
Announcing the release of Silverstripe CMS 4.6! Avoiding accidental content leaks and keeping the defaults secure but flexible

We’re excited to bring you our latest minor release, Silverstripe CMS 4.6. We've stayed focused on how to keep your content within Silverstripe CMS secure to avoid any potential content leaks.


We’re excited to bring you our latest minor release of Silverstripe CMS, version 4.6, which focuses on ensuring you have the information you need to avoid accidental leakage of restricted content stored in the CMS. We’ll go over what ‘restricted content’ might cover for your content and introduce new file indicators for your Content Managers.

With CMS 4.6, you’ll also see security improvements to User Forms, a simple image editing flow, commercial support for PHP 7.4, media type validation by default, and some fantastic contributions from the open-source community—be sure to check out the changelog to see who’s contributed!

As usual, this release follows semantic versioning, so it’s ready to be used in any current Silverstripe CMS project right now.

What’s new in Silverstripe CMS 4.6?

An upgrade to the latest version introduces several new features to benefit Content Managers, including:

And for Developers:

We unpack each of these new features below. Or, if you’re keen to get your upgrade underway now, we’ve got some next steps for you to get started.

For Content Managers

Collecting and managing personal data safely

With heightened awareness around the need to protect Personally Identifying Information, our team set about minimising the risk of similar events happening with websites built using Silverstripe CMS.

Looking at sites running on our own managed platforms, we’ve seen hundreds of web projects include the User Forms functionality that allows Content Managers to collect data from site visitors with forms they can create.

User Form in Silverstripe CMS 4.6

Example of the User Forms feature in the CMS

Creating a form to collect job applications on a careers page, allow submission of documents to verify someone's identity, or collect photos to be shared in an online gallery are all easy to set up with this feature. However, these different use-cases have very different levels of risk and responsibility with regard to data protection and integrity.

We know that many of our own client sites use these forms to collect information that should not be shared publicly. While the form data is always protected by the CMS, if files are submitted through the form, the Content Manager needs to consider whether these files should be restricted in the CMS and only be visible to certain users or groups. If the files are not restricted, they may be publicly viewable regardless of whether the file is placed on a web page or not.

Securing files uploaded through User Forms

Joining the release of CMS 4.6 is a new release to the User Forms module.

Now, when adding a File Upload field to any new form, the Content Manager is presented with a new prompt that suggests creating a new folder in the Files area under the restricted-by-default ‘Form-submissions’ folder and guides them through file security considerations.

New guidance for forms collecting uploaded files

The new module release is version 5.3.

Indicating file permissions

New file icons have been introduced to help identify the original source of a file and whether caution should be taken when using it.

New icons indicating file permissions in the CMS

Restricted access

The new icon showing restricted access in the CMS

Files stored in a folder with restricted access to certain users or groups will now show a clear indicator of their restricted access.

Files received through User Forms

The new icons for files received through User Forms in the CMS

Files uploaded through a User Form now have icons reflecting two different states: form submission and form submission with warning.

Form submission

This indicates a file is associated with a form submission. This file could contain information that should not be publicly available and care should be taken so that it is not published on the website.

Form submission with warning

This indicates that a file associated with a form submission does not have the recommended permissions applied to it, making the file publicly available.

You will find these icons in different areas of the CMS where common interactions with files occur.

Want to learn more about these icons? We’ve covered all you need to know in the Silverstripe CMS User help.

Direct access to editing inserted files

The flow for editing the details of a file already added to a content block or page has been simplified, enabling direct access to update file information like the title, filename, location, plus any custom field, without the need to navigate to the Files area.

This is made available through a new ‘Details’ button as shown below.

The new 'Details' button in the CMS

More sensible site search defaults (with Solr)

In focusing on how to avoid unintended leaks of restricted information in the CMS, it’s also important to look at other areas where a site could be exposed. Site search fits this scenario.

Projects implementing site search with Apache’s Solr and the commercially supported Silverstripe CMS module, FullTextSearch, will be interested in a new release of the module, made available at the time of the CMS 4.6.0 release, which introduces more secure defaults. Notably, draft and restricted content will no longer be indexed by default for site search.

Be sure to talk to your Digital Agency or Development team to see if your project uses this functionality and how this may affect your search results. The CMS 4.6.0 changelog provides detailed information for Developers.

For Developers

Commercial support for PHP 7.4

The long-awaited support for PHP 7.4 is now available! All commercially supported modules have had their automated test suite updated to test for PHP 7.4 and will continue to be monitored.

Media type (MIME) validation added to core

Media type validation has historically been provided as opt-in functionality through the MIME validator module. It lets Developers reduce the risk of malicious cyber attacks on web projects by limiting what file types are allowed to be uploaded, especially to the CMS.

Now, following an upgrade to CMS 4.6, this functionality is provided by default with a predefined whitelist of secure file types. This can be tweaked based on project needs, with the information provided in the CMS Developer Documentation and changelog.

Keen to get your upgrade underway?

Talk to your Digital Agency or Developer about upgrading

Haven’t got a Developer or Agency? No problem! Browse the Silverstripe CMS & Framework Developer Directory or the Silverstripe Professional Partner Directory and filter by location to find a Silverstripe CMS & Framework Developer near you.

Developers, check out our documentation

This release announcement does not cover the full detail of what is included in the release. Be sure to review the full changelog before planning your next site upgrade.

Head to our Developer Docs to view the CMS 4.6 changelog.

Content Managers, see the Silverstripe CMS User help

To understand the new file icons in more detail, be sure to check out the Silverstripe CMS User help guides:

About the author
Bryn Whyman

Bryn is one of SilverStripe's Product Owners. He's here to make sure our users are given a megaphone to have their ideas heard and ensure our products allow them to excel and enrich their communities.
