XF 2.1 One-click upgrades and add-on install/upgrade from ZIP files

And here we are, already at the penultimate entry in our "Have you seen...?" series for XF 2.1. If you haven't seen the previous entries about what's coming in XF 2.1, check them out here.

As ever, to ensure you're kept up to date, we strongly recommend giving that "Watch forum" link a... well... click, I guess... and make sure you enable email notifications if you haven't done so already 🙂
 

The Dark Wizard

Well-known member
Sounds interesting, though for security reasons I do not feel comfortable giving our application servers write access to all files.

Will the infrastructore (for downloading & installing packages) also work in CLI?
Right now, it doesn't, but it's something we're interested in adding if there is time.

I've been using something that does this fir a while now from @Xon. You out all the zips somewhere on your server and you have a CLI command that unzips then all and then a command tonejther mass install or update any pending addons

Give him a poke as I'm not best a computer right now and able to find his Extra CLI add-on.
 

DragonByte Tech

Well-known member
Briefly security wise, a user must be logged in and licenses verified (both XF and mine) to download an add-on from my site. Any connection from another server to download an add-on has about an 80% chance of being denied at the system level before the request ever hits the web site itself. It's rather convoluted, but it works.
Sounds like the new REST API would solve that, since the API key will be tied to the individual user account so any requests using this API key will be authenticated with that user.

Once 2.1 hits, you could write a profile for the ThemeHouse I&U add-on that calls custom-built API endpoints @ your site that could do all sorts of interesting logging and security checks before throwing back the zip file :)


Fillip
 

Tealk

Well-known member
This should be possible to deactivate
 

DragonByte Tech

Well-known member
Add-on install/upgrade from archive
I forgot to ask about this feature; does it disable the addon(s) while this process is on-going? I imagine it does, but it's best to ask just to be sure :)

Reason why I ask is that on more than one occasion we've had issues with people upgrading addons where modifications to existing event listeners depend on code from a new event listener that hasn't been installed yet, which kills the site and forces a enableListeners tweak to complete the upgrade. Not everyone knows how to do that config.php tweak and so they get frustrated, understandably so.

I of course try to avoid that whenever possible but sometimes it can't really be helped.


Fillip
 

Chris D

XenForo developer
Staff member
This should be possible to deactivate
It is, you simply renew your license ;)

Joking aside, obviously you can ignore it too, which is also fine. It's for information only. Serves as a handy reminder and would help make it clear to people why update notifications have stopped (we only notify you of updates you have available to you).
 

Chris D

XenForo developer
Staff member
I forgot to ask about this feature; does it disable the addon(s) while this process is on-going? I imagine it does, but it's best to ask just to be sure :)

Reason why I ask is that on more than one occasion we've had issues with people upgrading addons where modifications to existing event listeners depend on code from a new event listener that hasn't been installed yet, which kills the site and forces a enableListeners tweak to complete the upgrade. Not everyone knows how to do that config.php tweak and so they get frustrated, understandably so.

I of course try to avoid that whenever possible but sometimes it can't really be helped.


Fillip
We only have what we have now which is that the add-on goes into the is_processing state.

For this kind of thing, it's really your own responsibility to make the code "safe".

The best way to do that, is using conditions based on the version ID of the add-on so that the code only runs after it has been upgraded. That said, code events depending on code events doesn't sound ideal, it'd also be worth trying to explore safer approaches.

The same thing can happen with class extensions too, I guess, but then method calls could be wrapped in method_exists checks etc.
 

Xon

Well-known member
Sounds interesting, though for security reasons I do not feel comfortable giving our application servers write access to all files.
XF2 requires writable php files which are executed on every page load. Without it, you can't change any style properties, styles, phrases or navigation bar changes.

This particular ship has sailed a long time ago.
 

Chris D

XenForo developer
Staff member
They're all confined to one parent directory, though, so I don't think that's what Kirby was getting at.
 

Xon

Well-known member
"add-on batch", sounds familiar :D

I've been using something that does this fir a while now from @Xon. You out all the zips somewhere on your server and you have a CLI command that unzips then all and then a command tonejther mass install or update any pending addons

Give him a poke as I'm not best a computer right now and able to find his Extra CLI add-on.
Also installs/upgrades certain add-on in right order :p
It needs some cleanup before a public release. The order dependency stuff requires a custom field in the addon.json to work well with conditional dependencies, but does do sorting from the add-on's requires field.

@Chris D would there be any easy way to hook the web install process to define the install order? :) And do you guys try to sort the install order based off the requires info into addon.json ?

They're all confined to one parent directory, though, so I don't think that's what Kirby was getting at.
For Wordpress once you have strong unique passwords, the single greatest security feature is to turn on auto-updating and ensure everything is kept up to date. Security wise, making it complex to update just means people don't update.
 
Top