[wp-hackers] WP Plugins --> was::RE: [wp-forums] questionable...

Robin Adrianse shorty114 at shorty114.net
Sat Aug 5 17:56:11 GMT 2006


In WordPress? Most, if not all, of the user options are in the database
_options table. These don't get removed as far as I know when you deactivate
a plugin, so it's still there when you reactivate it.

On 8/5/06, Dave W <dabbaking at gmail.com> wrote:
>
> Before deactivation of a plugin on an upgrade, it should check if the
> plugin has user defined options with it and store them before
> activation. So, if/when the user decides to reactivate the plugin, their
> settings aren't lost.
>
> On 8/5/06, Christopher J. Hradil <chradil at comcast.net> wrote:
> >
> > As I stated, based on all of the negative buzz in the past few weeks
> > over security issues I probably 'read' more into the question than
> > might have been there. As far as the issue itself, the OP stated:
> >
> > /snip
> > I've been using phpBB for ages and I've been using other (shock, horror)
> > blog software and what I deeply like about both is their repository of
> > Plugins that have been validated by the core team thus I have someone to
> > trust on a Plugin's validity.
> > /snip
> >
> > Personally, I've been involved with the phpBB project since 2001 with
> > varying degrees of activity based on what else I've had going on, that
> > project has had more than its share of controversy, the *community* can
> > be abrasive at times and is definitely not very open-minded or forward
> > thinking in terms of planning and decision making. Jim Finn (one of the
> > founders of the project) is surely a bright and talented young
> > individual with lots on his plate, and does a pretty good job of keeping
> > things running smoothly (ironically his personal site is proudly powered
> > of course by wordpress...), but many of the key developers on the
> > project seem to like the "dictatorship" model of operation, and often
> > resist ideas and contributions from the community which don't match up
> > with their personal opinions. One of the things I've worked hard on
> > there with a small group of other individuals is the idea of pushing
> > phpBB in the direction of standards compliance and a bit more 'modular'
> > of a plugin architecture. Unfortunately neither of these concepts are
> > very well received by many of the decision makers (although we've never
> > really pushed the issues hard with Jim personally which I know would
> > probably lead to an eventual change in the phpBB paradigm). These two
> > particular issues are a constant FAQ and often controversial topic as
> > new users adopt the platform, with questions like why can't I....
> > a) permalinks/friendly URIs b) xhtml/css compliance c) the last upgrade
> > ruined my site and DB because all of my modules had made so many edits
> > to the core files... etc.
> >
> > It's a given, that phpBB is a completely different animal than WP, but
> > architecture wise, there is much to be learned from how others have done
> > things and the mistakes they've made. With regards to the plugin topic
> > specifically, the current WP architecture as a theory is what I would
> > consider a 'best of breed' solution, even though at the moment there may
> > be some specific issues with regards to its implementation. As I stated
> > in my forum post, products like phpBB which allow (or often require)
> > that a module or plugin 'edit' (albeit transparently to most users) core
> > system files (and the DB architecture) in order to 'just work', are in
> > my opinion a way less than desirable situation. Unfortunately many users
> > don't fully understand a) that this happens at all, b) what's really
> > happening when they install a mod or plugin, or c) its potential effect
> > later on.
> >
> > The disadvantages (which are clearly demonstrable via things like the
> > phpBB support forums) are as follows:
> > 1) Upgrades to the core are risky and difficult after a plugin/mod has
> > been installed, the upgrade scripts simply can't account for all of the
> > changes made by the mods/plugins, this often leads to completely
> > 'broken' sites which need to be re-installed from the ground up.
> > 2) A failed mod/plugin install has no rollback mechanism requirement, so
> > users are left with partially edited/broken core system files and often
> > no clue as to how/where to attempt to fix things.
> > 3) Even though it may appear that something like phpBB plugins are
> > *blessed* via the phpbb.com site's mod repository, there are no
> > [enforced] requirements for a plugin to adhere to any particular set of
> > standards, most importantly IMO - CLEAN UP AFTER ITSELF IF A USER
> > UNINSTALLS IT. I can not emphasize how critical an issue this is, sure,
> > go to your phpBB admin interface and 'uninstall' a mod, then go look at
> > all of the code changes to core system files and the database that the
> > plugin made when it was installed which were not 'removed' after you've
> > uninstalled it.
> >
> > there are a couple of others, but those are the big points.
> >
> > By contrast, wordpress is really clean in terms of the plugin
> > architecture. This leads me to the point of this dissertation. The
> > existing methodology and design of the plugin portion of WP is extremely
> > elegant and powerful - both from a technical AND a marketing
> > perspective. Continuing along the current path and improving on it is
> > without doubt a worthy cause. It's a tremendous selling point for the WP
> > platform moving forward to emphasize the flexibility, power and secure
> > nature of the basic plugin architecture. When a new user makes a forum
> > post stating something like "I installed x plugin and now my site
> > doesn't work..." the ability to point them to the codex or simply state
> > - "just delete the plugin file or directory", then like magic everything
> > works again is really impressive. The fact WP plugins don't need to
> > interfere with the core system is a HUGE advantage over other platforms.
> > Upgrades are normally a breeze, personally I've upgraded 20+ installs so
> > far (most from 2.0.2 directly to 2.0.4) and had not a single issue or
> > problem with one of them (fingers crossed, since I left the 3 biggest
> > sites for last). From my view, improvements to the current system are as
> > follows:
> >
> > (grouped in two categories - WP Core Dev changes, and Plugin Author
> > requirements)
> >
> > 1) Develop a core function to 'check' a plugin prior to
> > install/activation to ensure that the plugin cleans up after itself
> > (mostly in the area of any DB changes they might make, since we don't
> > have to worry about plugins editing core files). If it doesn't have a
> > "compliant" 'remove_me' function disallow activation. This places the
> > responsibility for these types of issues with the plugin authors rather
> > than WP system devs. Ditto for autoupdate, version check, and a
> > wp-security check (to be sure things like current_user_can are
> > implemented).
> > 2) I know that computerguru has done some work in the past week or so on
> > the 'autoupdate' system, so that's handled.
> > 3) slight re-vamp to requirements for a 'public' release of a plugin via
> > either the codex repo or wp-plugins.net, require plugins to have its own
> > directory called plugin_name, and includes all plugin files, plus an
> > install.txt and readme.txt with at least a minimalist amount of
> > documentation on use and installation.
> > 4) a 'deactivate_all_plugins' function for use during WP core
> > updates/upgrades. this could either be a plugin itself or part of core -
> > (I wrote a perl script to do this for me directly against the DB for my
> > own purposes since I had to upgrade a bunch of sites)
> > 5) a *warning* notification so that if someone is about to install or
> > activate a plugin that will function but doesn't comply with the
> > 'standard' at least they're aware that they're about to use something
> > that's *unsupported*
> > 6) an updated set of requirements and guidelines for plugin authors
> > which explains how to structure and 'release' a 'supported' plugin
> > (whether it be via the actual wp repository or their own site).
> >
> >
> >
> > /**************************************
> > Christopher J. Hradil
> > chradil at comcast.net
> > http://www.hradil.us
> > 973-809-4606
> > **************************************/
> >
> >
> >
> > > -----Original Message-----
> > > From: wp-forums-bounces at lists.automattic.com
> > > [mailto:wp-forums-bounces at lists.automattic.com] On Behalf Of Michael B
> > > Sent: Friday, August 04, 2006 12:09 PM
> > > To: wp-forums at lists.automattic.com
> > > Subject: Re: [wp-forums] questionable...
> > >
> > > Truth is, IMO, that's a valid question from a new user.  I
> > > believe I recently saw a post on the hackers list about this,
> > > as well as have there been several threads about shout boxes
> > > and spam, which in some ways overlaps the question.
> > >
> > > I'm going to post that indeed most plugins are caveat emptor,
> > > however if they search the forums for top 10 lists, they can
> > > assume that if enough users recommend certain plugins, that
> > > they can assume the plugin has been vetted.
> > >
> > > ~miklb
> > > I'm also going to remove the resolved as I'd prefer the user
> > > mark it resolved in this case.
> > >
> > > Thanks Christopher for all your time in the forums, and on
> > > these lists.
> > >
> > >
> > >
> > > On 8/3/06, Christopher J. Hradil <chradil at comcast.net> wrote:
> > > >
> > > > http://wordpress.org/support/topic/82005
> > > >
> > > > > when I spotted that one he was an 8 minute old member, it may be
> > > > > benign (in which case I'm just paranoid based on last week's
> > > > > plugins/security debates), so I've posted an appropriate reply,
> > > > > tagged it modlook and resolved. It just seemed to me like someone
> > > > > trying to 'stir the pot'..
> > > >
> > > > /**************************************
> > > > Christopher J. Hradil
> > > > chradil at comcast.net
> > > > http://www.hradil.us
> > > > **************************************/
> > > >
> > > >
> > > > _______________________________________________
> > > > wp-forums mailing list
> > > > wp-forums at lists.automattic.com
> > > > http://lists.automattic.com/mailman/listinfo/wp-forums
> > > >
> > >
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
>
>
> --
> Dave W
>
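
The pre-activation check proposed in item 1 of the quoted message, together with the reply's point that option rows stay in the `_options` table after deactivation, can be sketched as a static scan of a plugin's source. This is an added example, not code from WordPress or from anyone in this thread; it is a heuristic written in Python, and the `remove_me` suffix convention and both sample plugins are assumptions constructed for illustration.

```python
import re

# Literal option names passed as the first argument to the WordPress options API.
WRITE_RE = re.compile(r"\b(?:add_option|update_option)\s*\(\s*['\"]([^'\"]+)['\"]")
DELETE_RE = re.compile(r"\bdelete_option\s*\(\s*['\"]([^'\"]+)['\"]")
# 'remove_me' is the cleanup name used in the thread; matched as a suffix (assumption).
CLEANUP_RE = re.compile(r"\bfunction\s+\w*remove_me\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")

# Constructed sample plugins, not code from any real plugin.
LEAKY = """<?php
/* Plugin Name: Example Leaky */
function leaky_install() {
    add_option('leaky_api_key', '');
    update_option('leaky_mode', 'on');
}
// delete_option('leaky_mode');
"""
TIDY = """<?php
/* Plugin Name: Example Tidy */
function tidy_install() { add_option('tidy_mode', 'on'); }
function tidy_save() {
    if (!current_user_can('manage_options')) { return; }
    update_option('tidy_mode', 'off');
}
function tidy_remove_me() { delete_option('tidy_mode'); }
"""

def strip_comments(php):
    """Drop /* */ and // comments so commented-out calls are not counted."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(^|\s)//.*$", "", php)

def audit_plugin(php):
    """Heuristic pre-activation report for one plugin's PHP source."""
    code = strip_comments(php)
    written = set(WRITE_RE.findall(code))
    deleted = set(DELETE_RE.findall(code))
    report = {
        "orphaned_options": sorted(written - deleted),  # rows left in _options
        "has_cleanup": bool(CLEANUP_RE.search(code)),
        "checks_capability": bool(CAP_RE.search(code)),
    }
    report["compliant"] = (not report["orphaned_options"]
                           and report["has_cleanup"] and report["checks_capability"])
    return report

if __name__ == "__main__":
    for name, src in (("leaky", LEAKY), ("tidy", TIDY)):
        print(name, audit_plugin(src))
```

Option names built at runtime (variables, concatenation) are invisible to this scan, so a clean report means only that no literal option name was left without a matching `delete_option` call.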

