[TYPO3-core] RFC #14387: Remove the feature "Enable extensions without review (basic security check)" from EM

Benjamin Mack benni at typo3.org
Sat May 22 23:30:17 CEST 2010


Hey Lars,

+1 after reading and testing, taking the ":" into account.

Also, please provide an updated patch that also adds some piece of 
information in NEWS.txt. k?

Benni.

On 13.05.10 20:21, Lars Houmark wrote:
> Hi,
>
> This is a SVN patch request.
>
> Type: Bugfix / Clean up
>
> BT reference: http://bugs.typo3.org/view.php?id=14387
>
> Branches: trunk
>
> Problem:
> The Extension Manager has a feature (which is enabled by default) to
> only look up "reviewed" extensions. The problem is though, no extensions
> are reviewed anymore. In relation to that, the update feature of the EM
> uses the same logic to only update extensions that are reviewed if the
> setting is set to "reviewed only". This can prevent users from updating
> to the newest release of an extension, which is bad, because the latest
> release may be a security release.
>
> Solution:
> Remove the feature.
>
> How to test:
> - Put the EM setting to "reviewed only"
> - Look up tt_news and realurl - notice the old versions you are presented with
> - Download tt_news (no need to install) in the version presented
> - Use the Update function of the EM, make sure to check "Include not
> loaded extensions into listing"
> - No updates should be presented
> - Apply the patch
> - Run the Update feature again, for tt_news you should now be presented
> with an update that is about 12 versions (or 4 years 10 months) newer
> than the one you just downloaded
> - Go lookup an extension, i.e. realurl, notice it is now the newest version
>
> Notes:
> This RFC is proposed after starting a recent discussion in the dev list.
> The feedback was all positive, apart from 1 person. I therefore find
> it time to get rid of this annoying checkbox.
>
> $GLOBALS['LANG']->getLL('list_or_look_up') includes %s in order to
> inject "all" or "reviewed" into the "List or look up extensions"
> label depending on the user setting which is removed with this RFC. Since I do
> not want to introduce a new language label, which is the same label,
> just with no "%s", I simply keep the sprintf with a replace for '' (for
> other languages). I think that's a decent solution. Correct me if I am
> wrong.
>
> At the same time I updated the list_or_look_up label, and removed the
> "%s". This way the translation tool should pick that up and show a changed
> status. But even if it is not translated, it will still render correctly.
>
> The functions class.em_xmlhandler->checkReviewState and
> class.em_xmlhandler->checkReviewStateGlobal are not being used at all
> (I searched the entire core), so I removed them in the same run.
>
> Some have asked for another Flash Message, in order to "warn" the user.
> Instead of creating a new one below or on top of the current one, that
> explains to contact the security team, I have merged the new text with
> the current one. The text was proposed by Benni.
>
> I have long-term ideas for improving the review thing in the EM, but
> these need discussions and opinions in order to make the *right*
> solution in take two.
>
> --
> Lars Houmark
>
More information about the TYPO3-team-core mailing list