Create system roles by default

src/OrchardCore.Modules/OrchardCore.Roles/Migrations/SystemRolesMigrations.cs

@@ -0,0 +1,42 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging;
+using OrchardCore.Data.Migration;
+using OrchardCore.Security;
+
+namespace OrchardCore.Roles.Migrations;
+
+public sealed class SystemRolesMigrations : DataMigration
+{
+    private readonly ISystemRoleProvider _systemRoleProvider;
+    private readonly RoleManager<IRole> _roleManager;
+    private readonly ILogger _logger;
+
+    public SystemRolesMigrations(
+        ISystemRoleProvider systemRoleProvider,
+        RoleManager<IRole> roleManager,
+        ILogger<RolesMigrations> logger)
+    {
+        _systemRoleProvider = systemRoleProvider;
+        _roleManager = roleManager;
+        _logger = logger;
+    }
+
+    public async Task<int> CreateAsync()
+    {
+        var systemRoles = await _systemRoleProvider.GetSystemRolesAsync();
+
+        foreach (var systemRole in systemRoles)
+        {
+            var role = await _roleManager.FindByNameAsync(systemRole.RoleName);
+
+            if (role is null)
+            {
+                await _roleManager.CreateAsync(role);
+            }
+        }
+
+        _logger.LogInformation("The system roles have been created successfully.");
+
+        return 1;
+    }
+}

src/OrchardCore.Modules/OrchardCore.Roles/Recipes/RolesStep.cs

@@ -13,15 +13,15 @@ namespace OrchardCore.Roles.Recipes;
 public sealed class RolesStep : NamedRecipeStepHandler
 {
     private readonly RoleManager<IRole> _roleManager;
-    private readonly ISystemRoleNameProvider _systemRoleNameProvider;
+    private readonly ISystemRoleProvider _systemRoleProvider;
 
     public RolesStep(
         RoleManager<IRole> roleManager,
-        ISystemRoleNameProvider systemRoleNameProvider)
+        ISystemRoleProvider systemRoleProvider)
         : base("Roles")
     {
         _roleManager = roleManager;
-        _systemRoleNameProvider = systemRoleNameProvider;
+        _systemRoleProvider = systemRoleProvider;
     }
 
     protected override async Task HandleAsync(RecipeExecutionContext context)
@@ -59,7 +59,7 @@ protected override async Task HandleAsync(RecipeExecutionContext context)
                     r.RoleClaims.RemoveAll(c => c.ClaimType == Permission.ClaimType);
                 }
 
-                if (!await _systemRoleNameProvider.IsAdminRoleAsync(roleName))
+                if (!await _systemRoleProvider.IsAdminRoleAsync(roleName))
                 {
                     if (roleEntry.PermissionBehavior == PermissionBehavior.Remove)
                     {

src/OrchardCore.Modules/OrchardCore.Roles/Services/RoleClaimsProvider.cs

@@ -11,18 +11,23 @@ public class RoleClaimsProvider : IUserClaimsProvider
 {
     private readonly UserManager<IUser> _userManager;
     private readonly RoleManager<IRole> _roleManager;
-    private readonly ISystemRoleNameProvider _systemRoleNameProvider;
+    private readonly ISystemRoleProvider _systemRoleProvider;
     private readonly IdentityOptions _identityOptions;
 
     public RoleClaimsProvider(
         UserManager<IUser> userManager,
         RoleManager<IRole> roleManager,
+#pragma warning disable CS0618 // Type or member is obsolete
+#pragma warning disable IDE0060 // Remove unused parameter
         ISystemRoleNameProvider systemRoleNameProvider,
+#pragma warning restore IDE0060 // Remove unused parameter
+#pragma warning restore CS0618 // Type or member is obsolete
+        ISystemRoleProvider systemRoleProvider,
         IOptions<IdentityOptions> identityOptions)
     {
         _userManager = userManager;
         _roleManager = roleManager;
-        _systemRoleNameProvider = systemRoleNameProvider;
+        _systemRoleProvider = systemRoleProvider;
         _identityOptions = identityOptions.Value;
     }
 
