We’re excited to bring you our latest minor release of Silverstripe CMS, version 4.6, which focuses on ensuring you have the information you need to avoid accidental leakage of restricted content stored in the CMS. We’ll go over what ‘restricted content’ might cover for your content and introduce new file indicators for your Content Managers.
With CMS 4.6, you’ll also see security improvements to User Forms, a simple image editing flow, commercial support for PHP 7.4, media type validation by default, and some fantastic contributions from the open-source community—be sure to check out the changelog to see who’s contributed!
As usual, this release follows semantic versioning, so it’s ready to be used in any current Silverstripe CMS project right now.
What’s new in Silverstripe CMS 4.6?
An upgrade to the latest version introduces several new features to benefit Content Managers, including:
- Securing uploaded files received through User Forms
- New file indicators for restricted files and folders
- Direct access to editing inserted files
- Tighter security defaults for site search
And for Developers:
We unpack each of these new features below. Or, if you’re keen to get your upgrade underway now, we’ve got some next steps for you to get started.
For Content Managers
Collecting and managing personal data safely
With heightened awareness around the need to protect Personally Identifying Information, our team set about minimising the risk of similar events happening with websites built using Silverstripe CMS.
Looking at sites running on our own managed platforms, we’ve seen hundreds of web projects include the User Forms functionality that allows Content Managers to collect data from site visitors with forms they can create.
Creating a form to collect job applications on a careers page, allow submission of documents to verify someone's identity, or collect photos to be shared in an online gallery are all easy to set up with this feature. However, these different use-cases have very different levels of risk and responsibility with regard to data protection and integrity.
We know that many of our own client sites use these forms to collect information that should not be shared publicly. While the form data is always protected by the CMS, if files are submitted through the form, the Content Manager needs to consider whether these files should be restricted in the CMS and only be visible to certain users or groups. If the files are not restricted, they may be publicly viewable regardless of whether the file is placed on a web page or not.
Securing files uploaded through User Forms
Joining the release of CMS 4.6 is a new release to the User Forms module.
Now, when choosing to add a File Upload field to any new form, the Content Manager will be presented with a new prompt suggesting they create a new folder in the Files area under the restricted-by-default ‘Form-submissions’ folder, and will be guided through file security considerations.
The new module release is version 5.3.
Indicating file permissions
New file icons have been introduced to help identify the original source of a file and whether caution should be taken when using it.
Restricted access
Files stored in a folder with restricted access to certain users or groups will now show a clear indicator of their restricted access.
Files received through User Forms
Files uploaded through a User Form now have icons reflecting two different states: form submission and form submission with warning.
Form submission
This indicates a file is associated with a form submission. This file could contain information that should not be publicly available and care should be taken so that it is not published on the website.
Form submission with warning
This indicates that a file associated with a form submission does not have the recommended permissions applied to it, making the file publicly available.
You will find these icons in different areas of the CMS where common interactions with files occur.
Want to learn more about these icons? We’ve covered all you need to know in the Silverstripe CMS User help.
Direct access to editing inserted files
The flow for editing the details of a file already added to a content block or page has been simplified, enabling direct access to update file information like the title, filename, location, plus any custom field, without the need to navigate to the Files area.
This is made available through a new ‘Details’ button as shown below.
More sensible site search defaults (with Solr)
In focusing on how to avoid unintended leaks of restricted information in the CMS, it’s also important to look at other areas where a site could be exposed. Site search fits this scenario.
Projects implementing site search with Apache’s Solr and the Silverstripe CMS commercially supported module, FullTextSearch, will be interested in a new release of the module, made available at the time of the CMS 4.6.0 release, which introduces more secure defaults. Notably, draft and restricted content will no longer be indexed by default for site search.
Be sure to talk to your Digital Agency or Development team to see if your project uses this functionality and how this may affect your search results. The CMS 4.6.0 changelog provides detailed information for Developers.
For Developers
Commercial support for PHP 7.4
The long-awaited support for PHP 7.4 is now available! All commercially supported modules have had their automated test suite updated to test for PHP 7.4 and will continue to be monitored.
Media type (MIME) validation added to core
Media type validation was historically provided as opt-in functionality through the MIME validator module. It lets Developers reduce the risk of malicious cyber attacks on web projects by limiting what file types are allowed to be uploaded, especially to the CMS.
Now, following an upgrade to CMS 4.6, this functionality is provided by default with a predefined whitelist of secure file types. This can be tweaked based on project needs, with the information provided in the CMS Developer Documentation and changelog.
Keen to get your upgrade underway?
Talk to your Digital Agency or Developer about upgrading
Haven’t got a Developer or Agency? No problem! Browse the Silverstripe CMS & Framework Developer Directory or the Silverstripe Professional Partner Directory and filter by location to find a Silverstripe CMS & Framework Developer near you.
Developers, check out our documentation
This release announcement does not cover the full detail of what is included in the release. Be sure to review the full changelog before planning your next site upgrade.
Head to our Developer Docs to view the CMS 4.6 changelog.
Content Managers, see the Silverstripe CMS User help
To understand the new file icons in more detail, be sure to check out the Silverstripe CMS User help guides:
- Visit CMS User help for File permissions
- Visit CMS User help for new User Form security guidance