New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FEATURE REQUEST] - Show Extras that have updates available in home of dashboard #14182

Open
daygon2007 opened this Issue Dec 5, 2018 · 15 comments

Comments

Projects
None yet
10 participants
@daygon2007
Copy link

daygon2007 commented Dec 5, 2018

Feature request

Summary

Create a widget in the main (home) dashboard to show plugins/extras with available updates or in the MODX dashboard navigation menu (NOT IN A DROP DOWN) for better visibility when there are updates that are present... especially security updates.

Why is it needed?

More visibility into knowing when plugins have been updated for features or, more importantly, security updates. Many times the installer section is not a section that is visited unless there is a specific action that a user is looking to take, ie... Add or remove an extra.

Suggested solution(s)

Add a dashboard widget to the main dashboard view or add some sort of notification within the MODX Dashboard Navbar

@sottwell

This comment has been minimized.

Copy link
Contributor

sottwell commented Dec 5, 2018

@kolbykruger

This comment has been minimized.

Copy link

kolbykruger commented Dec 6, 2018

This also seems to be a feature coming with MODX 3.0, although it will be some time before it's release.

@OptimusCrime

This comment has been minimized.

Copy link
Contributor

OptimusCrime commented Dec 6, 2018

I do not see why this have to be a part of the core. This can easily be done with a dashboard extra.

I suggest closing this.

@Ruslan-Aleev

This comment has been minimized.

Copy link
Contributor

Ruslan-Aleev commented Dec 6, 2018

@OptimusCrime Will there be such a widget in the core? :)
In demo screens there are 2 widget types:

  1. With updating only MODX
  2. With update packages and MODX

Correct varinat - with update packages and MODX.

dashboard_1
dashboard_2

@JoshuaLuckers

This comment has been minimized.

Copy link
Collaborator

JoshuaLuckers commented Dec 6, 2018

Related issues:

@Alroniks Alroniks added this to the v3.0.0-alpha milestone Dec 6, 2018

@Alroniks Alroniks added the feature label Dec 6, 2018

@Alroniks

This comment has been minimized.

Copy link
Collaborator

Alroniks commented Dec 6, 2018

Some time ago I had an idea to move upgrademodx into the core to make widgets on mockups working. So yes, it should be implemented (I hope soon).

@daygon2007

This comment has been minimized.

Copy link

daygon2007 commented Dec 7, 2018

@OptimusCrime I see your point, but from coming from a security background, each extra is the potential for an exploit. I'm not going to say all extras need to be part of the core CMS, that would be ignorant, but something like this where you don't have immediate visibility of out of date plugins can cost a company using MODX a lot of money unless you have someone going to the installer section every day to see if there's an update.

Example, I had a client who patched the MODX 2.6.4 vulnerability and upgraded to MODX 2.6.5 as well as all of their plugins a few days after the announcement, but they were also using the Gallery extra which had not been updated in about 4 years. The plugin was updated about a week and a half later to patch the vulnerability but since there's no kind of notification that tells users that an update is available the site got compromised months later as a result. Thankfully the results of the compromise were not visible to front-end users, but the attackers were able to do things on the server. But the attacker could have defaced the site and cause the company a lot and hurt their brand. Had there been some notification of an out-of-date plugin this could have prevented. Since now I have the knowledge of this plugin I have absolutely installed it for that visibility, but me personally I don't think this extra should be an extra it should be in the core because of how vital it is.

Additionally, it's impossible for someone maintaining a site to know every plugin/extra for MODX so if someone does not know about this extra like myself, they are missing out on some vital information that most CMS's include in their core.

@Alroniks - Cheers for, hopefully, implementing this into the core soon, I'm sure MODX users around the world will love you for that.

@JoshuaLuckers

This comment has been minimized.

Copy link
Collaborator

JoshuaLuckers commented Dec 7, 2018

I couldn’t have said it better @daygon2007 !

@OptimusCrime

This comment has been minimized.

Copy link
Contributor

OptimusCrime commented Dec 7, 2018

@daygon2007 Sure, you have a valid point, and perhaps this is one of the cases where putting it in the core is justifiable. I am just, generally, against bloating the core with more and more features. The MODX core is already gigantic, and I personally think it does way more than it have to. An ideal core in my opinion would provide us with features that everyone would always use, and features that are 100% necessary.

For example, this dashboard widget would be redundant for our workflow. We monitor extras using other services, like SiteDash, and other tools. The customers themselves are never supposed to update the extras, as this might result in unpredicted behavior, bugs or errors. It is our task to make sure the sites are not vulnerable to attacks.

The Gallery exploit in particular is something that was discussed a lot in the community, and we were made aware of this in many channels. Perhaps more people would have upgraded Gallery if they saw that an update was available, but I also think that few people update every single extra that has an available update all the time. Unless it was somehow made clear that this was a very important update for Gallery, I think that most people would just skip updating it. A new dashboard widget would not fix this.

Regardless, I am not going to fight a battle against making this a part of the core. If most people are positive to this, then fine by me. I would just personally prefer to make a good extra out of it, and allow people to make it a part of their default setup, if they chose to, instead of forcing it on everyone.

Perhaps this approach make more sense in a framework, instead of a CMS, like MODX.

@JoshuaLuckers

This comment has been minimized.

Copy link
Collaborator

JoshuaLuckers commented Dec 7, 2018

I think this is a great opportunity to have a good discussion where possible solutions are proposed.

One of the problems I can deduct is not being aware of important security updates. Maybe we should focus on how that can be improved?

@Jako

This comment has been minimized.

Copy link
Collaborator

Jako commented Dec 8, 2018

It is necessary to put an update method in the core! For security reason! And some warning for insecure extras should be in the core too. For security reason.

@philipwhiuk

This comment has been minimized.

Copy link

philipwhiuk commented Dec 8, 2018

One option is to have a small ‘core’ but then a release that provides a bunch of recommended add ons on top.

@sottwell

This comment has been minimized.

Copy link
Contributor

sottwell commented Dec 8, 2018

Like I said, what, 10 years ago? MODX Lite!

@OptimusCrime

This comment has been minimized.

Copy link
Contributor

OptimusCrime commented Dec 8, 2018

@Jako Update methods for extras already exists, we are debating whether or not we have to place it on the dashboard for everyone to see, including customers that have no technological understanding, and might be confused over what it means. Naturally, it can be hidden, but it seem like extra work for something that should be opt-in in my opinion.

@Jako

This comment has been minimized.

Copy link
Collaborator

Jako commented Dec 8, 2018

@OptimusCrime Ok, it is necessary to put a check for a core update in the core, too (wherever it is displayed). And some webservice where the current available version is requested. Updater and simpleUpdater have their own webservice and UpgradeMODX relies on GitHub which is a bit annoying. I don't see any reason, why this should stay in an extra, that has to be promoted/found and installed separate from the core.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment