[#11689] - [com_joomlaupdate] Make updating from 3.5.1 to 3.6.x possible without steps between
- Fixed in Code Base
- 6 Sep 2016
- Medium
- Build: staging
- # 11689
- Diff
- zero-24:update-test-2
- Success continuous-integration/drone the build was successful Details
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
User tests: Successful: Unsuccessful:
Pull Request for Update Issues since 3.6.2
Summary of Changes
Based on the work by @andrepereiradasilva
With this changes it is possible to update from 3.x direct to 3.6.3
Testing Instructions
- install 2.5.28
- set this update server
http://www.jah-tz.de/downloads/core/list4.xml - Update to 3.5.1 (this step is still needed)
- Update to 3.6.2 with the update provided by the update component
- you need to login to make sure you use this.
confirm you are on 3.6.2
install 3.5.1 (or any other 3.x)
- set the update server
http://www.jah-tz.de/downloads/core/list4.xml - Update to 3.6.2
- you need to login to make sure you use this.
- confirm you are on 3.6.2
Documentation Changes Required
There is no step between 3.* and 3.6.x anymore
There is a step between 2.5 and 3.6.x (3.5.1)
Image
Currently it looks like
I'm happy on any feedback e.g. @wilsonge @mbabker @rdeutz @sinpersister @roland-d on the sec point of the issue as it migrates the sec problem with a login page if that is ok for you guys.
Thanks again to @andrepereiradasilva
joomla-cms-bot
- | Category | ⇒ | Administration Components Language & Strings |
| Status | New | ⇒ | Pending |
| Labels |
Added:
?
?
|
||
@andrepereiradasilva please test the new package. it looks like this now:
3.5.0 -> 3.6.3 => Login
3.6.1 -> 3.6.3 => no Login
Yes but i have currently no git client i hope i can fix this later today or tomorrow.
Sorry for being late to the party. We definitely need the cancel button that you removed :( #11689 (comment) - because if people access this URL directly (the whole point of this security issue) they need a way to easily exit the process and not proceed any further.
Sorry for being late to the party. We definitely need the cancel button that you removed :( #11689 (comment) - because if people access this URL directly (the whole point of this security issue) they need a way to easily exit the process and not proceed any further.
You have several ways to exit :) the joomla admin menu above, the browser address bar, or even close the browser or turn of your computer
But i don't mind the Cancel button as long you have a confirm dialog box to avoid "mistakes".
Please review 1f0e746 @andrepereiradasilva @wilsonge
On code review IMHO it's ok (except for the fact the cancel button doesn't have a confirm js dialog).
Anyway it's your update server sincronized with this latest changes?
Anyway it's your update server sincronized with this latest changes?
done.
Prerequisites: Using Your custom update server or Your custom Update package in com_joomlaupdate
3.5.0 -> Your Custom 3.6.2
-
Upgrade method: Direct from update server
Result: CONFIRM user/pass form at finalise.
3.6.0 -> Your Custom 3.6.2
Upgrade method: Direct from update server
Result: CONFIRM user/pass form at finalise.Upgrade method: Upload & Install
Result: CONFIRM user/pass form at finalise.
3.6.2 -> Your Custom 3.6.2
Upgrade method: Direct from update server
Result: Not possible (already on 3.6.2)Upgrade method: Reinstall Joomla core files
Result: No confirm at finalise.Upgrade method: Upload & Install
Result: No confirm at finalise.
Note: didn't test 3.6.1, 3.5.1 and pre 3.5.0 versions
Thanks
i mean like 3.2.7, 3.4.8 to Your Custom 3.6.2 or something
Doubt: Doesn't com_joomlaupdate manifest needs to be updated too?
i mean like 3.2.7, 3.4.8 to Your Custom 3.6.2 or something
pre 3.2.7
Needs another workarround (3 Logins now wtf) see f64609e
How it works to update to 3.6.3 / How to test 3.2.7 -> 3.6.3
- Install 3.2.7
- set my update server
- click install
- relogin (Finalisation step)
- relogin (Session destroy)
- relogin (Cleanup step)
- Update to 3.6.3
?
3.4.8
Just tested successfull.
@wilsonge please let me know if we should go that route (3 logins if you come from pre and eq 3.2.7) or we should we lock them first to 3.5.1?
So we get 3.2.7 -> 3.5.1 (re login because of the session problem) -> 3.6.3 (relogin because of that problem here).
BTW: Please let us merge that update me first PR #11493 so we have better ways to avoid such problems in the future please!
Is there anything missing in order to test this or is there just no need to implement a more easy update prozess? Or do i miss something about the sec why this can't or should not be implemented?
I have tested this item
Forget to mark the test as success before.
Only tested from 3.5.0 up as commented in #11689 (comment)
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11689.
Thanks
OK I'm happy with this from a code/security perspective. @brianteeman can you just check the language and make sure we are happy with the wording. This screen should only show as a one off updating Joomla from a version less than 3.6.1 to a version greater than 3.6.1. Once Brian's happy I'll get it merged :)
Will check in the morning
seems ok to me
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-09-06 10:06:43 |
| Closed_By | ⇒ | wilsonge |
Thanks!
i'm still not sure we should have a "Cancel" button there ... i mean if people press the "Cancel" then they will have a broken upgrade (final steps are not run). IMO, at least we need a confirm cancel js message with a clear warning if the button stays.