SSbits - all things SilverStripe

A _config.php Cheatsheet

Fri, 02 Jul 2010 00:00:00 -0500

If your anything like me, you've probably found yourself going through your previous sites looking for that line of code to put in your _config.php file. Well, now you nolonger need to, simply bookmark this page and return to it any time you need to add a line to your config! And if I've missed out anything leave a comment and I'll make sure it gets added :)

<?php /********************** * * Errors / Dev * **********************/ // //Force enviroment to Dev ** REMOVE FOR LIVE SITES ** Director::set_environment_type("dev"); // //Force cache to flush on page load if in Dev mode (prevents needing ?flush=1 on the end of a URL) if (Director::isDev()) { SSViewer::flush_template_cache(); } //(v2.4) Log errors to an email address SS_Log::add_writer(new SS_LogEmailWriter('me@mydomain.com'), SS_Log::ERR); // //(v2.4) Log errors to a file SS_Log::add_writer(new SS_LogFileWriter('error_log.txt'), SS_Log::ERR); // /********************** * * CMS Rebranding * **********************/ // //Set the CMS application name, logo and loading image LeftAndMain::setApplicationName("My application"); LeftAndMain::setLogo("themes/MyTheme/images/CMSLogo.png", "margin-top: -3px;"); LeftAndMain::set_loading_image('themes/MyTheme/images/CMSLoading.gif'); // /********************** * * Security * **********************/ // //Set default login Security::setDefaultAdmin('admin','pass'); // //Define the password validator $pwdValidator = new PasswordValidator(); $pwdValidator->minLength(8); $pwdValidator->checkHistoricalPasswords(2); $pwdValidator->characterStrength(2,array('lowercase','digits')); Member::set_password_validator($pwdValidator); // // Set the site locale i18n::set_locale('en_UK'); // /********************** * * Templates / ULRs * **********************/ // //Remove Prototype / Behaviour validation and use your own Validator::set_javascript_validation_handler('none'); // // Set the theme SSViewer::set_theme('FBO'); //Enable Search, use $SearchForm in template FulltextSearchable::enable(); // //Turn off # link rewriting SSViewer::setOption('rewriteHashlinks', false); // //Force redirect to www. Director::forceWWW(); // //(v2.4) enable nested URLs for this site (e.g. page/sub-page/) SiteTree::enable_nested_urls(); // // Set the Breadcrumb divider SiteTree::$breadcrumbs_delimiter = " >> "; // // Set the resizing image quality GD::set_default_quality(95); // /********************** * * CMS UI * **********************/ // //Hide a main CMS Tab LeftAndMain::remove_menu_item('Reports'); // //Make a data objects sortable (for DOM) SortableDataObject::add_sortable_classes(array( 'DataObject', 'AnotherDataObject' )); // //Set HTML EDitor Config HtmlEditorConfig::get('cms')->setOption('convert_fonts_to_spans', false); // HtmlEditorConfig::get('cms')->enablePlugins('searchreplace'); // HtmlEditorConfig::get('cms')->insertButtonsAfter('pasteword', 'replace'); // HtmlEditorConfig::get('cms')->setOptions(array( 'content_css' => 'static/css/editor.css' )); // //Add requirments to the CMS LeftAndMain::require_javascript('mysite/javascript/jquery.cms.js'); // LeftAndMain::require_css('themes/mytheme/css/cms.css'); // /********************** * * Classes / Objects * **********************/ // //Add an extention to an object and DataObject Object::add_extension('SiteConfig', 'CustomSiteConfig'); DataObject::add_extension('DataObject', 'DataObjectExtension'); // // Use a custom class instead of a core one Object::useCustomClass('MemberLoginForm', 'CustomLoginForm'); // //Set allowed file types File::$allowed_extensions[] = "f4v"; // /********************** * * Emails * **********************/ // //Set the admin email address Email::setAdminEmail('me@mydomain.com'); // //Set to CC all emails to Email::cc_all_emails_to('me@mydomain.com'); // /********************** * * Comments * **********************/ // //Enable comment spam protection MathSpamProtection::setEnabled(); // //Enable comment moderation PageComment::enableModeration(); // //Force user to be logged in to post a comment PageCommentInterface::set_comments_require_login(true);

