
ci4-cms-erp/ci4ms
=================

Modular CodeIgniter 4 CMS featuring RBAC admin, theming, blog/page management, elFinder media integration, and CLI tooling for rapid customization.

Version 0.33.2.0 · MIT · PHP ^8.2 · CI passing · [3 issues](https://github.com/ci4-cms-erp/ci4ms/issues)

[Source](https://github.com/ci4-cms-erp/ci4ms) · [Packagist](https://packagist.org/packages/ci4-cms-erp/ci4ms) · [Patreon](https://patreon.com/bertugfahriozer)

CI4MS
=====


CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. It combines CMS workflows, developer-focused CLI commands, an extensible module system, and customizable front-end themes in a single package.


Key Features
------------


- **Authentication & RBAC:** `Modules\Auth` handles user login, lockouts, and password resets via CodeIgniter Shield. Permissions map to `auth_permissions_pages` records.
- **Modular backend:** Each feature ships as an independent module (Blog, Pages, Menu, Media, Users, Settings, Theme, etc.) under `modules/*`.
- **Flexible content management:** Page and blog entries include SEO metadata, categories, tags, and full comment workflows.
- **Media & files:** Includes elFinder-powered media management, a built-in file editor, and an in-panel log viewer.
- **Automatic Updates:** Modernized `UpdateService` provides a "One-Click Update" system with atomic file operations, automated GitHub version discovery (bypassing 300-file limits), and secure rollback management.
- **Security Architecture:** Global CSRF protection across all AJAX endpoints, strict HTTP security headers (CSP, HSTS, X-Frame-Options), executable file upload blacklists, and HTMLPurifier sanitization to prevent XSS and RCE attacks.
- **Backup Support:** Updates automatically trigger a full backup of modified files before applying patches, with a dedicated management interface for restores.
- **Theme system:** The `public/templates/*` structure and the `Modules\Theme` module enable installing or upgrading themes from ZIP packages.
- **Setup & automation:** Offers a web-based installer (`/install`) plus a single CLI command (`php spark ci4ms:setup`) for automated installation, default data seeding, and route generation. Module scaffolding is available via `php spark make:module`.
- **Docker support:** Ships with a production-ready `Dockerfile`, `docker-compose.yml`, and a GitHub Actions CI workflow out of the box.
- **SEO helpers:** `ci4seopro` builds meta tags and JSON-LD, while `CommonLibrary` centralizes email, breadcrumbs, and inline shortcode utilities.

Requirements
------------


- PHP **8.2** or newer (`intl`, `json`, `mbstring`, `gd`, `curl`, `openssl` extensions required)
- Composer 2.5+
- MySQL / MariaDB (or any CodeIgniter 4-supported driver)
- Writable directories: `writable/`, `public/uploads/`, optionally `public/templates/`

See `composer.json` for the full dependency list (e.g. `bertugfahriozer/ci4commonmodel`, `bertugfahriozer/sql2migration`, `ci4-cms-erp/ext_module_generator`, `claviska/simpleimage`, `gregwar/captcha`, `studio-42/elfinder`).


Installation
------------


### Fresh Project (recommended)


```
composer create-project ci4-cms-erp/ci4ms myproject
cd myproject
```

### Clone Existing Repository


```
git clone <repository-url> ci4ms
cd ci4ms
composer install
```

### Docker (recommended for development & CI)


```
cp env .env           # configure database, baseURL, etc.
cp app/Config/DefaultRoutes.php app/Config/Routes.php
docker compose up -d --build
docker exec ci4ms_app composer install
docker exec ci4ms_app php spark ci4ms:setup
```

Refer to `DOCKER_SETUP.md` for full Docker configuration details.

### Environment & Configuration


1. Create your `.env` from the template:

```
cp env .env
```

2. Update these core settings in `.env`:

    - `app.baseURL`
    - `database.default.*`
    - Optional: `cookie.*`, `honeypot.*`, `security.*`
3. Prepare the routes file:

```
cp app/Config/DefaultRoutes.php app/Config/Routes.php
```

4. If you prefer the web installer, open `/install` in the browser and follow the wizard. Use the CLI step below to skip the wizard.

### One-Command Setup (CLI)


```
php spark ci4ms:setup
```

This single command runs all migrations, seeds default data (modules, permissions, sample content), and creates the initial administrator account. No separate migrate or seed commands are needed.

### Run the Dev Server


```
php spark serve
```

Access the backend via: `https://<your-domain>/backend`

Directory Layout
----------------


```
app/                 Application code (controllers, config, libraries, filters)
modules/             Feature modules (Auth, Backend, Blog, etc.)
public/
  index.php          Front controller
  be-assets/         Admin UI build artifacts (CSS/JS)
  templates/         Front-end themes
  media/             Media storage (must be writable)
writable/            Cache, logs, temporary files (must be writable)
vendor/              Composer packages
.docker/             Dockerfile, Apache, and PHP configuration
docs/                Developer documentation

```

Key files:

- `app/Commands/` — CLI tooling (`make:a*`, `create:route`, `ci4ms:setup`).
- `app/Filters/Ci4ms.php` — Install guard, maintenance mode redirect, menu cache.
- `app/Config/DefaultRoutes.php` — Routes template; copy to `Routes.php` on setup.
- `modules/*` — Each module includes its own `Config/Routes.php`, `Controllers`, `Models`, `Views`, `Language`, `Libraries`, `Filters`.
- `public/templates/` — Theme assets; each theme requires `info.xml` and `screenshot.png`.
- `writable/` — Cache, logs, temporary files.

Modules
-------


| Module | Purpose | Highlights |
| --- | --- | --- |
| Auth | Authentication lifecycle | Shield-based, CAPTCHA, email activation, reset tokens |
| Backend | Admin shell | Dashboard stats, shared base controller |
| Blog | Blog CRUD | Categories, tags, comments, bad-word filters |
| Pages | Static page management | SEO fields, inline shortcode parsing |
| Menu | Menu builder | Drag-and-drop ordering, slug helpers |
| Media | Media manager | elFinder integration, optional WebP conversion |
| Fileeditor | Project file editor | Safe read/write/rename; dangerous extension blacklist |
| Settings | System configuration | One-click updates, company/social/mail settings, i18n support |
| Users | User & role management | Shield groups, reset tracking |
| Methods | Route → permission mapping | Module toggling, router scan |
| Logs | Log viewer | Browses CodeIgniter log files inside the backend |
| ModulesInstaller | Module ZIP installer | Upload + cache invalidation |
| Theme | Theme manager | ZIP upload, DB migration support, duplicate checks |
| Install | Web installer | Creates `.env`, triggers migrations |
| Backup | Database backup manager | Create, download, and restore with SQL sanitization |
| DashboardWidgets | Dashboard statistics | Modular widget system for admin overview |
| LanguageManager | Language file manager | Edit and manage translation files from the backend |

See `docs/architecture.md` for deeper architectural notes.

CLI Commands
------------


| Command | Description |
| --- | --- |
| `php spark ci4ms:setup` | Full automated installation: migrations, seeding, default data |
| `php spark make:module Blog` | Scaffold a new module (Config, Controllers, Views, language files) |
| `php spark make:abview dashboard` | Generate a backend view from the AdminLTE template |
| `php spark create:route` | Rebuild `app/Config/Routes.php` from the template |
| `php spark migrate --all` | Run all pending migrations across modules |
| `php spark cache:clear` | Clear all application caches |

Standard CodeIgniter commands (`php spark db:seed`, `php spark key:generate`, etc.) are also available.

Developer Notes
---------------


- **Cache keys**: `settings` (24h), `menus_{locale}` (per-locale, 24h), `{userId}_permissions`. Clear with `php spark cache:clear` or `cache()->delete()`.
- **Base controller**: Extend `Modules\Backend\Controllers\BaseController` for new backend controllers; it prepares session user, navigation, mail settings, and shared data.
- **Permissions**: Register new secured routes in `Modules\Methods` (or via the database) so the permission filter recognizes them.
- **Slug generation**: `seflink()` handles transliteration (including Turkish characters).
- **Form security**: Global CSRF is enabled; backend AJAX endpoints opt out via `BackendConfig::$csrfExcept`.
- **Comment moderation**: `CommonLibrary::commentBadwordFiltering` handles bad word filtering and moderation rules.
- **Theme uploads**: Each theme must include `info.xml` and `screenshot.png`; missing files trigger a backend warning.

Testing & Maintenance
---------------------


- `composer test` — runs PHPUnit.
- The GitHub Actions workflow (`.github/workflows/docker-test.yaml`) automatically builds the Docker image and runs migrations on every push to `master`.
- **Maintenance mode**: When `settings.maintenanceMode.scalar == 1`, the `Ci4ms` filter redirects visitors to `maintenance-mode`.
- **Security**: `Fileeditor` enforces `realpath` guards and a dangerous extension blacklist (`.php`, `.phtml`, `.phar`, `.htaccess`) to prevent RCE; destructive operations (`deleteFileOrFolder`, `renameFile`) additionally validate against an extension allowlist to block renaming or deleting critical application files. `Backup` restore uses an SQL statement whitelist to block malicious queries (`LOAD_FILE`, `GRANT`, etc.). The `HTMLPurifier` config is hardened against XSS bypasses (`data:` URIs blocked, `CSS.Trusted` disabled), and `CustomRules::getClean()` output is persisted on every `create` and `update` flow in the Blog and Pages controllers to prevent stored XSS. All `$_SERVER` reads are replaced with the CI4 `base_url()`/`site_url()` helpers. Configure `App.php::$proxyIPs` if behind Cloudflare/Nginx.
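
The PHP below is an added example, not code from ci4ms: it shows how a `realpath` containment check, the extension blocklist named above, and a stricter allowlist for rename fit together. The function names, constant names and the allowlist contents are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical names; not ci4ms code. Blocklist is the README's, allowlist contents are assumed.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'htaccess'];
const DESTRUCTIVE_ALLOWLIST = ['css', 'js', 'txt', 'html', 'json'];

/** Canonical path of $relative under $root, or null when it escapes the root. */
function resolveInsideRoot(string $root, string $relative): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || str_contains($relative, "\0")) {
        return null;
    }
    $candidate = $rootReal . DIRECTORY_SEPARATOR . ltrim($relative, '/\\');
    $real = realpath($candidate);
    if ($real === false) {
        // Not there yet (new file, rename target): canonicalise the parent, re-attach the name.
        $parent = realpath(dirname($candidate));
        $name = basename($candidate);
        if ($parent === false || $name === '.' || $name === '..' || is_link($candidate)) {
            return null;
        }
        $real = $parent . DIRECTORY_SEPARATOR . $name;
    }
    // Trailing separator in the prefix so "/srv/app-old" never matches root "/srv/app".
    return ($real === $rootReal || str_starts_with($real, $rootReal . DIRECTORY_SEPARATOR)) ? $real : null;
}

/** Lower-cased dot-separated segments after the first: "a.PHP.bak" gives ['php', 'bak']. */
function extensionSegments(string $path): array
{
    $name = strtolower(rtrim(basename($path), ". \t"));
    return array_slice(explode('.', $name), 1);
}

/** Writes are refused outside the root or when any segment is on the blocklist. */
function canWrite(string $root, string $relative): bool
{
    $real = resolveInsideRoot($root, $relative);
    return $real !== null && array_intersect(extensionSegments($real), BLOCKED_EXTENSIONS) === [];
}

/** Rename is destructive: source and destination need exactly one allowlisted extension. */
function canRename(string $root, string $from, string $to): bool
{
    foreach ([$from, $to] as $relative) {
        $segments = extensionSegments(resolveInsideRoot($root, $relative) ?? '');
        if (count($segments) !== 1 || !in_array($segments[0], DESTRUCTIVE_ALLOWLIST, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample tree in a temp directory, removed again at the end.
$root = sys_get_temp_dir() . '/fileeditor_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/theme', 0700, true);
file_put_contents($root . '/theme/style.css', 'body{}');
foreach (['theme/style.css', 'theme/new.txt', '../outside.txt', 'theme/shell.PHP', 'theme/.htaccess'] as $p) {
    printf("write  %-16s %s\n", $p, canWrite($root, $p) ? 'allow' : 'deny');
}
foreach (['theme/main.css', 'theme/style.phtml'] as $to) {
    printf("rename style.css -> %-17s %s\n", $to, canRename($root, 'theme/style.css', $to) ? 'allow' : 'deny');
}
unlink($root . '/theme/style.css'); rmdir($root . '/theme'); rmdir($root);
```

Checking every dot-separated segment rather than only the last one is a deliberate tightening in this example, so a name such as `shell.php.txt` is refused as well.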

Additional Docs
---------------


- `docs/architecture.md` — Architecture, flow, permissions, and extension guidance.
- `docs/developer-handbook.md` — Environment setup, coding standards, deployment checklist.
- `docs/theme_development.md` — Theme folder structure, routing, and `base.php` variables.
- `DOCKER_SETUP.md` — Docker environment configuration and usage.
- `CHANGELOG.md` — Full release history.

Questions or contributions? Open an issue or pull request.

🏆 Security Hall of Fame
-----------------------


A huge thank you to the security researchers who have helped make **ci4ms** more secure by finding and reporting vulnerabilities.

| Contributor | Contribution | Date |
| --- | --- | --- |
| **[Lars van Mil](https://github.com/Far-Horizons)** | Identified Critical RCE and Information Disclosure vulnerabilities. | Jan 2026 |
| **[0xAlchemist](https://github.com/bugmithlegend)** | Identified Critical Stored DOM XSS vulnerabilities across Company Info, Social Media, and Mail Settings modules, and a Session Invalidation flaw, leading to Account Takeover, Privilege Escalation, and potential Platform Compromise. | Feb 2026 |
| **[peeefour](https://github.com/peeefour)** | Identified Stored DOM XSS vulnerabilities leading to Account Takeover. | Feb 2026 |
| **[Hunter.](https://github.com/LAW6ZX7)** | Identified Critical Stored XSS in Backend & Blog modules allowing Session Hijacking. | Feb 2026 |
| **[m1scher](https://github.com/m1scher)** | Assisted with vulnerability triaging and security testing. | Feb 2026 |
| **[alpernae](https://github.com/alpernae)** | Assisted with vulnerability triaging and security testing. | Feb 2026 |
| **[offset](https://github.com/offset)** | Identified Critical vulnerabilities including multiple Stored XSS (Blog & Pages content via broken `html_purify` validation), Authorization Bypass in Fileeditor destructive operations (delete/rename extension allowlist missing), Install Guard Bypass, and CRLF Injection. | Apr – May 2026 |
| **[fg0x0](https://github.com/fg0x0)** | Identified Critical Arbitrary File Write (Zip Slip RCE) vulnerabilities in Theme::upload and Backup::restore modules. | Apr 2026 |
| **[0xAlchemist](https://github.com/bugmithlegend)**, **[peeefour](https://github.com/peeefour)** and **[DexterHK](https://github.com/DexterHK)** | Identified Critical Full Account Takeover and Privilege Escalation via Stored DOM Blind XSS in Backup Management (v2). | Apr 2026 |
| **[dapickle](https://github.com/dapickle)** | Identified Critical Authenticated RCE in Theme installation, Arbitrary Database Table Drop in Theme module, and a Session Management Bypass. | Apr 2026 |
| **[iltosec](https://github.com/iltosec)** | Identified Broken Access Control in Media module, Unsafe Reflection in Dashboard Widgets, RCE via template-function parsing in Pages, and Stored XSS in Pages Cover Image URL leading to Account Takeover (the residual instance of the same Cover Image URL Stored XSS class in Blog Categories was subsequently hardened as well). | Jun 2026 |

> If you find a security vulnerability, please report it via [Security Policy](SECURITY.md).

🐞 Bug Reporters
---------------


Thanks to the community members who report functional bugs and help us catch regressions before they hit more users.

| Contributor | Contribution | Date |
| --- | --- | --- |
| **[spreaderman](https://github.com/spreaderman)** | Reported two installation-blocking regressions in v0.31.10.0: the web installer returning `404 GET install/dbsetup` after the configuration step, and `php spark ci4ms:setup` aborting on the `users.profileIMG` migration due to a `TEXT` column with a default value (rejected by MySQL/MariaDB strict mode). | May 2026 |

> Found a non-security bug? Please [open an issue](https://github.com/ci4-cms-erp/ci4ms/issues) with reproduction steps.

Maintainer: Bertuğ Fahri ÖZER ([@bertugfahriozer](https://github.com/bertugfahriozer))

