We’re excited to bring you our latest minor release of CWP, version 2.6, which focuses on ensuring you have the information you need to avoid accidental leakage of restricted content stored in the CMS. We’ll go over what ‘restricted content’ might cover for your content and introduce new file indicators for your Content Managers.
With CWP 2.6, you’ll also see security improvements to User Forms, a simple image editing flow, commercial support for PHP 7.4, safer defaults for site search, and some fantastic contributions from the open-source community—be sure to check out the changelog to see who’s contributed!
As usual, this release follows semantic versioning, so it’s ready to be used in any current CWP project right now.
What’s new in CWP 2.6?
An upgrade to the latest version includes Silverstripe CMS version 4.6 and introduces several new features to benefit Content Managers, including:
- Securing uploaded files received through User Forms
- New file indicators for restricted files and folders
- Direct access to editing inserted files
- Tighter security defaults for site search
And for Developers:
We unpack each of these new features below. Or, if you’re keen to get your upgrade underway now, we’ve provided some next steps.
For Content Managers
Collecting and managing personal data safely
With heightened awareness around the need to protect Personally Identifying Information, our team set about minimising the risk of similar events happening with websites built using Silverstripe CMS.
Almost all sites on the Common Web Platform include the User Forms functionality that allows Content Managers to collect data from site visitors with forms they can create.
Creating a form to collect job applications on a careers page, allow submission of documents to verify someone's identity, or collect photos to be shared in an online gallery are all easy to set up with this feature. However, these different use-cases have very different levels of risk and responsibility with regard to data protection and integrity.
While the form data is always protected by the CMS, if files are submitted through the form, the Content Manager needs to consider whether these files should be restricted in the CMS and only be visible to certain users or groups. If the files are not restricted, they may be publicly viewable regardless of whether the file is placed on a web page or not.
Joining the release of CWP 2.6 is a new release of the User Forms module.
Now, when choosing to add a File Upload field to any new form, the Content Manager will be presented with a new prompt suggesting they create a new folder in the Files area under the restricted-by-default ‘Form-submissions’ folder, and will be guided through file security considerations.
The new module release is version 5.3.
New file icons have been introduced to help identify the original source of a file and whether caution should be taken when using it.
Files stored in a folder with restricted access to certain users or groups will now show a clear indicator of their restricted access.
Files received through User Forms
Files uploaded through a User Form now have icons reflecting two different states: form submission and form submission with warning.
Form submission
This indicates a file is associated with a form submission. This file could contain information that should not be publicly available, and care should be taken so that it is not published on the website.
Form submission with warning
This indicates that a file associated with a form submission does not have the recommended permissions applied to it, making the file publicly available.
You will find these icons in different areas of the CMS where common interactions with files occur.
Want to learn more about these icons? We’ve covered all you need to know in the Silverstripe CMS User help.
The flow for editing the details of a file already added to a content block or page has been simplified, enabling direct access to update file information like the title, filename, location, plus any custom field, without the need to navigate to the Files area.
This is made available through a new ‘Details’ button as shown below.
In focusing on how to avoid unintended leaks of restricted information in the CMS, it’s also important to look at other areas where a site could be exposed. Site search fits this scenario.
Projects using CWP’s default site search functionality with Apache’s Solr and the Silverstripe CMS commercially supported module, FullTextSearch, will be interested in a new release of the module, made available at the time of the CWP 2.6 release, that introduces more secure defaults. Notably, draft and restricted content will no longer be indexed by default.
Be sure to talk to your Digital Agency or Development team to see if your project uses this functionality and how this may affect your search results. The CWP 2.6.0 changelog provides detailed information for Developers.
The long-awaited support for PHP 7.4 is now available! All commercially supported modules have had their automated test suites updated to test for PHP 7.4 and will continue to be monitored.
Talk to your Digital Agency or Developer about upgrading
Haven’t got a Developer or Agency? You can request support with your upgrade through the CWP Service Desk.
This release announcement does not cover the full detail of what is included in the release. Be sure to review the full changelog before planning your next site upgrade.
To understand the new file icons in more detail, be sure to check out the Silverstripe CMS User help guides:
- Visit CMS User help for File permissions
- Visit CMS User help for new User Form security guidance