I clearly see the use case for this. But might it not be against the whole idea of automated updates when a plugin can stop it. I see this problematic when a high security release is shipped and a plugin blocks the update. Leaves a site vulnerable for an amount of time. Not saying this is a bad idea, but needs probably also some way to ignore it in emergency cases.

But might it not be against the whole idea of automated updates when a plugin can stop it

Allowing users to disable automated updates is also aginst the whole idea ;)

At the end of the day, we can only offer the service as an option, it's up to the users to decide if and how they use it.

In my opinion the feature should be fully transparent.
User must be able to look the configuration and clearly say "is it enabled" or "is it disabled", nothing in between.

Because for example when I enable autoupdate, and it suddenly stop working because some extension decided to stop it, what should I do, how I find a reason? I will go to Joomla and complain "your stuff is broken".
It going to be a negative experience for end User.

User must be able to look the configuration and clearly say "is it enabled" or "is it disabled", nothing in between.

So, how would that work with the mentioned example of a backup extension enforcing a backup created within the last x hours? It's a pretty obvious usecase. Should that extension disable the respective parameter in the config of com_joomlaupdate?

I think some kind of lock file, method that is often used for avoiding such conflicts.
User also can check for they present in case of misbehavior.

Probably 2:
update.lock for active update process, when it is present then the backup extension do not start;
backup.lock for active backup process, when it is present then the update (and autoupdate) do not start;

But we would need a lockfile per extension to avoid locks of extension A being cleared by extension B, so that quickly becomes complex. It would also require extensions to do periodic checks if the update conditions are still met to write that lockfile upfront, leading to potential race-condition-like situations where an update could be installed now, but the extension has not cleared the lock yet.

I'm not necessarily against it, just trying to weight effort (for initial implementation and maintenance) against the extra benefit.

But we would need a lockfile per extension to avoid locks of extension A being cleared by extension B, so that quickly becomes complex.

Hm, why? we just need one, for common agreement the backup extension will use the one. it could hold timestamp, and extension name when needed, but could work just empty.

upd: I mean, internally each backup extension could use anything, own lock file etc. But for Joomla they have to provide the lock file that we agree.

hm, but if the following message is logged somewhere

Then use the event is probably fine

hm, but if the following message is logged somewhere

You mean logfile-like logging? Or something that's UI-accessible?

You mean logfile-like logging? Or something that's UI-accessible?

Log file.
Could also be something in our Actionlog. Similar as we have for update.

I have one: currently: 5.4.0-alpha3-dev
I did the following:
Update Server: Standard

Autoupdatepreventer Zip installed & activated.
Automated Updates: activated.
I also received an update token after saving the second time.
Patch activated (= OK?)
I don't know (yet) whether my steps were/are OK or whether they were successful.
(I just didn't understand the last few posts).

Update Server: Standard

@ChristineWk Did you install Alpha Update Server plugin from 45540? If you install it, then you are using the Alpha Joomla Update Server:

After installation of the plugin, you can try Joomla check for (manual) update and version 5.4.110 will be offered. Do not install manually! Enable automated updates and within 24 hours the update should be done and you will receive an email like I did last night. Good luck

@muhme Thank you for your information!

• I installed Alpha Update Server and it was automatically activated. It was not visible in Update Source.

• After (re)enabling Automated Updates:

• Error while registering to automated update service: cURL error 28: Failed to connect to my site port 443 after 5001 ms: Timeout was reached (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://my site /api/index.php/v1/joomlaupdate/healthcheck (500).

• I tried again and now it appears hurray:

• Should I do Start update? I haven't done it yet.
• I haven't activated Patch Tester. Should I do now?
  Because: It should prevent the update via the Autoupdatepreventer zip. Correct?
  Sorry if I'm doing something wrong.

@ChristineWk I assume it's a publicly available site, not a local instance, correct?

@ChristineWk I assume it's a publicly available site, not a local instance, correct?

Yes (sorry) it's a public test-site.

@ChristineWk

It was not visible in Update Source.

It is visible if you go to System > Plugins > System - Alpha Update Server

Should I do Start update?

No, this is the manual Joomla update. You have to wait 24 hours for automated update happens.

Once the Automated Update was successul, then you have verified Automated Update is working without this PR. Next step is to install again fresh, this time from full package build (see All checks passed > Download > Joomla_5.4.0-alpha3-dev+pr.45696-Development-Full_Package.zip or having standard 5.4-dev installation and install Patch Tester and Apply Patch 45696. Then you install and enable the demo plugin plg_autoupdatepreventer.zip. No automatic update should take place within the next 24 hours. You can also test that with this PR and without plg_autoupdatepreventer the Automated Update is still working.

