How good is XenForo plugin architecture?

Well I don't think being somewhere in the middle is going to be of much use... "We reviewed this and we think it's good and safe to use... but if it's not, don't blame us."

Regardless of the fine-print or notices put up, the end users are going to be pissed at the reviewers because they recommended it, but it turned out to have something exploitable that ruined their forum/site.

I think something more along the lines of a rating system where users of the addon could rate it would be nice. But giving people a false sense of security by telling people "all looks good to me" probably isn't the best thing to do...
It is done like that all the time, stores sell goods in their store, but the liability they take for the product is none (as long as you didn't get hurt in the store itself), if it explodes on your face at home, it is the manufacturers' fault.

Apple "curates" the apps, but they do not warrant it will run in your device, nor will give any kind of support for 3rd party app...

The point is, it would create a point of reference, to know that the app you downloaded at least was checked for malware. Things happen, sure. Clever developers hiding it really well, sure. It has happened to the iOS platform and Apple takes the app down after user complaints.

The fact that it is not a perfect solution does not mean it would not be extremely useful and it could be done.

----------------

On another topic, when I installed mods for UBB (ah, such days), I usually browsed by area, for example, I would look for "something to enhance my showthread, more features for private messages", that is probably a higher concern for XenForo right now. I see myself browsing the addon releases in two ways: one, by date, to see what's new, and two, by most replies (or most views, or most likes) to see what people are installing because that is probably hot.

I would really like to see options for browsing by category, by author, etc.
 
I do not expect XenForo to take the liability for other people's bad addons, but I sincerely feel if the addons will be distributed through XF, they could be reviewed, with a score next to it that lets the downloading user make decisions easily, without having to download and inspect the code, because a "professional reviewer" has already done that job. Another firm could be hired just to do that.
And once the add-on has been reviewed, what's to stop the author from editing it to add in some malicious/rubbish code and uploading it again?

It really is a nonsensical suggestion to expect XenForo.com to take responsibility for all 3rd party add-ons.

The forthcoming Resource Manager will have a rating feature, so good add-ons will receive a high rating, poor add-ons a low one.
 
Otherwise installing an addon will always be betting your entire forum installation on it :)
That should have always been the case, shouldn't it? The responsibility rests on the forum owner when he decides to install any addon. Even XenForo 1.1 beta comes with "Should not be installed on production sites" and many people have installed it, myself included. We are not going to blame XF because that's what we decided to do knowing all the risk.
 
And once the add-on has been reviewed, what's to stop the author from editing it to add in some malicious/rubbish code and uploading it again?

It really is a nonsensical suggestion to expect XenForo.com to take responsibility for all 3rd party add-ons.

The forthcoming Resource Manager will have a rating feature, so good add-ons will receive a high rating, poor add-ons a low one.
I do not think my suggestion is nonsensical, I think it is a valid suggestion that has been proven right in other domains, and I am translating that to XenForo.

You are free to disagree with it and you are also free to think that it won't work. I do not think it is nonsensical at all.

If the XF team wants to solve this with the rating, fine. If there are only resources to do as much, fine.
Ratings is just the same thing that has been done everywhere, nothing new there.
 
I do not think my suggestion is nonsensical, I think it is a valid suggestion that has been proven right in other domains, and I am translating that to XenForo.
I don't think the suggestion is nonsensical. It would be a wonderful thing to be able to do... But I *do* think the suggestion isn't practical. You would need an insane amount of competent developers doing nothing but reviewing addons and then re-reviewing them when new versions come out. Setting them up in high-load/traffic environments to see if they still work properly, etc. To do it *right* it could take days or an entire week to do it properly for a single version of a single addon.

It's just a difference between something I would like that is technically possible and something that is realistic/practical. I'd also like a flying car... and while the technology exists today, it's not practical for car manufacturers to build them.
 
I don't think the suggestion is nonsensical. It would be a wonderful thing to be able to do... But I *do* think the suggestion isn't practical. You would need an insane amount of competent developers doing nothing but reviewing addons and then re-reviewing them when new versions come out. Setting them up in high-load/traffic environments to see if they still work properly, etc. To do it *right* it could take days or an entire week to do it properly for a single version of a single addon.

It's just a difference between something I would like that is technically possible and something that is realistic/practical. I'd also like a flying car... and while the technology exists today, it's not practical for car manufacturers to build them.
I kind of agree with you that it is not practical, but some middle ground can be found. I am sure that just by inspecting the code (and without even running it) it is possible to catch some things that just do not "seem right". I do that with the addons I download, I open them with a text editor first, if I see something awful, I give up.

Somebody could save me the time of downloading it, opening the code, and having a quick look.
And, for people that cannot do that themselves, that is useful.
 
Somebody could save me the time of downloading it, opening the code, and having a quick look.
And, for people that cannot do that themselves, that is useful.
As an addon user, I would very much like that to happen. But the time and cost will be embedded somewhere somehow, right?
I don't know if you mean all of this to be free.
 
The only way I could see Rigel's idea working is as a community review. Other developers would be capable of reviewing the add-ons, and submitting anything they've found for the team to review, cutting down the time they'd spend.
 
Because of missing dev tutorials & documentation => As I started coding my first "big" add-on it was a horror because it took several days/weeks to find the necessary steps (e.g. rebuild the node/content type cache after creating own node/content type) but it's IMO always better to read & try to understand the code instead of reading simple examples....
Yes, everybody is sometimes in the "rush" (hope that's the right word for it) and don't want to read dozen files until he's able to code it, but I prefer Mike & Kier work @xenforo and not writing documentation.

I concur. I'm learning Ruby on Rails right now. I've been poring through documentation for the past two weeks or so. I am still at a loss as to the flow of the framework. I understand how to do things, but I don't really understand what's going on in many areas.

That's the problem with documentation/tutorials though. They always say how to do X, such as create an event listener, or a new model, or something like that, but for me all that does is tell me how to do X. It doesn't tell me how to do Y, for that I need another piece of documentation.

Now XenForo has tutorials which helped me start out a bit. However, I didn't understand XenForo until I started reading the comments in the PHP source files. I now understand how XenForo works from request to response. If I don't understand some specific aspect of XenForo then I know where in the source code to look to figure it out. In other words I don't need documentation (aside from PHP comments) or a tutorial to do something within XenForo. If all else fails, I can ask someone more knowledgeable as well.

I'd prefer an article which explains how XenForo works and references the source code heavily rather than any other form of documentation. If you want quality add-ons, have developers understand the base software.

...
5) The quality of the code (OO design, hardcoded values, use of phrases, etc)
I'm going to have to call you on this a bit. Is object-oriented design something which is required? There is tons of PHP code out there that is not designed with objects in mind. Perhaps someone would like to use some of this code (which they may not have written) which may be incredibly stable and efficient and possibly even better suited to the problem. Object-oriented design is great and all, but don't use a hammer when you need a screwdriver. Further, if it's coded well and is efficient, it shouldn't matter if it's object-oriented or not. True you can throw that word out as a buzzword to make your project look fancy, but if it runs well, does it matter? Object-oriented design is really good for XenForo, the base software. It makes things a lot easier for add-on developers. Unless add-ons themselves need to be extremely extensible, it's not really that big of a deal.

The only way I could see Rigel's idea working is as a community review. Other developers would be capable of reviewing the add-ons, and submitting anything they've found for the team to review, cutting down the time they'd spend.
I don't think you understand the heart of a developer. I'm pretty sure code auditors have no soul, because every developer I've ever known would go nuts reviewing code. They'd see certain decisions that were made and want to change it, or fix a bunch of things, or make it more general. I know I would never look at a piece of code and say, "Yeah, it's perfect, 5 stars!". I'd always have a different vision of what the software should or could be.
 
I don't think you understand the heart of a developer. I'm pretty sure code auditors have no soul, because every developer I've ever known would go nuts reviewing code. They'd see certain decisions that were made and want to change it, or fix a bunch of things, or make it more general. I know I would never look at a piece of code and say, "Yeah, it's perfect, 5 stars!". I'd always have a different vision of what the software should or could be.


I wasn't suggesting someone audit the code to that extent, but more that they check for security risks, or places where it could have an impact on performance.

And while every developer hates reviewing someone else's code, chances are if they use that add-on, they will do at least a cursory audit of the add-on. I'm sure you or many other developers audit any code they use, as I know my partner and I do as we're not able to trust someone else's work without knowing them.
 
But I *do* think the suggestion isn't practical. You would need an insane amount of competent developers doing nothing but reviewing addons and then re-reviewing them when new versions come out.

Agreed, right now it isn't practical. However, that is because XF would need to set up an automated test environment. Do you think the iOS QA team actually looks at every piece of software and tries everything the software can or can't do? No. Not possible.

My suggestion and it would aid the XF community as a whole, and it would make XF stand out from the competition is to have an add-on reviewer.

The reviewer wouldn't be responsible for ensuring the integrity of the add-on, i.e. no guarantee that it will work in your particular setup, i.e. it may conflict with other add-ons. Although the reviewer could ensure the add-on worked with current versions. The automated testing suite would then see what happens with a simulated load of 100, 500, 1000 concurrent users, with a large forum database. What are the memory requirements, CPU requirements, MySQL load, etc... Then it could be discovered if an add-on could potentially put a huge hurt on a user's system.

I think the community would really find this an invaluable resource. I know the add-on is guaranteed to work with version x.xx and there aren't a bunch of crazy queries that are going to crush my server.
 
A tiered rating system based on usergroups.

Pro-xF Coder
- Intermediate xF Coder
- Beginner xF Coder
Only someone within the same level or higher can rate the code of a mod.

Anyone else, gets a "user rating" that they can do on the mod, so you have two ratings, one to do with the code quality and one to do with the end user "happiness" basically. (Same thing we have now for ratings everywhere)

Of course, this begs the question of how coders are rated (assigned groups) and who makes these determinations. Ok, so it's not a perfect system, but I'm just typing while I brainstorm a little. heh
 
In the end I think it will be the marketplace/general community that will recommend and self-moderate who is a "good" add-on/resource developer and who is not.
 
The solution is obvious:
Better documentation, more example plugin code with best practices demonstrated and documented.
As a consumer rather than creator of plugins, I don't know, by looking at the code, that a plugin is written well or poorly. With example code, I can do a rudimentary audit to see how far off the track the plugin's author has gone. "Best practices" doesn't have to be a 1,000 page opus. It can be rough notes which someone else can clean up.

Agree on this point. We need documentation if you want XenForo to be a platform.

I think some form of community-driven documentation (KAM-BJ don't have time) would be the method needed here.
Has anyone seen a coding community that has excellent examples and documentation to help each other?
 
The rule of thumb should be to get the feature function into the core product and not rely on third party code.
There seems to be a plethora of add-ons appearing weekly. Some are so specific and only likely to be used by a minority but some are so 'invasive' and extensively used that in reality some or all the functionality should be in the core product.
I personally think it is wrong for the XF team to rely too heavily on third party add-ons to supplement their product.

Fact is some third party add-on developers will be here today and gone tomorrow.
It is similar to Firefox - good product but gets impacted by potentially poor quality add-on code. Get a bug in Firefox and the stock response is - uninstall your add-ons till you find which one caused the problem.
 
Any ideas how to accomplish that here at xenforo.com?

Goal: Low Cost, High Quality Addons with reasonable support is what the goal should be.

XenForo is still using the vBorg model, which was never optimal, and certainly doesn't make sense in 2013.
 
This is simple. Learn to pay a proper price for software in such a small market and good developers won't leave. Also learn to up your standards, there is so much rubbish made for XenForo that people seem to think is the best thing since sliced bread. There aren't many professional programmers around these parts and the ones that were here have since left.
 