Closed
Bug 333012
Opened 18 years ago
Closed 14 years ago
Locked extensions should not be able to be disabled
Categories
(Toolkit :: Add-ons Manager, defect)
Toolkit
Add-ons Manager
Tracking
()
VERIFIED
INVALID
People
(Reporter: mkaply, Unassigned)
Details
Attachments
(1 file)
673 bytes,
patch
|
robert.strong.bugs
:
review-
|
Details | Diff | Splinter Review |
Currently there is a mechanism to lock a system extension so it can not be uninstalled. However, it can still be disabled. If an extension is locked, it should not be able to be disable either.
Reporter | ||
Comment 1•18 years ago
|
||
basically just add the check that we use for uninstall to disable.
Comment 2•18 years ago
|
||
locked means that the extension is updated with the application, it does not mean that the user shouldn't be able to disable it.
Updated•18 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Reporter | ||
Updated•18 years ago
|
Attachment #217442 -
Flags: review?(robert.bugzilla)
Comment 3•18 years ago
|
||
Actually, appManaged means an extension is updated with the application. Locked has been used for preventing uninstall but the full behavior / use cases for locked has not been afaik thought out or implemented. Ben may be able to shed some light on this. Michael, is this something you need and if so, can you provide the use case? I'd like to have at least some of the use cases for locked defined before it is implemented further.
Reporter | ||
Comment 4•18 years ago
|
||
Use case is the client customization kit (http://www.mozilla.org/projects/cck/firefox) For corporate browser deployments it would be useful to have extensions installed that can be updated but cannot be uninstalled/disabled. The alternative here is to use hidden which works, but then the extension can't be updated.
Comment 5•18 years ago
|
||
I wonder if the use case of having an extension that can't be uninstalled and can be enabled / disabled isn't also valid? For example, an extension installed in the application's extensions directory, all users have write access, and the sysadmin doesn't want the extension uninstalled but wants to give the users the ability to disable / enable the extension.
Reporter | ||
Comment 6•18 years ago
|
||
I definitely think this is a use case as well. There might be cases where you want to disable an extension to see if it is affecting browser behavior for instance.
Updated•18 years ago
|
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Comment 7•18 years ago
|
||
I ran this by Ben and his comments were in support of preventing disable for locked extensions. It can still be disabled in safe mode for testing whether it is affecting the app's behavior. I'd like to think this through a bit more but my initial thought is it is appropriate to do this. I also want to verify that the safe guards are in place so this doesn't apply to extensions installed into the profile. One edgecase this will create is that the user could install the same extension into their profile which will take precedence over the one installed into the app directory and they will then be able to disable the extension. For now, I think preventing uninstalls is handled well enough by the fact that we don't allow uninstalls of extensions that are installed into a location that we don't have write access to. Benjamin, do you have any concerns regarding this?
Reporter | ||
Comment 8•18 years ago
|
||
Incidentally, both the hidden and locked options work for profile installed preferences.
Reporter | ||
Comment 9•18 years ago
|
||
Incidentally, both the hidden and locked options work for profile installed extensions.
Comment 10•18 years ago
|
||
I haven't tested it but it shouldn't be added when using the normal install methods except with locations that are considered restricted http://lxr.mozilla.org/seamonkey/source/toolkit/mozapps/extensions/src/nsExtensionManager.js.in#7093
Reporter | ||
Comment 11•18 years ago
|
||
true, but any extension is free to add hidden and locked to it's own entry in the extension RDF by explicitly manipulating the data source. I tried this and it worked.
Comment 12•18 years ago
|
||
Yes, as well as do many other things. Also, the file can be hand edited to make this happen. I could make the datasource always return false for addons installed into the profile directory but I see little point in doing so. The same extension that could modify the datasource could also install itself into a restricted location where these values are accepted... or for that matter it could do any number of the other things an extension can do to a system after it is installed.
Comment 13•18 years ago
|
||
In support of Comment #5; if this bug is going to be resolved, would there be a way I could let users chose if they want to disable enable extensions in the global app directory. I suggest they should be able to enable and disable extensions but not uninstall them in a corp environment. If they disable them, it does not affect other users, but if they uninstall them, it affects all users on that pc. regards shivanand sharma Firefox Corporate Deployment Guide http://varun21.googlepages.com/blog.html
Reporter | ||
Comment 14•18 years ago
|
||
That's fair. Basically if a company doesn't want an extension uninstalled or disabled, they can hide it.
Comment 15•18 years ago
|
||
The trouble with that approach is if the extension has options then the options won't be accessible. It is possible to make it so they can't be uninstalled, can be enabled / disabled, and have options available by making the app extensions directory read only for the users of the system.
Comment 16•18 years ago
|
||
I'm fine with doing this but the next bug that is going to be filed is to provide user feedback as to why they can't uninstall. If we are going to prevent disabling of locked extensions the new ui indication should be done preferably at the same time. Would you be willing to do this as well in this patch?
Reporter | ||
Comment 17•18 years ago
|
||
The bummer part here is that we typically replace the description of the extension with the status. so just having a "This extension has been locked by an administrator" as the status, means we lose the description..,
Comment 18•18 years ago
|
||
Not on the trunk and hopefully not on the branch soon either... I fixed that with the ui rewrite (see bug 329045). I'd suggest displaying the same badge as used when an add-on is incompatible, blocklisted, etc. and display the message as a new status message as is done for incompatible, blocklisted, etc.
Comment 19•18 years ago
|
||
Comment on attachment 217442 [details] [diff] [review] Fix for problem I don't want to take this without ui changes since a bug report to provide that would likely follow. I think this is the correct thing to do and a patch that includes the ui changes would be appreciated.
Attachment #217442 -
Flags: review?(robert.bugzilla) → review-
Assignee | ||
Updated•16 years ago
|
Product: Firefox → Toolkit
Comment 20•14 years ago
|
||
We no longer support locked extensions
Status: REOPENED → RESOLVED
Closed: 18 years ago → 14 years ago
Resolution: --- → INVALID
Comment 21•14 years ago
|
||
(In reply to comment #20) > We no longer support locked extensions Michael, would that raise any problem for your extension?
Reporter | ||
Comment 22•14 years ago
|
||
I was biting my tongue. Removing the ability to lock extensions is removing an important enterprise feature. But as long as we have the ability to overlay the add-on manager and manipulate the add-on list there, I'll be able to work around this.
Comment 23•14 years ago
|
||
Dave, so extensions can disable the buttons for their own entry?
Comment 24•14 years ago
|
||
(In reply to comment #23) > Dave, so extensions can disable the buttons for their own entry? Sure, extensions can do whatever they like, however locked extensions are probably better replaced with distribution bundles which don't show up in the add-ons manager at all and so cannot be disabled.
Comment 25•14 years ago
|
||
Thanks Dave. Given that information I verify the bug. Michael, whenever you have problems with CCK please report back.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•