{* $Id$ *}
{* Admin security panel. This run holds the toolbar links (groups, users, permissions), a pointer to the security documentation, and the start of the tabbed settings area. *}
{icon name="group"} {tr}Admin Groups{/tr} {icon name="user"} {tr}Admin Users{/tr} {permission_link mode=link label="{tr}Manage permissions{/tr}" icon_name="key" addclass="btn btn-link"}
{remarksbox type="tip" title="{tr}Tip{/tr}"} {tr}For additional security settings, Please see {/tr}{tr}Security Admin{/tr} {tr}on Tiki's documentation site{/tr}. {/remarksbox}
{* NOTE(review): the ticket tag presumably emits the anti-CSRF token submitted with these preferences; confirm it ends up inside the form element in the full template. *}
{ticket}
{include file='admin/include_apply_top.tpl'}
{tabset} {tab name="{tr}General Security{/tr}"}
{* Picks the remarks-box severity for the database link: 'info' when $haveMySQLSSL and $mysqlSSL are both set, 'warning' when the server offers SSL but this connection does not use it, 'tip' when $haveMySQLSSL is false. The same two flags then select which of the three messages is shown. *}
{* NOTE(review): the $haveMySQLSSL-false case is also an unencrypted connection, yet it gets the mildest box type. If the database sits on another host, credentials and content cross the network in clear text, so 'warning' may be the better level. The deployment topology is not visible from this template. *}
{if $haveMySQLSSL}{if $mysqlSSL}{$sslInfoType = 'info'}{else}{$sslInfoType = 'warning'}{/if}{else}{$sslInfoType = 'tip'}{/if} {remarksbox type=$sslInfoType title='{tr}MySQL SSL connection{/tr}'} {if $haveMySQLSSL} {if $mysqlSSL}

{icon name="lock" iclass="text-success"} {tr}MySQL SSL connection is active{/tr} {icon name="help"}

{else}

{icon name="unlock"} {tr}MySQL connection is not encrypted{/tr}
{tr}To activate SSL, copy the keyfiles (.pem) to db/cert folder and enable "Use SSL connection". The filenames must end with "-key.pem", "-cert.pem", "-ca.pem" in cases the set of keys has 3 files and when using a single key it must end with "-ca.cert".{/tr} {icon name="help"}

{/if} {else}

{icon name="lock" iclass="text-warning"} {tr}MySQL Server does not have SSL activated{/tr} {icon name="help"}

{/if} {/remarksbox}
{* Smarty sandbox and feature-hardening preferences. Each preference tag renders one setting; what a setting enforces is defined outside this template. *}
{* NOTE(review): going by their names, feature_debug_console, feature_view_tpl, feature_edit_templates, feature_editcss and tiki_allow_trust_input widen what can be read or changed on the server and are best left off on production sites, while zend_http_sslverifypeer presumably controls TLS certificate verification for outbound HTTP requests and should stay enabled. Confirm against the preference definitions. *}
{tr}Smarty and Features Security{/tr} {preference name=smarty_security}
{preference name=smarty_security_functions} {preference name=smarty_security_modifiers} {preference name=smarty_security_dirs}
{preference name=feature_purifier} {preference name=feature_htmlpurifier_output} {preference name=session_protected} {preference name=login_http_basic} {preference name=pass_blacklist} {preference name=users_admin_actions_require_validation} {preference name=newsletter_external_client} {preference name=tiki_check_file_content} {preference name=tiki_allow_trust_input} {preference name=feature_quick_object_perms} {preference name=zend_http_sslverifypeer} {preference name=zend_http_use_curl} {preference name=feature_debug_console} {preference name=feature_view_tpl} {preference name=feature_edit_templates} {preference name=feature_editcss}
{* User Encryption section: the feature switch, then a status line chosen by which PHP crypto extension is reported as available. $sodium_available is checked first, $openssl_available is the fallback, and a warning box is shown when neither is set. *}
{* NOTE(review): the warning box names only Sodium although that branch is reached when OpenSSL is missing as well. *}
{tr}User Encryption{/tr}{help url="User Encryption"} {preference name=feature_user_encryption}
{if $sodium_available} {tr}Requires the Sodium PHP extension for encryption.{/tr} {tr}You have Sodium installed.{/tr}
{elseif $openssl_available} {tr}Requires the OpenSSL PHP extension for encryption.{/tr} {tr}You have OpenSSL installed.{/tr}
{else} {remarksbox type="warning" title="{tr}Sodium is not loaded{/tr}"} {tr}User Encryption requires the PHP extension Sodium for encryption.{/tr}
{tr}You should activate Sodium before activating User Encryption{/tr}. {/remarksbox} {/if} {tr}You may also want to add the Domain Password module somewhere.{/tr}

