Webdongle - 28 May 2016

Steps to reproduce the issue

  • Navigate to Components >>> Joomla update
  • Click the 'Upload and Update' tab
  • Browse to a 3rd party extension zip, upload and install

Expected result

Install should fail with an error message

Actual result

Installer runs and unpacks the zip, which allows the 3rd party extension to be 'Discovered' and installed.
A success message is displayed:
"Your site has been successfully updated. Your Joomla version is now 3.6.0-alpha2-dev."

System information (as much as possible)

Additional comments

Webdongle - open - 28 May 2016
brianteeman - change - 28 May 2016
Category: Components Installation
rgmears - comment - 28 May 2016

I received a different response. See attached images.

I logged in again but the module I uploaded was NOT installed. I checked "Discover" and it was not found.

[screenshot: joomla-update-manager]

[screenshot: joomla-update-manager-installed]

Joomla 3.6 (updated from 3.5.1) local installation (LAMPP).

Webdongle - comment - 28 May 2016

Nope you received the same response
"Your site has been successfully updated. Your Joomla version is now 3.6.0-alpha"
Just that you are using 3.6.0-alpha not 3.6.0-alpha2-dev.

Did you click 'Discover' in Extensions >>> Discover or just navigate to Extensions >>> Discover?

rgmears - comment - 28 May 2016

But the extension was not installed. Running discover discovered nothing.


Webdongle - comment - 28 May 2016

No ... but the message at the bottom of the screen says
Your site has been successfully updated. Your Joomla version is now

And when I tested the 3rd party extension zip was unzipped.

rgmears - comment - 28 May 2016

Unzipped to where? I cannot find the module I uploaded in either the modules folder or the tmp folder.

Bakual - comment - 28 May 2016

It probably depends on the structure of the zipfile. If the extensions zipfile mimics the location on the server (eg using /components/com_foo in the zip) then discover works afterwards. If there is a different structure, it will be extracted as well but into useless locations. You may want to check your servers files if there are funny folders.

Webdongle - comment - 28 May 2016

I uploaded JCE via the Joomla update component and the files were extracted to /Components etc.

In any case the message on the screen says
Your site has been successfully updated. Your Joomla version is now

rgmears - comment - 28 May 2016

It appears the various files from the module are strewn around the site. The *.php and *.xml files are in the root folder. Various other files (such as *.css and *.png) are in different folders. Not a good idea to do that!

brianteeman - comment - 28 May 2016

Just as it is not a good idea to use something called joomlaupdate component, enter username and password to confirm and read all the warnings, and then do something completely different. YCFS

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

mbabker - comment - 28 May 2016

The update component is NOT triggering the JInstaller extension install library to do the install/update. It uses a separate extraction process than the extension adapters to place files (specifically, it unzips everything to root because that's where the Joomla package lives). Should it be practical/possible to add a safeguard against this (odds are it probably isn't without either filename parsing or extracting the uploaded package to the system temp directory, booting JInstaller, using it to find the package manifest for the uploaded ZIP, then going through a cleanup routine afterwards to not leave clutter in the temp directory), that wouldn't happen. But for the same reasons it's difficult/impractical to redirect the Extension Manager to the update component when you try uploading the core package there, the same arguments apply in reverse for extension packages in the update component.

rgmears - comment - 28 May 2016

YCFS. Agreed @brianteeman. I can't imagine doing that without Kevin having asked someone to replicate the issue. Still, if there is some way to make it not possible, that would be a good thing. Perhaps an MD5 checker or some such as is used to verify that downloads of large files are valid.

rgmears - comment - 28 May 2016

BTW, will it be necessary to go through the second login on future Joomla updates?

andrepereiradasilva - comment - 28 May 2016

besides the YCFS, joomla update should never say "Your site has been successfully updated" if it was not....

brianteeman - comment - 28 May 2016

That's the only part that should be fixed - anything else is a waste of time and resources

rgmears - comment - 28 May 2016

Then the alert should say in brackets:

Are you sure you want to install the file you uploaded? (Not recommended!)

mbabker - comment - 28 May 2016

BTW, will it be necessary to go through the second login on future Joomla updates?

If you're doing the manual upload it looks like yes. Nothing changed if you're doing the download from remote server update path.

Perhaps an MD5 checker or some such as is used to verify that downloads of large files are valid.

Just checking file sizes isn't a good idea. Some of these extension packages could easily match or exceed the 11MB ZIP files Joomla produces. MD5 checking is a major architectural overhaul in both Joomla core and the joomla.org network (architecture to set that up, ensure its security, and ensuring the data isn't compromised in transit for starters), so that's not a strong option either.

What's being reported is borderline architecturally cannot fix. The update component doesn't parse the package as an extension ZIP file and as such that library and its logic never comes into play. Summing up what I said before (here and on the mailing list), any check is essentially going to mean booting up the extension installation library, extracting the package, validating contents, and aborting if conditions aren't met. For someone updating in this manner, it means the Joomla ZIP package is written to the filesystem twice (either extracted to temp and copied from there or extracted to temp, deleted from temp after the validations are done, then extracting to "live" as the normal functions run).

It's the same problem that exists trying to upload the Joomla package to the Extension Manager. Actually even worse there because the Joomla package (finally) is not a valid extension file (no manifest in the root). And again all that pre-processing would have to happen before the install routine starts because the library has no environmental awareness of what component triggered the installation or what rules apply to certain packages.

Are you sure you want to install the file you uploaded? (Not recommended!)

Then I'd say rip out the feature if a blatant "Not recommended" warning is going to be added. The feature was explicitly added for people who did their updates by the Extension Manager way because for whatever reason their site could not reach out to update.joomla.org, find that an update was available by parsing the returned XML files, reaching out to GitHub (which forwards to Amazon S3) to download the ZIP package, and process the update.

joomla update should never say "Your site has been successfully updated" if it was not....

It says "site successfully updated" because it has no idea that some user used the update component to install JCE, patch tester, Akeeba, etc. Its only awareness is of Joomla core packages. Loop back to the above issues to see how you'd cope with the message.

rgmears - comment - 28 May 2016

Then the alert should say in brackets:

Are you sure you want to install the file you uploaded? (Please be aware that this is only for Joomla core installs or updates!)

brianteeman - comment - 29 May 2016

You have already read a message before selecting the zip

You can use this feature to update Joomla if your server is behind a
firewall or otherwise unable to contact the update servers. First download
the Joomla Upgrade Package in ZIP format from the official Joomla
download page https://www.joomla.org/download.html. Then use the fields
below to upload and install it.

Then after selecting the zip you have another message

Are you sure you want to install the file you uploaded?

Make sure that the update file you have uploaded comes from the official
Joomla download page. Afterwards, please confirm that you want to install
it by re-entering the login information for your site below.

and then had to confirm everything that you have done by entering the
username and password - ycfs


Webdongle - comment - 29 May 2016

@brianteeman

You have already read a message before selecting the zip

Yes, but if a user ignores the message they get another message that tells them they have successfully updated. True, we can't account for all PEBKACs, but displaying a message telling the user (that tries to install a 3rd party extension) that they have successfully updated?

Is there no way to recognise if the file name contains 'Stable-Full_Package' or 'Stable-Update_Package' ... before processing the zip file ?

@rgmears

I can't imagine doing that without Kevin having asked someone to replicate the issue

Strictly speaking I was asked to create the tracker after I found it out by experimenting.

When you spend as much time in the forum as I do then you learn to be prepared for users doing stupid things. Yeah agreed YCFS but newbies have so much to learn and understand that overlooking messages (in their panic to fix a broken site) is easily done.

I doubt if any of us here can truthfully say that we have never made stupid mistakes but that's how we learn. But displaying a message saying the site has been successfully updated .. to a user who has made a mistake ... will just add to the confusion of a newbie.

Bakual - comment - 29 May 2016

Is there no way to recognise if the file name contains 'Stable-Full_Package' or 'Stable-Update_Package' ... before processing the zip file ?

That would be an idea, but would restrict us in future to use that specific naming convention.

After reading Michael's explanation I don't think there is a simple solution, and given that there were warnings and an explicit login request before it was processed, I think we can leave it at that. If people on purpose or out of ignorance are going to break their site, then they're going to do that.

rgmears - comment - 29 May 2016

@Webdongle

I was not suggesting that you are stupid Kevin.

Unless I had participated in this conversation I would not have known there are two distinct installers being used by Joomla. The six people here and the 300+ people who have viewed the original discussion on the Joomla! CMS Development Group are not what one would call a significant sample group. I would suggest an additional caveat of some kind on the upload page. And returning a successful message when Joomla has not been updated is wrong.

rgmears - comment - 29 May 2016

Perhaps -- on the second login page -- a check box beside a statement such as "I have read the manual upload instructions." With a link to the instructions.

Bakual - comment - 29 May 2016

a check box beside a statement such as "I have read the manual upload instructions."

Isn't that "checkbox" the same as the login credentials we request? The instructions are on the same page and the page before.

rgmears - comment - 29 May 2016

On the Joomla 3.6.0 Alpha is out thread I commented:

Like many, I suppose, when there is an update I just install it however I need to. If I have trouble then I read the DOCs.

Jim Holloman concurred.

What is being discussed here is a subtle but significant change. Some people will wreck their sites and blame Joomla even though they SHOULD have read the instructions.

And, no, the "checkbox" is not the same as the login credentials request. That just puzzled me. I wondered, "What's that about?"

Bakual - comment - 29 May 2016

And, no, the "checkbox" is not the same as the login credentials request. That just puzzled me. I wondered, "What's that about?"

From the page where you have to enter the credentials again:

Are you sure you want to install the file you uploaded?
Make sure that the update file you have uploaded comes from the official Joomla download page. Afterwards, please confirm that you want to install it by re-entering the login information for your site "Joomla 3.5" below.

I think the checkbox would do exactly the same as this and people who don't read stuff will just check it as always with those AGB stuff.

rgmears - comment - 29 May 2016

But the problem being discussed here is that the Joomla updater is distinct from the extensions installer/updater. If all someone is doing is updating Joomla core files then there is no problem and the second login is -- as I said -- puzzling.

[screenshot: joomla-update-warning]

This warning needs to be bigger and worded differently. And so does the subsequent page.

Even though @brianteeman is correct -- YCFS -- stupid blames the other, invariably.

mbabker - comment - 29 May 2016

Is there no way to recognise if the file name contains 'Stable-Full_Package' or 'Stable-Update_Package' ... before processing the zip file ?

That's not safe enough. If one of the language distros or any extension uses the same naming convention, it would still pass. The only safe way is basically going through the extension install API to validate the package, and that's adding a lot of overhead to the request to the point on the cheap hosts that people flock to you have to legitimately start considering timeout issues (I don't know how memory intensive extracting a ZIP package, scanning a directory for a manifest, loading it into memory as a SimpleXMLElement object, and then deleting that temp extraction is but that could possibly be a concern too on lower end systems).

This warning needs to be bigger and worded differently. And so does the subsequent page.

That warning isn't part of the Joomla core; that's a snapshot from https://www.joomla.org/download.html
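mbabker's point above (and Bakual's earlier note that an extension ZIP mimicking the server layout extracts "successfully") is that the update component never looks inside the package, and that a filename check is not safe. As an added illustration, not Joomla's code, the following Python reads only the ZIP central directory rather than extracting anything: it assumes a Joomla 3.x core package can be recognised by administrator/manifests/files/joomla.xml and an extension package by a root-level manifest whose root element is <extension>, and it also rejects entries that would land outside the extraction root. The sample archives and the helper names (classify_upload, build_zip) are constructed for this example.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Files manifest that sits at the root of a Joomla 3.x core package; extension
# packages do not carry it. (Assumption: this single marker is enough to tell
# the two apart; the real update component performs no such check.)
CORE_MANIFEST = "administrator/manifests/files/joomla.xml"


def classify_upload(zip_bytes):
    """Read the ZIP central directory only, nothing is extracted.

    Returns ("core", None), ("extension", manifest_name) or ("reject", reason).
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ("reject", "not a zip archive")
    names = zf.namelist()

    # An updater that unpacks straight into the site root must refuse entries
    # that would land outside it (absolute paths, backslashes, '..' segments).
    for name in names:
        if (name.startswith("/") or "\\" in name
                or posixpath.normpath(name).split("/")[0] == ".."):
            return ("reject", "unsafe entry path: " + name)

    if CORE_MANIFEST in names:
        return ("core", None)

    # Extension packages carry their manifest XML at the ZIP root.
    for name in names:
        if "/" not in name and name.lower().endswith(".xml"):
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            if root.tag == "extension":
                return ("extension", name)
    return ("reject", "no Joomla core manifest found")


def build_zip(entries):
    """Build an in-memory ZIP from {path: bytes} (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample archives, not real Joomla or extension downloads.
SAMPLE_CORE = build_zip({CORE_MANIFEST: b'<extension type="file"/>',
                         "index.php": b"<?php // core"})
SAMPLE_MODULE = build_zip({"mod_example.xml": b'<extension type="module"/>',
                           "mod_example.php": b"<?php // module"})
SAMPLE_MIMIC = build_zip({"components/com_example/example.php": b"<?php"})
SAMPLE_TRAVERSAL = build_zip({"../../outside.php": b"<?php"})
```

This is cheaper than booting JInstaller because nothing is written to disk, but it still only decides what to do before extraction; the thread's point that the success message itself cannot tell what was installed stands.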

rgmears - comment - 29 May 2016

I know where the WARNING comes from.

The colour orange, where I come from, is used to indicate poison or toxic. And the word WARNING underscores that, which is not what is being conveyed. Something like this may be better:
[screenshot: joomla-update-notice]

Even still, the issue isn't that people can upload Joomla updates, if need be, in the Joomla core updater. The issue is to prevent the odd person from using the Joomla updater to install other extensions.

brianteeman - comment - 29 May 2016

You will never be able to prevent odd people doing odd things.

rgmears - comment - 30 May 2016

@brianteeman
In Canada the phrase "the odd person" does not refer to "odd" people. It means someone out there.

Webdongle - comment - 30 May 2016

@rgmears
In the UK 'the odd person' also means the same. The phrase 'An odd person' refers to 'odd' people.

But semantics aside ...

  • How many users are going to try installing that way?
  • And is it worth all the problematic coding to prevent it happening?

Probably only a few and the fix (if the mistake is made) will only take about 20 mins. It's just the 'Success' message that needs changing imho

rgmears - comment - 30 May 2016

@Webdongle

It's just the 'Success' message that needs changing imho

Agreed.

Still that initial documentation page is very off-putting. But that's a separate issue.

mbabker - comment - 30 May 2016

It's just the 'Success' message that needs changing imho

Without knowing what package is installed though it's hard to say "don't show the 'successfully updated' part of the message if user gave an extension package". So it's either always use that message regardless of what the user uploaded or never use it at all.

Webdongle - comment - 30 May 2016

@mbabker

Without knowing what package is installed though it's hard to say "don't show the 'successfully updated' part of the message if user gave an extension package". So it's either always use that message regardless of what the user uploaded or never use it at all.

But at the top of the screen it triggers a message 'refresh manifest cache ... extension not installed'.
Is it not possible to use what detects that to trigger an IFELSE for the success message?

mbabker - comment - 30 May 2016

The refresh manifest cache step is done as part of the post-update processing for core to refresh the manifest caches of all core extensions. That step happens regardless of update path so it can't be used to tell the manual upload step anything viable, plus then it couples the update script to a very specific implementation of the update paths.

The only way to make that level of detection work is to get the JInstaller library involved. It's very taxing to do that though. My patch I added a bit ago for detecting a Joomla core package in the Extension Manager works because com_installer triggers code that causes the ZIP package to be extracted before ever booting JInstaller, so it's already unpacked the large Joomla ZIP into the temp directory and we can scan its contents from there.

Webdongle - comment - 31 May 2016

@mbabker

So it's either always use that message regardless of what the user uploaded or never use it at all

If I understand you correctly ...

A message telling the user that their site has been successfully updated ... is displayed irrespective of whether or not the site has been updated ?

mbabker - comment - 31 May 2016

If the user uploaded a ZIP package to the manual upload part of the update component and the process completes successfully, then yes, that message will be displayed. In an error condition the appropriate message is displayed.

The site may have been updated to a newer version or it may have had the current version's files re-installed and the full post-update routine executed. In either scenario you're doing an update to the site in some form. The scenario that's the issue, which we've already beaten like a dead horse, is user uploading an extension package.

brianteeman - change - 3 Aug 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-08-03 10:34:43
Closed_By: brianteeman