@@ -39,7 +44,7 @@ public async Task GenerateAsync(IUser user, ClaimsIdentity claims)
 
         foreach (var roleName in roleNames)
         {
-            if (await _systemRoleNameProvider.IsAdminRoleAsync(roleName))
+            if (await _systemRoleProvider.IsAdminRoleAsync(roleName))
             {
                 isAdministrator = true;
                 break;

src/OrchardCore.Modules/OrchardCore.Roles/Services/RoleStore.cs

@@ -13,7 +13,7 @@ namespace OrchardCore.Roles.Services;
 public class RoleStore : IRoleClaimStore<IRole>, IQueryableRoleStore<IRole>
 {
     private readonly IServiceProvider _serviceProvider;
-    private readonly ISystemRoleNameProvider _systemRoleProvider;
+    private readonly ISystemRoleProvider _systemRoleProvider;
     private readonly IDocumentManager<RolesDocument> _documentManager;
     protected readonly IStringLocalizer S;
     private readonly ILogger _logger;
@@ -22,7 +22,7 @@ public class RoleStore : IRoleClaimStore<IRole>, IQueryableRoleStore<IRole>
 
     public RoleStore(
         IServiceProvider serviceProvider,
-        ISystemRoleNameProvider systemRoleProvider,
+        ISystemRoleProvider systemRoleProvider,
         IDocumentManager<RolesDocument> documentManager,
         IStringLocalizer<RoleStore> stringLocalizer,
         ILogger<RoleStore> logger)

src/OrchardCore.Modules/OrchardCore.Roles/Services/RoleUpdater.cs

@@ -15,7 +15,7 @@ public class RoleUpdater : FeatureEventHandler, IRoleCreatedEventHandler, IRoleR
     private readonly ShellDescriptor _shellDescriptor;
     private readonly IExtensionManager _extensionManager;
     private readonly IDocumentManager<RolesDocument> _documentManager;
-    private readonly ISystemRoleNameProvider _systemRoleNameProvider;
+    private readonly ISystemRoleProvider _systemRoleProvider;
     private readonly IEnumerable<IPermissionProvider> _permissionProviders;
     private readonly ITypeFeatureProvider _typeFeatureProvider;
     private readonly ILogger _logger;
@@ -26,15 +26,18 @@ public RoleUpdater(
         ShellDescriptor shellDescriptor,
         IExtensionManager extensionManager,
         IDocumentManager<RolesDocument> documentManager,
-        ISystemRoleNameProvider systemRoleNameProvider,
+#pragma warning disable IDE0060 // Remove unused parameter
+        ISystemRoleProvider systemRoleNameProvider,
+#pragma warning restore IDE0060 // Remove unused parameter
+        ISystemRoleProvider systemRoleProvider,
         IEnumerable<IPermissionProvider> permissionProviders,
         ITypeFeatureProvider typeFeatureProvider,
         ILogger<RoleUpdater> logger)
     {
         _shellDescriptor = shellDescriptor;
         _extensionManager = extensionManager;
         _documentManager = documentManager;
-        _systemRoleNameProvider = systemRoleNameProvider;
+        _systemRoleProvider = systemRoleProvider;
         _permissionProviders = permissionProviders;
         _typeFeatureProvider = typeFeatureProvider;
         _logger = logger;
@@ -204,7 +207,7 @@ private Task<bool> UpdateRolesForEnabledFeatureAsync(Role role, IEnumerable<IPer
 
     private async Task<bool> UpdatePermissionsAsync(Role role, IEnumerable<string> permissions)
     {
-        if (await _systemRoleNameProvider.IsAdminRoleAsync(role.RoleName))
+        if (await _systemRoleProvider.IsAdminRoleAsync(role.RoleName))
         {
             // Don't update claims for admin role.
             return true;

src/OrchardCore.Modules/OrchardCore.Roles/Startup.cs

@@ -33,7 +33,10 @@ public Startup(IShellConfiguration shellConfiguration)
     public override void ConfigureServices(IServiceCollection services)
     {
         services.AddScoped<IUserClaimsProvider, RoleClaimsProvider>();
-        services.AddDataMigration<RolesMigrations>();
+
+        services.AddDataMigration<SystemRolesMigrations>()
+            .AddDataMigration<RolesMigrations>();
+
         services.AddScoped<RoleStore>();
         services.Replace(ServiceDescriptor.Scoped<IRoleClaimStore<IRole>>(sp => sp.GetRequiredService<RoleStore>()));
         services.Replace(ServiceDescriptor.Scoped<IRoleStore<IRole>>(sp => sp.GetRequiredService<RoleStore>()));

src/OrchardCore.Modules/OrchardCore.Settings/Services/SuperUserHandler.cs

@@ -11,14 +11,19 @@ namespace OrchardCore.Settings.Services;
 public class SuperUserHandler : IAuthorizationHandler
 {
     private readonly ISiteService _siteService;
-    private readonly ISystemRoleNameProvider _systemRoleNameProvider;
+    private readonly ISystemRoleProvider _systemRoleProvider;
 
     public SuperUserHandler(
         ISiteService siteService,
-        ISystemRoleNameProvider systemRoleNameProvider)
+#pragma warning disable CS0618 // Type or member is obsolete
+#pragma warning disable IDE0060 // Remove unused parameter
+        ISystemRoleNameProvider systemRoleNameProvider,
+#pragma warning restore IDE0060 // Remove unused parameter
+#pragma warning restore CS0618 // Type or member is obsolete
+        ISystemRoleProvider systemRoleProvider)
     {
         _siteService = siteService;
-        _systemRoleNameProvider = systemRoleNameProvider;
+        _systemRoleProvider = systemRoleProvider;
     }
 
     public async Task HandleAsync(AuthorizationHandlerContext context)
@@ -30,7 +35,9 @@ public async Task HandleAsync(AuthorizationHandlerContext context)
             return;
         }
 
-        if (user.IsInRole(await _systemRoleNameProvider.GetAdminRoleAsync()))
+        var adminRole = await _systemRoleProvider.GetAdminRoleAsync();
+
+        if (user.IsInRole(adminRole.RoleName))
         {
             SucceedAllRequirements(context);
 

src/OrchardCore.Themes/TheAdmin/Recipes/blank.recipe.json

@@ -69,11 +69,6 @@
     {
       "name": "Roles",
       "Roles": [
-        {
-          "Name": "Administrator",
-          "Description": "A system role that grants all permissions to the assigned users.",
-          "Permissions": []
-        },
         {
           "Name": "Moderator",
           "Description": "Grants users the ability to moderate content.",
@@ -93,16 +88,6 @@
           "Name": "Contributor",
           "Description": "Grants users the ability to contribute content.",
           "Permissions": []
-        },
-        {
-          "Name": "Authenticated",
-          "Description": "A system role representing all authenticated users.",
-          "Permissions": []
-        },
-        {
-          "Name": "Anonymous",
-          "Description": "A system role representing all non-authenticated users.",
-          "Permissions": []
         }
       ]
     }

src/OrchardCore.Themes/TheAdmin/Recipes/headless.recipe.json

@@ -64,11 +64,6 @@
     {
       "name": "Roles",
       "Roles": [
-        {
-          "Name": "Administrator",
-          "Description": "A system role that grants all permissions to the assigned users.",
-          "Permissions": []
-        },
         {
           "Name": "Moderator",
           "Description": "Grants users the ability to moderate content.",
@@ -97,11 +92,6 @@
             "ExecuteGraphQL",
             "ExecuteApiAll"
           ]
-        },
-        {
-          "Name": "Anonymous",
-          "Description": "A system role representing all non-authenticated users.",
-          "Permissions": []
         }
       ]
     },

src/OrchardCore.Themes/TheAgencyTheme/Recipes/agency.recipe.json

@@ -73,11 +73,6 @@
     {
       "name": "Roles",
       "Roles": [
-        {
-          "Name": "Administrator",
-          "Description": "A system role that grants all permissions to the assigned users.",
-          "Permissions": []
-        },
         {
           "Name": "Moderator",
           "Description": "Grants users the ability to moderate content.",
@@ -97,16 +92,6 @@
           "Name": "Contributor",
           "Description": "Grants users the ability to contribute content.",
           "Permissions": []
-        },
-        {
-          "Name": "Authenticated",
-          "Description": "A system role representing all authenticated users.",
-          "Permissions": []
-        },
-        {
-          "Name": "Anonymous",
-          "Description": "A system role representing all non-authenticated users.",
-          "Permissions": []
         }
       ]
     },

src/OrchardCore.Themes/TheBlogTheme/Recipes/blog.recipe.json

@@ -87,11 +87,6 @@
     {
       "name": "Roles",
       "Roles": [
-        {
-          "Name": "Administrator",
-          "Description": "A system role that grants all permissions to the assigned users.",
-          "Permissions": []
-        },
         {
           "Name": "Moderator",
           "Description": "Grants users the ability to moderate content.",
@@ -111,16 +106,6 @@
           "Name": "Contributor",
           "Description": "Grants users the ability to contribute content.",
           "Permissions": []
-        },
-        {
-          "Name": "Authenticated",
-          "Description": "A system role representing all authenticated users.",
-          "Permissions": []
-        },
-        {
-          "Name": "Anonymous",
-          "Description": "A system role representing all non-authenticated users.",
-          "Permissions": []
         }
       ]
     },

src/OrchardCore.Themes/TheComingSoonTheme/Recipes/comingsoon.recipe.json

@@ -70,11 +70,6 @@
     {
       "name": "Roles",
       "Roles": [
-        {
-          "Name": "Administrator",
-          "Description": "A system role that grants all permissions to the assigned users.",
-          "Permissions": []
-        },
         {
           "Name": "Moderator",
           "Description": "Grants users the ability to moderate content.",
@@ -94,16 +89,6 @@
           "Name": "Contributor",
           "Description": "Grants users the ability to contribute content.",
           "Permissions": []
-        },
-        {
-          "Name": "Authenticated",
-          "Description": "A system role representing all authenticated users.",
-          "Permissions": []
-        },
-        {
-          "Name": "Anonymous",
-          "Description": "A system role representing all non-authenticated users.",
-          "Permissions": []
         }
       ]
     },

src/OrchardCore/OrchardCore.Roles.Abstractions/Extensions/SystemRoleProviderExtensions.cs

@@ -0,0 +1,31 @@
+using OrchardCore.Security;
+
+namespace OrchardCore.Roles;
+
+public static class SystemRoleProviderExtensions
+{
+    public static async ValueTask<IRole> GetAdminRoleAsync(this ISystemRoleProvider systemRoleNameProvider)
+    {
+        var systemRoles = await systemRoleNameProvider.GetSystemRolesAsync();
+
+        return systemRoles.SingleOrDefault(role => role.RoleName.Equals(OrchardCoreConstants.Roles.Administrator, StringComparison.OrdinalIgnoreCase));
+    }
+
+    public static async ValueTask<bool> IsSystemRoleAsync(this ISystemRoleProvider systemRoleNameProvider, string name)
+    {
+        ArgumentException.ThrowIfNullOrEmpty(name, nameof(name));
+
+        var systemRoles = await systemRoleNameProvider.GetSystemRolesAsync();
+
+        return systemRoles.Any(role => role.RoleName.Equals(name, StringComparison.OrdinalIgnoreCase));
+    }
+
+    public static async ValueTask<bool> IsAdminRoleAsync(this ISystemRoleProvider systemRoleNameProvider, string name)
+    {
+        ArgumentException.ThrowIfNullOrEmpty(name, nameof(name));
+
+        var adminRole = await systemRoleNameProvider.GetAdminRoleAsync();
+
+        return adminRole.RoleName.Equals(name, StringComparison.OrdinalIgnoreCase);
+    }
+}

src/OrchardCore/OrchardCore.Roles.Abstractions/ISystemRoleNameProvider.cs

@@ -2,6 +2,7 @@
 
 namespace OrchardCore.Roles;
 
+[Obsolete("This interface has been deprecated, use ISystemRoleProvider instead.")]
 public interface ISystemRoleNameProvider
 {
     ValueTask<string> GetAdminRoleAsync();

src/OrchardCore/OrchardCore.Roles.Abstractions/ISystemRoleProvider.cs

@@ -0,0 +1,8 @@
+using OrchardCore.Security;
+
+namespace OrchardCore.Roles;
+
+public interface ISystemRoleProvider
+{
+    ValueTask<IEnumerable<IRole>> GetSystemRolesAsync();
+}