Composr - a few questions

#631 (In Topic #130)
Standard member
atulmv is in the usergroup ‘Fan in training’
Hello All,

I ran into Composr in my quest for a CMS that offers out-of-the-box many of the capabilities that are only available via a plugin in WordPress et al. I liked much of what I read, so I stayed on. I am going to download and try out Composr for myself, but in the meantime I have a few questions which I hope will be answered by someone over here.
  • The application I currently have in mind for Composr requires a far higher degree of security than is provided by the likes of WordPress. A system that lays bare the soul of the business if the database is somehow hacked is no good. WordPress does not, and never will, encrypt its database. Does Composr do this? Or can it be adapted to do so?
  • Composr boasts that it needs few addons because so much is already built in. Very nice, but it would be nice to be able to quickly identify just what can be done.
    • Can it be configured to use an external transactional email service for handling all mailings?
    • Can it, or can it be modified to, provide encryption of all files shared between user groups at the point where it matters - prior to the file leaving the user's machine?
    • Can it use two factor authentication?
  • Can I create a membership based system with Composr the way I would currently create one using WordPress + BuddyPress/UltimateMember?
  • One of the really nice things about WordPress is its shortcode system. Developing in-house shortcodes to handle customization is a very powerful tool. Does Composr offer something similar?
  • I know that Composr is a re-incarnation of ocPortal. What I have found rather hard to establish is the names of the people behind Composr. Who are they? Where are they based? How long have they been doing this? Will they still be around tomorrow?
I'd be most grateful to anyone who can provide some answers.

#632
Site staff
Adam Edington is in the usergroup ‘Super-moderators’
Welcome. I will attempt to answer some of your questions as a fellow member (not an official of any kind).

I believe Composr is as secure, and probably even more secure than WordPress. The Standards section of the Features page should give you a quick glimpse of what's under the hood security wise and there are several Security Tutorials (some old, some new) that cover some additional features and techniques, but I think all the bases are extremely well covered.

Encryption currently only exists for certain profile fields that contain sensitive data (afaik). Speaking as someone who used BuddyPress for a short while, Composr has a similar offering of features (from memory, limited). Members can have Blogs, Galleries, an Activity wall (via an Addon) and so forth. There is a friend system in place, Facebook-style header notifications, and I can't think of anything that BuddyPress had that Composr lacks in one way or another. Composr uses Comcode and you can add your own Custom Comcode. Not quite the same as Shortcodes, because Comcode is also used to construct blocks which can be added from the Editor, but they do have some similarities.

The main name behind Composr is Chris Graham (based in the UK), who created ocPortal in 2004 and is still running the show. With the recent rebrand to Composr, I very much hope that Composr will be around for at least another 12 years, but I can safely predict that it will still be here tomorrow. There is more information on the history of ocPortal and other key names @ Wikipedia.

Pretty sure someone else will fill in the gaps with the questions I didn't have an answer for, but as a blanket statement I would say if you cannot configure something as you would like, ask on the forums or post a feature request on the tracker. Changes are happening all the time, a lot of them as requests and feedback from the Community. Chris is a very dedicated creator :)

#634
Standard member
atulmv is in the usergroup ‘Fan in training’
Thank you! Would you by any chance know if the design of the system encapsulates database access in a layer which I can modify/replace to ensure that everything in the database is encrypted?

#646
Site director
Chris Graham is in the usergroup ‘Administrators’
Hi,

The application I currently have in mind for Composr requires a far higher degree of security than is provided by the likes of WordPress. A system that lays bare the soul of the business if the database is somehow hacked is no good. WordPress does not, and never will, encrypt its database. Does Composr do this? Or can it be adapted to do so?

I don't believe encrypting a database is possible in the general sense like you describe.

It's certainly possible to encrypt a MySQL database at the disk level. For example, you can host it on an encrypted partition.

However, that is really only good as a defence if physical drives are stolen, and it likely does cause severe performance degradation.

Encrypting the contents of a database isn't possible because queries need to be possible. You can't do SQL joins, and general queries, when the database's query engine can't get into the data. You can't even do a search based on matching encrypted values with encrypted values as it's not guaranteed that encryption will always produce the same output for the same input. Any kind of language-smart searching would be broken by encryption (e.g. finding the words in sentences in order to do a full-text search), as would wildcard searching.

And then, if things are being encrypted and decrypted on the fly, the application would need to have the decryption key on hand, and it's not unlikely that a hacker who can download a whole database can also somehow find and download a key.

You could encrypt individual fields that don't need querying or searching on. This is what we've done with the CPF encryption support. Composr can't even decrypt them unless an admin puts in the key decryption password each time. This works well but doesn't generalise at all because it's a really specific scenario when you want to make people type a password each time.

I'm sure we could do more: we could create some kind of engine for encrypting/decrypting particular sets of fields as they go into/out of the database engine, knowing that those chosen couldn't be searched - or moving search out to some other search server rather than it being done at the database layer. But it would only provide very limited defence due to needing to know that decryption key, hurt performance, and be costly to implement.

Can it be configured to use an external transactional email service for handling all mailings?

Sure, we can connect through to remote SMTP.

Can it, or can it be modified to, provide encryption of all files shared between user groups at the point where it matters - prior to the file leaving the user's machine?

Well, SSL handles the connection security case.

Can it use two factor authentication?

Yes, the IP validation feature is an example of two factor authentication.
When a user in a group with this enabled logs in then they need to confirm their login via e-mail.

Two factor authentication via SMS or mobile app key generators isn't currently an option. It would be nice for it to be, but someone would need to sponsor a few days development.

Can I create a membership based system with Composr the way I would currently create one using WordPress + BuddyPress/UltimateMember?

