Improved Defense in Depth Security Strategy
I could write a book on this one, but will try to sum it up in just a few words. We have migrated away from using the easily cracked MD5 hashing algorithm for passwords. We have re-engineered how the long-term cookie works (this is the ‘Remember Me’ feature that allows you to automatically log in for a period of time). We no longer use the hashed password value in the cookie (it is bad practice to expose the hashed password to the browser). Finally, we have implemented the requirement that a user must re-authenticate before accessing any administrative functions. This means you must enter your password again the very first time you access any administrative function. Even if you just logged into the site, if you hit the Command & Control link, you will need to re-authenticate. We realize this is an additional burden, but we believe the protection it offers is well worth the minor inconvenience. The key concept here is that any good security strategy must be made up of multiple layers of defense, i.e., defense in depth.
The handling of the username was anything but consistent in prior releases of glFusion. We have now standardized the username filtering and implemented the following rule: a username can contain any character except the following: " < > $ % & * /. We have implemented this standard throughout glFusion and its plugins to ensure consistent handling of usernames.
Mark Howard has reworked many of the administrative screens to be much more user friendly and functional, as well as much prettier. We’ve expanded the user editor to now include all attributes of the user, meaning you can now edit any field on the user’s record including plugin preferences. We’ve added the ability to define groups that will automatically be assigned to new users when they register. Last, but not least, we have implemented a new Global User Preference Editor which allows you to change certain user preferences for all users of the site.
We’ve received a lot of feature requests for the Forum Plugin. As a result, we’ve reworked the moderation screens to be much more user friendly and added the ability to merge posts into existing topics. We’ve redesigned the editor window to be a bit larger and moved the smileys into a hidden window that is only displayed when needed. We’ve added the ability to have URLs automatically become clickable links. Finally, we’ve given the user the ability to select which editor they prefer (if both the WYSIWYG editor and BBcode editor are available). These are just a few of the highlights for the upcoming Forum Plugin that is bundled with glFusion.
We’ve spent a lot of time making sure features are implemented consistently throughout glFusion and its plugins. For example, all plugins will now support the ability to define which blocks (right, left, both, or none) display when showing a plugin’s content. We’ve updated the ‘login required’ handling to now display a login screen with the message that access to this portion of the site requires you to log in. Once the user enters their username and password, they will be automatically redirected to their original request. In the past, a user might see the login screen, a message telling them to log in, or even an access denied message.
Improved Plugin Interaction
We’ve enhanced the plugin application programming interface (API) to provide improved plugin-to-plugin communication and integration. While technically cool, it probably doesn’t excite you too much. Here is an example of how this can benefit you. If you use the Tag Plugin, the current version only supports tags in stories, static pages, and media gallery. With glFusion v1.1.9 (and the next Tag release which will be at the same time), you can now put tags in any plugin. This means you can have tags in your DokuWiki pages, calendar events, etc. As new plugins are developed, as long as they take advantage of the standard glFusion plugin interfaces, they will be able to interact with the Tag plugin (or any other plugin that supports interaction) without any modifications.
This is just a quick overview of some of the new or enhanced features coming in glFusion v1.1.9. There are several other small tweaks and enhancements scattered throughout the system as well. Much of this work is a direct result of your feedback. We appreciate your continued support!