Add Ajax to Plugin and Themes Screen

[ronalfy]

Resolves #65

This is a concept PR that demonstrates Ajax enabling/disabling of plugins. Would love to discuss this more and flesh it out more for themes as well if this concept is accepted.

Thanks,

Ronald Huereca

[paaljoachim]

Looks Good Ron..:)

[ronalfy]

Looks Good Ron..:)

Thanks! I'll try to attend the next meeting and bring this up.

[pbiron]

Related: https://wordpress.slack.com/archives/CULBN711P/p1585694448060400, #47

[ronalfy]

Thanks @pbiron

[paaljoachim]

So it sounds like it is outside the scope of this plugin.
Perhaps this is more of a WordPress trac issue to bring Ajax into the Installed plugins screen so one can activate/deactivate plugins by using Ajax.

I am guessing that Ajax is being used when initially installing and activating a plugin. (Atleast it does not jump to the top of the screen when installing/activating a plugin for the first time.)

That means on the Plugins -> Install New seems to have Ajax activated.
But that the Installed plugins screen does not.

[pbiron]

Thanks @pbiron

Thank you for the POC PR!

[pbiron]

So it sounds like it is outside the scope of this plugin.
Perhaps this is more of a WordPress trac issue to bring Ajax into the Installed plugins screen so one can activate/deactivate plugins by using Ajax.

No, it's perfectly within scope for the plugin. The implementation may change when merged into core, but that's the same with a lot of what's in the plugin.

[ronalfy]

@paaljoachim @pbiron updated the PR for the themes screen on multisite. I'll do another test on single-site to make sure everything behaves as expected.

One thing I noticed is we need some do_action or apply_filters when anything is updated and removed for third-party plugin compatibility such as Easy Updates Manager (200,000+ installs) so they can keep track of what's enabled/disabled. I'm imagining another PR to accomplish this.

[ronalfy]

Also would be good to abstract out the HTML creation so Ajax and non-Ajax use the same markup.

[ronalfy]

This does not work for the themes screen on single-site. I'll be happy to do another PR to get that fixed with this PR as a dependency.

Needed:

1. Abstraction of HTML for use in Ajax and non-Ajax settings.
2. Uniform set of classes to target for JS integration.
3. Uniform set of strings to i18n for enabled/disabled settings. I notice the themes screen on single-site has different verbiage for enabled/disabled states.

I'll be happy to discuss at the next open meeting.

Regards,

Ronald Huereca

[pbiron]

One thing I noticed is we need some do_action or apply_filters when anything is updated and removed for third-party plugin compatibility such as Easy Updates Manager (200,000+ installs) so they can keep track of what's enabled/disabled. I'm imagining another PR to accomplish this.

Thanx Ronald! Can you open an issue about other things we could do (e.g., other hooks we could/should add) to help and/or avoid conflicts with existing update plugins?

[ronalfy]

Thanx Ronald! Can you open an issue about other things we could do (e.g., other hooks we could/should add) to help and/or avoid conflicts with existing update plugins?

Done. Thank you. #63

[ronalfy]

@paaljoachim @pbiron I updated the PR to cover single-site themes.

This is ready for review/scrutiny :)

[pedro-mendonca]

Suggestion for some more consistent wording:

[ronalfy]

Suggestion for some more consistent wording:

Yeah, we'll definitely want to tweak the wording. Thanks!

[pbiron]

I'm not sure why, but the colors on the Enable/Disable links in the Theme Details modal are wrong after applying this PR, see

Can you look into that?

[ronalfy]

@pbiron shall I keep this PR up to date with changes, or wait until the 0.6 milestone to finalize?

[pbiron]

@pbiron shall I keep this PR up to date with changes, or wait until the 0.6 milestone to finalize?

It's probably easier to wait, but that's up to you.

Also, with regard to adding $hook === 'site-themes.php' to the conditional, see #69 which I just opened...so definitely wait to make that change.

[ronalfy]

@pbiron this has been updated with the latest 0.5.1 changes.

[pbiron]

On quick inspection things seem to work great. I'll have to go over the code in detail later.

The other thing I notice is that without the dashicon animating while processing is happening it's unclear to a user that anything is happening :-( Yes, the wording changes from Enable auto-updates to Enabling auto-updates but that change is so minor I didn't really see it the first couple of times.

I don't really know what to do about that. Maybe one thing would be to change the text to Enabling auto-updates ... (append ellipsis). Even better would be if the ellipsis could be animated; that is, draw one full-stop, then two, then 3, then back to 1, then 2, then 3, etc. I have no idea whether that would be possible.

Also see the 3 comments attached to specific lines (e.g., the version arg when enqueueing the JS, and about the blur() in the on.click handlers.

[audrasjb]

Thanks all and particularly @ronalfy for all the great work on this pull request.
Currently testing it, and all looks fine on my side for the moment…
I have some accessibility concerns, but I think it’d be easier to handle them once the current workaround is merged.

[TimothyBJacobs]

For consistency with other WordPress Ajax functions, like wp_ajax_update_plugin it might be worth using check_ajax_referer instead.

[ronalfy]

@TimothyBJacobs Changed with bbc30fd

[ronalfy]

@TimothyBJacobs @audrasjb @pbiron ready for re-review. Made the CSS changes and removes the filter_inputs. Thanks for allowing me to be apart of this.

[audrasjb]

I think this pull request will need a security audit before merge 🙂

[audrasjb]

I’m a bit worried about using sanitize_text_field as it's only sanitization. Shouldn't we also escape unwanted HTML bits?

Pinging @whyisjake as WordPress security team maintainer for further consideration.

[ronalfy]

Yeah, great idea.

[ronalfy]

Coding standards want me to use wp_unslash and then a sanitization before even touching the variable. But I'll let the security team come up with the suggestions.

[whyisjake]

There are a few nits here, overall, looks good.

[whyisjake]

Can you add an absint here?

Suggested change

	'enabled_count' => '(' . $enabled_count . ')',
	'enabled_count' => '(' . absint( $enabled_count ) . ')',

[whyisjake]

Let's add an absint here too.

Suggested change

	'enabled_count' => '(' . $enabled_count . ')',
	'enabled_count' => '(' . absint( $enabled_count ) . ')',

[whyisjake]

Wondering if we should add another esc_ function here. I can see the parts above look great, but...

[whyisjake]

Same comment here as above about thinking about late escaping.

[ronalfy]

@whyisjake is wp_kses_post sufficient for late escaping of the HTML, or do you want to be stricter than that?

[ronalfy]

See af2480b please.

[whyisjake]

WFM.

[pbiron]

see https://github.com/WordPress/wp-autoupdates/pull/61/files#r411760174

[pbiron]

there are some WPCS related things that should be addressed at some point, but don't think those need to be done before this is merged. So, once the others sign off, I think it's good to go.

[whyisjake]

💥