{tr}Comma-separated list of password domains, e.g.: Company ABC,Company XYZ{/tr}
{* Per-backend counts are shown only when feature_user_encryption is 'y' and $show_user_encyption_stats is 'y'. The variable name is spelled "encyption"; it has to match the name used by the code that assigns it, so do not correct it in the template alone. Per the message below, a non-zero MCrypt count means data encoded before Tiki 18 still depends on the MCrypt extension. *}
{tr}The user can add passwords for a registered password domain.{/tr} {preference name=feature_password_domains} {if $prefs.feature_user_encryption eq 'y' and $show_user_encyption_stats eq 'y'} {tr}Statistics for existing data:{/tr}
  • Sodium: {$user_encryption_stat_sodium}
  • OpenSSL: {$user_encryption_stat_openssl}
  • MCrypt: {$user_encryption_stat_mcrypt}
{tr}When no data which was encoded by MCrypt in Tiki versions prior to 18 is present, User Encryption does not need the MCrypt PHP extension.{/tr} {/if}
{* CSRF section: a heading with a help link, one explanatory sentence, and three preferences. What each preference enforces is defined outside this template. *}
{* NOTE(review): by their names they cover short-lived tokens, the security timeout and the ticket library; confirm against the preference definitions. Shorter token lifetimes narrow the window in which a leaked token can be replayed. *}
{tr}CSRF security{/tr}{help url="Security"}
{tr}Use these options to protect against cross-site request forgeries (CSRF){/tr}.
{preference name=site_short_lived_csrf_tokens}
{preference name=site_security_timeout}
{preference name=feature_ticketlib}
{* HTTP response header section. Going by the preference names, each switch is followed by the preference holding the header value (frame options, XSS protection, content security policy, strict transport security, public key pins); content_type_options has no value field. *}
{* NOTE(review): current browsers ignore X-XSS-Protection, so script-injection defence should rest on the Content-Security-Policy value. HTTP Public Key Pinning has been deprecated and removed from mainstream browsers, and a wrong pin could lock visitors out while it was supported; keep http_header_public_key_pins off unless a legacy client needs it. *}
{tr}HTTP Headers{/tr}{help url="Security"}
{tr}Use these options to add options related with security to the HTTP Headers{/tr}.
{preference name=http_header_frame_options}
{preference name=http_header_frame_options_value}
{preference name=http_header_xss_protection}
{preference name=http_header_xss_protection_value}
{preference name=http_header_content_type_options} {preference name=http_header_content_security_policy}
{preference name=http_header_content_security_policy_value}
{preference name=http_header_strict_transport_security}
{preference name=http_header_strict_transport_security_value}
{preference name=http_header_public_key_pins}
{preference name=http_header_public_key_pins_value}
{* Closes the General Security tab and opens Spam Protection: a tip about moderation queues and IP banning, then CAPTCHA, reCAPTCHA, e-mail protection, banning, comment moderation, Akismet and registration-passcode preferences. *}
{* NOTE(review): recaptcha_privkey, comments_akismet_apikey, registerPasscode and registerKey are secrets by name. Confirm the preference tag renders them only to administrators and that they are not echoed into pages other roles can read. *}
{/tab} {tab name="{tr}Spam Protection{/tr}"} {remarksbox type="tip" title="{tr}Tip{/tr}"} {tr _0='' _1="" _2="" _3="" _4='' _5="" _6='' _7="" _8='' _9=""}You can additionally protect from spam enabling the '%0moderation queue on forums%1', or through %2banning%3 multiple ip's from the '%4Action log%5', from '%6Users registration%7', or from the '%8Comments moderation queue%9' itself{/tr}. {/remarksbox}
{tr}CAPTCHA{/tr} {preference name=feature_antibot}
{preference name=captcha_wordLen} {preference name=captcha_width} {preference name=captcha_noise} {preference name=recaptcha_enabled}
