HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Idea: Addon Installation from Dashboard via GitHub

Jonathan WJonathan W Scranton, PA

I was just thinking, since the majority of addon developers here seem to use GitHub, all we usually end up doing to install an add-on is to git clone in the proper directory. Isn't there a way we could securely do this from the Dashboard? Just have a text field where we can paste the GitHub repo link, and then run the git clone command server-side to install the addon. This could also lead into a way to ping GitHub for addon updates and alert the administrator when something has been updated. I haven't played with it, but I'm sure GitHub has some sort of API for this.

Not that it's hard to ssh into a server and do this :)

The only major issues I can see are:
1) Security. Any time PHP is allowed to run commands on the host system, it makes me nervous
2) Permissions. Unless some sort of wrapper script is used, this is going to install things under the user:group of the web server. Could cause issues for some.
3) Addons that require server-side tweaking to work properly would make this feature useless.

Comments

  • vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited April 2015

    Not worth the trouble... It makes me nervous more and it is unnecessary in my opinion. We had the option to delete addons fom the dashboard and it was horrible and caused the entire plugins folder to be deleted, I was one of those people...

    You can add any method you want yourself just fork it for yourself, but hairbrained ideas are a dime dozen :p

    Not a good idea...

  • It is not secure by virtue of using a web application do file management.

    grep is your friend.

  • hgtonighthgtonight ∞ · New Moderator

    @Jonathan W said:
    I was just thinking, since the majority of addon developers here seem to use GitHub, all we usually end up doing to install an add-on is to git clone in the proper directory. Isn't there a way we could securely do this from the Dashboard? Just have a text field where we can paste the GitHub repo link, and then run the git clone command server-side to install the addon. This could also lead into a way to ping GitHub for addon updates and alert the administrator when something has been updated. I haven't played with it, but I'm sure GitHub has some sort of API for this.

    Not that it's hard to ssh into a server and do this :)

    The only major issues I can see are:
    1) Security. Any time PHP is allowed to run commands on the host system, it makes me nervous
    2) Permissions. Unless some sort of wrapper script is used, this is going to install things under the user:group of the web server. Could cause issues for some.
    3) Addons that require server-side tweaking to work properly would make this feature useless.

    I prefer to clone the plugin repos outside of my server folder. Then I checkout a bare working directory to the appropriate folder through git hooks. This way, there is never any leaking of information and I can use multiple repos in unison without them really knowing about each other in any way.

    In direct response to your idea, I don't think it is really that much more convenient than ssh and it is definitely less secure.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Jonathan WJonathan W Scranton, PA

    I certainly conceed my point! Perhaps this wasn't the best tought idea I've had. :)

  • I think part of the problem is people don't want to think of themselves as the person responsible for managing their server, or at least that aspect of it. They want convenience without respectability. As hgtonight say it is not any less convenient, you just have learn about it, and you will better off doing that becuase you will understand better how things actually work.

    Cheap webhosts (not all) are largely responsible for selling the myth that hosting a site is a doodle. What's more they don't give their clients the ability to do it properly, whist giving them a hole load of superfluous stuff.

    grep is your friend.

  • Jonathan WJonathan W Scranton, PA

    Oh I agree with all that. My forums are on a do-it-yourself VPS. I'm no stranger to the how. Sometimes I just get lazy. Though to quote a line from a good book;
    Confident, Cocky, Lazy, Dead

Sign In or Register to comment.