Upgrade Now Front End Message

[craigf136]

Why? I thought front end message was going to be licence key related - no mention of use advising about updates etc. When message is dismissed, how long is it dismissed for? who is this message visible to?

 

[Tripp★]

As far as I am aware it's only visible to Administrators. See: https://community.invisionpower.com/release-notes/410-r24/

Quote

Upgrade process

• New upgrade process where new files are downloaded and installed automatically when possible.
• Option to set email address for notifications when an upgrade is available
• Banner shown to admins on the front end when an upgrade is available. It can be dismissed except for security updates.

 

[VizionDev]

46 minutes ago, Tripp_UK said:

As far as I am aware it's only visible to Administrators.

Correct.

1 hour ago, craigf136 said:

When message is dismissed

You should actually go through with the update, instead of trying to dismiss it, the new version addresses multiple issues

[VizionDev]

49 minutes ago, Tripp_UK said:

New upgrade process where new files are downloaded and installed automatically when possible.

Always good to know that files can be deployed to my server without knowledge.

Reminds me of a security convention where the main topic was regarding an ISP's master server that would achieve the same for pushing configurations and an employee distributed malware through it thus gaining control of every router assigned to that CVC.

[craigf136]

It's visible on my custom theme to all staff, admin moderators, chat mods and had reports that some members are all seeing the message.

5 hours ago, VizionDev said:

Correct.

You should actually go through with the update, instead of trying to dismiss it, the new version addresses multiple issues

I know what we should be doing but deploying the update when we are good and ready to deploy it. it's already on 4.1.3.1 which is addressing some update issues.

[Charles]

12 hours ago, VizionDev said:

Always good to know that files can be deployed to my server without knowledge.

This is not true. Please do not spread false information. No files can be deployed on your server without your knowledge.

[tekguru]

12 hours ago, VizionDev said:

You should actually go through with the update, instead of trying to dismiss it, the new version addresses multiple issues

I'm not going anywhere near it. I spent weeks waiting for a decent portal display (Pages = templates & blocks) to be available for 4.0.x and I believe that breaks with 4.1.x, so I'm not moving until that works. Amazes me how a few templates in pages can get screwed up with a 'point' update. For me this is as bad as migrating from 3.8.x all over again. I simply can't afford the time investment to get Pages workable again!

[VizionDev]

6 hours ago, Charles said:

This is not true. Please do not spread false information. No files can be deployed on your server without your knowledge.

I'm aware, if there wasn't an edit lockout it'd be adjusted. Sometimes it would be good to be a lot clearer in details because I was not the only one who had the same thought, just the only one who said something - my apologies.

[craigf136]

I know an update exists and yes I will install it but when we are on our biggest night of the year (game launch night) I'm not taken the forum offline to install and update.

Why does it not have a dismiss option and then reappear after a set time?

[Lindy]

1 hour ago, craigf136 said:

I know an update exists and yes I will install it but when we are on our biggest night of the year (game launch night) I'm not taken the forum offline to install and update.

Why does it not have a dismiss option and then reappear after a set time?

Because we don't want you to dismiss critical notices. Standard update notices can be dismissed. Those that contain security updates cannot be dismissed without actually upgrading. We learned a lot with IP.Board -- including not being pushy enough about security updates... leading to your community to be compromised, you being angry, no backup and a 6 page support ticket. We try to allow as much flexibility as possible but we're not going to be flexible on pushing security updates -- critical updates will stay in your face until you update; that's the point... they're not "eh, I'll get that this weekend" kind of things. 

Your community getting compromised is not only an inconvenience to your users and a poor reflection on your community... it's also a poor reflection on us as the developers of the software. We do our part to protect you and with IPS4 - there's no room for "I didn't get a security notice from you by e-mail" or "not all of us login to our AdminCP every day" or "I didn't realize it was that serious." If you get the red box and can't dismiss it -- it's not a "when you feel like it" update. WAI. :)

[Koby]

Looks like clients are likely to just use something like adblock to hide it then and then they'll never see it. So not giving them a close button is a pretty bad decision overall. No one likes feeling forced into something.