@ChristineWk your webhost is blocking incoming connections from the update server

@muhme
Thank you again for your informations! David is so kind to take a look.

Thank you: @SniperSister
David: Aha, yes, how can I prevent this? :-)

So, current status:
Version 5.4.110 is available. I'm not updating!
Automated updates are enabled.
Thanks for your help!
I had trbls with host.

The 24 hours should be over.
No automatic update has taken place.
The update to 5.4.110 is still being offered (currently).

@ChristineWk as far as I can see, the site has just been updated to 5.4.100 - can you please double check?

@ChristineWk as far as I can see, the site has just been updated to 5.4.100 - can you please double check?
Done!
You're right. Now I see:

Phew... now there's part 2 open, oh, oh. "Next step" from Muhme ...

Thanks for your help

Tried to install:
Download > Joomla_5.4.0-alpha3-dev+pr.45696-Development-Full_Package.zip

No success at the moment (after attempting to update the package in backend)

BTW. demo plugin plg_autoupdatepreventer.zip. It's been installed and activated since yesterday.

Last night I tried a new Joomla with the package mentioned above. There were server issues, so it's not finished yet.

I have tested this item 🔴 unsuccessfully on b4db17b

Installed fresh from Joomla_5.4.0-alpha3-dev+pr.45696-Development-Full_Package.zip two times joomla-test.heikol.de and joomla-test2.heikol.de

• Installed additional plg_system_autoupdatepreventer and enabled (only on joomla-test.heikol.de)
• Log Almost Everything enabled
• Installed additional System - Alpha Update Server
• Checked with Joomla Update to Joomla! 5.4.110 is available (note: have to do it second time after fixing database)
• Enabled Automated Update
• ✅ 1st site (with enabled plg_system_autoupdatepreventer) is not updated
• ✅ 2nd site is updated to 5.4.110 and email was sent
• ❌ 1st site is sending confusing email 9:00 UTC 16 July (joomla_update.php log contains only 4 times download:

Your site could not be updated from 5.4.0-alpha3-dev+pr.45696 to 5.4.0-alpha3-dev+pr.45696.
Please check the logfile '/administrator/logs/joomla_update.php' for further debugging information.

Additional observations:

• Automated Update was disabled over night, I re-enabled it in the Morning
• In the everything.log both sites have error message all 15 minutes

2025-07-16T03:45:14+00:00       CRITICAL 52.14.131.139  error   Uncaught Throwable of type Tobscure\JsonApi\Exception\InvalidParameterException thrown with message "Invalid token". Stack trace: #0 [ROOT]/api/components/com_joomlaupdate/src/Controller/HealthcheckController.php(52): Joomla\Component\Joomlaupdate\Api\Controller\BaseController->validateUpdateToken()
#1 [ROOT]/libraries/src/MVC/Controller/BaseController.php(730): Joomla\Component\Joomlaupdate\Api\Controller\HealthcheckController->show()
#2 [ROOT]/libraries/src/Dispatcher/ApiDispatcher.php(61): Joomla\CMS\MVC\Controller\BaseController->execute()
#3 [ROOT]/libraries/src/Component/ComponentHelper.php(361): Joomla\CMS\Dispatcher\ApiDispatcher->dispatch()
#4 [ROOT]/libraries/src/Application/ApiApplication.php(433): Joomla\CMS\Component\ComponentHelper::renderComponent()
#5 [ROOT]/libraries/src/Application/ApiApplication.php(116): Joomla\CMS\Application\ApiApplication->dispatch()
#6 [ROOT]/libraries/src/Application/CMSApplication.php(304): Joomla\CMS\Application\ApiApplication->doExecute()
#7 [ROOT]/api/includes/app.php(50): Joomla\CMS\Application\CMSApplication->execute()
#8 [ROOT]/api/index.php(31): require_once('...')
#9 {main}

• 16.7. 8:05 EST test2 Automated Updates are disabled??? -> enabled

  ---

  _{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45696.}

@muhme that's a pretty wild mess, so let's sort it out:

1st site is sending confusing email 9:00 UTC 16 July

Code-wise that's expected: the automated update failed because it was blocked by the plugin, so the site owner is notified about the failure.

In the everything.log both sites have error message all 15 minutes

Expected behavior: your test sites are currently registered twice in the update server, with both the old and the new update token; the update server will re-try "unconnected" sites with the old token for a grace period and then remove them if the connection can not be restored

Automated Update was disabled over night, I re-enabled it in the Morning

Can you provide the params of the com_joomlaupdate extension from the DB in that "disabled" state?

