Notice: CMSB v3.14 Beta 5 (August 7, 2018)

Great news.

It would be cool to get a bit more explanation on the new security aspects.  Something a bit more end-user marketing focus that I can pass on to clients about what this actually means in laymen's terms.  Would that be possible?

Nice. Happy to see the flash uploaded finally get upgraded.

I think the ability to be able to specify a secure upload field would be great, so that the uploaded files are stored outside of the web root folder and only accessible via CMSB functions.

Is anything like this on the roadmap?

Paul.

Hi all,

It would be cool to get a bit more explanation on the new security aspects.  Something a bit more end-user marketing focus that I can pass on to clients about what this actually means in laymen's terms.  Would that be possible?

• The "Encrypt Database Connections" setting is helpful to keep information secure on sites with a remote database, i.e.: when the database is on a different server than the website. When turned on, this setting requires the website and database to transmit all information securely and is analogous to accessing a website through HTTPS rather than HTTP. This does require the remote database be set up to accept secure connections.
• The Data Encryption option can be used to specify specific fields in the CMS to be encrypted in the database, meaning that the contents of the field can only be accessed through CMSB functions. This is helpful if the database is being used to store any confidential or personal information so that if someone were to gain illegitimate access to the database or its backups the encrypted fields would remain inaccessible.
• Moving the data folder outside of the web root adds an additional level of security to its contents, such as schema data, backups, and site settings. The data folder does already have measures in place to prevent it being accessed by the public, but placing it outside of the web root is a much more robust method to secure it.
  
  

I think the ability to be able to specify a secure upload field would be great, so that the uploaded files are stored outside of the web root folder and only accessible via CMSB functions.

Is anything like this on the roadmap?

Currently, CMSB can be configured to do this for all uploaded files (General Settings > Directories & Urls > Upload Directory). However, building a viewer to access these uploads would require some custom work, and be dependant on the needs of the specific project. We don't have any plans to add this sort of feature for individual upload fields, but we will keep it under consideration.

If you have a project you'd like to implement this on, I can try to point you in the right direction for a possible solution - I'd just need a few more details about the particulars of what you want to accomplish.

Thanks,

Hi Daniel,

Thanks for the reply.  There isn't a specific project at the moment but I have had requests for this functionality in the past so that secure documents can be uploaded and only accessed via PHP and not a direct URL.

If I have a specific need then I'll get in touch to see if you can help but I think this would be a good feature for CMSB in general, maybe to have a 'secure storage' checkbox on upload fields that if selected stores them outside of web root and then uses PHP to retrieve them instead of just giving the user a direct URL to the file.  Uploads without this checked will work in the same way.

Just a thought for now!

Regards, Paul.