{preference name=recaptcha_pubkey} {preference name=recaptcha_privkey} {preference name=recaptcha_theme} {preference name=recaptcha_version}
{preference name=captcha_questions_active}
{preference name=captcha_questions}
{preference name=feature_wiki_protect_email} {preference name=feature_wiki_ext_rel_nofollow} {preference name=feature_banning}
{preference name=feature_banning_email}
{preference name=feature_comments_moderation} {preference name=comments_akismet_filter}
{preference name=comments_akismet_apikey} {preference name=comments_akismet_check_users}
{preference name=useRegisterPasscode}
{preference name=registerPasscode} {preference name=showRegisterPasscode}
{* The next line ends Spam Protection, holds the whole Search results tab and opens Site Access. NOTE(review): by their names, feature_search_show_forbidden_cat and feature_search_show_forbidden_obj list search hits the user is not permitted to open, which can disclose the existence and titles of restricted objects; confirm the semantics and keep them off unless that disclosure is intended. *}
{preference name=registerKey} {/tab} {tab name="{tr}Search results{/tr}"} {preference name=feature_search_show_forbidden_cat} {preference name=feature_search_show_forbidden_obj} {/tab} {tab name="{tr}Site Access{/tr}"} {preference name=site_closed}
{* Site Access tab body: closed-site and load-threshold messages, each with a test button. Both buttons are plain links to tiki-admin.php?page=security carrying test_closed=y or test_busy=y. *}
{preference name=site_closed_title} {preference name=site_closed_msg}
{button _text='{tr}Test site closed message{/tr}' href="tiki-admin.php?page=security&test_closed=y" _class='btn-sm' _type='info'}
{preference name=use_load_threshold}
{preference name=load_threshold} {preference name=site_busy_title} {preference name=site_busy_msg}
{button _text='{tr}Test site busy message{/tr}' href="tiki-admin.php?page=security&test_busy=y" _class='btn-sm' _type='info'}
{* Intrusion-detection preferences. ids_log_to_database is commented out on the last line, so logging to a file is the only log target offered here. NOTE(review): the rules-file and log locations are not visible in this template; confirm neither is served by the web server, since IDS logs record request payloads. *}
{preference name=ids_enabled}
{preference name=ids_custom_rules_file} {preference name=ids_mode} {preference name=ids_threshold} {preference name=ids_log_to_file} {*{preference name=ids_log_to_database}*}
{* Closes Site Access, renders the whole Tokens tab on one line and opens the OpenPGP tab. NOTE(review): by their names, auth_token_access_maxtimeout and auth_token_access_maxhits bound how long and how often an access token works; confirm, and keep both small because a token stands in for a login. *}
{/tab} {tab name="{tr}Tokens{/tr}"} {remarksbox type="tip" title="{tr}Tip{/tr}"} {tr _0='' _1="" _2='' _3=''}To manage tokens go to %0Admin Tokens%1 page. Tokens are also used for the Temporary Users feature (see %2Admin Users%3).{/tr} {/remarksbox} {preference name=auth_token_access} {preference name=auth_token_access_maxtimeout} {preference name=auth_token_access_maxhits} {preference name=auth_token_share} {preference name=auth_token_preserve_tempusers} {/tab} {tab name="{tr}OpenPGP{/tr}"}
{* NOTE(review): the note below says messages are "completely 100% opaque to outsiders". PGP/MIME encrypts the message body; envelope data and mail headers such as sender and recipients stay readable in transit, so the wording overstates the protection. The first string also contains the typo "fuctionality"; both are translatable strings, so rewording them changes the translation key. *}
{tr}OpenPGP functionality for PGP/MIME encrypted email messaging{/tr} {remarksbox type="tip" title="{tr}Note{/tr}"} {tr}Experimental OpenPGP fuctionality for PGP/MIME encrypted email messaging.{/tr}

