[pmwiki-devel] One click installation process...

Patrick R. Michaud pmichaud at pobox.com
Sun Nov 26 14:50:35 CST 2006


On Sun, Nov 26, 2006 at 11:52:43AM -0500, The Editor wrote:
> Someone just posted a suggestion for a one click module installation
> feature.  After a bit of thought, it occurred to me something like
> this might be reasonably doable...  Thought I would post some ideas
> and see if there was any feedback.

For security reasons, it's almost a non-starter.  Consider:

> First, for a one click module installation feature, we'd need to 1)
> have a way to automatically download the recipe (so we don't have to
> include them all automatically with the basic download). 

Ick.  This means that the directory containing recipes (i.e.,
executable code) has to be writable by the webserver.  Bad.

> And 2)
> automatically write one or more lines to the configuration file to
> enable it. 

Ick.  This means that the (executable) configuration files have to be 
writable by the webserver.  Also Bad.

Personally, I think the automatic download of scripts is in general
a bad idea -- indeed, this is why PmWiki doesn't have something
like an "?action=upgrade" feature to automatically upgrade the PmWiki
software.  To me, it's just too dangerous to have the script files and
script directories writable by the webserver.

So, at best we could provide a web interface for configuring
recipes, but no matter how good the interface is, we'll always be
limited to only handling a subset of the available options and 
features.  There would always be some things that could only
be done directly in .php configuration files.  And just as a person 
with two clocks is never certain of the time, an admin with two or
more configuration interfaces has to worry about how the settings
in one interface are interacting with the settings of the other.

(PITS #00394 has some similar discussion on this topic.)

> Also, 3) it might be nice to optionally set up a help page
> for each recipe and/or a configuration page for the recipe.  

Recipes can already do this; in fact, many skins already do.

If someone wants to create a module that allows for
automatic downloading and/or modifying configuration files,
that's fine, but given the wide variety of webserver and
PmWiki configurations (and the associated scripting
security issues) I'd personally be quite wary of ever using it
or recommending its use to others.

Pm


P.S.:  Since writing PITS #00394 I have toyed with the idea of
coming up with a form-based configuration system for some of
the more common PmWiki and recipe settings -- i.e., an admin
would simply do

    include_once('cookbook/formconfig.php');

and then use the form for lots of basic configuration settings,
which could then be augmented or overridden by other statements
in the config.php file.  But things still get complex when we
start thinking about per-group or per-page customizations --
where do those get stored?  Ultimately I get the feeling that we're
just increasing the complexity rather than reducing complexity
or simplifying it.
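
The condition this message warns about, script files and script directories writable by the webserver, can be checked on an existing install. The following is an added example, not part of the original post or of PmWiki: the function name is hypothetical, and the layout (cookbook/, local/, scripts/ and pmwiki.php as executable code, wiki.d/ as the page store PmWiki must write to) is assumed to be the stock one.

```shell
#!/bin/sh
# Added example: report PmWiki code paths the webserver account could modify.
# Assumed stock layout: cookbook/ = recipes, local/ = config.php,
# scripts/ and pmwiki.php = core code. wiki.d/ (page store) is skipped on
# purpose, because PmWiki has to be able to write there.
# Limits: supplementary groups and ACLs are not considered.
#
# usage: audit_pmwiki_writable ROOT WEB_USER WEB_GROUP
#   ROOT       PmWiki installation directory
#   WEB_USER   user name or numeric uid the webserver runs as
#   WEB_GROUP  group name or numeric gid the webserver runs as
# Prints one offending path per line; returns 1 if anything was found.
audit_pmwiki_writable() {
    root=$1 web_user=$2 web_group=$3
    findings=$(
        for p in cookbook local scripts pmwiki.php; do
            [ -e "$root/$p" ] || continue
            # Writable by the web account means any of: world-writable,
            # owned by it with u+w, or in its group with g+w.
            find "$root/$p" \( -type f -o -type d \) \( \
                -perm -0002 \
                -o \( -user "$web_user" -perm -0200 \) \
                -o \( -group "$web_group" -perm -0020 \) \
            \) -print
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

A directory in the output matters as much as a file: write access to cookbook/ or local/ lets the web account replace files in it even when each file is read-only.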