Can you provide the params of the com_joomlaupdate extension from the DB in that "disabled" state?

Side note: that's unrelated from this PR, so let's have a separate ticket for it please

Finally, I installed a new Jooma with the J 5.4.0-alpha3-dev .... above package.
Before that, I had problems uploading FTP.

When activating Automated Updates, I received and continue to receive an error message:

Error while registering to automated update service: cURL error 28: Failed to connect to .......... at port 443 after 5000 ms: Timeout was reached (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://...... /api/index.php/v1/joomlaupdate/healthcheck (500)

The reason: The host is blocking the update server.
I wrote to the host (repeatedly):

The IP ..... belongs to the update server of the Joomla project (joomla.org) and must therefore be permanently approved. The server performs regular status checks and updates Joomla pages; these are therefore automated processes.
Please add the IP to a permanent whitelist

Unless that's OK, I can't proceed.

@ChristineWk I can confirm that the plugin works on your site, the update server is unable to start the available update because the plugin blocks it.

I'm a little confused after multiple installations. Do you mean B. site? :-)
If so, I thought you could only check after the 24 hours are up?
Thank you.

Do you mean B. site? :-)

Yes

Can you provide the params of the com_joomlaupdate extension from the DB in that "disabled" state?

Side note: that's unrelated from this PR, so let's have a separate ticket for it please

Next time it happens again, I will not continue and create an issue. thx

@SniperSister We have PHPstan errors here: https://github.com/joomla/joomla-cms/actions/runs/16826769169/job/47665049300?pr=45696

Another attempt to test: Installed from Joomla_5.4.0-alpha4-dev+pr.45696-Development-Full_Package.zip two times joomla-test.heikol.de and joomla-test2.heikol.de

• Unregistered from Automated Updates
• Only on joomla-test.heikol.de installed additional plg_system_autoupdatepreventer and enabled it
• Log Almost Everything enabled
• Installed 'System - Alpha Update Server' plugin
• Checked with manual update 'Joomla Update to Joomla! 5.4.112 is available
  • This step took some hours for first site, unknown what was the reason, even reinstalling didn't help and it states: 'Update not possible because the offered update has expired.', expired timestamp on alpha tuf needs to be fixed
  • For 2nd site, first check gave 'Update not possible because the offered update has expired.', second check is working and offering 5.4.112
  • Updated 'Database Table Structure Up to Date' as this is mandatory requirement for update
• Enabled Automated Update
• 10 Aug 11:46 UTC 1st site (with enabled plg_system_autoupdatepreventer)
• 10 Aug 11:56 UTC 2nd site is updated to 5.4.110 and email was sent

Results after > 24 hours

• ✅ 1st site (with enabled plg_system_autoupdatepreventer) is not updated

  • ✅ 1st site email was sent (and 24 hours later again, assume this will continue)
  • ❌ email and log file give no indication of the reason
    • email contains 'Your site could not be updated from 5.4.0-alpha4-dev+pr.45696 to 5.4.0-alpha4-dev+pr.45696. Please check the logfile '/administrator/logs/joomla_update.php' for further debugging information.'
    • Logfile contains only four times 'Downloading update file', no logging of failed update or the reason
    • Could we give the correct numbers (not be updated from 5.4.0-alpha4-dev+pr.45696)? And could we give the reason e.g. blocked by plugin, or other times seen preconditions are not fullfilled in either the email or the log file, or both?
    • ❌ administrator/logs/everything.php contains, starting every 15 minutes:

    2025-08-10T18:15:06+00:00       CRITICAL 52.14.131.139  error   Uncaught Throwable of type
        Tobscure\JsonApi\Exception\InvalidParameterException thrown with message "Invalid token". Stack trace: #0 [ROOT]/api/components/com_joomlaupdate/src/Controller/HealthcheckController.php(52): Joomla\Component\Joomlaupdate\Api\Controller\BaseController->validateUpdateToken()
    #1 [ROOT]/libraries/src/MVC/Controller/BaseController.php(730): Joomla\Component\Joomlaupdate\Api\Controller\HealthcheckController->show()
    #2 [ROOT]/libraries/src/Dispatcher/ApiDispatcher.php(61): Joomla\CMS\MVC\Controller\BaseController->execute()
    #3 [ROOT]/libraries/src/Component/ComponentHelper.php(361): Joomla\CMS\Dispatcher\ApiDispatcher->dispatch()
    #4 [ROOT]/libraries/src/Application/ApiApplication.php(433): Joomla\CMS\Component\ComponentHelper::renderComponent()
    #5 [ROOT]/libraries/src/Application/ApiApplication.php(116): Joomla\CMS\Application\ApiApplication->dispatch()
    #6 [ROOT]/libraries/src/Application/CMSApplication.php(304): Joomla\CMS\Application\ApiApplication->doExecute()
    #7 [ROOT]/api/includes/app.php(50): Joomla\CMS\Application\CMSApplication->execute()
    #8 [ROOT]/api/index.php(31): require_once('...')
    #9 {main}
    

