modxcms / revolution

MODX Revolution - Content Management Framework
https://modx.com/
GNU General Public License v2.0

[FEATURE REQUEST] - Show Extras that have updates available in home of dashboard #14182

Open daygon2007 opened 6 years ago

daygon2007 commented 6 years ago

Feature request

Summary

Create a widget in the main (home) dashboard to show plugins/extras with available updates or in the MODX dashboard navigation menu (NOT IN A DROP DOWN) for better visibility when there are updates that are present... especially security updates.

Why is it needed?

More visibility into knowing when plugins have been updated for features or, more importantly, security updates. Many times the installer section is not a section that is visited unless there is a specific action that a user is looking to take, i.e., add or remove an extra.

Suggested solution(s)

Add a dashboard widget to the main dashboard view or add some sort of notification within the MODX Dashboard Navbar

ghost commented 6 years ago

https://modx.com/extras/package/updater

kolbykruger commented 6 years ago

This also seems to be a feature coming with MODX 3.0, although it will be some time before its release.

OptimusCrime commented 5 years ago

I do not see why this has to be a part of the core. This can easily be done with a dashboard extra.

I suggest closing this.

Ruslan-Aleev commented 5 years ago

@OptimusCrime Will there be such a widget in the core? :) In demo screens there are 2 widget types:

  1. With updating only MODX
  2. With update packages and MODX

Correct variant - with update packages and MODX.

JoshuaLuckers commented 5 years ago

Related issues:

alroniks commented 5 years ago

Some time ago I had an idea to move upgrademodx into the core to make widgets on mockups working. So yes, it should be implemented (I hope soon).

daygon2007 commented 5 years ago

@OptimusCrime I see your point, but coming from a security background, each extra is the potential for an exploit. I'm not going to say all extras need to be part of the core CMS, that would be ignorant, but something like this where you don't have immediate visibility of out-of-date plugins can cost a company using MODX a lot of money unless you have someone going to the installer section every day to see if there's an update.

Example, I had a client who patched the MODX 2.6.4 vulnerability and upgraded to MODX 2.6.5 as well as all of their plugins a few days after the announcement, but they were also using the Gallery extra which had not been updated in about 4 years. The plugin was updated about a week and a half later to patch the vulnerability but since there's no kind of notification that tells users that an update is available the site got compromised months later as a result. Thankfully the results of the compromise were not visible to front-end users, but the attackers were able to do things on the server. But the attacker could have defaced the site and cost the company a lot and hurt their brand. Had there been some notification of an out-of-date plugin this could have been prevented. Since now I have the knowledge of this plugin I have absolutely installed it for that visibility, but me personally I don't think this extra should be an extra, it should be in the core because of how vital it is.

Additionally, it's impossible for someone maintaining a site to know every plugin/extra for MODX so if someone does not know about this extra like myself, they are missing out on some vital information that most CMSs include in their core.

@Alroniks - Cheers for, hopefully, implementing this into the core soon, I'm sure MODX users around the world will love you for that.

JoshuaLuckers commented 5 years ago

I couldn’t have said it better @daygon2007!

OptimusCrime commented 5 years ago

@daygon2007 Sure, you have a valid point, and perhaps this is one of the cases where putting it in the core is justifiable. I am just, generally, against bloating the core with more and more features. The MODX core is already gigantic, and I personally think it does way more than it has to. An ideal core in my opinion would provide us with features that everyone would always use, and features that are 100% necessary.

For example, this dashboard widget would be redundant for our workflow. We monitor extras using other services, like SiteDash, and other tools. The customers themselves are never supposed to update the extras, as this might result in unpredicted behavior, bugs or errors. It is our task to make sure the sites are not vulnerable to attacks.

The Gallery exploit in particular is something that was discussed a lot in the community, and we were made aware of this in many channels. Perhaps more people would have upgraded Gallery if they saw that an update was available, but I also think that few people update every single extra that has an available update all the time. Unless it was somehow made clear that this was a very important update for Gallery, I think that most people would just skip updating it. A new dashboard widget would not fix this.

Regardless, I am not going to fight a battle against making this a part of the core. If most people are positive to this, then fine by me. I would just personally prefer to make a good extra out of it, and allow people to make it a part of their default setup, if they choose to, instead of forcing it on everyone.

Perhaps this approach makes more sense in a framework, instead of a CMS, like MODX.

JoshuaLuckers commented 5 years ago

I think this is a great opportunity to have a good discussion where possible solutions are proposed.

One of the problems I can deduce is not being aware of important security updates. Maybe we should focus on how that can be improved?

Jako commented 5 years ago

It is necessary to put an update method in the core! For security reasons! And some warning for insecure extras should be in the core too. For security reasons.

philipwhiuk commented 5 years ago

One option is to have a small ‘core’ but then a release that provides a bunch of recommended add-ons on top.

ghost commented 5 years ago

Like I said, what, 10 years ago? MODX Lite!

OptimusCrime commented 5 years ago

@Jako Update methods for extras already exist, we are debating whether or not we have to place it on the dashboard for everyone to see, including customers that have no technological understanding, and might be confused over what it means. Naturally, it can be hidden, but it seems like extra work for something that should be opt-in in my opinion.

Jako commented 5 years ago

@OptimusCrime Ok, it is necessary to put a check for a core update in the core, too (wherever it is displayed). And some webservice where the current available version is requested. Updater and simpleUpdater have their own webservice and UpgradeMODX relies on GitHub, which is a bit annoying. I don't see any reason why this should stay in an extra that has to be promoted/found and installed separately from the core.

Ruslan-Aleev commented 4 years ago

We must not forget about the update widget for the beta version, but for now (alpha1) this widget does not work, but it is already on the main home panel :)