NunoLopes96
17 Aug 2017

Introduction

Currently there is no clear overview of which extensions have download keys, which make users download their extensions with an extra_query that includes their key to allow the download. Developers are currently hacking this system by creating their own view to add a download key to the extra_query field in the #__update_sites table (example of an extra_query field: dlid=%s&dummy=my.zip, where %s is the download key).
Each extension developer may have a different way to build this extra query, so the idea is to make a view to manage and insert the download keys of all extensions in a single view in com_installer.

Testing Instructions

Here are the extensions to test the feature:

Component

Plugin:
plg_csviaddon_virtuemart_csvi_7.1.0.zip

Template:
jpeople.zip

Module:
mod_weblinks.zip

Package:
pkg_weblinks_3.4.1-changelog (3).zip

Library:
lib_fof30-3.1.0-changelog (1).zip

File:
cli2zoombie.zip

To allow the prefix and suffix of the download key you need to have a <dlid> tag with prefix and sufix in your installation file (here lists.xml) like this:

<dlid prefix="dlid=" sufix="&amp;dummy=my.zip"/>
(note: remember to close />)

Install the component and go to Extensions -> Download Keys Manager

screenshot from 2017-07-16 17-57-50

You will not create or delete download keys, so there will be only the edit button. The Download Key you see has the prefix and the suffix hidden, so the extra_query of this extension is:

dlid=asd123asd&dummy=my.zip

In the edit view, you will also have the prefix and suffix hidden, so the user doesn't have to worry about that.
Only the developer will be responsible for defining the prefix and suffix of the download key:

screenshot from 2017-07-16 18-03-32

Modal button in com_plugins

The Downloadkeys view will probably not be known to all users, so to reinforce this new feature, a new modal button can be added to the extension when opened in com_plugins:

screenshot from 2017-07-24 18-43-23

Every plugin that has an update_site linked to it and a <dlid> tag in its XML installation file will pop this Download Key button in the toolbar, which will open a remote iframe to the DownloadKey view:

screenshot from 2017-07-24 18-48-40

screenshot from 2017-07-24 18-49-41

Modal button in com_modules

The same will also happen for modules, working the same way as in com_plugins:
You can try this extension with an invalid updatesite and dlid for testing purposes:
mod_weblinks.zip

screenshot from 2017-07-25 22-27-52
screenshot from 2017-07-25 22-28-23
screenshot from 2017-07-25 22-28-50

Expected result

A simple and intuitive way for the user to manage his download keys, and less work for the developers to create a view to generate the extra_query.

Actual result

Documentation Changes Required

b1674fd 16 Jul 2017 NunoLopes96 phpcs
120f6c1 25 Jul 2017 NunoLopes96 phpcs
b03260f 17 Aug 2017 NunoLopes96 merge
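
An added example, not code from this pull request or from Joomla: it shows in PHP 8 how the prefix and sufix attributes of a <dlid> tag turn a bare key into the extra_query given in the description, and how the bare key is recovered from a stored extra_query and masked for display. The function names, the allowed key characters and the masking rule are assumptions.

```php
<?php
// Added example (PHP 8+); function names are hypothetical, not Joomla's API.

/** Read the prefix/sufix attributes of the <dlid> tag in an install manifest. */
function readDlidTag(string $manifestXml): ?array
{
    libxml_use_internal_errors(true); // malformed XML returns false, no warnings
    $xml = simplexml_load_string($manifestXml);
    if ($xml === false || !isset($xml->dlid)) {
        return null; // no <dlid> tag: the extension uses no download key
    }
    return ['prefix' => (string) $xml->dlid['prefix'],
            'suffix' => (string) $xml->dlid['sufix']]; // spelling as in the PR
}

/** Build extra_query. The key character set is an assumption; it keeps a key
 *  from carrying "&" or "=" and adding parameters to the update request. */
function buildExtraQuery(array $dlid, string $key): string
{
    if (preg_match('/\A[A-Za-z0-9._-]+\z/', $key) !== 1) {
        throw new InvalidArgumentException('Download key has disallowed characters');
    }
    return $dlid['prefix'] . $key . $dlid['suffix'];
}

/** Strip prefix and suffix from a stored extra_query to get the bare key. */
function extractKey(array $dlid, string $extraQuery): ?string
{
    $keyLen = strlen($extraQuery) - strlen($dlid['prefix']) - strlen($dlid['suffix']);
    if ($keyLen < 1 || !str_starts_with($extraQuery, $dlid['prefix'])
        || !str_ends_with($extraQuery, $dlid['suffix'])) {
        return null; // row was not written with this manifest's prefix/suffix
    }
    return substr($extraQuery, strlen($dlid['prefix']), $keyLen);
}

/** Show only the last four characters of longer keys in list views. */
function maskKey(string $key): string
{
    $visible = strlen($key) > 8 ? 4 : 0;
    return str_repeat('*', strlen($key) - $visible) . substr($key, strlen($key) - $visible);
}

// Constructed sample manifest, using the tag from the PR description.
$manifest = '<extension type="component"><name>lists</name>'
    . '<dlid prefix="dlid=" sufix="&amp;dummy=my.zip"/></extension>';
$dlid  = readDlidTag($manifest);
$query = buildExtraQuery($dlid, 'asd123asd');
echo $query, PHP_EOL;
echo maskKey(extractKey($dlid, $query)), PHP_EOL;
```
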
joomla-cms-bot - change - 17 Aug 2017
Category Administration com_installer com_modules com_plugins Language & Strings Modules Libraries
NunoLopes96 - open - 17 Aug 2017
NunoLopes96 - change - 17 Aug 2017
Status New → Pending
NunoLopes96 - change - 17 Aug 2017
Labels Added: ? ?
brianteeman - comment - 17 Aug 2017

Not going to comment on every xml codestyle error
Please review https://developer.joomla.org/coding-standards/xml.html

brianteeman - comment - 20 Aug 2017

Can you look at resolving the conflicts so that this can be tested please.

joomla-cms-bot - change - 21 Aug 2017
Category Administration com_installer com_modules com_plugins Language & Strings Modules Libraries → Administration com_installer com_modules com_plugins Language & Strings Libraries
roland-d - assigned - 5 Mar 19
roland-d - comment - 4 Apr 2019

@wilsonge I started refactoring this for J4.

franz-wohlkoenig - change - 11 Apr 2019
Category Administration com_installer com_modules com_plugins Language & Strings Libraries → Administration com_installer com_modules com_plugins Libraries
roland-d - comment - 14 Jul 2019

Closing this in favour of #25553

roland-d - change - 14 Jul 2019
Status Pending → Closed
Closed_Date 0000-00-00 00:00:00 → 2019-07-14 15:54:33
Closed_By roland-d
roland-d - close - 14 Jul 2019
joomla-cms-bot - change - 14 Jul 2019
Category Administration com_installer com_modules com_plugins Libraries → Administration com_installer com_modules com_plugins Language & Strings Libraries
ka3media - comment - 15 Oct 2019

As far as I can see the keys will be shown and stored in the clear.

From my practical experience there are several situations where you use your own key for client pages or nonsalaried work (for example for a club). And you are not always able to hide it using user access.

This will be a problem with normal keys, but a critical problem if those keys are related to volume-based billing, e.g. picture optimizing.

Is there a way to hash the keys or at least hide them in the backend?

brianteeman - comment - 15 Oct 2019

@ka3media please create a new issue for your question. Closed issues are rarely seen

roland-d - comment - 15 Oct 2019