• ✅ 2nd site is updated to 5.4.112

  • ❌ Only one email with 'our site could not be updated from 5.4.0-alpha4-dev+pr.45696 to 5.4.112. Please check the logfile '/administrator/logs/joomla_update.php' for further debugging information.' was received, Successful update email is missing
  • ✅ administrator/logs/verything.php contains:

  2025-08-10T11:56:45+00:00       INFO 52.14.131.139      update  Update to version 5.4.112 is complete.
  

  • ❌ but also the same exception every 15 minutes
  • ✅ administrator/logs/joomla_update.php contains:

  ...
  2025-08-10T11:56:45+00:00       INFO 52.14.131.139      update  Update to version 5.4.112 is complete.
  

  If email or log file content is helpful I can upload or send.

@muhme

❌ administrator/logs/everything.php contains, starting every 15 minutes:
❌ but also the same exception every 15 minutes

As mentioned before:

Expected behavior: your test sites are currently registered twice in the update server, with both the old and the new update token; the update server will re-try "unconnected" sites with the old token for a grace period and then remove them if the connection can not be restored

Could we give the correct numbers (not be updated from 5.4.0-alpha4-dev+pr.45696)? A

Unrelated from this PR.

And could we give the reason e.g. blocked by plugin, or other times seen preconditions are not fullfilled in either the email or the log file,

Added to the log file

✅ 2nd site is updated to 5.4.112

The frontend has an error message, please double check: https://joomla-test2.heikol.de/ - for the same reason no information message could be sent to you, the site returned an exception

Thank you @SniperSister and my summary after our discussion:

• The missing success email is caused by the automatic update with the outdated build package and leads to a partially defective instance in this current development status
• InvalidParameterException "Invalid token" is caused by registering the domain multiple times for Automated Updates, they are unavoidable and will end after grace period (currently 7 days)
• Out of scope of this PR created #45895
• Out of scope of this PR created #45897
• Missing reason for failed update is added to the email and can be tested
• As soon as we have created a new update package we can repeat the test

@muhme I included the fix for #45895 in this PR too as it otherwise would have been complicated to reliably create "failed" update attempts without the block mechanism implemented here

@muhme I included the fix for #45895 in this PR too as it otherwise would have been complicated to reliably create "failed" update attempts without the block mechanism implemented here

Hi @SniperSister, I have just tested this and I have this in my joomla_update.php, is that a successful test in your mind? (just unsure if that is what I am supposed to get)

#Fields: datetime priority clientip category message
2025-08-15T09:30:11+00:00 INFO 52.14.131.139 update Downloading update file from https://downloads.joomla.org/cms/joomla5/5-4-113/Joomla_5.4.113-Stable-Update_Package.zip.
2025-08-15T09:30:11+00:00 INFO 52.14.131.139 update Downloading update file from https://downloads.joomla.org/cms/joomla5/5-4-113/Joomla_5.4.113-Stable-Update_Package.zip.
2025-08-15T09:30:11+00:00 INFO 52.14.131.139 update Downloading update file from https://github.com/joomla/joomla-cms/releases/download/5.4.113/Joomla_5.4.113-Stable-Update_Package.zip.
2025-08-15T09:30:12+00:00 INFO 52.14.131.139 update Downloading update file from https://update.joomla.org/releases/5.4.113/Joomla_5.4.113-Stable-Update_Package.zip.
2025-08-15T09:30:13+00:00 ERROR 52.14.131.139 update Update stopped by plugin.
2025-08-15T10:45:11+00:00 ERROR 52.14.131.139 update Update stopped by plugin.
2025-08-15T12:15:12+00:00 ERROR 52.14.131.139 update Update stopped by plugin.
2025-08-15T13:30:12+00:00 ERROR 52.14.131.139 update Update stopped by plugin.

@exlemor looks good to me! I assume you also received notification mails?

I have tested this item ✅ successfully on 63998ca

I have successfully tested this. Thanks @SniperSister!

@exlemor looks good to me! I assume you also received notification mails?

yes :)