Updating modules and themes requires ftp access to your server
-J

For this to work the way you describe it, wouldn't you have to set your module and theme directories as writable by the web server itself? Wouldn't that make Drupal more vulnerable to attack, especially on a shared host? I had a VPS that was among the casualties there, so maybe I'm a little more sensitive to these issues right now, but I'd like security to be (remain?

Hi Kirk, Please click through the 2nd round wireframes, or go visit this issue at d.o. We're actually a little hyper paranoid about security. I wrote most of the underlying API layer here: So you can see how that works. People will have to provide their ssh/ftp creds when installing and we won't store the password. Best, Jacob

Hi Jacob - thanks for the pointer, I overlooked those links. That's an interesting approach - seems to negate my concerns quite well. The local Drupal site downloads the file from d.o 2. Should be interesting to see how the final product works. It confirms that the md5 sum of the file matches that published by d.o (to reduce potential for dns poisoning - this happens automatically via ajax, ideally) 3. That said, you should take a look at how Aegir displays these sorts of details, it's a great inspiration to draw from.

Eclipse Very good idea, and I second the linking or integration with Backup and Migrate, even if it is just recommending that or a similar module and letting someone invoke it from page 2 in your wireframe. Thanks so much for taking this one, it will make many people's lives easier.
There is no separation of "user contributed content" and "the backend system" which means, you cannot roll one back without affecting the other. Right now, I believe that only the settings file is writable by the server - an attacker could overwrite or erase settings, but that's about it. With the modules or themes writable by the server, it could allow an attacker to inject PHP code into currently installed modules and/or themes.

So without further ado: Sure, we've all got our methods, but the point of this is to provide something for people who don't know how to use such tools. So that every new Drupal user can quickly and easily update their modules and themes, without ever hitting FTP or the command line.