There have been a number of features or configuration settings that have been built into the mandatory CWP code base, most specifically through the mandatory cwp/cwp and cwp/cwp-core modules. While each repository readme provides some information, there is not a definitive list.
After many years of adding on features as part of sponsored development, and configuration options as platform requirements evolve, it's time to take stock of what CWP sites are getting out of the box.
With this information we can start to conduct some further research into:
what needs to be present for CCL (Revera) hosting
what is deemed to still be necessary to provide OOTB, or now has such a reliance by project users that it should be retained
what could be removed, or planned to migrate to a separate module
Note: Anyone reading this, please feel free to add your own feedback on the feature set provided by these modules.
ACs
[x] source code of cwp/cwp is reviewed with specific features, configuration, or other logic summarised
[x] source code of cwp/cwp-core is reviewed with specific features, configuration, or other logic summarised
[x] best effort is made to find corresponding user/ developer documentation for each feature/ config setting
[x] logic specific to CCL/ Revera hosting is noted as such
hybridsessions - session storage for revera - allows using SilverStripe on multiple servers without sticky sessions - store session in encrypted cookie if possible, fallback to storing session data in database.
environmentcheck - Adds health/check - A public URL that performs a quick check that this environment is functioning. This could be tied to a load balancer, for example
auditor - used to record: login attempts, logouts, page manipulations, security related changes such as members being added to groups or permission changes
Enables egress proxy - Used to allow external http requests - cwp docs
Disable CMS ping for security? Ping keeps session alive if browser window still open.
Set session timeout to 24 minutes (default is 0 meaning none, session should still timeout via other means, not sure how many minutes this would be)
Disable password autocomplete (default is disabled)
Lock out after 5 incorrect logins (default is 10)
Lock out delay of 15 minutes (default is 15)
Send email notification on password change (default is no notification)
Set login recording to false (default is false) - presumably the auditor module handles this?
Enable CWP-specific middleware which
a) does things to support the egress proxy
b) adds 'X-XSS-Protection' header
c) has support for adding HSTS header (though this header would normally be added via .htaccess, or a 3rd party module)
Sets a default quality setting of 90 for upload image compression
If mimevalidator module is installed, set the mime upload validator as the default upload validator. This is a bit weird, mimevalidator should probably do this out of the box.
Can be used as the base for project page. Comes linked up to Taxonomy Terms, RelatedPages, if restfulserver is installed will automatically expose most fields in the API (these fields are already exposed as rendered HTML)
This report provides various statistics for this site. The "total live page count" is the number that can be compared against the instance size specifications.
Looks like it only counts the number of pages split by subsite
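The login and session settings listed above can be checked mechanically against a site's effective configuration. The following is an added example, not code from cwp/cwp or cwp/cwp-core: the config key names are assumed SilverStripe 4 names (with the session timeout expressed in seconds), and the input is a constructed flat mapping of `Class.setting` to value.

```python
# Added example. Key names are assumed SilverStripe 4 config keys, not quoted
# from the page; the required values are the ones listed above.
# ("eq", v): exact boolean; ("between", lo, hi): inclusive integer range.
# Ranges start at 1: 0 means "no timeout" (stated above) and is assumed to mean
# "no lockout" as well, so a plain "<= limit" comparison would wrongly pass it.
BASELINE = {
    r"SilverStripe\Security\Member.lock_out_after_incorrect_logins": ("between", 1, 5),
    r"SilverStripe\Security\Member.lock_out_delay_mins": ("between", 15, None),
    r"SilverStripe\Security\Member.notify_password_change": ("eq", True),
    r"SilverStripe\Control\Session.timeout": ("between", 1, 24 * 60),  # seconds
    r"SilverStripe\Forms\PasswordField.autocomplete": ("eq", False),
    r"SilverStripe\Admin\LeftAndMain.session_keepalive_ping": ("eq", False),
}


def satisfies(rule, value):
    """Return True when value meets rule; unset or wrongly typed values fail."""
    if rule[0] == "eq":
        return isinstance(value, bool) and value == rule[1]
    _, low, high = rule
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return value >= low and (high is None or value <= high)


def audit(effective):
    """Return [(key, actual_value)] for every setting that misses the baseline."""
    return [(key, effective.get(key))
            for key, rule in BASELINE.items()
            if not satisfies(rule, effective.get(key))]


# Constructed sample: the framework defaults quoted above (10 attempts, 15 min,
# no notification, timeout 0); the keepalive ping default is assumed to be on.
FRAMEWORK_DEFAULTS = {
    r"SilverStripe\Security\Member.lock_out_after_incorrect_logins": 10,
    r"SilverStripe\Security\Member.lock_out_delay_mins": 15,
    r"SilverStripe\Security\Member.notify_password_change": False,
    r"SilverStripe\Control\Session.timeout": 0,
    r"SilverStripe\Forms\PasswordField.autocomplete": False,
    r"SilverStripe\Admin\LeftAndMain.session_keepalive_ping": True,
}

if __name__ == "__main__":
    for key, actual in audit(FRAMEWORK_DEFAULTS):
        print(f"FAIL {key} = {actual!r}")
```

A setting that is missing from the input is reported as a failure rather than assumed to be at its default, which is the safer behaviour if one of these modules is later removed or split out.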