[Lindy]

2 hours ago, Koby said:

Looks like clients are likely to just use something like adblock to hide it then and then they'll never see it. So not giving them a close button is a pretty bad decision overall. No one likes feeling forced into something.

I know I am immensely annoyed when I'm forced into things that are for my own protection. Like pesky seatbelts. Had it not been for GM and their ding, ding, ding, ding chimefest - I may have been able to ignore that ridiculous warning and common sense last week. Instead, I took the hard way out and buckled up... then GM and the laws of physics took the power of choice away from me and I ended up with a concussion instead of being ejected from my vehicle, garnering some fresh air and plunging through the windshield of another vehicle to brighten someone else's day too. Grrr... I hate feeling forced into things.  

Ok - an admittedly extreme analogy for dramatic effect, but the point stands. We're not putting ads for men's vitamin supplements on your community and "forcing" you to look at them... we're putting a warning on your community indicating there's a critical security update that needs to be applied to minimize the risk to you and your users. I would really like to hope that most would click "update." 

Ultimately, if you want to rebel against a red box and expose your community to a security risk out of spite - I guess I can't stop you any more than GM can stop you from defeating their seat belt warning chime and flashing light. We did our part as the manufacturer to make it very obvious and say "in case you didn't realize it, you should really buckle up" - if you want to "defeat" the warning, well that's certainly unfortunate for you and your users.

 

Recap: Standard upgrade boxes can be closed/dismissed. Critical/security update boxes cannot.

[VizionDev]

5 hours ago, craigf136 said:

I know an update exists and yes I will install it but when we are on our biggest night of the year (game launch night) I'm not taken the forum offline to install and update.

Why does it not have a dismiss option and then reappear after a set time?

It only appears for yourself and other administrators, not for the users. Just ignore it until you find a suitable time to do it that won't cause any negative affect on your community.

Overall downtime is generally less than 5 minutes anyway.

It comes down to this - if you want your forum secure, and safe from the latest security exploits and very real and extreme risks that pose against your community. Hit the update button, it's there to save your community not to annoy you.

Realistically the X should have a confirm popup "Ignoring this update voids any warranty or compensation that may otherwise of been considered if you updated" to reiterate the importance of a security update

[Koby]

Well hell, I had a long post written up but the editor just up and lost it all.

[craigf136]

6 hours ago, Lindy said:

Because we don't want you to dismiss critical notices. Standard update notices can be dismissed. Those that contain security updates cannot be dismissed without actually upgrading. We learned a lot with IP.Board -- including not being pushy enough about security updates... leading to your community to be compromised, you being angry, no backup and a 6 page support ticket. We try to allow as much flexibility as possible but we're not going to be flexible on pushing security updates -- critical updates will stay in your face until you update; that's the point... they're not "eh, I'll get that this weekend" kind of things. 

Your community getting compromised is not only an inconvenience to your users and a poor reflection on your community... it's also a poor reflection on us as the developers of the software. We do our part to protect you and with IPS4 - there's no room for "I didn't get a security notice from you by e-mail" or "not all of us login to our AdminCP every day" or "I didn't realize it was that serious." If you get the red box and can't dismiss it -- it's not a "when you feel like it" update. WAI.

I fully appreciate that Lindy, I was bit P***ed off last night, our biggest night of the year and three things have happened.

• Activity streams is broken, profiles are broken, Mod CP is broken 
• The security update message constantly staring you in the face, you can't take the site offline on the most active night of the year
• The game launched with the biggest aspect of it for us/me being broken (at 38 it shouldn't bother me but it did last night)

Apologies, it was a bit of a rant as I was a bit p***ed off but all I wanted to do was dismiss it, the ACP has the info available and it could return every few hours front end and "all" our staff can see it.

