I downloaded the 1.0.4 version of the cmsms, and I have to admit that I like it. However, (IMHO) the login page, and all other pages which include transmission of a confidential material should be secured. De facto implementation is thus using the SSL-connection in previously described situations (as people have already stated in the forum).
I was unable (inpatient, anxious to code myself, ...) to find a fitting solution for my needs, so here is my solution.
I simply have a site in which I installed the CMSMS. I just wanted a SSL-secured connections enabled for the parts which I have previously described.
To simplify my scenario, I point the apache www-root to the same directory and therefore the only modification I need was to add configuration for a https-site (determined by the $config['ssl_root_url']) and to replace the $config['root_url'] with $config['ssl_root_url'] in appropriate places.
The way I proceeded with code modifications was just to listen Firefox's complaiment about sending information through unsecured connections - view the source HTML, did a couple of grep -R "plaa", and modified the code. The modifications are documented with the patch.
Below is part of apache configuration from SSL-configured VirtualHost:
What it does is just to force the admin-section to be viewed securely.RewriteEngine on RewriteRule ^.*/admin(.*)$ https://mycmsmssite.invalid.org:443/admin$1 [R]
I'm more than happy to hear your comments (especially if I can use some official SSL-support-module etc): mail me at takku <ät> users.dev.cmsmadesimple.org