Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#28462] - [4.0] Add locked field to extensions table, prevent uninstalling core extensions, restructure protected extension list

? ? ? ? Pending

User tests: Successful: Unsuccessful:

avatar Quy
Quy
26 Mar 2020

Porting of PR #17219 to J4

All credits to @mbabker. Thank you!

Thanks @richard67 for updating the SQL files.

Text below copied from PR #17219.

Summary of Changes

This is PR #13037. See the original PR for added context and past conversation.

The long and short is this adds a new field, locked, to the extensions table, and splits the current definition of the protected field. This also updates the protected extension list to make the list only include admin components, core libraries, and the files extension that Joomla tracks itself with (this means all modules and plugins are now unprotected and can be enabled/disabled consistently).

Current:

  • protected indicates an extension which cannot be disabled or uninstalled

New:

  • protected indicates an extension which cannot be disabled

  • locked indicates an extension which cannot be uninstalled

Why This Distinction Matters

Uninstalling core extensions can be problematic, and honestly it's not very effective given our current packaging and upgrading solutions. Even if you do uninstall the extensions, they end up back on your site's filesystem during the update process because we don't make the package extraction step aware of the database and inherently the installed extensions. Also, uninstalling components takes their tables with them, and if an update includes a SQL delta for one of those tables, it causes the update to fail over. So we should take an extra step to protect users from doing things that could be dangerous for their sites. Next, an uninstallable extension should not mean that the extension must be enabled. The only extensions which should be protected are those which if disabled would critically bring down the site, every other aspect of the extension listing should be controllable by the site administrator.

Testing Instructions

It needs to test the same changes in 2 scenarios:

  1. New installation with this PR applied.
  2. Update from 3.10-dev or 3.10-alpha to J4 + this PR with a patched updated package.

Then, after the new installation or the update, it needs to test in both cases:

  • The user should be unable to uninstall any core extension (on a correct install this is any extension with an ID less than 10000).
  • The user should not be able to disable extensions which are critical to the management of the site (i.e. the extension manager, plugin manager, or update component, any of the libraries, or Joomla files extension) or are coupled to the core application stack (i.e. com_categories or com_content). All other extensions should be able to be disabled through the Extension Manager interface.

For scenario 1 new installation, apply the patch of this PR to a clean 4.0-dev branch when having a git clone, or use the patched full package download for this PR (see below).

For scenario 2, use the patched update package download for this PR (see below).

You can find a link to the downoads page when expanding the test results at the bottom of this PR on GitHub, if not already expanded:
j4-pr-28462-link-to-packages-1

j4-pr-28462-link-to-packages-2

The link leads to a download page where you can donwnload patched installation and update packages for this PR. By the commit number you can check if they fit to the last commit of this PR, i.e. they are up to date:
j4-pr-28462-link-to-packages-3

There is also a custom update URL given for the update package so you can use the online update with that custom URL.

Btw. this is a standard feature for new or newly modified PR's on the 4.0-dev branch, so it can be used in the same way for testing other PR's, too.

Documentation Changes Required

We should probably add a page explaining the various extension states and what these columns exist for if one doesn't already exist.

avatar Quy Quy - open - 26 Mar 2020
avatar Quy Quy - change - 26 Mar 2020
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 26 Mar 2020
Category SQL Administration com_admin Postgresql com_installer Language & Strings Installation
avatar alikon
alikon - comment - 26 Mar 2020

i guess we need to add com_privacy & com_actionlogs to the list of core component

avatar alikon
alikon - comment - 26 Mar 2020

plus com_csp

avatar richard67
richard67 - comment - 26 Mar 2020

And someone has to check PostgreSQL, system tests for postgres are failing in drone. I don't have time now.

avatar richard67
richard67 - comment - 26 Mar 2020

List of core extension here should be up to date, so just use this as master: https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/Extension/ExtensionHelper.php#L46.