Customise buttons in userforms module

Sat, 12 Jun 2010 00:00:00 -0500

I wanted more control over the styling of submit buttons in the userforms module. The standard button use either an <input> tag or a <button> tag. I needed an extra span so I could style the button super pretty, à la:
<button><span>Submit!</span></button>

So I extended UserDefinedForm by putting the file 'MyForm' in mysite/code:
class MyForm extends UserDefinedForm { } class MyForm_Controller extends UserDefinedForm_Controller { /** * Customise User Defined Form. Add a prettier submit button * * (Actually overriding the model, but template calls this controller function) * * @return Form */ public function Form() { $form = parent::Form(); $submit = new FormAction("process", $form->SubmitButtonText); $submit->useButtonTag = true; $submit->setButtonContent('<span>Submit</span>'); $form->actions = new FieldSet($submit); return $form; } }

Customize the Redirect after a successful Member Login

Mon, 31 May 2010 00:00:00 -0500

The Member system that comes with SilverStripe offers substantial control over your site's authentication capabilities. It often requires the developer to build out or extend most common functionality to websites. This is great in that you are never "stuck" with the out-of-the-box offerings, but as any SS dev knows you end up with a little bag of Member tricks that gets used across many projects. Presented here is one that I use often.

When a Member logs in to /Security/login without a ?BackURL= specified, they are always redirected back to the form with a success message and form without any fields. While this works great to keep the code/form tight, it is a less than ideal use experience. Modifying this behavior is a little tricky as much of the controller and rendering actions are fixed in the Security class. This is further complicated by the use of Director::redirect calls that set response headers when the login form is processed. I find by overriding the form and replacing it with the excellent useCustomClass call works well.

The Problem: Base /Security/login form redirects to itself on success, always tagging ?BackURL=/home looks sort of messy across your site.

The Solution: Make the base MemberLoginForm redirect somewhere useful on success.

We begin by extending the MemberLoginForm and the method that does all the dirty work; dologin(). Create the file GoHomeLoginForm.php and add the following code:

<?php /** * Overriding the base login form to redirect somewhere useful, * in this case to the site index */ class GoHomeLoginForm extends MemberLoginForm { public function dologin($data) { parent::dologin($data); if( Director::redirected_to() and Member::currentUserID() ) { $this->controller->response->removeHeader('Location'); Director::redirect(Director::baseURL()); } } }

Now we need to override the MemberLoginForm with our GoHomeLoginForm in our _config.php:

/* Always redirect somewhere meaningful */ Object::useCustomClass('MemberLoginForm', 'GoHomeLoginForm');

Now do a /dev/build/flush=all and you're gold.

Testing for a redirect being set and a current member set in the session ensures that only users who have successfully logged in will get our custom destination. You can override with any destination you please, such as a '/myaccount/' section or even plain old '/'.

This has been tested on SS 2.3 and 2.4 using the default Member Authenticator.

2.4 - Using Short Codes to embed a YouTube video

Wed, 28 Apr 2010 00:00:00 -0500

What are shortcodes?

SilverStripe 2.4 has introduced shortcodes to the CMS editor. Simply, the CMS user can now add short BBCode style code to the editor area and it can then be replaced using a predefined function. For example [link id=23] could be replaces by the link to Page with an ID of 23. In fact that is exactly how internal links created in the links sidebar work in 2.4, preventing them from breaking when URLs change.

The aim of this tutorial

The aim of this tutorial is to allow the CMS user to enter the short code:

[YouTube id=3UTu6lV8ppY]

[YouTube id=3UTu6lV8ppY]A video about SilverStripe[/YouTube]

we will also allow them to add more custom attributes. We will then use this to embed a YouTube video automatically for the user.

Short code structure

Shortcodes are made up of three parts, the actual ShortCode (YouTube) its arguments (id) and its content (the text surrounded buy the tags - 'A video about SilverStripe').

The Short Code Parser

The first thing we need to do is to set-up our parser function that will handle the tag, its arguments and its content.

In Page.php we need to add our handler:
class Page extends SiteTree { ... public static function YouTubeShortCodeHandler($arguments,$content = null,$parser = null) { } ... }

$arguments will be an associative array and $content will be a string.

