March docs updates

content/en/blog/news/2024-02-29-polyfill-vulnerability.md

@@ -0,0 +1,45 @@
+---
+title: Polyfill Security Notice
+date: 2024-02-29
+description: A change in an upstream JavaScript library may break the functionality of some sites.
+---
+
+## Summary
+
+YMCA Website Services relies on some external code to provide broad browser support to JavaScript applications (like Virtual Y, Activity Finder, and Group Schedules). One of those codebases recently changed owners, which resulted in sporadic failures.
+
+Users can incorporate the [use Fastly polyfill patch for the `openy_custom` module](https:/open-y-subprojects/openy_custom/pull/66) as soon as possible to mitigate the issue.
+
+## What is the problem?
+
+> Polyfill is a service that makes web development less frustrating by selectively polyfilling just what the browser needs.
+
+In late February 2024, some YMCA websites reported sporadic outages in their Virtual Y applications. After some investigation, the core team discovered the outages were the result of the Polyfill library not being available, which temporarily caused Virtual Y not to load.
+
+A full discussion of the problem can be found on:
+- [Is it true that polyfill.io hosting is going to be owned by a Chinese company? (GitHub)](https:/polyfillpolyfill/polyfill-service/issues/2834)
+- [no-version scenario changed, maybe?](https:/polyfillpolyfill/polyfill-service/issues/2833)
+- [Pollykill.io](https://polykill.io/)
+
+## How bad is it?
+
+While the change could theoretically be exploited to inject malicious code, there is no known risk of data loss or the ability for third parties to compromise sites.
+
+The only known impact is the sporadic loss of functionality of some pieces of YMCA sites.
+
+Using the [Drupal Security Risk Calculator](https://security.drupal.org/riskcalc) this risk has been assessed as 8/25 (Less Critical) `AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Default`.
+
+Here's what that means:
+
+* Access complexity: It is a complex/unintuitive process for an attacker to leverage the vulnerability.
+* Authentication: No authentication is needed for an exploit to be successful.
+* Confidentiality Impact: The vulnerability does not cause non-public data to become accessible.
+* Integrity Impact: The vulnerability can not allow system data to be compromised.
+* Zero-day Impact: An documented exploit does exist in the wild.
+* Target Distribution: Default module configurations are exploitable, but a config change can disable the exploit.
+
+## What do we do?
+
+Fastly (a trusted CDN provider) has taken a snapshot of the code before it was sold and is [hosting it independently](https://polyfill-fastly.io).
+
+Please ask your agency partners to incorporate the [use Fastly polyfill patch for the `openy_custom` module](https:/open-y-subprojects/openy_custom/pull/66) as soon as possible. For those with Virtual Y websites hosted with YMCA’s Cloud Hosting Service, the team will roll out the patch for you and there is no action needed on your part.

content/en/docs/development/Install-Solr-site-search-for-Open-Y/_index.md

@@ -66,7 +66,39 @@ Watch a [video tutorial](https://youtu.be/-Sq3uZb5K_U) on how to switch an exist
 
 ## Layout Builder and Solr search
 
-Solr search can be used with [Layout Builder](../../user-documentation/layout-builder), and requires a few extra steps:
+Solr search can be used with [Layout Builder](../../user-documentation/layout-builder), and requires a few extra steps.
+
+### Configure Solr to index the new content types
+
+In order for Solr to index the new content types, they need to be added to the index.
+
+1. Enable the YMCA Website Services Search API (`openy_search_api`) module if not already enabled.
+2. Go to **Admin** > **Configuration** > **Search and metadata** > **Search API**, then **Edit** the **Search content** index. (`/admin/config/search/search-api/index/search_content/edit`)
+3. Configure Solr to index the Layout Builder content types:
+ - Scroll down, expand **Configure the _Content_ datasource**, and check the content types that should be indexed for search. !["Configure the content datasource" options](solr--choose-content-types.png)
+ - Save the form.
+4. Configure how Solr indexes the Layout Builder content types:
+ - From the **Search API** configuration, open the dropdown for the **Search content** index and choose **Fields**. ![The "fields" option in the options dropdown of the Search API configuration](solr--edit-fields.png)
+ - To the right of the **Rendered HTML output** field options, choose **Edit**.
+ - For each newly added content type, switch "Don't include the rendered item" to the right view mode. ![Choose the view mode for each content type.](solr--view-modes.png)
+ - In general, new Layout Builder specific content types will use the "Default" view mode, while older Layout Builder-compatible content types should use the "Full content" view mode.
+
+ | Content type | View mode |
+ |---------------------|-----------|
+ | Article (LB) | Default |
+ | Branch | Full |
+ | Event (LB) | Default |
+ | Camp | Full |
+ | Camp Subpage | Full |
+ | Facility | Full |
+ | Landing Page (LB) | Default |
+ | Program | Full |
+ | Program Subcategory | Full |
+
+ - Save the page.
+5. Once your changes have been saved, re-index the content to see the changes reflected in search results.
+
+### Set up a Layout Builder search page
 
 1. If you have an existing site, disable the old search page:
  - Go to `/search`.

content/en/docs/howto/track-users/_index.md

@@ -140,6 +140,18 @@ Analytics provides code that does this automatically with standard `<a>` links,
 >
 > Successful cross-domain tracking also requires the destination application to retain the passed query strings and load them into the corresponding tracking property.
 
+### Requesting cross-domain tracking support
+
+Many Customer Relation Management (CRM) systems and Member Management Systems integrate with YMCA websites. Those systems often need guidance on hwo to maintain cross-domain tracking support.
+
+Entrance to the CRM/MMS often involves multiple redirects which may drop the required query strings.
+
+When discussing cross-domain support with your vendor, we recommend requesting:
+
+> Please support passing query strings/parameters through redirects, specifically maintaining the `_gl` parameter.
+
+You may also need to request that your GTM/GA code be added to the CRM/MMS to report back these parameters.
+
 ### Configuration
 
 1. Enable the "YMCA Website Services Cross-domain Tracking (XDT)" module at **Administration** > **Extend**, or via drush:

content/en/docs/howto/use-2fa/_index.md

@@ -0,0 +1,29 @@
+---
+title: How to use two-factor authentication
+linkTitle: "use two-factor authentication"
+description: Enabling multiple levels of identity verification can protect your site from malicious users.
+---
+
+Enabling two-factor authentication (2FA or TFA) adds a layer of security to selected roles like admin while allowing other users to log in to the site only with basic authentication with a Drupal username and password.
+
+The community-contributed [TFA module](https://www.drupal.org/project/tfa) is the recommended path to requiring 2FA for users.
+
+## Requirements
+
+The TFA module requires the PHP OpenSSL extension. This is installed with most modern stacks, but you can check to see if it is running with: `php -i | grep openssl`.
+
+Add the TFA module and its soft dependency:
+
+```shell
+composer require drupal/tfa drupal/real_aes
+```
+
+## Installing
+
+We recommend you follow the full installation instructions [for the 8.x branch](https://git.drupalcode.org/project/tfa/-/blob/8.x-1.x/README.md) or [the 2.x branch](https://project.pages.drupalcode.org/tfa/).
+
+Once you configure an encryption key and an encryption profile, you will then be able to enable TFA at **Admin** > **Configuration** > **People** > **TFA** (`/admin/config/people/tfa`).
+
+Once you enable TFA, you will have the option to require it for specific roles.
+
+![A screenshot showing "Roles required to set up TFA" with checkboxes for each role on the site.](2fa-roles.png)