(posted wrong link for staging before, now is correct 4.0-dev)

avatar brianteeman
brianteeman - comment - 26 Mar 2020

it seems crazy to me that we have one hard coded list already and to add a second one is even more bizarre

avatar richard67
richard67 - comment - 26 Mar 2020

@Quy See Quy#1 for fixing system-test-postgresql in drone.

avatar richard67
richard67 - comment - 26 Mar 2020

@Quy I think @alikon is right, they are missing in the update sql's.

avatar Quy Quy - change - 26 Mar 2020
Labels Added: ? ?
avatar richard67
richard67 - comment - 26 Mar 2020

@alikon @wilsonge Update sql is up to date now ?

avatar richard67
richard67 - comment - 26 Mar 2020

What remains to be done is to check and if necessary update the list of core extensions in section "Now protect from disabling essential core extensions" at the bottom of the update sql. These values for protected and enabled should be the same as in joomla.sql I think.

avatar richard67
richard67 - comment - 26 Mar 2020

What remains to be done is to check and if necessary update the list of core extensions in section "Now protect from disabling essential core extensions" at the bottom of the update sql. These values for protected and enabled should be the same as in joomla.sql I think.

@Quy See Quy#2.

avatar Quy Quy - change - 26 Mar 2020
Labels Added: ?
avatar richard67
richard67 - comment - 26 Mar 2020

@Quy You can remove the sentence about SQL files to be reviewed from the description since I’ve reviewed them.

avatar Quy Quy - change - 26 Mar 2020
The description was changed
avatar Quy Quy - edited - 26 Mar 2020
avatar richard67 richard67 - change - 28 Mar 2020
The description was changed
avatar richard67 richard67 - edited - 28 Mar 2020
avatar richard67 richard67 - change - 28 Mar 2020
The description was changed
avatar richard67 richard67 - edited - 28 Mar 2020
avatar richard67 richard67 - change - 28 Mar 2020
The description was changed
avatar richard67 richard67 - edited - 28 Mar 2020
avatar richard67 richard67 - change - 28 Mar 2020
The description was changed
avatar richard67 richard67 - edited - 28 Mar 2020
avatar richard67 richard67 - change - 28 Mar 2020
The description was changed
avatar richard67 richard67 - edited - 28 Mar 2020
avatar ReLater
ReLater - comment - 29 Mar 2020

I have tested this item successfully on 793bd1d

avatar ReLater ReLater - test_item - 29 Mar 2020 - Tested successfully
avatar ReLater
ReLater - comment - 29 Mar 2020

Addition to test: #28462 (comment)

=============
System Information

php: Linux dd46134 4.15.0-91-generic #92~16.04.1-Ubuntu SMP Fri Feb 28 14:57:22 UTC 2020 x86_64
dbserver: mysql
dbversion: 5.7.28-nmm1-log
dbcollation: utf8_general_ci
dbconnectioncollation: utf8mb4_general_ci
dbconnectionencryption:
dbconnencryptsupported: true
phpversion: 7.4.2
server: Apache
sapi_name: fpm-fcgi
version: Joomla! 4.0.0-beta1-dev+pr.28462 Development [ Mañana ] 17-October-2019 20:21 GMT
useragent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0

avatar astridx
astridx - comment - 29 Mar 2020

Scenario 1 Mysql and Postgres

  1. I applied this patch and made a new installation.
  2. I tried to uninstall a lot of core extensions and get all the time the message that it is not possible.
    Extensions Manage test Administration(3)
  3. Then I installed one of my extensions. Uninstalling this extension was possible.

By the way I wonder why there is sometimes a icon that shows to you, that the extension is protected and sometimes this icon is missing. I know that this icon is for protecting publishing and unpublished. But it is a little bit confusing for new Joomlers.
Extensions Manage test Administration(2)

System Information
php: Linux astrid-TravelMate-5760G 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64
dbserver: mysql
dbversion: 5.7.29-0ubuntu0.18.04.1
dbcollation: utf8mb4_unicode_ci
dbconnectioncollation: utf8mb4_general_ci
dbconnectionencryption:
dbconnencryptsupported: true
phpversion: 7.2.28-3+ubuntu18.04.1+deb.sury.org+1
server: Apache/2.4.29 (Ubuntu)
sapi_name: apache2handler
version: Joomla! 4.0.0-beta1-dev+pr.28462 Development [ Mañana ] 17-October-2019 20:21 GMT
useragent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