We now need to set-up some default values for the YouTube video we are going to embed, such as size, height and quality. We need to also merge the defaults with the passed arguments and then return the embed code using a template that we will create next.
public static function YouTubeShortCodeHandler($arguments,$caption = null,$parser = null) { // first things first, if we dont have a video ID, then we don't need to // go any further if (!$arguments['id']) { return; } $customise = array(); /*** SET DEFAULTS ***/ $customise['YouTubeID'] = $arguments['id']; //play the video on page load $customise['autoplay'] = false; //set the caption $customise['caption'] = $caption ? Convert::raw2xml($caption) : false; //set dimensions $customise['width'] = 640; $customise['height'] = 385; //overide the defaults with the arguments supplied $customise = array_merge($customise,$arguments); //get our YouTube template $template = new SSViewer('YouTube'); //return the customised template return $template->process(new ArrayData($customise)); }

It is worth noting that the keys of the $arguments array will always be in lowercase.

The Template

In your themes folder you can now add a template called YouTube.ss; I have it in themes/mytheme/Includes as this means I can also use it hard coded into my other page templates if I need to.

YouTube.ss:
<div class="YouTube"> <object type="application/x-shockwave-flash" data="http://www.youtube-nocookie.com/v/$YouTubeID<% if autoplay %>&autoplay=1<% end_if %> width="$width" height="$height"> <embed name="movie" value="http://www.youtube-nocookie.com/v/$YouTubeID<% if autoplay %>&autoplay=1<% end_if %>" /> </object> <p>$VideoCaption</p> </div>

This is XHTML valid YouTube embedding code which uses our custom parameters.

Registering the Parser

Finally, we need to register the parser in our _config.php file:
... //shorcodes ShortcodeParser::get()->register('YouTube',array('Page','YouTubeShortCodeHandler'));

That is it, we have now created our Short Code handler and when a CMS user wants to embed a video from YouTube, they can with ease.

Example usage

[YouTube id=4af1bFh3duo width=300 height=150 related=0]blah[/YouTube]

Controlling the order of CSS includes

Fri, 23 Apr 2010 00:00:00 -0500

Usually CSS developers are lazy -even more so than php developers! What usually happens is (as you can see in firebug) that styles get redefined by sub CSS files depeding on a parent containing div -so it's important to include these CSS files in the correct order, otherwise they will be overwritten incorrectly and the style wont appear as you wish.

Your probably already using Requirements::themedCSS but there is another function called Requirements::insertHeadTags. This is great for including custom style sheets because you can call it AFTER your usuall CSS. An example would be something like;

class Page_Controller extends ContentController { public function init() { parent::init(); Requirements::themedCSS("main"); Requirements::themedCSS("panels"); // Include the conditional css for ie6 & ie7 $tags = '</mce:style><style type="text/css" mce_bogus="1"> @import url(/themes/myamazingtheme/css/ie6.css); </style> <![endif]--> </mce:style><style type="text/css" mce_bogus="1"> @import url(/themes/myamazingtheme/css/ie7.css); </style> <![endif]-->'; Requirements::insertHeadTags($tags); } }

This is not very often picked up on as developers use firefox (and firebug) without any real IE6/7 testing, and if you view source on this site you will see that ie6/7 css are being included after standard stylesheets. This means any special styles that overwrite previous styles to create a fix wont work -as they are being called in the wrong order.

Hopefully this helps someone, as Id spent alot of time editing stylesheets and flushing all only to see no change -its useful to note when creating complex design sites.

2.4 - Working with SiteConfig

Mon, 19 Apr 2010 00:00:00 -0500

One of the great new features of 2.4 is the introduction of a Site Config page. This allows you to put all of those fields which are not page related, such as The sites title, root access permissions and even the current theme. The SiteConfig class is simply a dataobject and so can easily be extended to include fields, relationships and functions which you can then access from anywhere in your site.

