Textpattern's face to the public

giz · Today 19:54:31

@Pete: no biggie, there wasn’t anything in your posts that rubbed me up the wrong way!

Bloke wrote #341275:

I’m not sure what exactly the stumbling block was. 3 years ago would have been Txp 4.8.8, which I believe already had the auto-create database option, so (presumably) relocating config.php was a step too far.

I’ve never had success with the auto-create database option on a new install (including 4.9dev). The server always bitches about a lack of permissions, so I do it manually each time. A year or two ago I had one or two successes using a Textpattern installer tied into cPanel (Softalicious I think).

Access to /public_html/ is no longer straight forward. The choices are to use FileManager in cPanel, or ftp. Not having installed any other cms, I don’t know if they go through the same rigmarole as well:

a new client sends me the login details to their website control panel.
I can’t login without 2FA, so I have to bug my client to set me up as a ‘Technical Admin’ first.
cPanel (yay) and FileManager is now available at a push (!yay).
Depending on the host, to get ftp access I need to either:
1. Whitelist my IP against their firewall (every other day)
2. Set up certificates (never easy for me ;-)
Experiment with ftp types, ftp addresses, ports, username and passwords before I gain access to the file system
The easy bit: install Textpattern

My point is installing (any?) software directly for anyone other than a developer is a high friction process. One needs to persevere; textpattern.com is the biggest carrot we have to convey why it’s worth the effort.

Anecdotal only, but I’ve had too many potential clients who were initially enthusiastic about taking on my services in early discussions, but bailed after I sent them a link to textpattern.com.

Sites like AlternativeTo are possibly the ‘easiest’ way to drive new users to Textpattern, but we should also cater for word-of mouth recommendations by non-tech businesses and organisations.

Bloke · Today 20:41:51

giz wrote #341302:

Access to /public_html/ is no longer straight forward

Ain’t that the truth. I totally hear you about the ballache of file system access. In some ways it’s a good thing because it means rogue processes or untrusted users who stumble upon the /setup dir that the admin forgot to delete, can’t trash stuff.

I do keep flip-flopping between “it’s a bad idea” and “ease of use” and ultimately talking myself out of changing things.

That said, rather than automatically installing the file, could we offer:

The file contents for you to copy out (as now).
A ‘Download’ button for those that want a copy to upload it themselves (as now).
A ‘Try to install it’ button that has a go at creating config.php and populating it with the pre-prepared content.

With appropriate safeguards — e.g. making sure that the content that can be written to the file is only the stuff we want, and hasn’t been tampered with — then it should be safe enough to copy the content into the config.php file automatically.

Since clicking the button is still a manual action, and we will check it’s not been doctored before writing, and it can only be written if all checks pass and the connection is made, it’s probably safe enough.

There is a chance it will fail so we’ll need to trap that and warn people they’ll have to do it by hand. But it might be a step up in niceness.

Thoughts everyone?

Bloke · Today 20:52:26

giz wrote #341302:

I’ve never had success with the auto-create database option on a new install (including 4.9dev).

Hmm, that is annoying. Any particular setup or reason you can think of that might prevent it? It’s always created it for me, even when the database is on a different domain. If we can determine what the reason for failure is, we might be able to trap it or work around it.

etc · Today 22:48:12

Bloke wrote #341304:

With appropriate safeguards — e.g. making sure that the content that can be written to the file is only the stuff we want, and hasn’t been tampered with — then it should be safe enough to copy the content into the config.php file automatically.

Since clicking the button is still a manual action, and we will check it’s not been doctored before writing, and it can only be written if all checks pass and the connection is made, it’s probably safe enough.

I’m not so sure. Even if we limit config.php content to db credentials, anyone having a db account will be able to run your uploaded txp setup (while you sleep), gain access to txp, and thus to php. Small chance, of course.

Bloke · Today 23:25:25

etc wrote #341309:

Even if we limit config.php content to db credentials, anyone having a db account will be able to run your uploaded txp setup (while you sleep), gain access to txp, and thus to php. Small chance, of course.

A very small chance I would hope! If a person, as a responsible admin, runs /setup, chooses to autopopulate the config.php, and walks away at that moment without taking 30 seconds to finish the installation process and log in to the admin side (which attempts to delete the /setup for you), well, you’ve got bigger problems than a script kiddie following you 😀

Textpattern CMS

Textpattern CMS support forum

#97 Today 19:54:31

Re: Textpattern's face to the public

Bloke wrote #341275:

#98 Today 20:41:51

Re: Textpattern's face to the public

giz wrote #341302:

#99 Today 20:52:26

Re: Textpattern's face to the public

giz wrote #341302:

#100 Today 22:48:12

Re: Textpattern's face to the public

Bloke wrote #341304:

#101 Today 23:25:25

Re: Textpattern's face to the public

etc wrote #341309:

Board footer