{tr}All email-messaging/notifications/newsletters are sent as PGP/MIME-encrypted messages, signed with the signer-key, and are completely 100% opaque to outsiders. All user accounts need to be properly configured into gnupg keyring with public-keys related to their tiki-account-related email-addresses.{/tr} {/remarksbox} {preference name=openpgp_gpg_pgpmimemail}
{* Signer passphrase: openpgp_gpg_signer_passphrase_store chooses between a preference value and a file, and the two hints ask the admin to clear whichever option is unused. NOTE(review): either way the passphrase sits next to the private key it protects; confirm the preference is not exposed to non-admin roles and that the passphrase file and the gnupg home are readable only by the web server account. *}
{preference name=openpgp_gpg_home} {preference name=openpgp_gpg_path} {preference name=openpgp_gpg_signer_passphrase_store}
{preference name=openpgp_gpg_signer_passphrase}
{tr}If you use preferences option for the signer passphrase, clear the file option just for security{/tr}
{preference name=openpgp_gpg_signer_passfile}
{tr}If you use file for the signer passphrase, clear the preferences option just for security{/tr}
{remarksbox type="tip" title="{tr}Note{/tr}"} {tr _0='' _1=""}The email of preference %0'sender_email'%1 is used as signer key ID, and it must have both private and public key in the gnupg keyring.{/tr} {/remarksbox}
{* Encryption tab: an introduction, an error box when $encryption_enabled is not 'y', a one-time display of freshly generated key shares, then a nested tabset with the key list and the create/edit form. The markup around these tags is not visible here. *}
{* NOTE(review): the shares in $encryption_shares are printed as plain page content and, per the warning text, are not saved on the server when no existing users were chosen. Confirm that the response carrying them is not cached. Each share is printed without the escape modifier; they are presumably generated server-side, so confirm their alphabet is HTML-safe or add the modifier. *}
{* NOTE(review): in the key list, name, description and field names go through the escape modifier, but $key.algo, $key.shares and $key.users do not, and $encryption_error is printed unescaped further down. $key.users presumably derives from account names. Unless the Smarty setup applies default escaping, these should be escaped as well. *}
{* $smarty.request.encryption_key and $smarty.request.new_key are only tested with empty() or isset() to pick the tab label and the active tab; their values are not printed in this run. *}
{/tab} {tab name='{tr}Encryption{/tr}' key='encryption'}
{remarksbox type="note" title="{tr}About encryption{/tr}"} {tr}Encryption page allows you to create different encryption keys and share them securely with team members.{/tr}
{tr}Find out more here:{/tr}{help url="Encryption"} {/remarksbox} {if $encryption_enabled neq 'y'} {remarksbox type="error" title="{tr}Error{/tr}"} {tr}Openssl extension is required to use this module.{/tr} {/remarksbox} {/if} {if $encryption_shares} {remarksbox type="warning" title="{tr}Encryption keys{/tr}"} {tr}Encryption key has been generated. Accessing content encrypted with the key would only be possible if you use one of the following requested keys. If you chose existing users, the keys are stored securely in their accounts. Otherwise, make sure you copy and send them to the right team members as these won't be saved on the server. Each of the following keys can be used to encrypt and decrypt data.{/tr}
    {foreach $encryption_shares as $key}
  1. {$key}
  2. {/foreach}
{/remarksbox} {/if} {tabset name='encryption'} {tab name='{tr}Available keys{/tr}'}
{if $encryption_algos} {/if} {foreach $encryption_keys as $key} {if $encryption_algos} {/if} {foreachelse} {norecords _colspan=7} {/foreach}
{tr}Name{/tr} {tr}Description{/tr}{tr}Algorithm{/tr}{tr}Number of shares{/tr} {tr}Users{/tr} {tr}Encrypted fields{/tr} {tr}Edit{/tr} {tr}Delete{/tr}
{$key.name|escape} {$key.description|escape} {$key.algo} {$key.shares} {$key.users} {foreach $encrypted_fields[$key.keyId] as $field} {$field.name|escape}
{foreachelse} None {/foreach}
{icon name='pencil' href='tiki-admin.php?page=security&encryption_key='|cat:$key.keyId}
{if not empty($smarty.request.encryption_key)} {button name='add' id='key_add' _text='Create' _class='btn btn-info' _script='tiki-admin.php?page=security&new_key'} {/if} {if isset($smarty.request.new_key)} {jq}$("a[href='#contentencryption-2']").tab("show");{/jq} {/if}
{/tab} {if not empty($smarty.request.encryption_key)} {$tabname='Edit Key'} {jq}$("a[href='#contentencryption-2']").tab("show");{/jq} {else} {$tabname='Create Key'} {if not isset($smarty.request.new_key)} {jq}$("a[href='#contentencryption-1']").tab("show");{/jq} {/if} {/if} {tab name=$tabname} {if $encryption_error} {remarksbox type="error" title="{tr}Error{/tr}"} {$encryption_error} {/remarksbox} {/if}
{tr}General information{/tr}