Accessing items in your SiteConfig is as easy as preceding each item with $SiteConfig. For example this would display the Title field:
<h1>$SiteConfig.Title</h1>

Or alternatively:
<% control SiteConfig %> <h1>$Title</h1> <% end_control %>

Accessing SiteConfig from the Controller

So accessing it from the template is super simple and so it turns out is accessing it from a Controller:
$this->SiteConfig();

Or alternatively:
ContentController::SiteConfig()

Customizing SiteConfig

So of course there's not much point in the SiteConfig unless we can add or own fields, relationships and functions. To do so we use the DataObjectDecorator class which allows us to 'decorate' other classes with fields, functions and relationships. We need to decorate SiteConfig instead of extend it with our own class because the core SiteConfig class is the one that SilverStripe will look for. Here is an example of a CustomSiteConfig class which extends DataObjectDecorator:

CustomSiteConfig.php
<?php class CustomSiteConfig extends DataObjectDecorator { function extraStatics() { return array( 'db' => array( 'Spiel' => 'Text' ), 'has_one' => array( 'SiteLogo' => 'Image' ) ); } public function updateCMSFields(FieldSet &$fields) { $fields->addFieldToTab("Root.Main", new TextareaField("Spiel")); $fields->addFieldToTab("Root.Main", new ImageField("SiteLogo", "Logo")); } public function getPooSpiel(){ return '<h3>Poo!</h3>' . $this->owner->Spiel; } }

So here we are adding an extra field to $db and a $has_one relationship. We then add the appropriate form fields to the CMS and we also define a new function. The function is not particularly useful in this case and simple adds the header 'poo' to the start of our Spiel field. However, notice that we use $this->owner to refer to the Spiel field. This is the syntax you must use when extending a DataObject using the DataObjectDecorator so that SilverStripe refers to the object that is being extended rather than the Extention class it self.

Now inorder to get SilverStripe to recognize this extention we need to add this line to our _config.php:
DataObject::add_extension('SiteConfig', 'CustomSiteConfig');

Now in our template we can use these new fields like so:
$SiteConfig.SiteLogo <% control SiteConfig.SiteLogo %> $CroppedImage(100,100) <% end_control %> <p>$SiteConfig.Spiel</p> <p>$SiteConfig.PooSpiel</p>

Using DataObjectManager (and ComplextableField) in SiteConfig

So although this should be as simple as using the DataObjectManager on a page, because we are effectively relating 2 DataObjects instead of a page and a DataObject, for some reason SilverStripe is unable to set the ParentID on the DataObject and so it doesn't work. There is however a workaround which is to extend the DataObjectManager class and add a function to explicitly set the sourceID. So to do this all we need to do is create a new class after our CustomSiteConfig class. We could do this in a seperate file, but as it is only used for the SiteConfig it makes sense to keep it there. We also need to adjust our DataObjectManger definition from usual to set the sourceID and make sure it picks up the correct controller:

CustomSiteConfig.php
<?php class CustomSiteConfig extends DataObjectDecorator { function extraStatics() { return array( 'has_many' => array( 'SomeDataObjects' => 'DataObjectClass' ) ); } public function updateCMSFields(FieldSet &$fields) { $manager = new SiteConfig_DataObjectManager( $this->owner, 'SomeDataObjects', 'DataObjectClass', array('SomeField' => 'Some Field'), 'getCMSFields_forPopup' ); $manager->setSourceID($this->owner->ID); $fields->addFieldToTab("Root.DOM", $manager); } } class SiteConfig_DataObjectManager extends DataObjectManager { function setSourceID($val) { if (is_numeric($val)) { $this->sourceID = $val; } } function sourceID() { if (isset($this->sourceID) && $this->sourceID !== null && is_numeric($this->sourceID)) { return $this->sourceID; } return parent::sourceID(); } }

So as you can see instead of using $this we use $this->owner to set the DOM controller. We also use the SiteConfig_DataObjectManager class that we define at the bottom so that we can call our custom setSourceID() function and set the sourceID to $this->owner->ID, which is the ID of the SiteConfig.

Special thanks to Dan Hensby for providing the DOM extension code. You can see the forum post here.

So there you have it, the new SiteConfig. Very useful and easy when you know how! :)

Thanks to Johannes Fischer for suggesting this post.

Automatically ?flush when in 'dev' mode

Thu, 15 Apr 2010 00:00:00 -0500

Often when doing development work on a website - and particularly the templates - it can be a pain having to remember to add ?flush to the end of the URL to make sure all of your changes have come through.

I'm sure that all of us have had that "d'oh" moment when we have spent too much time wondering why our changes weren't working, only to find a simple flush fixed it.

If you have set up a domain in your set_dev_servers array or added Director::set_environment_type('dev') to your _config.php file then you can also add:

if (Director::isDev()) { SSViewer::flush_template_cache(); }

This will flush the template cache on every page load.

