SPIKE: Definitive list of features/ config built into CWP core

[brynwhyman]

Overview

There have been a number of features or configuration settings that have been built into the mandatory CWP code base, most specifically through the mandatory cwp/cwp and cwp/cwp-core modules. While each repository readme provide some information, there is not a definitive list.

After many years of adding on features as part of sponsored development, and configuration options as platform requirements evolve, it's time to take stock of what CWP sites are getting out of the box.

With this information we can start to conduct some further research into:

• what needs to present for CCL (Revera) hosting
• what is deemed to still be necessary to provide OOTB, or now has such a reliance by project users that it should be retained
• what could be removed, or planned to migrate to a separate module

Note: Anyone reading this, please feel free to add your own feedback on the feature set provided by these modules.

ACs

• [x] source code of cwp/cwp is reviewed with specific features, configuration, or other logic summarised
• [x] source code of cwp/cwp-core is reviewed with specific features, configuration, or other logic summarised
• [x] best effort is made to find corresponding user/ developer documentation for each feature/ config setting
• [x] logic specific to CCL/ Revera hosting is noted as such

[emteknetnz]

Note: recipe features, notably when setting up a site with cwp-installer, are recorded here

[emteknetnz]

cwp-core 2.8

composer.json

Modules added

• hybridsessions - session storage for revera - allows using SilverStripe on multiple servers without sticky sessions - store session in encrypted cookie if possible, fallback to storing session data in database.
• environmentcheck - Adds health/check - A public URL that performs a quick check that this environment is functioning. This could be tied to a load balancer, for example
• auditor - used to record: login attempts, logouts, page manipulations, security related changes such as members being added to gropus or permission changes

config.yml

• Enables egress proxy - Used to allow external http requests - cwp docs
• Disable CMS ping for security? Ping keeps session alive if browser window still open.
• Set session timeout to 24 minutes (default is 0 meaning none, session should still timeout via other means, not sure how many minutes this would be)
• Disable password autocomlete (default is disabled)
• Lock out after 5 incorrect logins (default is 10)
• Lock out delay of 15 minutes (default is 15)
• Send email notification on password change (default is no notification)
• Set login recording to false (default is false) - presumbably the auditor module handles this?
• Enable CWP-specifc middleware which a) does things to support the egress proxy b) adds 'X-XSS-Protection' header c) has support for adding HSTS header (though this header would normally be added via .htaccess, or a 3rd party module)
• Sets a default quality setting of 90 for upload image compression

documentconverter.yml

• If documentconverter module installed, set some config - this is kind of weird, config should be in documentconverter module instead

editor.yml

• Enable server side WYSIWYG HTML sanisation (default is disabled) - will remove <script> tags and other tags not in the tag allowlist

encryptors.yml

• Enable pdkdf2_sha512 password encryptor for NZISM compliance

live-config.yml

• Enable cookie_secure (default is disabled) - use seperate cookies for http and https requests

logging.yml

• Config for cwp revera graylog

oembed.yml

• Proxy config for youtube embeds on cwp revera e.g. youtube embeds

queuedjobs.yml

• If queuedjobs is installed, use the doorman queue runner (I think the default is doorman, though possiby it wasn't always like that)

security.yml

• Password minimum length 10 (default is 8)
• Min test score is 3 (default is none) - test score is a mixuture of lowercase, uppercase, digits, punctuation
• Historic count is 6 (default is 6) - means new password cannot be one of the last 6 passwords used
• Force /Security/ and /api/ to use https
• Allow users added to ip whitelist to bypass basic auth
• Enforce basic auth and https on UAT
• Enforce https for any domains listed in the CWP_SECURE_DOMAIN platform stack variable (which is probably all of them)

textextraction.yml

• If textextraction module installed, set some config - this is kind of weird, config should be in textextraction module instead

version.yml

• Set the version number in the bottom left corner of the CMS e.g. CWP 2.8

RichLinksExtension.php

• Adds capability to augment links with extra attributes and meta information
• e.g. will add an external link icon to external hyperlinks
• Will only work with content produced by HtmlEditorField.

CwpAtomFeed.php

• This class is used to create an Atom feed.