{if $encryption_key.keyId}

{if $encryption_setup neq 'y'} {/if} {/if}
{if $prefs.feature_user_encryption eq 'y'} {user_selector multiple='true' name='users' class='form-control' user=$encryption_key.users select=$encryption_key.users_array editable=y} {else} Depends on "User encryption". {/if}

{if $encryption_algos}

{/if} {if $prefs.feature_user_encryption neq 'y'}

{/if}
{* Closes the inner key form tab, the nested encryption tabset and the Encryption tab, then opens the API tab: a tip linking to the login settings and the OAuth server admin page, the auth_api_tokens switch, and an inline list served by the api_token controller. *}
{* NOTE(review): API tokens act as bearer credentials. Confirm the api_token list action is restricted to administrators and check whether it prints full token values on every view of this page. *}
{/tab} {/tabset} {/tab} {tab name="{tr}API{/tr}" key="api"}
{remarksbox type="tip" title="{tr}Tip{/tr}"} {tr _0="tiki-admin.php?page=login#contentadmin_login-12" _1="tiki-admin_oauthserver.php"}Enable API access and manage authentication tokens here. In addition, you can use Tiki as an OAuth 2.0 server, configure here and manage clients here.{/tr}
{tr _0="api/"}API documentation is available here.{/tr} {/remarksbox} {preference name=auth_api_tokens}
{service_inline controller=api_token action=list}
{* Webhooks tab: a tip showing the receiving URL built from $base_url, the auth_webhooks switch, and an inline list served by the webhook controller; then the outer tabset is closed and the apply-bottom include is pulled in. *}
{* NOTE(review): the receiving URL is reachable by any sender, so the verification mentioned in the tip is what separates genuine deliveries from forged ones; confirm every listed webhook has it configured before a listener is bound to tiki.webhook.received. The "TODO: add a link..." sentence is a translatable string and is shown to administrators as written. *}
{/tab} {tab name="{tr}Webhooks{/tr}" key="webhooks"}
{remarksbox type="tip" title="{tr}Tip{/tr}"} {tr}Configure Tiki to receive webhooks from 3rd party servers. Setup verification here and bind your event listener to tiki.webhook.received event.{/tr}
{tr}URL to receive webhooks:{/tr} {$base_url}tiki-webhooks.php
{tr}TODO: add a link to _custom/lib/setup/code explanation.{/tr} {/remarksbox} {preference name=auth_webhooks}
{service_inline controller=webhook action=list}
{/tab} {/tabset} {include file='admin/include_apply_bottom.tpl'}