Admin Page Registration for 3rd Party Modules

[DrByte]

Remember: There's a LOT MORE TO UPDATING ADDONS FOR 1.5 than merely adding menu options!!!!!
Discussed in other threads.

[countrycharm]

Remember: There's a LOT MORE TO UPDATING ADDONS FOR 1.5 than merely adding menu options!!!!!
Discussed in other threads.

Yes I understand that. What other threads are you talking about.

[dbltoe]

Remember: There's a LOT MORE TO UPDATING ADDONS FOR 1.5 than merely adding menu options!!!

Agreed!
I try each day to learn more to make sure I'm doing it right. If it weren't for the several posts on this subject, I would be in the dark myself. I still am not close to comfortable with going too far but get a feeling the "tricks" are being kept a little close to the chest.
I can understand that teaching someone to fix can lead to someone else learning to break.
I hesitated to list my solution, but was empathizing with countrycharm's pain. Certainly did not want to put something out that could be the elephant in the room later.

[DrByte]

Nothings being "kept close to the chest". I've explained the requirements in other threads several times.

[countrycharm]

Nothings being "kept close to the chest". I've explained the requirements in other threads several times.

The addon needs to be upgraded to work with the new admin menu system in v1.5. There are several discussion threads which address those matters.
There are several more things, security-related, that are also required when upgrading modules for compatibility with v1.5. If you don't also do those things then your addons will not work either. They'll be redirecting you to your admin home page every time you click on a link in the addon.
So, merely adding menu options isn't sufficient for all addons.

OK i have read what you have said about a Module not working if the security-related issues are not fix. I'm like dbltoe I try to learn this stuff more and more each day.

[niccol]

The tricks aren't being kept close to anyone's chest because there are not any tricks.

The page needs to be registered to appear in the menus. This is just a hugely massive improvement from the previous system. It needs a admin page file, some defines and a correct entry in admin pages. This is discussed a lot in other threads.

For the file to work -

1. It needs to function with the Zen 1.5 codebase. That may mean re-writing or it may be a merge of a lot of files with the new versions of those files. Or it may be that no changes are needed or that the module is never going to work with 1.5. This really can only be discussed on a module by module basis.and really is not the business of the ZC core developers.

2. In it's new form the module needs to meet the security standards of 1.5. The main one of these is that ''random' use of GET parameters is going to divert you back to admin main page but using GET parameters for things like product filters is OK. There are others but my understanding is that that is the main one at the moment. All data entered and read from the database needs to be sanitised but I don't think this will break functionality but is so basic a requirement that it should be implemented anyway. If the developers can add to the list of 'no-nos' then that would be helpful but I haven't found too many new ones yet.

Of course, there may be some merit in not discussing in an open forum exactly how all the security features work. But if you create a well coded module that meets those guidelines it seems to work.

[dbltoe]

2. In it's new form the module needs to meet the security standards of 1.5. The main one of these is that ''random' use of GET parameters is going to divert you back to admin main page but using GET parameters for things like product filters is OK. There are others but my understanding is that that is the main one at the moment. All data entered and read from the database needs to be sanitised but I don't think this will break functionality but is so basic a requirement that it should be implemented anyway. If the developers can add to the list of 'no-nos' then that would be helpful but I haven't found too many new ones yet.

Of course, there may be some merit in not discussing in an open forum exactly how all the security features work. But if you create a well coded module that meets those guidelines it seems to work.

This is why you haven't seen "okay, how do we identify the critters" and "where to throw the bleach."
It's difficult to find much that matches what I'm looking at in mods I'm trying to get working. They're not mine, but my customers use them. And I am attempting to ensure that they work while REALLY ensuring that there are no hidden glitches.
This is one of those times that I wish we could have a restricted area where a few of us could put our heads together (with supervision) on a file or files. I am an ardent advocate of education, but I also realize there are some things you don't teach until you're sure the knowledge will be used for good.
I quickly find every mention of $_GET, admin_pages, etc. but find myself searching Google for hours trying to make some tutorial match what I'm looking at from a previous programmer.

It's not as simple as, but like, telling someone to scroll down in their browser. Could they use the mouse to move the site, their down arrow, or Page Down key? Or maybe just Home or End? Everyone has their way to do things that don't match ANY tutorial yet get the job done. Seems like every tutorial I look at cries out, "Use the mouse wheel!". On a Mac?
Get my ?

[niccol]

@dbltoe

Yes I do understand your frustration.

Some of the codebase in Zen is quite old now. What that has meant is that code hacking has actually pretty straight forward and with a bit of php knowledge people could get modules to work. That resulted in a wide range of powerful modules that did all kinds of things and 'worked fine' . Which was a good thing. Particularly with the ethos that most modules are free.

The structure and security of these modules is not guaranteed. I know that I am as guilty as anyone of producing code that 'worked' but had its flaws.

I am not one of the developers so what I say next is just my opinion.

PCI compliance has changed the playing field. We do not need to discuss here whether that is a good or bad thing and what the flaws in the present situation are because that has been discussed elsewhere. But it is important to understand that the playing field has been changed.

It would not be all that responsible for developers of a widely used platform to continue to produce a software that facilitated people adding modules that invalidated the PCI compliance that they have worked so hard towards.

We all want to see Zen as a inherently compliant platform. We all want to see all the modules as inherently compliant. That is just part of the new world that we are operating in. Unfortunately, that does mean that there is an onus on module authors to understand a bit more about how this all works, otherwise the module may not function.

There are lots of people out there who have put in a huge amount of work trying to help with modules they know and love but did not actually write. This is one of the failings, and great strengths, of Zen, and perhaps this form of open source development. The original authors are not around any more. The management of modules has been picked up by others. So, re-writing a module is really hard work for those other people. In some cases it may just be easier to start from scratch then wade through someone else's code, which may or may not be comprehensible in the first place.

A good example of how it works when the author is still around are all Conor's mods, for instance Ceon URI rewriting. They were updated by the author and work on 1.5. Lovely.

The orphaned modules, where the original author is not around are much more problematic. And, yes, I can understand the frustration. There is one module out there that I am having a personal nightmare with. But, it really is not the developers problem that there is no-one available who really really understands the module's code well enough that updating it reasonably simple.

The problem is the level of understanding of a module's code not the changes in 1.5. Other platforms insist that an 'active' module has active 'Maintainers' ( I am using Drupal language here ) and if not then they are flagged as 'Not Actively Maintained' . I wonder how many modules in the free software add-ons section would actually have an active maintainer at the moment? Perhaps that is something that would be a good idea to implement.

Also, I have to say that this is going to change again if 2.0 is released. Modules are going to need to be re-worked again. Without any prediction about when that might happen it is hard to judge what the best line of approach is regarding 1.5.

[dbltoe]

That's the longest "I agree" I've ever read without one suggestion of a solution.

[countrycharm]

That's the longest "I agree" I've ever read without one suggestion of a solution.

That's what I'm talking about.