brian.teeman.net: Automatic Joomla updates | Joomla GPS - brian.teeman.net

  • Bloggerschmidt · 5 months ago
    Thanks for the important advice with Joomla updates and the template overrides.
  • Thomas Kahl · 5 months ago
    ... that's why a more detailed changelog would be useful. You multiply the work that has to be done when every site-owner has to check for the changes on his own. It would be much better if the changelog would show exactly what was changed. A simple "Fixed issue 1234 in file abc.php" doesn't help much.
  • Brian Teeman · 5 months ago
    I agree, especially for the more technical user. Personally I always download a full copy of the new release and then do a diff against the previous version.
  • Flavio Copes · 5 months ago
    You can also use a SVN client and see what's been changed in the new Joomla release.
  • Thomas Kahl · 5 months ago
    I don't know the percentage of Joomla-Users that know what an SVN is. Do you think it is more than 10% ;-)
  • Flavio Copes · 5 months ago
    I think it's the same percentage that knows what a template override is and how to modify it.. the problem is that this is something really hard to do for the average user - but should not be hard for a serious website administrator.

    So we should explain to the average users that they shouldn't use output overrides.. or is this a responsibility of the template builders?
  • Brian Teeman · 5 months ago
    The issue I was trying to explain is that end users are using template overrides but most of them probably do not even realise that. They just download a template and use it.
    Joomla tells them to update for security purposes but they don't realise they have to update the template as well.
  • Lawrence Meckan · 5 months ago
    Hit this issue so often it's not funny whilst consulting/contracting for other businesses.

    And no, it's not pretty to fix, especially when dealing with fragmented custom templates.

    The overrides change PHP behaviours which, in reality, should not be part of a template. Templates should stick to artwork, CSS and HTML (maybe a little JS), not behavioural changes inside PHP.

    Studios and template farms use the overrides system to churn out templates quickly, without testing the quality and security of their own code in comparison to the security updates. And then get their clients breached because of it. I've had to clean up such messes.

    Whilst overrides seem to be a good shortcut feature to better functionality, we are left with designers (who generally have little to no security knowledge about Joomla) hacking override templates to pieces, exposing new security holes.

    The multiplication of work and effort in order to patch and secure everything due to the overrides also presents a quandary.

    If it's creating more work at the expense of security, is the override system an overall positive or negative at the end of the day?
  • Emerson Rocha Luiz · 5 months ago
    I agree with Thomas. Maybe if they put on some page the aspects that were changed in each release, it could help final users pay attention to some special aspect, and probably give feedback faster or even avoid problems.

    It's OK that we have a Bug Squad on Joomla that does good work, but maybe for Joomla they need MORE help, and giving information about problems and how they solve them can help a bit better.

    For now, at least in the last releases, people do not have even one page with a more detailed changelog, which could keep users from starting to think that keeping Joomla up to date quickly can simply cause them a problem.
  • Rick · 5 months ago
    Perhaps the issue is template overrides should be made in a way that won't affect the security of the site.
  • Rick · 5 months ago
    Meaning....it's a view....there shouldn't be any DB calls or the like in it. Right?
  • Brian Teeman · 5 months ago
    Rick, if you look at the template override changes in the last 2 releases of Joomla you will see that both of them have modifications to protect your site from XSS and SQL injection vulnerabilities.
  • Rick Blalock · 5 months ago
    Yeh, I know about the changes. But my point is, if at all possible, there shouldn't be things in the view that would allow for these types of vulnerabilities. You're absolutely right about updating Joomla. I use overrides extensively and have used the Beez overrides for many a site so it's annoying to have to go through that stuff.

    Ideally, the view won't have anything BUT html markup and stay away from opening up the system from within the view.
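
The release-to-release diff mentioned in the thread, narrowed to the files that matter for overrides, as an added example that is not part of the original comments or Joomla's own tooling. It assumes the Joomla 1.5-style frontend mapping of `components/com_x/views/<view>/tmpl/<layout>.php` and `modules/mod_x/tmpl/<layout>.php` to `templates/<template>/html/...`; the function names, the `mytpl` template and the sample files are constructed for illustration.

```python
import filecmp
import re
import tempfile
from pathlib import Path

# Core layout path -> override path under templates/<template>/html/ (assumed Joomla 1.5 layout).
CORE_LAYOUT = re.compile(r"^(?:components/(com_[^/]+)/views/([^/]+)|modules/(mod_[^/]+))/tmpl/([^/]+\.php)$")

def override_relpath(core_rel):
    """Return the override path (relative to templates/<tpl>/html) or None."""
    m = CORE_LAYOUT.match(core_rel)
    return "/".join(g for g in m.groups() if g) if m else None

def changed_layouts(old_release, new_release):
    """List core layout files that are new or differ in the new release."""
    old, new = Path(old_release), Path(new_release)
    rels = sorted(p.relative_to(new).as_posix() for p in new.rglob("*.php"))
    return [r for r in rels if override_relpath(r) and not (
        (old / r).is_file() and filecmp.cmp(old / r, new / r, shallow=False))]

def stale_overrides(old_release, new_release, site_root):
    """Return (override, core_file) pairs that need manual review after updating."""
    findings = []
    for core_rel in changed_layouts(old_release, new_release):
        for html_dir in sorted((Path(site_root) / "templates").glob("*/html")):
            candidate = html_dir / override_relpath(core_rel)
            if candidate.is_file():
                findings.append((candidate.relative_to(site_root).as_posix(), core_rel))
    return findings

def demo():
    """Build constructed sample trees (not real Joomla files) and scan them."""
    root = Path(tempfile.mkdtemp())
    core = "components/com_content/views/article/tmpl/default.php"
    files = {
        f"old/{core}": "<?php echo $this->article->title; ?>",
        f"new/{core}": "<?php echo $this->escape($this->article->title); ?>",
        "old/modules/mod_login/tmpl/default.php": "<?php /* unchanged */ ?>",
        "new/modules/mod_login/tmpl/default.php": "<?php /* unchanged */ ?>",
        "site/templates/mytpl/html/com_content/article/default.php": "<?php echo $this->article->title; ?>",
        "site/templates/mytpl/html/mod_login/default.php": "<?php /* override */ ?>",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return stale_overrides(root / "old", root / "new", root / "site")

if __name__ == "__main__":
    for override, core in demo():
        print(f"review {override}: core layout {core} changed in the new release")
```

Each reported override still carries the old layout code and has to be compared by hand against the changed core file; the script only tells you where to look.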