Currently the email documentation provides an example of how to use the SMTP adapter in SwiftMailer, but this example hardcodes the password in the config file which is a security issue. It is possible to reference environment variables instead, so we should document and encourage this.
* DOCS File migration changes for 4.4.0
See https://github.com/silverstripe/silverstripe-versioned/issues/177
* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md
Co-Authored-By: chillu <ingo@silverstripe.com>
* Corrected statements on archived/versioned files
* Corrected statement on filesystem paths of protected vs. public
* Update docs/en/02_Developer_Guides/14_Files/03_File_Security.md
Co-Authored-By: chillu <ingo@silverstripe.com>
* Clarify redirect behaviour
The upgrading docs reference webconfig.php, which is incorrect and has never existed. I presume the docs mean to reference web.config, which is the IIS configuration file.
I've also fixed a couple of minor spelling mistakes and mentioned Apache for htaccess and IIS for web.config so people know what they're for.
[ci skip]
Following the example will give the following error;
```[Emergency] Uncaught Error: Class {my namespace}\Permission not found```
Added the missing class
Update example code for disabling anchors on a per-instance basis. The previous code was unclear and statically called a non-static method on SSViewer (presumably this was SS3 code)
* Add missing rollback operation in scaffolding example
* Update block_id references to id to allow query to read query to run successfully in conjunction with HistoryViewerField
We're adopting CVSS (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator),
which allows us to classify the impact of security issues
based on industry standard metrics.
While there is still a lot of room for interpretation,
it is more objective than our previous system of "critical/high/medium/low",
with one sentence descriptions on how we interpret that "severity rating".
This effectively changes our process to only apply
security fixes to release lines in "limited support" (currently 3.6 and 3.7)
if they're considered "critical" (CVSS > 9.0).
We've already limited preannounces to CVSS >7.0 in these docs.
Moved the guts to "making a core release", since it's only really relevant to that audience.
There's more work to do around making security and non-security releases the same (less special handling),
but I think this is a good start.
[ci-skip]
