From b13f2299ef0e19201e86c0841c36d0269a3981a5 Mon Sep 17 00:00:00 2001 From: Mike Alhayek Date: Mon, 9 Dec 2024 12:32:13 -0800 Subject: [PATCH 1/4] Update ElasticsearchQueryHandler.cs --- .../Services/ElasticsearchQueryHandler.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OrchardCore/OrchardCore.Search.Elasticsearch.Core/Services/ElasticsearchQueryHandler.cs b/src/OrchardCore/OrchardCore.Search.Elasticsearch.Core/Services/ElasticsearchQueryHandler.cs index 03df57c890e..b3d25986eee 100644 --- a/src/OrchardCore/OrchardCore.Search.Elasticsearch.Core/Services/ElasticsearchQueryHandler.cs +++ b/src/OrchardCore/OrchardCore.Search.Elasticsearch.Core/Services/ElasticsearchQueryHandler.cs @@ -15,7 +15,7 @@ public override Task UpdatingAsync(UpdatingQueryContext context) private static Task UpdateQueryAsync(DataQueryContextBase context) { - if (context.Query.Source == ElasticQuerySource.SourceName) + if (context.Query.Source != ElasticQuerySource.SourceName) { return Task.CompletedTask; } From 913046f8c551f41a6523307460873e33c0b1b71b Mon Sep 17 00:00:00 2001 From: Mike Alhayek Date: Thu, 12 Dec 2024 09:05:44 -0800 Subject: [PATCH 2/4] Roles with no permission are auto migrated to Administrator roles (#17226) --- mkdocs.yml | 1 + .../Migrations/RolesMigrations.cs | 32 +++++++++++---- src/docs/releases/2.1.3.md | 41 +++++++++++++++++++ 3 files changed, 67 insertions(+), 7 deletions(-) create mode 100644 src/docs/releases/2.1.3.md diff --git a/mkdocs.yml b/mkdocs.yml index 6c76174cdbd..10f168a4691 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -55,6 +55,7 @@ validation: # Add files here that are intentionally not in the navigation and thus omitted_files shouldn't warn about them. not_in_nav: | samples/ + releases/2.1.3.md # Extensions markdown_extensions: diff --git a/src/OrchardCore.Modules/OrchardCore.Roles/Migrations/RolesMigrations.cs b/src/OrchardCore.Modules/OrchardCore.Roles/Migrations/RolesMigrations.cs index 023f8319221..eae78a2ce3a 100644 
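Review bot: The corrected guard now returns early for every query whose Source is not ElasticQuerySource.SourceName, but nothing in the hunk says why the method bails out there, and the inverted comparison already survived one review; a one-line comment above the `if` would anchor the intent, e.g. `// This handler only applies to Elasticsearch queries; leave other sources untouched.` A regression test that feeds a non-Elasticsearch source and asserts the query is left unchanged would pin the fix. UpdateQueryAsync's body continues outside the hunk.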
--- a/src/OrchardCore.Modules/OrchardCore.Roles/Migrations/RolesMigrations.cs +++ b/src/OrchardCore.Modules/OrchardCore.Roles/Migrations/RolesMigrations.cs @@ -1,5 +1,6 @@ using Microsoft.AspNetCore.Identity; using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; using OrchardCore.BackgroundJobs; using OrchardCore.Data.Migration; @@ -15,10 +16,14 @@ public sealed class RolesMigrations : DataMigration private static readonly string _alternativeAdminRoleName = "SiteOwner"; private readonly SystemRoleOptions _systemRoleOptions; + private readonly ILogger _logger; - public RolesMigrations(IOptions systemRoleOptions) + public RolesMigrations( + IOptions systemRoleOptions, + ILogger logger) { _systemRoleOptions = systemRoleOptions.Value; + _logger = logger; } #pragma warning disable CA1822 // Mark members as static @@ -41,10 +46,8 @@ public int Create() continue; } - // When a new tenant is created, the RoleClaims will be empty for Admin roles. - var hasSiteOwner = r.RoleClaims is null || - r.RoleClaims.Count == 0 || - r.RoleClaims.Any(x => x.ClaimValue == "SiteOwner"); + // Check to see if the role contains the obsolete 'SiteOwner' permission claim. + var hasSiteOwner = r.RoleClaims is not null && r.RoleClaims.Any(x => x.ClaimValue == "SiteOwner"); if (r.RoleName.Equals(OrchardCoreConstants.Roles.Administrator, StringComparison.OrdinalIgnoreCase)) { 
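Review bot: The new `hasSiteOwner` expression drops the empty-RoleClaims case that the removed comment described as the normal state of the Administrator role on a freshly created tenant, so such a role now presumably takes the not-SiteOwner branch further down in Create() (the one that generates a replacement system admin role) instead of being kept as the current administrator; the condition that selects that branch is outside this hunk. If that is the intended outcome for new tenants, the replacement comment should say so, since the old comment documented the opposite assumption; if it is not, the fresh-tenant case needs its own check rather than relying on "no claims". A small wording point: the claim lookup uses plain `==` while the role-name check on the next line uses OrdinalIgnoreCase, which is fine if the claim value is always written as the literal `SiteOwner`, but a short comment would make that explicit. Create()'s body starts and ends outside the hunk.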
@@ -54,16 +57,24 @@ public int Create() // We'll need to create a new role name that does not exists and assign it as the system 'Administrator' role. adminSystemRoleName = GenerateNewAdminRoleName(roles); + _logger.LogInformation("The {DefaultAdministratorRoleName} does not contain SiteOwner permission. Creating a new AdminRoleName as the system admin name. The new role name is {NewAdminRoleName}.", OrchardCoreConstants.Roles.Administrator, adminSystemRoleName); + await roleManager.CreateAsync(new Role { RoleName = adminSystemRoleName, }); + } else { + _logger.LogInformation("Removing all existing permission claims from the default {DefaultAdministratorRoleName} Administrator name.", OrchardCoreConstants.Roles.Administrator); + r.RoleClaims.Clear(); await roleManager.UpdateAsync(r); + + // Don't processed to avoid adding the default 'Administrator' role to the adminRoles collection; + continue; } } @@ -84,9 +95,14 @@ await HttpBackgroundJob.ExecuteAfterEndOfRequestAsync("MigrateAdminUsersToNewAdm { var users = await userManager.GetUsersInRoleAsync(adminRole.RoleName); - foreach (var user in users) + if (users.Count > 0) { - await userManager.AddToRoleAsync(user, adminSystemRoleName); + _logger.LogInformation("Migrating all users {Count} users from {PreviousRoleName} to {NewRoleName}", users.Count, adminRole, adminSystemRoleName); + + foreach (var user in users) + { + await userManager.AddToRoleAsync(user, adminSystemRoleName); + } } } }); 
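Review bot: The comment added above `continue;` has a typo that changes its meaning: `// Don't processed to avoid adding the default 'Administrator' role to the adminRoles collection;` should read `// Don't proceed: the default 'Administrator' role must not be added to the adminRoles collection.` The information log in the same else branch is also awkwardly worded ("from the default {DefaultAdministratorRoleName} Administrator name"); `"Removing all existing permission claims from the default {DefaultAdministratorRoleName} role."` says the same thing clearly. Both hunks anchored here are inside Create(), whose body starts and ends outside the hunk.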
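Review bot: The new log call passes the `adminRole` object as the `{PreviousRoleName}` argument, so unless Role overrides ToString the message will print a type name instead of the role; `adminRole.RoleName` is what the surrounding code already uses in `GetUsersInRoleAsync(adminRole.RoleName)`. The template is also garbled: `"Migrating all users {Count} users from ..."` should be `"Migrating {Count} users from {PreviousRoleName} to {NewRoleName}."` Because this loop is the remediation for the over-privileging issue described in the 2.1.3 release notes, a correctly rendered previous role name is what an operator will need when auditing who was moved into the admin role. The background-job lambda and Create() continue outside the hunk.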
@@ -98,6 +114,8 @@ await HttpBackgroundJob.ExecuteAfterEndOfRequestAsync("MigrateAdminUsersToNewAdm var shellSettings = scope.ServiceProvider.GetRequiredService(); var shellHost = scope.ServiceProvider.GetRequiredService(); + _logger.LogInformation("The {DefaultAdministratorRoleName} does not contain SiteOwner permission. Creating a new AdminRoleName as the system admin name and storing it in the tenant app settings provider. The new name is {NewAdminRoleName}", OrchardCoreConstants.Roles.Administrator, adminSystemRoleName); + shellSettings["AdminRoleName"] = adminSystemRoleName; await shellHost.UpdateShellSettingsAsync(shellSettings); diff --git a/src/docs/releases/2.1.3.md b/src/docs/releases/2.1.3.md new file mode 100644 index 00000000000..669ca32a011 --- /dev/null +++ b/src/docs/releases/2.1.3.md 
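Review bot: The added log message restates the one emitted earlier in Create() when `adminSystemRoleName` was generated, and its wording ("does not contain SiteOwner permission. Creating a new AdminRoleName ...") no longer matches what this block does, which is persisting the already-chosen name into the shell settings. A message scoped to this action, e.g. `"Storing the new system admin role name {NewAdminRoleName} in the tenant's shell settings."`, keeps the two log entries distinguishable when reading the migration trail. The enclosing background-job lambda and Create() continue outside the hunk.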
@@ -0,0 +1,41 @@ +## Orchard Core 2.1.3 + +**Release Date:** Not yet released + +This release includes critical security fixes that grant unintentionally full access to certain users. + +## Changelog + +### Important Security Notice: Role Assignment Issue After Upgrade + +If you have recently upgraded from a previous version of Orchard Core to version 2.1.0, 2.0.1, or 2.0.2, please be aware of a potential security issue that may impact your system. Specifically, if a role is assigned with **no permissions**, any user assigned to that role will automatically be granted the **Administrator** role after the upgrade, potentially giving them full access to your site. + +#### Example Scenario: + +Let's say your app includes a role named **Director**, which has no permissions assigned. If a user like **Mike** is assigned to this role, after the upgrade, **Mike** will automatically be granted the **Administrator** role, giving them full control over your site. This could pose a significant security risk if not addressed promptly. + +#### Mitigation Steps: + +To ensure your site's security, we strongly recommend that you review the users who currently have the **Administrator** role. If you find users who should not have administrative privileges, you should remove the **Administrator** role from their account immediately. + +#### How to Check Users Assigned to the Administrator Role: + +1. **Identify the Administrator Role:** + - Go to the `/Admin/Roles/Index` page on your site. Check if the **Administrator** role has a **System** badge. + + - If the **Administrator** role **has the System badge**, proceed with the following steps: + + 1. Go to the `/Admin/Users/Index?q=role:Administrator` page. + 2. Review the list of users assigned the **Administrator** role. + 3. For any users who should not have **Administrator** privileges, click **Edit** on their account and remove the role. 
+ + - If the **Administrator** role **does not have the System badge**, follow these steps: + + 1. Look for the role with the **System** badge. This role is typically named **SiteOwner** or something similar (e.g., **SiteOwner1**, **SiteOwner2**, etc.). + 2. Once identified, replace `Site__Owner_RoleName_Goes_Here` with the correct role name and visit the `/Admin/Users/Index?q=role:{Site__Owner_RoleName_Goes_Here}` page on your site. + 3. Review the list of users with the site owner role. + 4. For any users who should not have site owner privileges, click **Edit** on their account and remove the role. + +### Final Reminder: + +We recommend that you take immediate action to verify user roles and ensure that only authorized users have administrative or site owner access. Failing to do so could expose your application to significant security risks. From d83bcd42d37e781288cc419ee179f3f45fed5928 Mon Sep 17 00:00:00 2001 From: Mike Alhayek Date: Thu, 12 Dec 2024 09:12:46 -0800 Subject: [PATCH 3/4] Fix intermittent redirects during external auto-login (#17227) --- .../OrchardCore.Users/Services/ExternalLoginFormEvents.cs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/OrchardCore.Modules/OrchardCore.Users/Services/ExternalLoginFormEvents.cs b/src/OrchardCore.Modules/OrchardCore.Users/Services/ExternalLoginFormEvents.cs index 98b58eeca09..b21bb5b970d 100644 --- a/src/OrchardCore.Modules/OrchardCore.Users/Services/ExternalLoginFormEvents.cs +++ b/src/OrchardCore.Modules/OrchardCore.Users/Services/ExternalLoginFormEvents.cs @@ -39,7 +39,12 @@ public Task IsLockedOutAsync(IUser user) => Task.CompletedTask; public Task LoggedInAsync(IUser user) - => Task.CompletedTask; + { + var tempData = _tempDataDictionaryFactory.GetTempData(_httpContextAccessor.HttpContext); + tempData.Remove(ExternalLoginAutoRedirectKeyName); + + return Task.CompletedTask; + } public async Task LoggingInAsync() { 
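Review bot: `_tempDataDictionaryFactory.GetTempData(_httpContextAccessor.HttpContext)` is called without checking that `HttpContext` is non-null; `IHttpContextAccessor.HttpContext` is nullable, and if this handler can run outside an active request (the callers are not in the hunk, so this is inferred) the factory would throw from inside a login-event handler. A guard such as `if (_httpContextAccessor.HttpContext is { } httpContext) { _tempDataDictionaryFactory.GetTempData(httpContext).Remove(ExternalLoginAutoRedirectKeyName); }` keeps the sign-in flow from failing on that path. The change also lacks a why-comment; `// Clear the auto-redirect marker once sign-in completes so a stale TempData entry cannot trigger another external-login redirect on a later request.` captures the intent stated in the commit subject. The rest of the class is outside the hunk.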
From 294657cc2c94e0fef83330f4d5ad08c0e3a28ddb Mon Sep 17 00:00:00 2001 From: Mike Alhayek Date: Thu, 12 Dec 2024 09:25:32 -0800 Subject: [PATCH 4/4] Release 2.1.3 (#17228) --- README.md | 2 +- mkdocs.yml | 2 +- src/OrchardCore.Build/OrchardCore.Commons.props | 2 +- .../Modules/Manifest/ManifestConstants.cs | 2 +- src/docs/README.md | 2 +- src/docs/getting-started/templates/README.md | 8 ++++---- src/docs/guides/add-admin-menu/README.md | 6 +++--- src/docs/guides/create-blazor-cms/README.md | 2 +- src/docs/guides/create-cms-application/README.md | 2 +- src/docs/guides/create-modular-application-mvc/README.md | 2 +- src/docs/guides/decoupled-cms/README.md | 2 +- src/docs/releases/2.1.3.md | 2 +- 12 files changed, 17 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 40e9009b0da..08942c37cbd 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ Nightly (`main`): [![Build status](https://github.com/OrchardCMS/OrchardCore/actions/workflows/preview_ci.yml/badge.svg)](https://github.com/OrchardCMS/OrchardCore/actions?query=workflow%3A%22Preview+-+CI%22) [![Cloudsmith](https://api-prd.cloudsmith.io/badges/version/orchardcore/preview/nuget/OrchardCore.Application.Cms.Targets/latest/x/?render=true&badge_token=gAAAAABey9hKFD_C-ZIpLvayS3HDsIjIorQluDs53KjIdlxoDz6Ntt1TzvMNJp7a_UWvQbsfN5nS7_0IbxCyqHZsjhmZP6cBkKforo-NqwrH5-E6QCrJ3D8%3D)](https://cloudsmith.io/~orchardcore/repos/preview/packages/detail/nuget/OrchardCore.Application.Cms.Targets/latest/) -## Project Status: v2.1.2 +## Project Status: v2.1.3 The software is production-ready, and capable of serving large mission-critical applications as well, and we're not aware of any fundamental bugs or missing features we deem crucial. Orchard Core continues to evolve, with each version bringing new improvements, and keeping up with the cutting-edge of .NET. diff --git a/mkdocs.yml b/mkdocs.yml index 10f168a4691..069d13cb541 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -55,7 +55,6 @@ validation: # Add files here that are intentionally not in the navigation and thus omitted_files shouldn't warn about them. not_in_nav: | samples/ - releases/2.1.3.md # Extensions markdown_extensions: @@ -274,6 +273,7 @@ nav: - Owners: resources/owners/README.md - Workshops: resources/workshops/README.md - Releases: + - 2.1.3: releases/2.1.3.md - 2.1.2: releases/2.1.2.md - 2.1.1: releases/2.1.1.md - 2.1.0: releases/2.1.0.md diff --git a/src/OrchardCore.Build/OrchardCore.Commons.props b/src/OrchardCore.Build/OrchardCore.Commons.props index 2650e5872b6..0e88215786d 100644 --- a/src/OrchardCore.Build/OrchardCore.Commons.props +++ b/src/OrchardCore.Build/OrchardCore.Commons.props @@ -2,7 +2,7 @@ 12.0 - 2.1.1 + 2.1.3 preview $(VersionSuffix)-$(BuildNumber) 612,618 diff --git a/src/OrchardCore/OrchardCore.Abstractions/Modules/Manifest/ManifestConstants.cs b/src/OrchardCore/OrchardCore.Abstractions/Modules/Manifest/ManifestConstants.cs index e3ced4090b6..3632e052961 100644 --- a/src/OrchardCore/OrchardCore.Abstractions/Modules/Manifest/ManifestConstants.cs +++ b/src/OrchardCore/OrchardCore.Abstractions/Modules/Manifest/ManifestConstants.cs @@ -5,7 +5,7 @@ public static class ManifestConstants { public const string OrchardCoreTeam = "The Orchard Core Team"; - public const string OrchardCoreVersion = "2.1.1"; + public const string OrchardCoreVersion = "2.1.3"; public const string OrchardCoreWebsite = "https://orchardcore.net"; diff --git a/src/docs/README.md b/src/docs/README.md index 510a0d5d7a8..d50cb711e33 100644 --- a/src/docs/README.md +++ b/src/docs/README.md @@ -58,7 +58,7 @@ Orchard Core CMS supports all major site building strategies: ## Status -The latest released version of Orchard Core is `2.1.2`. The release notes can be found under [Releases](releases/2.1.2.md). +The latest released version of Orchard Core is `2.1.3`. The release notes can be found under [Releases](releases/2.1.3.md). ## Getting Started 
diff --git a/src/docs/getting-started/templates/README.md b/src/docs/getting-started/templates/README.md index e4fab2dd70a..f7beb43544c 100644 --- a/src/docs/getting-started/templates/README.md +++ b/src/docs/getting-started/templates/README.md @@ -9,13 +9,13 @@ More information about `dotnet new` can be found at - + ``` diff --git a/src/docs/releases/2.1.3.md b/src/docs/releases/2.1.3.md index 669ca32a011..13246caa936 100644 --- a/src/docs/releases/2.1.3.md +++ b/src/docs/releases/2.1.3.md @@ -1,6 +1,6 @@ ## Orchard Core 2.1.3 -**Release Date:** Not yet released +**Release Date:** December 12, 2024 This release includes critical security fixes that grant unintentionally full access to certain users.