Drupal provides a UI for updating contrib modules automatically (at /admin/reports/updates/update). This process is dangerous when used in a distribution like farmOS because it will not reapply patches to modules that are included in the packaged distro (e.g. those defined in the drupal-org.make file).

We currently have a big block of text on https://farmOS.org/hosting/update warning against using this feature:

Do not use Drupal's automatic update feature

Drupal provides an interface for downloading and updating contributed modules automatically.

This process may break your farmOS system.

farmOS is a Drupal distribution, and includes patches to some contributed Drupal modules that are necessary for proper functioning. Drupal's automatic update feature will not apply the necessary patches when it downloads the new version of a module.

It also does not support updating Drupal distributions (only modules and themes). farmOS is a Drupal distribution, and new versions often include automated update code to ensure a smooth update from one version of farmOS to the next.

Therefore, it is recommended that you either download the officially packaged releases of farmOS from https://drupal.org/project/farm, build it yourself with Drush, or run farmOS on Docker. This will ensure that the necessary patches are applied, and that the farmOS distribution updates are included.

And yet, there are still occasional messages in the farmOS forum or chat from someone who didn't see that message, and assumed that the "Updates available" features provided by Drupal are official farmOS features, and therefore should be trusted.

So, I propose we take a more drastic measure: prevent the ability to update via Drupal's UI entirely.
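To see which modules a UI update would leave unpatched, the patch entries of a Drush make file can be listed and compared with the pending updates. This is an added example, not part of the original issue or farmOS code; the make file contents, project names and the functions `patched_projects` and `at_risk` are constructed for illustration.

```python
import re

# Constructed sample in Drush make syntax; not farmOS's actual drupal-org.make.
SAMPLE_MAKE = """\
core = 7.x
api = 2

; Contrib modules (constructed sample).
projects[example_views][subdir] = "contrib"
projects[example_views][version] = "3.20"
projects[example_views][patch][] = "https://example.org/patches/views-fix-1.patch"
projects[example_views][patch][1234] = "https://example.org/patches/views-fix-2.patch"

projects[example_log][subdir] = "contrib"
projects[example_log][version] = "1.11"

projects[example_geo][version] = "2.0"
projects[example_geo][patch][] = 'https://example.org/patches/geo-fix.patch'
"""

# Matches: projects[<name>][patch][<optional key>] = "<url>"
PATCH_LINE = re.compile(
    r"""^projects\[(?P<name>[^\]]+)\]\[patch\]\[[^\]]*\]\s*=\s*["']?(?P<url>[^"'\s]+)["']?\s*$"""
)

def patched_projects(make_text):
    """Return {project: [patch URLs]} for every project that carries patches."""
    patched = {}
    for raw in make_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        m = PATCH_LINE.match(line)
        if m:
            patched.setdefault(m.group("name"), []).append(m.group("url"))
    return patched

def at_risk(make_text, pending_updates):
    """Projects offered for update that would lose their patches if replaced."""
    patched = patched_projects(make_text)
    return sorted(p for p in pending_updates if p in patched)

if __name__ == "__main__":
    for name, urls in patched_projects(SAMPLE_MAKE).items():
        print(f"{name}: {len(urls)} patch(es)")
```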

Comments

m.stenta created an issue. See original summary.

m.stenta’s picture

One approach would be to simply implement hook_menu_alter() and remove/restrict access to /admin/reports/updates/update entirely.

This would still allow access to the list of available updates (/admin/reports/updates), but would not allow access to the form for downloading/installing updates through the UI.

Only problem with this is that the Status report (/admin/reports/status) links directly to that page. So if someone looks there, and tries to click that link, it won't work.

Another option might be to use hook_form_alter() on the form on that page to disable its functionality. We could also put a big message at the top that says it was disabled intentionally, and describe why.

This would be the most effective way to avoid this issue in the future. And we could probably remove the big message from farmOS.org, if we have it in farmOS itself.

m.stenta’s picture

Note: the form ID is update_manager_update_form and actually appears in three places: /admin/reports/updates/update, /admin/modules/update, and /admin/appearance/update.

One form alter hook will cover all three.

  • m.stenta committed aa6edcf on 7.x-1.x
    Issue #3136140: Prevent updating via Drupal UI
    
m.stenta’s picture

Status: Active » Fixed

Fixed with a very simple form alter in farm.profile:

/**
 * Implements hook_form_BASE_FORM_ID_alter().
 */
function farm_form_update_manager_update_form_alter(&$form, &$form_state, $form_id) {

  // Disable updating through the UI.
  // @see https://www.drupal.org/project/farm/issues/3136140
  drupal_set_message(t('Performing updates through this interface is disabled by farmOS. For information about updating farmOS, see <a href="!url">!url</a>.', array('!url' => 'https://farmOS.org/hosting/updating')), 'error');
  $form['actions']['#access'] = FALSE;
}

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

m.stenta’s picture

Version: 7.x-1.x-dev » 2.x-dev
Status: Closed (fixed) » Active

Reopening this for 2.x.

  • m.stenta committed c646cc4 on 2.x
    Issue #3136140: Prevent updating via Drupal UI
    
m.stenta’s picture

Status: Active » Fixed

Forgot to close this.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.