Community is very core to what we do with Composr. I can't really speak to what these particular other products may do though.

One of the really nice things about WordPress is its shortcode system. Developing in-house shortcodes to handle customization is a very powerful tool. Does Composr offer something similar?

Yes, Comcode, or Custom Comcode for custom ones.

I know that Composr is a re-incarnation of ocPortal. What I have found rather hard to establish is the names of the people behind Composr. Who are they? Where are they based? How long have they been doing this? Will they still be around tomorrow?

We have a full-time team of around 5 people, doing a variety of projects, some Composr-based, some not. Things are stable, but please ensure that if you have ambition for an incredible project powered by an incredible product, you need to be able to fund world-class developers to keep things moving forward. Some of the things you've listed really require the skills of the kind of people working at Google and Facebook, so don't expect just a volunteer effort to provide all you want. World-class expectations = world-class budgets, frankly, even with Open Source.

Would you by any chance know if the design of the system encapsulates database access in a layer which I can modify/replace to ensure that everything in the database is encrypted?

Yes, everything goes through a layer. But you'd run into the challenges I described, so it would be a lot of work vetting each individual field and disabling any code potentially querying on it.


Become a fan of Composr on Facebook or add me as a friend. Add me on Mastodon. Follow me on Minds (where I am most active). Support me on Patreon

Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about Composr whenever you see the opportunity or support me on Patreon.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying Composr on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

#648
Standard member
atulmv is in the usergroup ‘Fan in training’
Thank you for taking the time out to provide such a detailed and comprehensive response, Chris. For the specific project I have in mind here I need a cross between the capabilities of a CMS and a social network. To that end, the two routes I am evaluating are
  1. Use Composr - adapt it, write plugins for it, etc. to fill the gaps
  2. Use OxWall - ditto

The project is being executed for a business sector with deep pockets so ensuring that I have the team on hand to take things in-house is not going to be an issue.

I have successfully done database encryption for some of my own projects.  The general approach I take is this
  • Take all the database code out of PHP and write it up as a PHP extension - I have typically done this using https://zephir-lang.com.
  • Ensure that the plugin cannot be loaded unless it passes a sequence of security checks - in the event that the actual plugin is somehow stolen
  • Run Nginx + PHP5/7-FPM
  • Provide for encryption/decryption of strings within the extension using OpenSSL encrypt/decrypt
  • Encrypt all strings prior to performing SQL INSERTs, UPDATEs & prepare statement EXECUTES and, where applicable, in SELECT WHERE clauses
Does all of this entail a performance hit? Inevitably yes, but given the resources to throw more server firepower at the job, it can be done.

File Encryption: As you rightly point out, SSL ensures that file contents are encrypted whilst they are en route. However, that is not quite what I had in mind. The issue I need to resolve is offering members who form their own closed communities the security of knowing that any files they exchange amongst themselves cannot be viewed/used by anyone else. To that end I need to encrypt any file data owned by the user before it leaves the confines of their browser. I do this using AES encryption, with the pass phrase used for encryption provided by the user each time they attempt a file up/download and then thrown away immediately afterwards.

Should I go down the adapt Composr - as opposed to adapt OxWall - route I will get back here and post you on my progress.

#649
Site staff
Adam Edington is in the usergroup ‘Super-moderators’
For creating a traditional social network, Oxwall is a surefire contender and it looks great (some nice themes). Composr offers a lot more under the hood and covers most of what Oxwall does, but yeah, the battle is on. I think Composr will eventually win the war once it comes out of alpha and gets more exposure. Oxwall offers a free Open Source version, but you could likely spend a fair bit of money in the store unless you plan to code everything else you may need. Composr is free, which should factor in the equation :)

#665
Site director
Chris Graham is in the usergroup ‘Administrators’
The project is being executed for a business sector with deep pockets so ensuring that I have the team on hand to take things in-house is not going to be an issue.

Ok, reassuring to hear :).

I have successfully done database encryption for some of my own projects.  The general approach I take is this
Take all the database code out of PHP and write it up as a PHP extension - I have typically done this using https://zephir-lang.com.
Ensure that the plugin cannot be loaded unless it passes a sequence of security checks - in the event that the actual plugin is somehow stolen

Oh, that's smart. So the key isn't even on disk, it's buried inside an extension. Ok, well that solves the key problem nicely.

Still, I think the breakage of things like 'LIKE' queries and MySQL fulltext search is a concern, you'll need to vet every query, and if you want search you'll need to implement something like Sphinx (0001479: Implement sphinx - Composr CMS feature tracker).

Composr uses a database layer, but it does not have a strict model layer. We use constructs like query_insert/query_update/query_delete which go through sources/database.php. Raw SQL is rare, but it does happen for some cases where things don't fit the "WHERE AND map" pattern we use for these abstractions.
So it would be some work vetting all the existing queries for each field for cases where we might do manual SQL.

File Encryption: As you rightly point out, SSL ensures that file contents are encrypted whilst they are en route. However, that is not quite what I had in mind. The issue I need to resolve is offering members who form their own closed communities the security of knowing that any files they exchange amongst themselves cannot be viewed/used by anyone else. To that end I need to encrypt any file data owned by the user before it leaves the confines of their browser. I do this using AES encryption, with the pass phrase used for encryption provided by the user each time they attempt a file up/download and then thrown away immediately afterwards.

Ok, I've never really heard of doing encryption of file data in JavaScript. Even the ability to juggle binary data has only been really possible cross-browser for a couple of years. But I suppose it's possible. I'd worry about large files though; you seem to know what you're talking about, but I can imagine tabs freezing on large amounts of data, especially on phones/tablets.