[emteknetnz]

cwp 2.8

composer.json

Modules added

• taxonomy - The Taxonomy module add the capability to add and edit simple taxonomies within SilverStripe.
• gridfieldextensions - Adds extra functionalities to gridfields such as search, drag and drop reordering, etc

advancedworkflow.yml

• If advancedworkflow module is installed, add the CWP workflow definition - Content Authors can write content and Content Publishers can approve/reject

ckan.yml

• If ckan module is installed, set the default endpoint to https://catalogue.data.govt.nz/

comments.yml

• If comments module is installed, add the cwp commenting extension which adds fields for email (which won't be published) and optional website name

config.yml

• Adds fields in site settings for google analyics code, facebook url, twitter url
• Adds checkbox to pages in CMS to 'ShowPageUtilities' - unsure what this does
• Adds taxonomy terms to pages
• Format member titles as "{FirstName} {Surname}"

export.yml

• Wait 15 seconds before marking gridfield export as csv job as complete to ensure assets have synchronised

extensions.yml

• Add backlink tracking to pages "This list shows all pages where the file has been added through a WYSIWYG editor" - unsure about accuracy of this

maintenance.yml

• If bringyourownideas/silverstripe-maintenance module installed, configure to work with proxy changing SS/CMS labels to CWP

mimevalidator.yml

• If mimevalidator module is installed, set the mime upload validator as the default upload validator. This is a bit weird, mimevalidator should probably do this out of the box.

spellcheck.yml

• If spellcheck module is installed, coniguration to work with the cwp WYWIWYG editor and has mi_NZ as an available locale

CwpSiteSummaryExtension.php

• Updates the site summary report to remove silverstripe/framework, and add cwp/cwp and silverstripe/cms

Quicklink.php

• DataObject of a hyperlink, either internal or external
• Presumably similar to https://github.com/silverstripe/silverstripe-linkfield/

BaseHomePage.php

• Can be used to be the base for the project home page Provides support for FeatureOne and FeatureTwo (Title, Category, Content, CTA button)
• note: for all cwp page types, I've only include the pagetyes and not the corresponding controllers or "holder" classes.

BasePage.php

• Can be used as the base for project page. Comes linked up to Taxonomy Terms, RelatedPages, if restfulserver is installed will automatically expose most fields in the API (these fields are already exposed as rendered HTML)

DatedUpdatePage.php

• Not sure, involves taxonomy terms and dates. I think it may relate to EventPages

EventPage.php

• Describes an event occurring on a specific date

FooterHolder.php

• Holder page that displays all child pages as links in the footer
• Using a Page instead of a DataObject seems strange

NewsPage.php

• Describes an item of news

SitemapPage.php

• Lists all pages on the site
• Should probably use https://github.com/wilr/silverstripe-googlesitemaps instead

CwpStatsReport.php

• This report provides various statistics for this site. The "total live page count" is the number that be compared against the instance size specifications.
• Looks like it only count the number of pages split by subsite

[emteknetnz]

Readme's / module docs

cwp/cwp-core README.md

• Mentions X-XSS-Protection header - note: this header has poor support - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
• Mentions the CWP revera egress proxy
• There is no cwp-core/docs folder

cwp/cwp README.md

• Nothing
• There is no cwp/docs folder

cwp.govt.nz

https://www.cwp.govt.nz/features/ - Software features

• (Note: many of these would require recipes)
• Content blocks, page types, forms, and themes designed for government content.
• An easy-to-use content editor.
• Publishing workflow with approval notifications. A bulk campaign publishing feature. Versioning to meet government accountability and auditing needs.
• Tools to classify and organise content.
• Site search with easy to manage keywords, PDF and Word content can be searchable.
• Import content from Microsoft Word or present open data (e.g. share info. from data.govt.nz).
• Templates that meet NZ government web accessibility standards.
• User permissions you can manage.
• Integrate with Google Analytics.
• Drag and drop page hierarchy (information architecture).
• Blogs with managed feedback and spam protection that comply with the NZ Public Records Act.
• Integrate with other government tools like RealMe

https://www.cwp.govt.nz/features/software-features/

• Overview of features within recipes
• See https://github.com/silverstripeltd/product-issues/issues/409

https://www.cwp.govt.nz/developer-docs/en/2/features/

• (Lists features of "the default codebase", which is cwp-installer i.e. ALL cwp recipes)
• Pre-configuration of CWP codebase
• Solr search
• Active directory single sign-on - CMS3 only
• Blogging
• Content review
• Creating forms in the CMS
• Publish searchable data (registry)
• Multiple sites
• PDF export of website pages
• RealMe Authentication
• Related pages
• CMS reports
• Rich links
• Working with translations