Starting in December 2015, I decided to develop a content management system from scratch. Since September 2017 it has been running on this website.
I am very well aware that "you shouldn't reinvent the wheel" - on the other hand, if all the available wheels do not fit your needs and become more and more bumpy, why not "go for it" - provided your security knowledge is sufficient to protect your installation and your customers' data by applying "best practice" ideas?
Which considerations fueled my design process?
- Every business or even association has customers or members, so we need a user list for logins.
- Unlimited menu levels; they have to mirror the folder structure of the URLs.
- Business needs tend to look very diverse, while in reality the core functions (access policy, content protection, group management) very frequently aren't.
- Still, the CMS needs to be very extensible to meet the special demands of unique installations.
- Extending the functionality of an installation should be done by just configuring additional data tables and fields; we should avoid writing code as far as possible. If new code does make sense, it should be added to the standard CMS as a whole, because it will be helpful for many installations even if some of them will not use every feature.
- We should aim for the minimum number of lines of code to accomplish our goals. Less code means a lower probability of error, and the remaining code gets read or audited more often.
- The user list should be manageable directly in the web for no one wants to move data from a - let's say - contact form to an Excel sheet and back and forth.
- It should be trivial to send automated, personal mails, for example with a greeting email when registering.
- Automatic PDF generation for lists, items, basically any data type should be included.
- Besides list and item views, there should be output types like paginated articles, blog article sequences, and discussion forum structures with replies possible, as well as automatic versioning of a page (content) in different languages.
- Autogeneration of tables of content / sitemaps
- Automatic multi language support is a must.
- Users should be able to click on a (secure) link within a mail in order to confirm settings.
- Users will divide into different categories, so we need groups where we are able to give each user an unlimited number of "tags" (equal to "groups"). There should not be fixed capabilities such as "author" or "editor" - just groups that have different access permissions and functions.
- Depending on those group memberships, customers might see different or limited parts of the website. Groups generally have no fixed meaning unless they are bound to certain objects that can be made accessible for this group.
- Protected files / images should not have guessable but random-looking unique names.
- Files should be storable under the same filename in many versions.
- Automatic deduplication of stored content should be standard.
- In order to measure the number of downloads etc., hidden content must be automatically checked against the access permissions and delivered only via a delivery filter.
- index.php must be the only "public" file in addition to public content (like CSS, public images etc.).
- Mailings can be done depending on the "group membership" or labels the users have.
- The mailing tool allows for some very sophisticated generation of sets of users to be used in a mailing.
- Users need to be able to edit their own address data.
- I want the "backend" for an administrator look exactly like the public-facing "frontend" but with more menu items and options and buttons for data manipulation.
- Options a user is not allowed to access must not be visible to non-authorized users / customers.
- The user should be able to manage as many details as possible of the offered contracts or service.
- The CMS has to be very aware of possible attackers (brute force, DDoS attacks, even slow spiders that try bad things) and act according to the identified risk in an efficient way.
- It has to be very fast - also to keep the attack surface for DoS attacks as small as possible.
- Everything is a table: It has to be easy to add more columns to existing tables (like the user table for example)
- Adding code to the project needs to be avoided: Tables and table columns with their filters for content, sorting, pagination and much more have to be offered by the CMS in a consistent and generalized way.
- Training on the job: The CMS starts with a predefined standard set of datasets and tables and depending on the use case, the integrator has to add or modify more tables and columns to the tables, also table views or dataset view.
- Rather complex data formats have to be dealt with: A user may have only one account but more than one postal address with various meanings ("home", "work", "previous address") and a list of other contact datasets with their significance.
- It is to be expected that new users register on their own via Internet - maybe they start approaching with a question.
- Not every business is a shop, so "standard products" do not always apply. Specialized services (like my little "phone company") need special tools to manage data like connection records, recurring events and invoicing that is easily capable of producing and sending out over 2000 receipts per year, including the production of well-formatted PDF documents.
- Payment data should be transferable at least to the European SEPA bank draft XML format.
- It should be possible not only to hide inaccessible parts of the website, but also to make documents and web content available only to the appropriate customers or users of the website.
- The accessibility of web pages is the first way to control very complex access patterns to any content.
- The CMS needs to implement a RESTful API or at least something very close to it. JSON / XML / CSV or even OpenDocument file format exports will then be easy.
- The new CMS has to be very secure, therefore modules from third parties should be avoided.
- Function and user experience go above design flexibility.
- Modules for added functionality are to be avoided: Although it might not look like it at first glance, all users on all websites appear to have very similar demands.
- The CMS must be extremely secure in the sense that the code needs to be "fixed" in a way that makes it impossible to add or execute code from anywhere.
- In order to improve speed, "fixed" data like translated text and immutable configuration variables should be stored in static PHP files - so they can be used as precompiled PHP code, with no database access needed at all. A possible additional security layer could be that no file may be modified or added in certain folders of the code.
- I'm sympathetic to a "readme driven design".
- The installer has to check each and every precondition first, try to "repair" every unmet dependency by asking the installing user and / or suggesting reasonable defaults. It should thus be able to "repair itself".
- While checking the install process, the CMS should automatically update its code from a secure and certified repository.
- No external scripts or even fonts must be used, only stand-alone versions.
- A search function must be included and has to be very context-sensitive: Only content the user has access permission to must appear in the result set.
- The CMS should contain tables like postal addresses, bank contacts, various contacts, ticket system, task list, calendar(s) and redirection lists from the start. In installations where these may not be needed, it is easy to delete superfluous data fields or tables.
- The update mechanism is identical to the installer: it checks all the prerequisites and is even able to repair the basic table structure and replace standard nodes (pages) if missing.
- Automatic CSS file generation from all the different content parts.
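The "secure link within a mail" requirement above is usually met with a signed, expiring token. The following is an added example and not NowCMS code: the confirmation link carries the user id, the requested action and an expiry, plus an HMAC over those three fields, so the server can verify the click without storing anything beforehand. The secret constant, the URL and the parameter names are assumptions for the illustration.

```php
<?php
// Added example, not part of NowCMS: signed confirmation links for mails.
// LINK_SECRET is a placeholder; a real installation loads a long random
// secret from its (non-public) configuration.
declare(strict_types=1);

const LINK_SECRET = 'replace-with-a-long-random-secret';

// Build a link of the form index.php?u=<id>&a=<action>&e=<expiry>&s=<hmac>.
function makeConfirmLink(string $baseUrl, int $userId, string $action, int $ttlSeconds = 86400): string
{
    $expires = time() + $ttlSeconds;
    $payload = sprintf('%d|%s|%d', $userId, $action, $expires);
    $sig     = hash_hmac('sha256', $payload, LINK_SECRET);
    return $baseUrl . '?' . http_build_query(['u' => $userId, 'a' => $action, 'e' => $expires, 's' => $sig]);
}

// Verify a clicked link. Returns the confirmed user id and action, or null
// when any field is missing, malformed, expired or the signature does not match.
function verifyConfirmLink(array $query): ?array
{
    foreach (['u', 'a', 'e', 's'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return null;
        }
    }
    if (!ctype_digit($query['u']) || !ctype_digit($query['e'])) {
        return null;
    }
    if (!preg_match('/^[a-z_]{1,32}$/', $query['a'])) {   // whitelist of action names
        return null;
    }
    $userId  = (int) $query['u'];
    $expires = (int) $query['e'];
    if ($expires < time()) {                                // link has expired
        return null;
    }
    $payload  = sprintf('%d|%s|%d', $userId, $query['a'], $expires);
    $expected = hash_hmac('sha256', $payload, LINK_SECRET);
    if (!hash_equals($expected, $query['s'])) {             // constant-time comparison
        return null;
    }
    return ['user_id' => $userId, 'action' => $query['a']];
}

// Usage: create a link for user 42 and verify it as index.php would.
$link = makeConfirmLink('https://example.com/index.php', 42, 'confirm_mail');
echo $link, "\n";
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(verifyConfirmLink($q));                            // array with user_id 42
$q['a'] = 'delete_account';                                 // tampered action
var_dump(verifyConfirmLink($q));                            // NULL, signature no longer matches
```

The signature covers every field the action depends on, so changing the user id or the action invalidates the link. If a link must be usable only once, the application additionally records the signature of each consumed link (in the user table, for instance) and refuses repeats.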
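The three storage requirements above (random-looking unique names, deduplication, and delivery only through an access-checking filter) fit together in one small component. This is an added example, not NowCMS code: stored content is written once under its SHA-256 hash, published under a random token that reveals nothing about the file, and served only after the requesting user's groups have been checked, which is also where the download is counted. The in-memory array stands in for the CMS's files table; the class and method names are assumptions.

```php
<?php
// Added example, not part of NowCMS. An in-memory array stands in for the
// "files" table; the store/deliver logic is what the example demonstrates.
declare(strict_types=1);

final class ProtectedFileStore
{
    private string $dir;
    /** @var array<string, array{hash:string, name:string, groups:string[], downloads:int}> */
    private array $files = [];   // token => metadata, i.e. the files table

    public function __construct(string $dir)
    {
        $this->dir = $dir;
        if (!is_dir($dir)) {
            mkdir($dir, 0700, true);        // outside the web root in a real setup
        }
    }

    // Store content once per distinct byte sequence and publish it under a random token.
    public function store(string $content, string $displayName, array $groups): string
    {
        $hash = hash('sha256', $content);
        $blob = $this->dir . '/' . $hash;
        if (!file_exists($blob)) {            // deduplication: identical content is written once
            file_put_contents($blob, $content, LOCK_EX);
        }
        $token = bin2hex(random_bytes(16));   // 128-bit random public name, not guessable
        $this->files[$token] = ['hash' => $hash, 'name' => $displayName, 'groups' => $groups, 'downloads' => 0];
        return $token;
    }

    // Delivery filter: validates the token, checks group membership, counts, then streams the blob.
    // An empty group list means the file is public.
    public function deliver(string $token, array $userGroups): bool
    {
        if (!preg_match('/^[0-9a-f]{32}$/', $token) || !isset($this->files[$token])) {
            http_response_code(404);
            return false;
        }
        $f = &$this->files[$token];
        if ($f['groups'] !== [] && array_intersect($f['groups'], $userGroups) === []) {
            http_response_code(404);          // same answer as "unknown token": no existence oracle
            return false;
        }
        $f['downloads']++;
        $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $f['name']);
        header('Content-Type: application/octet-stream');
        header('X-Content-Type-Options: nosniff');
        header('Content-Disposition: attachment; filename="' . $safeName . '"');
        readfile($this->dir . '/' . $f['hash']);
        return true;
    }

    public function downloads(string $token): int
    {
        return $this->files[$token]['downloads'] ?? 0;
    }

    public function blobCount(): int
    {
        return count(glob($this->dir . '/*') ?: []);
    }
}

// Usage with constructed sample content.
$store = new ProtectedFileStore(sys_get_temp_dir() . '/nowcms-example-' . getmypid());
$t1 = $store->store("quarterly report", 'report.pdf', ['members']);
$t2 = $store->store("quarterly report", 'report-v2.pdf', ['members']);  // same bytes, new name, one blob
echo "blobs stored: ", $store->blobCount(), "\n";                          // 1
$store->deliver($t1, ['members']);                                         // allowed and counted
$store->deliver($t2, ['guests']);                                          // refused, not counted
echo "downloads: ", $store->downloads($t1), " / ", $store->downloads($t2), "\n";  // 1 / 0
```

Because the blob directory is addressed by content hash, several files tables rows (different names, versions or group assignments) can point at one stored blob, and the random token is the only name ever exposed to a browser.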
Pitfalls I tried to avoid
- Even without composer and all those nifty tools, it should be trivial to install the CMS by just executing a single "install.php" script that manages all the dependencies automatically.
- I think that a different layout for "frontend" (for the public) and "backend" (for authors and admins) has to be avoided. Clearly, this will be one of the major distinguishing factors compared to other CMSes.
- I think "design flexibility" is overrated in most websites. Very often they merely follow a fashion, like the current sliding JS gimmicks. This is not printable and can make it a nightmare to find things, especially navigation, when you have three different navigations on one page.
NowCMS is not Open Source; I use it for several customers. The main goal of "NowCMS" is to handle not only texts, images and files like any other CMS, but to be able to display any SQL table and edit, view and delete its contents without the need for more and more "add-ons" etc. - I wanted to be as independent as possible.
NowCMS is a content management system that focuses more on presentation of arbitrary table data and data handling, presenting any data types from any tables. Compared to other CMSes, it may be less flexible when a certain web design should be implemented. It is written in PHP (5.6 onward) and makes use of a database engine like MySQL or MariaDB (others to follow).
Start installing NowCMS by uploading the single install.php script to the web folder that must be publicly accessible from a browser. No other download is necessary, ever. You may even start with an outdated version of install.php: it will update itself first and ask you to reload your browser.
Upon calling install.php, the script will check every single precondition on the webserver and, if one is not met (like write permissions), ask you to modify the settings, add a PHP / Apache module, or ask you for the credentials of the database server, the non-public folders for hidden content and so on. It will then proceed to download, update and install all the necessary software and update itself.
All downloads are encrypted and only possible if you have a license for your given domain name.
If not present, the installer will also create the initial database, fill it with reasonable defaults and create a first administration account for you. It will try to repair the installation if certain items like mandatory tables and / or data fields are not present. It does this without deleting existing data, by modifying carefully.
The installer install.php also contains the upgrade capabilities of NowCMS: Whenever you repeat the execution of install.php, the mechanism will re-check all preconditions and update dependencies.
As soon as the CMS itself is usable and running and an admin user is present, the installer will be blocked and made usable only by users with admin permissions.