[Tracy Perry]

Funny... we have a notifications system in place that would have seemed to have been ideal for that.  And you could make it an alert that could not be dismissed and always showed as a "new" one.  Would have been much less intrusive, and could be set to be directed at specific users.

[Hexsplosions]

I'm grateful for the notification. It took me 5 minutes to perform a backup, a minute to take the site offline, 2 minutes to apply the update, 1 minute to pat myself on the back for a job well done, and another minute to put everything back online.

Sometimes I think admins like to make a mountain out of a molehill.

[Charles]

I personally think us being very proactive about encouraging security updates is a really good thing. Back in the 3.x days it was not nearly that apparent. Now you always know if you're missing out on an important update.

[craigf136]

1 hour ago, Evil Edwina said:

I'm grateful for the notification. It took me 5 minutes to perform a backup, a minute to take the site offline, 2 minutes to apply the update, 1 minute to pat myself on the back for a job well done, and another minute to put everything back online.

Sometimes I think admins like to make a mountain out of a molehill.

I'm not making a mountain out of a molehill, far from it.

Put it this way, on the biggest day of your communities year and 3 year game cycle, would you risk taking your site offline to perform a security update? I have issues witht the activity stream, mod cp, user profiles which need to be addressed - I'm desperate to have them fixed but I'm not risking downtime as a result and the update going pear shaped (as thta's probably what would happen knowing my luck).

[Flitterkill]

Tracy Perry brings up a good idea. A flagged, permanent-until-upgraded notification would do the trick as well. I would combine both the front end message (but dismiss-able) with the perma-notification. You could even css the critical notification and wrap it in a red background, etc.

@someone.... When you say the message is for administrators only is that for the single distinct user group "Administrators" or for any/all that have ACP access?

[Hexsplosions]

9 hours ago, craigf136 said:

Put it this way, on the biggest day of your communities year and 3 year game cycle, would you risk taking your site offline to perform a security update?

Yes, I would. My users security is paramount and I will always put it before anything else. When it comes to security it is always an easy decision. Even if you do not want to do the update there and then, the fact that the message is visible only to your admins means the display of it shouldn't have caused an issue. There's a lot of quite pointless whining in this thread over the display of a message that, ultimately, is only visible to a select few.

[chilihead]

If it's only security updates you can't dismiss, that is a good thing. If you dismiss it, and think "oh I'll do it tomorrow," tomorrow rolls around and you forget (because of no notification), then, you can go for days or weeks with a vulnerable site. Security updates should be installed asap.

[chilihead]

Perhaps they should limit it to critical updates only. 4.1 was released as a security update, but the security update was noted as not critical. Just an idea. But I can see why they do all. Security is security.

[craigf136]

I would normally, but with previous releases and fixes, something doesn't work and 4.1.3.1, then 4.1.3.2 is released etc and having any downtime as a result of a bug (not security fix) but a bug is critical & we are already diminished because we have no Mod CP, we have no activity stream, we have no user profiles accessible and risking the site being down because of the security issue - was a risk I was prepared to take.

The message irrespective of how it appears is available to Admins but also moderators with ACP access and that shouldn't be the case. We where told admins only and it's not.

[Koby]

36 minutes ago, craigf136 said:

I would normally, but with previous releases and fixes, something doesn't work and 4.1.3.1, then 4.1.3.2 is released etc and having any downtime as a result of a bug (not security fix) but a bug is critical & we are already diminished because we have no Mod CP, we have no activity stream, we have no user profiles accessible and risking the site being down because of the security issue - was a risk I was prepared to take.

The message irrespective of how it appears is available to Admins but also moderators with ACP access and that shouldn't be the case. We where told admins only and it's not.

If a mod has ACP access, they're not a mod. Mods only have MCP access.

Only admins have ACP access; if you have given your 'mods' the ability to access it, then you're technically referring to them incorrectly about their position as you're calling your admins simply 'mods'.