles.Core;
 using OrchardCore.Roles.Deployment;
 using OrchardCore.Roles.Recipes;
 using OrchardCore.Roles.Services;
@@ -20,6 +21,8 @@ public sealed class Startup : StartupBase
 {
     public override void ConfigureServices(IServiceCollection services)
     {
+        services.AddScoped<IAuthorizationHandler, RolesPermissionHandler>();
+        services.AddScoped<IRoleTracker, RoleTracker>();
         services.AddScoped<RoleStore>();
         services.Replace(ServiceDescriptor.Scoped<IRoleClaimStore<IRole>>(sp => sp.GetRequiredService<RoleStore>()));
         services.Replace(ServiceDescriptor.Scoped<IRoleStore<IRole>>(sp => sp.GetRequiredService<RoleStore>()));

src/OrchardCore.Modules/OrchardCore.Roles/ViewModels/CreateRoleViewModel.cs

@@ -8,4 +8,6 @@ public class CreateRoleViewModel
     public string RoleName { get; set; }
 
     public string RoleDescription { get; set; }
+
+    public bool IsOwnerType { get; set; }
 }

src/OrchardCore.Modules/OrchardCore.Roles/ViewModels/EditRoleViewModel.cs

@@ -7,8 +7,11 @@ namespace OrchardCore.Roles.ViewModels;
 public class EditRoleViewModel
 {
     public string Name { get; set; }
+
     public string RoleDescription { get; set; }
 
+    public bool IsOwnerType { get; set; }
+
     [BindNever]
     public IDictionary<PermissionGroupKey, IEnumerable<Permission>> RoleCategoryPermissions { get; set; }
 

src/OrchardCore.Modules/OrchardCore.Roles/ViewModels/RolesViewModel.cs

@@ -1,3 +1,5 @@
+using OrchardCore.Infrastructure.Security;
+
 namespace OrchardCore.Roles.ViewModels;
 
 public class RolesViewModel
@@ -8,6 +10,10 @@ public class RolesViewModel
 public class RoleEntry
 {
     public string Name { get; set; }
+
     public string Description { get; set; }
+
     public bool Selected { get; set; }
+
+    public RoleType Type { get; set; }
 }

src/OrchardCore.Modules/OrchardCore.Roles/Views/Admin/Create.cshtml

@@ -6,14 +6,23 @@
 <div asp-validation-summary="ModelOnly"></div>
 <form asp-action="Create" method="post" class="no-multisubmit">
     <div class="mb-3" asp-validation-class-for="RoleName">
-        <label asp-for="RoleName" class="form-label">@T["Role name"]</label>
+        <label asp-for="RoleName" class="form-label">@T["Name"]</label>
         <input asp-for="RoleName" class="form-control" autofocus />
         <span asp-validation-for="RoleName" class="text-danger"></span>
     </div>
 
     <div class="mb-3" asp-validation-class-for="RoleDescription">
-        <label asp-for="RoleDescription" class="form-label">@T["Role description"]</label>
-        <input asp-for="RoleDescription" class="form-control" autofocus />
+        <label asp-for="RoleDescription" class="form-label">@T["Description"]</label>
+        <input asp-for="RoleDescription" class="form-control" />
+        <span asp-validation-for="RoleDescription" class="text-danger"></span>
+    </div>
+
+    <div class="mb-3">
+        <div class="form-check">
+            <input type="checkbox" class="form-check-input" asp-for="IsOwnerType" checked="@Model.IsOwnerType" role="button" />
+            <label class="form-check-label" asp-for="IsOwnerType">@T["Site Owner?"]</label>
+            <span class="hint dashed">@T["Roles with the Owner type will automatically grant the user full access to all permissions."]</span>
+        </div>
     </div>
 
     <div class="mb-3">