Although not stable enough yet for the 'master' branch, commit 1fdd4fe of the 'unstable' branch includes several new security upgrades to ConnextCMS. Here is a list of the upgrades:
- Users can now change their password, login, and name by navigating to the page /edituser. You must log in in order to gain access and change your user information. Only superusers and the logged-in user can change that user's information (such as the password).
- Two classes of admins have been created: Admins and Superusers. Admins will be directed to the ConnextCMS dashboard when they log in, and restricted to that dashboard. They can edit the site but can not change user information for normal users. Superusers can access both the ConnextCMS dashboard as well as the KeystoneJS Admin UI. They will be directed to the Admin UI upon login, and a link at the top of the page will take them to the ConnextCMS dashboard.
- These are not the same roles as KeystoneJS uses. KeystoneJS Admin settings are set in the /models/user.js model. ConnextCMS Admin and Superuser roles are assigned by adding the User GUID to an array in the top-level keystone.js file that is run to start the server.
Eventually the Keystone Admin role will be phased out. With the creation of the /edituser path, and the ability for users to edit their own User model, the User model is no longer a safe place to store the isAdmin flag that Keystone uses, as users could now make themselves Keystone Admins by setting that flag. A new model called UserData will be created in the future that will hold user data that is only editable by Superusers.
- CORS (Cross Origin Resource Sharing) has been re-enabled. To facilitate rapid development, CORS protection was disabled in earlier versions of ConnextCMS. This caused some problems, as out-of-the-box any ConnextCMS clone would point back to the demo site and would update the database on that site. The /public/js/serversettings.js file had to be updated to point to the correct server IP address. This was a huge security hole that has been patched.
- Update, Create, and Delete API calls now require Admin privileges, and require a valid CSRF token. Get and List API calls are still open and publicly accessible. Previously all API calls were open and anyone could send malicious instructions.
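To make two of the rules above concrete (only superusers or the user themselves may edit a user record; Create/Update/Delete API calls need Admin rights plus a valid CSRF token, while Get/List stay open), here is an added JavaScript example. It is not ConnextCMS or KeystoneJS code: it assumes req.user is the logged-in KeystoneJS user with an _id, that the role arrays hold user GUID strings as they do in keystone.js, and it uses a hypothetical csrfValid() stand-in for the real CSRF check; the GUIDs are constructed.

```javascript
// Added example, not ConnextCMS's own code. Models the GUID-array role lookup
// and the "writes need Admin + CSRF" rule as Express-style middleware.
const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Hypothetical role configuration; constructed GUIDs, not real user ids.
const roles = {
  superusers: ['5a0e9f1c2b3d4e5f6a7b8c9d'],
  admins: ['5a0e9f1c2b3d4e5f6a7b8c9e'],
};

// Map a logged-in user (or no user) to a ConnextCMS role by GUID membership.
function roleOf(user, cfg) {
  if (!user) return 'anonymous';
  const id = String(user._id);
  if (cfg.superusers.includes(id)) return 'superuser';
  if (cfg.admins.includes(id)) return 'admin';
  return 'user';
}

// /edituser rule: a user may edit their own record; superusers may edit anyone.
// Admins are deliberately NOT allowed to change other users' information.
function canEditUser(actor, targetId, cfg) {
  if (!actor) return false;
  if (roleOf(actor, cfg) === 'superuser') return true;
  return String(actor._id) === String(targetId);
}

// Stand-in CSRF check (assumption): header token must match the session token.
function csrfValid(req) {
  const sent = req.headers && req.headers['x-csrf-token'];
  return Boolean(sent) && Boolean(req.session) && sent === req.session.csrfToken;
}

// Decide whether a content-API request is allowed. Returns a plain object so
// the policy can be tested without a running Express server.
function authorizeApi(req, cfg, isCsrfValid) {
  if (!WRITE_METHODS.has(req.method.toUpperCase())) {
    return { allow: true, status: 200, reason: 'read' }; // Get/List stay open
  }
  const role = roleOf(req.user, cfg);
  if (role !== 'admin' && role !== 'superuser') {
    return { allow: false, status: 403, reason: 'admin-required' };
  }
  if (!isCsrfValid(req)) return { allow: false, status: 403, reason: 'csrf' };
  return { allow: true, status: 200, reason: role };
}

// Express middleware wrapper: mount it in front of the API routes.
function requireAdminForWrites(cfg, isCsrfValid) {
  return function (req, res, next) {
    const d = authorizeApi(req, cfg, isCsrfValid);
    if (d.allow) return next();
    res.status(d.status).json({ error: d.reason });
  };
}
```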
As you can see, the security updates are many and very important. If you'd like to update your installation to take advantage of these changes, change to the 'unstable' branch by typing 'git branch unstable' and then 'git checkout 1fdd4fe' or 'git pull' to get the latest changes.