NB: This will not regenerate cached images, if you want to do that you will have to add $_GET['flush'] = 1; inside the above conditional statement.

Review: The SilverStripe Book

Tue, 30 Mar 2010 00:00:00 -0500

I’ve recently been working with Silverstripe, which was relatively new to me, so I got the book. This post is a review of the book “Silverstripe. The Complete Guide to CMS Development” by Ingo Schommer and Steven Broschart; I wanted to share my thoughts about this title.

When I say I’m working with SilverStripe, I mostly get blank looks. Few people have heard of it, even amongst PHP developers; so firstly what is SilverStripe?

SilverStripe is an open source CMS which ships with the MVC framework (called Sapphire) that it is built on. Development started in 2005 in New Zealand with the first stable release in February 2007. The product has grown in popularity and is rapidly gaining a foothold in Europe. It won ‘Most Promising Open Source CMS’ in the PacktPub awards in 2008 and was joint runner-up in 2009 for their ‘Open Source CMS Award’. Ibuildings became SilverStripe partners in Spring 2009 and I have been working on SilverStripe projects since joining Ibuildings in late 2009.

With the combination of CMS and framework it is possible to build complex web applications that can be managed by non-technical users through an admin interface remarkably quickly and easily. The product’s website has an API (sadly not always up to date) and a few very introductory tutorials. However once you have worked your way through those it is not easy to know what can else be achieved and how to approach further development, which is where this book comes in. With most technical topics there is a shelf-full of titles to choose from, but with SilverStripe this book is a first, which makes it very significant, and with no other options it is just as well this book is pretty good!

The book has been produced through the collaboration between a developer of the product, Ingo Schommer who works for SilverStripe Ltd, and an experienced user, Steven Broshart who works for German online marketing agency Cyberpromote GmbH. It is a combination that works well. The book is convincingly authoritative but also down to earth; it is a practical guide from people who know what they are talking about and can explain it clearly citing realistic examples.

The translator, Julian Seidenberg grew up in Germany but has lived in the UK and now New Zealand where he started to work for SilverStripe Ltd in 2009. He has a PhD and has also published other titles.

The book was originally written in German and published in February 2009. It was then modified, extended and translated before being published in English in November 2009. The translation has been done very well; apart from in one small section in the Recipes chapter where the language is cumbersome, it does not feel like a translated book but like one written in English and for a technical book is very readable without being dumbed-down in any way.

As SilverStripe is written in object oriented PHP to be able to produce more than a website with very straightforward content pages, you need to be a PHP developer who understands object-oriented programming. So not surprisingly the book is aimed at PHP developers, although it claims to have some value for non-technical readers. I was recently talking about SilverStripe with an experienced front-end developer and the subject of the book came up, he had not found it helpful and felt it was because he didn’t have more than a very superficial understanding of PHP.

The book starts with some introductory chapters on the product, installation and a useful explanation of the underlying architecture and concepts.

The meat of the book for me is chapters 4 to 6 which work through implementing a sample application, starting with using out-of-the-box features, gradually extending it to involve ever more complex elements. These chapters are of most value when they are read in sequence. The explanations are accompanied by code snippets and screenshots of the expected output. The code is also available to download from the companion website. The projects described makes an invaluable springboard for generating ideas of how to do things and perhaps most importantly inspiring the reader with ideas of the possibilities of the product and how to harness the Sapphire framework.

This is followed by freestanding chapters on important issues like security, maintenance, testing (SilverStripe comes with its own unit testing infrastructure based on PHPUnit and SimpleTest) and localisation/internationalisation. Then a selection of recipes (how-to’s) and finally how to extend the product by producing your own extensions, along with an introduction to a number of useful modules other developers have contributed.

A full list of the contents can be found on the publisher’s website (http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470681837.html).

The book is sub-titled “The Complete Guide to CMS Development” which is a very big claim! Does it live up to this? No, as it doesn’t consider other CMS systems at all. Even to be the complete guide to CMS development using SilverStripe is a lot to ask. It does not succeed in that either but I am not sure a book twice the size would appeal to many people! Hopefully there may be future cookbook style books to carry on where this book leaves the reader.

