[TYPO3-core] RFC #14387: Remove the feature "Enable extensions without review (basic security check)" from EM

Lars Houmark lars at houmark.com
Thu May 13 20:21:59 CEST 2010


Hi,

This is an SVN patch request.

Type: Bugfix / Clean up

BT reference: http://bugs.typo3.org/view.php?id=14387

Branches: trunk

Problem:
	The Extension Manager has a feature (which is enabled by default) to 
only look up "reviewed" extensions. The problem is, though, that no 
extensions are reviewed anymore. In relation to that, the update feature 
of the EM uses the same logic to only update extensions that are reviewed 
if the setting is set to "reviewed only". This can prevent users from 
updating to the newest release of an extension, which is bad, because the 
latest release may be a security release.

Solution:
	Remove the feature.

How to test:
	- Set the EM setting to "reviewed only"
	- Look up tt_news and realurl - notice the old versions you are presented with
	- Download tt_news (no need to install) in the version presented
	- Use the Update function of the EM, make sure to check "Include not 
loaded extensions into listing"
	- No updates should be presented
	- Apply the patch
	- Run the Update feature again; for tt_news you should now be presented 
with an update that is about 12 versions (or 4 years 10 months) newer 
than the one you just downloaded
	- Go look up an extension, e.g. realurl, and notice it is now the newest version

Notes:
	This RFC is proposed after starting a recent discussion on the dev 
list. The feedback was all positive, except from 1 person. I 
therefore find it time to get rid of this annoying checkbox.

	$GLOBALS['LANG']->getLL('list_or_look_up') includes %s in order to 
inject "all" or "reviewed" into the "List or look up extensions" label, 
depending on the user setting which is removed with this RFC. Since I do 
not want to introduce a new language label which is the same label, 
just without the "%s", I simply keep the sprintf with a replacement of '' 
(for other languages). I think that's a decent solution. Correct me if I 
am wrong.

At the same time I updated the list_or_look_up label and removed the 
"%s". This way the translation tool should pick that up and show a changed 
status. But even if it is not translated, it will still render correctly.

The functions class.em_xmlhandler->checkReviewState and 
class.em_xmlhandler->checkReviewStateGlobal are not being used at all 
(I searched the entire core), so I removed them in the same run.

Some have asked for another Flash Message, in order to "warn" the user. 
Instead of creating a new one below or on top of the current one that 
explains to contact the security team, I have merged the new text with 
the current one. The text was proposed by Benni.

I have long-term ideas for improving the review thing in the EM, but 
these need discussion and opinions in order to make the *right* 
solution in take two.

--
Lars Houmark

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 14387.diff
Type: text/x-diff
Size: 11215 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100513/2676a155/attachment-0001.diff>
