ClassicPress icon indicating copy to clipboard operation
ClassicPress copied to clipboard
verified publisher icon ClassicPress

"Future security updates will be applied automatically" message is not shown

Open nylen opened this issue 7 years ago • 1 comments

Currently, the following code indicating that "future security updates will be applied automatically" will never be triggered:

https://github.com/ClassicPress/ClassicPress/blob/cf5f3de426a92623231ed55053d2c3ae1e94ce14/src/wp-admin/update-core.php#L186-L199

More info about this code path:

https://github.com/ClassicPress/ClassicPress/blob/cf5f3de426a92623231ed55053d2c3ae1e94ce14/src/wp-admin/includes/class-wp-automatic-updater.php#L130-L152

https://github.com/ClassicPress/ClassicPress/blob/cf5f3de426a92623231ed55053d2c3ae1e94ce14/src/wp-admin/includes/class-core-upgrader.php#L318-L330

See also ClassicPress/ClassicPress-v1#156, ClassicPress/ClassicPress#357.

nylen avatar Feb 27 '19 18:02 nylen

This isn't making it in time for 1.1.0.

nylen avatar Sep 15 '19 01:09 nylen

This seems to be code specific to ClassicPress and is intended to display a message that future security updates will be automatically applied.

I have tested through the code as currently implemented and there are a few considerations.

This is hard to test in a clone of the developement code becuase the presence on any indication of version control skips update checks.

The check code from src/wp-admin/update-core.php in $upgrader->should_update() used $wp_version but also appends to the version string so it may looks something like 2.1.1.1.next.minor - I'm not sure why this doesn't use $cp_version, nor when there is a string appended.

$upgrader->should_update() in turn calls Core_Upgrader::should_update_to_version(), passing in a single argument of the current version number.

In src/wp-admin/includes/class-core-upgrader.php, the should_update_to_version() function includes version.php and uses $cp_version from there as the current version and uses the passed version numner as the $offered version. There is also a check on 'WP_AUTO_UPDATE_CORE' passing these three arguments to _auto_update_enabled_for_versions(). In _auto_update_enabled_for_versions(), the passed strings are parsed with regular expressions, the string passed with next.minor appended fails to parse correctly and this results in one level of failure. However the 2 versions compared right back in src/wp-admin/update-core.php will end up both being the current version number, This is because that section of code only runs when ClassicPress in on the current latest version. As such even if the string append step is removed, no version update is detected as available and this is the second reason the update message fails to show.

Possible solutions: 1/ Fix version strings to remove appended string, use $cp_version and extend _auto_update_enabled_for_versions() to compare identical strings for this check to run, this latter step may have unintended consequences though of a perpetual update loop - that would need careful checking. 2/ Bypass the complex process above and instead check 'WP_AUTO_UPDATE_CORE', possible settings for this are null, true, false, major, minor and patch. In the case that this is null, minor updates are the default, so in all cases with the exception of false we can report that security updates should be automatically applied.

mattyrob avatar Aug 05 '24 16:08 mattyrob

That sounds a little ridiculous. I would definitely opt for option 2!

KTS915 avatar Aug 05 '24 17:08 KTS915