I have found this book enormously useful in bringing SilverStripe to life and have fed a number of ideas from the book into the projects I have been working on. It is readable without being jokey and patronising, and its understandable and inspiring style makes it score more highly than many technical books I have read

Inevitably there are things you wished they’d covered or key details for implementing something that has been left out. In particular I hate the sort of tutorial books for complex systems that say something like ‘once you have completed steps x, y and z you should see…’, because they never say what to do if having completed the steps you don’t see the expected output. Many of these applications have aids to debugging built into them and SilverStripe is no exception, but there is little coverage in the book which I think is a shame.

Sadly as is common with technical books it will date as new releases are brought out and I hope they are already working on the next edition.

Is it worth having? Undoubtedly, even if you have been developing in SilverStripe for a while, as you are likely to find fresh inspiration and it is a must for those who are new to it.

Using other systems together with Silverstripe

Mon, 22 Mar 2010 00:00:00 -0500

Silverstripe uses mod_rewrite to catch all calls to your website in the form of urls and route them to sapphire/main.php. This behavior is implemented with the rules in your .htaccess file in the root of your site. This can become a problem when you want to use other systems together with Silverstripe because you simply can not reach the url of those other systems.

An example: if your want to use phplists as a newsletter system, it is usually installed under yoursite.com/lists. However, under normal circumstances you can not have your visitors reach yoursite.com/lists when using Silverstripe because it is rerouted to sapphire/main.php?url=lists.

This behavior can be changed by adding a rule to your .htaccess file. I use this one:

RewriteCond %{REQUEST_URI} !^/_.*/.*

(This snippet has to appear before the RewriteRule that routes everything to sapphire/main.php otherwise it wont work.)

What does this do? If someone tries to access an address on your site in a folder starting with an underscore (_) do not apply rules to it (and therefore do not route it to sapphire/main.php).

What can you do with it? If you create a folder in your site starting with an underscore (for example: _lists) it will be ignored by silverstripe. So if you install phplists there (or any other system or a static html/flash site) you can simply use it without problem along with Silverstripe in the same site.

I have tested this with Silverstripe 2.3+ and 2.4 Beta1

Securing your site

Fri, 12 Mar 2010 00:00:00 -0600

PHP has a very shallow learning curve, it's free and anyone can have a go at making a website by following a few tutorials and implementing their experience with other languages. However, coding for the web can be a risky business, especially with dynamic websites that take some kind of user (or external) input and use that to get data from a database.

Old school websites will use an id to get a pages content, eg: www.example.com/index.php?id=3. This can lead to a few problems if the id is not sanitised before being added to an SQL query.

Sanitising Variables

Here is how it would work if calling /index?id=1

<?PHP $id = $_GET['id']; $sql = 'SELECT `Content` FROM `Page` WHERE ID = ' . $id; ...

This leaves us in a very sticky situation. If someone were to put in a non-numeric id into the GET var or were to do something worse like '1; DROP TABLE `Page`;' then you will find yourself with a big mess to clean up.

SQL Injection

This is known as SQL Injection and is just one of the many security holes that people can get into. If a user submits data you should always make sure it is valid and sanitised.

Solving the problem

Validating your inputs is very simple and effective way of stopping this problem for the id example, if you are expecting a number, check it is by using the is_numeric function.

Sanitise your variables before they are put into the SQL query by using silverstripes Convert class. The Convert class converts strings from one format to another so that they can be included in different document types without security or parsing implications.

Here is how to deal with a typical situation in SilverStripe, when getting a DataObject from the DB depending on an actions URL:

function getPageByIDParam() { $action = Director::urlParam('ID'); // in this case it is a string return DataObject::get('Page','URLSlug = "' . Convert::raw2sql($action) . '"',null,null,1); }

Now you wont be a victim of SQL injection.

Controller Actions

In SilverStripe, methods in the controller are called by using the action part of the URI (www.example.com/URLSegment/Action/ID/OtherID) and this can be bad for security as we don't really want people to be able to call any method via the action.

To stop users from being able to call any action, use the Controllers Static var $allowed_actions. Which is an array that lists the actions that can be called through the action parameter in the URL:

class Page_Controller extends ContentController { static $allowed_actions = array( 'SomeFunction', 'AnotherFunction' ); }

More information

SilverStripe have great information on secruity:

http://doc.silverstripe.org/doku.php?id=secure-development

http://doc.silverstripe.org/doku.php?id=security