System Information
php: Linux astrid-TravelMate-5760G 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64
dbserver: postgresql
dbversion: 12.2 (Ubuntu 12.2-2.pgdg18.04+1)
dbcollation: en_GB.UTF-8
dbconnectioncollation: en_GB.UTF-8
dbconnectionencryption: TLSv1.3 (TLS_AES_256_GCM_SHA384)
dbconnencryptsupported: true
phpversion: 7.2.29-1+ubuntu18.04.1+deb.sury.org+1
server: Apache/2.4.29 (Ubuntu)
sapi_name: apache2handler
version: Joomla! 4.0.0-beta1-dev+pr.28462 Development [ Mañana ] 17-October-2019 20:21 GMT
useragent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

avatar Quy
Quy - comment - 29 Mar 2020

@astridx Please read Why This Distinction Matters section for explanation.

avatar astridx
astridx - comment - 29 Mar 2020

Scenario 2 MySQL and Postgres

  1. I downloaded the current nightly build of 3.10 from here: https://developer.joomla.org/nightly-builds.html
  2. After that I made an update with the zip of this patch: Joomla_4.0.0-beta1-dev+pr.28462-Development-Full_Package.zip
  3. I tried to uninstall a few core extensions. It was not possible.
  4. I installed my own extension and I was allowed to uninstall it.

By the way: After the update I saw this errors using postgres and using mysql.
Joomla Update test Administration(1)
Extensions Manage test Administration(5)

System Information
php: Linux astrid-TravelMate-5760G 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64
dbserver: postgresql
dbversion: 12.2 (Ubuntu 12.2-2.pgdg18.04+1)
dbcollation: en_GB.UTF-8
dbconnectioncollation: en_GB.UTF-8
dbconnectionencryption: TLSv1.3 (TLS_AES_256_GCM_SHA384)
dbconnencryptsupported: true
phpversion: 7.2.29-1+ubuntu18.04.1+deb.sury.org+1
server: Apache/2.4.29 (Ubuntu)
sapi_name: apache2handler
version: Joomla! 4.0.0-beta1-dev+pr.28462 Development [ Mañana ] 17-October-2019 20:21 GMT
useragent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
php: Linux astrid-TravelMate-5760G 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64
dbserver: postgresql
dbversion: 12.2 (Ubuntu 12.2-2.pgdg18.04+1)
dbcollation: en_GB.UTF-8
dbconnectioncollation: en_GB.UTF-8
dbconnectionencryption: TLSv1.3 (TLS_AES_256_GCM_SHA384)
dbconnencryptsupported: true
phpversion: 7.2.29-1+ubuntu18.04.1+deb.sury.org+1
server: Apache/2.4.29 (Ubuntu)
sapi_name: apache2handler
version: Joomla! 4.0.0-beta1-dev+pr.28462 Development [ Mañana ] 17-October-2019 20:21 GMT
useragent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

System information
php: Linux astrid-TravelMate-5760G 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64
dbserver: mysql
dbversion: 5.7.29-0ubuntu0.18.04.1
dbcollation: utf8_general_ci
dbconnectioncollation: utf8mb4_general_ci
dbconnectionencryption:
dbconnencryptsupported: true
phpversion: 7.2.29-1+ubuntu18.04.1+deb.sury.org+1
server: Apache/2.4.29 (Ubuntu)
sapi_name: apache2handler
version: Joomla! 4.0.0-beta1-dev+pr.28462 Development [ Mañana ] 17-October-2019 20:21 GMT
useragent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

avatar Quy
Quy - comment - 29 Mar 2020

#28510 For the first issue.
#28505 Fixed for the second issue.

avatar astridx
astridx - comment - 29 Mar 2020

Que #28510 For the first issue.
#28505 Fixed for the second issue.

Thank you. I was just thinking about opening new issues :)

avatar astridx
astridx - comment - 29 Mar 2020

I have tested this item successfully on 793bd1d

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28462.

avatar astridx astridx - test_item - 29 Mar 2020 - Tested successfully
avatar Quy Quy - change - 29 Mar 2020
Status Pending Ready to Commit
avatar Quy
Quy - comment - 29 Mar 2020

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28462.

avatar wilsonge wilsonge - change - 31 Mar 2020
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2020-03-31 13:42:13
Closed_By wilsonge
Labels Added: ?
avatar wilsonge
wilsonge - comment - 31 Mar 2020

Thanks guys!

avatar infograf768
infograf768 - comment - 1 Apr 2020

Any reason to lock the Language Switcher module and not the Language Filter system plugin?

avatar infograf768
infograf768 - comment - 1 Apr 2020

See issue #28527

Add a Comment

Login with GitHub to post a comment