silverstripe / cwp

Common Web Platform (CWP) features module. We strongly recommend using it for all new CWP projects. Future features will be delivered here.
https://www.cwp.govt.nz
BSD 3-Clause "New" or "Revised" License

Update basic auth instructions #197

Open brynwhyman opened 5 years ago

brynwhyman commented 5 years ago

"Enabling in production" section is outdated, and needs to be updated to reference BasicAuthMiddleware configuration instead.

https://www.cwp.govt.nz/developer-docs/en/2/how_tos/basic_auth/

hanify commented 5 years ago

A better fix would be to change the 'Allow users to use their accounts to access the UAT server' permissions flag, to 'Allow users to use their accounts to bypass basic auth' and have something like the second solution suggested.

These are two ways that developers have implemented this:

  1. If you set the `SilverStripe\Security\BasicAuth::entire_site_protected_code` config flag to a different permission code, it will allow non-admin users to access the site with basic auth.

     E.g.

     ```yaml
     SilverStripe\Security\BasicAuth:
       entire_site_protected: true
       entire_site_protected_code: CMS_ACCESS_CMSMain
     ```

  2. Using the `CMS_ACCESS_CMSMain` permission meant we had to give the CMS 'Access to Pages' privilege to our 'read-only' role, which wasn't ideal (as this allowed our read-only role to add/edit/publish pages on the site).

     We changed it to use the same flag that allows users access on the UAT server ('Allow users to use their accounts to access the UAT server'):

     ```yaml
     SilverStripe\Security\BasicAuth:
       entire_site_protected: true
       entire_site_protected_code: ACCESS_UAT_SERVER
     ```

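One way to implement the dedicated permission hanify suggests, so that a read-only reviewer group can pass the basic auth prompt without being granted `CMS_ACCESS_CMSMain` or the CWP UAT-access flag. This is an added example, not code from this issue or from the cwp module; the class name, namespace, the permission code `BYPASS_BASIC_AUTH` and the file paths are assumptions:

```php
<?php
// app/src/Security/BasicAuthBypassPermission.php  (hypothetical path)
namespace App\Security;

use SilverStripe\Security\PermissionProvider;

/**
 * Declares a dedicated permission code for getting past site-wide basic auth.
 *
 * Keeping the bypass on its own code means it can be granted to a group
 * without also granting CMS_ACCESS_CMSMain (which lets members add/edit/
 * publish pages) and without reusing a flag that means something else
 * (ACCESS_UAT_SERVER).
 *
 * Point BasicAuth at the code in YAML (hypothetical file
 * app/_config/basicauth.yml):
 *
 *   SilverStripe\Security\BasicAuth:
 *     entire_site_protected: true
 *     entire_site_protected_code: BYPASS_BASIC_AUTH
 *
 * The basic auth check then only accepts the credentials of a Member whose
 * groups carry BYPASS_BASIC_AUTH (ADMIN implies every code, so admins still
 * get through).
 */
class BasicAuthBypassPermission implements PermissionProvider
{
    /** Permission code referenced from the BasicAuth YAML config above */
    const CODE = 'BYPASS_BASIC_AUTH';

    /**
     * Registers the code so it shows up as a checkbox on a Group's
     * "Permissions" tab in the Security admin, where it can be ticked
     * for the read-only reviewer group and nothing else.
     */
    public function providePermissions()
    {
        return [
            self::CODE => [
                'name'     => 'Allow users to use their accounts to bypass basic auth',
                'category' => 'Basic auth',
                'help'     => 'Lets the member through the basic auth prompt only; '
                    . 'it grants no CMS access or editing rights.',
                'sort'     => 100,
            ],
        ];
    }
}
```

After a `?flush=1` the new checkbox appears under the "Basic auth" category when editing a group. Because the code is separate from every CMS permission, granting it to the read-only group does not widen what that group can do inside the CMS, which is the problem hanify describes with `CMS_ACCESS_CMSMain`.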
noizyboy commented 5 years ago

Hi team - just giving this a bump. The old (incorrect) instructions are still on the CWP site. The second of the two solutions was the one we implemented (and which works fine), so maybe just update the docs to suggest that config?

ScopeyNZ commented 5 years ago

The docs are maintained in this repo:

https://github.com/silverstripe/cwp/blob/master/docs/en/03_How_tos/basic_auth.md

We welcome any contributions to update the docs 🙂