Minimize potential forum-breaking issues #85
Comments
|
This would amazing to have, I don't think the problem it would be solving is about Flarum not booting, but rather just extensions not booting. Solution 1 would avoid us creating another interface, but would need to separate the core js bundle from extensions to only load that, but code splitting is already doing something similar I believe with the bundles, so not sure if we want to mess with that here as well. Solution 2 might be better, the blade template would be minimal, it would only need to allow disabling/enabling extensions, but it might also require adding a login form in case the admin is logged out for whatever reason. |
|
I think there's a bunch of separate things we need here:
|
We wouldn't load the JS though right? since currently extension JS code is contained in the same bundle, unless that changes. |
We could omit the initializer step. On the other hand, we should probably eventually split each extension's code into its own file instead of a single mega-file, so that could be another vector. |
Oh! I forgot we had that! nice. |
I'm against this idea. Multiple script files would mean multiple HTTP requests, which would add extra overhead compared to the single file workflow we have at the moment. While HTTP/2 removes a fair amount of overhead compared to HTTP/1, we still have ~50ms TTFB on our main JS payload, and parallel connections on slower connections become painful. Separating into different frontends is a good idea still, because of the overall bundle improvement, and the fact that we won't have 30 different FEs, most likely :P |
Looking at the code, URL parameter wouldn't work, extensions are booted before we start handling the coming request. The safe mode would be useful when an extension breaks the backend, so perhaps we can utilise the configurable Though we can effectively start working on the other points, I'll try to tackle the blade admin page. |
You're right. We could do some PHP globals hackery, but it would be preferable to avoid that. For |
That's a good point, an additional configurable safe mode option makes sense then! |
|
I've been thinking more about the safe more option, and if we decide to have one, I'm leaning towards going with something similar to Discourse's approach. I don't think we should allow disabling extensions on the backend via safe mode because that opens up a whole slew of potential security issues. Furthermore, it couples per-request state to global application state, which is something we'd like to avoid. That being said, I started working on a safe mode PR, but stopped when I realized I didn't understand the use case. What do we want this to do? Do we want to make it easier to debug frontend issues? Offer a way for admins to rescue a "bricked" forum by disabling all extensions? Allow admins to edit extension settings in the admin panel without those reflecting on the forum side? |
askvortsov1
changed the title
How does discourse handle it ?
No, yes, no.
If we take the admin NoJS view as an example, which solves the issue of an extension breaking the admin frontend and locking out the admin from fixing it by disabling said extension. The same can happen if an extension breaks the backend and prevents Flarum from booting, the admin NoJS view is only solving half of the problem, having the possibility to safely boot to disable said extensions and therefor require less SSH access is needed. I don't know what exactly you're referring to when mentioning security issues, but if my assumptions are correct, I think the smart thing to do is to have safe mode as sort of an offline mode level 2, where it is an offline mode (which locks users from accessing the forum apart from the admin) but it also doesn't boot any extensions.
Isn't that why we're avoiding the URL safe mode option, or is it also an issue with other approaches ? |
|
Makes sense, I think I was overthinking this when I wrote it. I'll open a PR for this.
Discourse's approach is that any user can trigger a "no-js safe mode" where the backend works with all plugins, but plugin JS isn't booted. Apparently, the goal is to help diagnose broken JS issues. I believe that when we convert our JS system to be more extender based, a lot more errors will happen on boot, meaning that diagnosing where stuff goes wrong will become a lot easier. I think that might be a more effective system than just disabling JS. |
Part of https://github.com/flarum/core/issues/2911 If the `boot_extensions` key is set to false, core will not boot any extensions in the backend, or run any initializers in the frontend. This allows admins to recover their forum without SSH access by disabling extension boot, going to the admin panel, and turning off offending extensions. **Questions/Concerns for Reviewers**: - Should we somehow signal to admins that this mode is enabled, possibly via alert? Otherwise, it might be confusing why extensions are indicated as enabled in the admin dashboard. This is challenging, as the alerts we currently have are in `content.blade.php`, and that view does not have access to payload/config. - Should this require maintenance mode? If we disable all extensions (e.g. tags), some restricted discussions / content will immediately become public. This could lead to leaks via web scraping.
|
I've added a new entry:
|
Feature Request
Is your feature request related to a problem? Please describe.
If there is a backend/boot/JS error, we should still allow admins to access the admin page.
This could be done with a simple No-JS admin page accessible via a URL such as
example.forum/admin?safe=true.Describe the solution you'd like
Solution 1
If this
safe=trueis present, we should not load any extensions while displaying this page. We can then show the user a page that allows them to make changes to the active extensions (enabling/disabling).Solution 2
Alternative with using just Blade and DB password as authorization to enable and disable extensions without any booting of Flarum.
Justify why this feature belongs in Flarum's core, rather than in a third-party extension
This is a core part of Flarum that would improve accessibility to more users.
Agreed Upon Tasks
config.php) that loads Flarum without booting any extensions (Add config.php option not to boot extensions framework#3073).Lesscompilation failures.The text was updated successfully, but these errors were encountered: