ideas icon indicating copy to clipboard operation
ideas copied to clipboard

Published 20 hours ago verified publisher icon statamic

Don’t allow using CP updater in Production

Open duncanmcclean opened this issue 4 years ago • 5 comments

I've seen a few people try to update their sites in production and when it fails, the site goes down.

It might be a good idea to not let people preform Statamic Updates in the CP if the site is in a production environment.

duncanmcclean avatar Oct 30 '20 07:10 duncanmcclean

Personally I think that this would not be a good change, since some less experienced developers might go and change the app environment to local quickly to “update the CP”, which will then dump their credentials if the update bricks their site. I am however a fan of displaying a warning message (maybe even a confirmation pop-up) along the lines of: “Updating the control panel might lead to a broken site, so we recommend doing this on your development environment only. Are you really sure you wish to proceed?” That way the warning is given and it’s up to them. I upvoted your idea nonetheless since I agree with the general idea.

jelleroorda avatar Dec 02 '20 18:12 jelleroorda

I'm surprised more people haven't requested this feature. I think having the ability to disable updating either through a method in code or via an environment variable that can be added to a particular environment's .env file e.g. STATAMIC_DISABLE_CP_UPDATES=true would be incredibly useful, especially where non-developers may have admin access to a production site.

WordPress (and a few other CMS) already have the ability to disable admin panel updates programatically or through their respective configurations.

MeMattStone avatar Oct 11 '22 17:10 MeMattStone

Just noting that we already support permissions around viewing and performing updates, should you not want your users doing certain things like this in the CP...

CleanShot 2022-10-11 at 16 55 03

jesseleite avatar Oct 11 '22 20:10 jesseleite

It's more for super admins that we want to block this ability, having the ability to globally block updates via the admin UI is preferable

MeMattStone avatar Oct 21 '22 07:10 MeMattStone

I know this doesn't actually switch it off, but I usually hide the Updates (and Addons) links on production with this:

if (! app()->environment('local')) {
    Nav::extend(function ($nav) {
        $nav->remove('Tools', 'Updates');
        $nav->remove('Tools', 'Addons');
    });
}

Helps to stop people clicking something they shouldn't.

jacksleight avatar Oct 21 '22 07:10 jacksleight

Closing as the ability to run updates in the Control Panel was removed completely in v4.

duncanmcclean avatar Nov 24 '23 10:11 duncanmcclean