It should be possible to disable the whole extension installation feature (Extension manager, File->Open of oxt file, Doubleclick in file manager). Firefox has a preference for this, which is not accessible from GUI (only about:config). Would be nice to have something like this for LibreOffice, too, so I may disable extension installation most of the time, only enable it for a short time to, for example, install a new dictionary and then disable it, again.
[This is an automated message.] This bug was filed before the changes to Bugzilla on 2011-10-16. Thus it started right out as NEW without ever being explicitly confirmed. The bug is changed to state NEEDINFO for this reason. To move this bug from NEEDINFO back to NEW please check if the bug still persists with the 3.5.0 beta1 or beta2 prereleases. Details on how to test the 3.5.0 beta1 can be found at: http://wiki.documentfoundation.org/QA/BugHunting_Session_3.5.0.-1 more detail on this bulk operation: http://nabble.documentfoundation.org/RFC-Operation-Spamzilla-tp3607474p3607474.html
Dear bug submitter! Due to the fact, that there are a lot of NEEDINFO bugs with no answer within the last six months, we close all of these bugs. To keep this message short, more infos are available @ https://wiki.documentfoundation.org/QA/NeedinfoClosure#Statement Thanks for understanding and hopefully updating your bug, so that everything is prepared for developers to fix your problem. Yours! Florian
it is RFE
Thanks for reporting! I think this is a pretty good enhancement request :-). I see this is initially reported in 2011 ... we do feel sorry about that. But we're trying to reduce our outstanding 'unconfirmed' list as best as possible. Kind regards, Joren
Do we have something like Mozilla's "about:config" which is not accessible through regular GUI? (A central config file directly accessible within cpp?) And I am not against it but IMHO, this doesn't seem to be a security feature to me. It just makes the option harder to access.
(In reply to Muhammet Kara from comment #8) > Do we have something like Mozilla's "about:config" which is not accessible > through regular GUI? (A central config file directly accessible within cpp?) We have the expert config in Settings->Advanced. That should be used for something like this. See https://cgit.freedesktop.org/libreoffice/core/commit/?id=1a032dcfebc2702f0612c470d6b9c3e3cf4fb637 for how to add such an option. I'm not sure how exactly this should be implemented. Maybe we can just disable the buttons (Add, Remove, Enable, Disable) in the extension manager dialog if this setting is set. And display a message like "Extension management has been disabled. Please contact your administrator for more information." or something like that. Of course users would still be able to install via the command line using unopkg. I'd limit the scope here only to the GUI.
(In reply to Samuel Mehrbrodt (CIB) from comment #9) > (In reply to Muhammet Kara from comment #8) > > Do we have something like Mozilla's "about:config" which is not accessible > > through regular GUI? (A central config file directly accessible within cpp?) > > We have the expert config in Settings->Advanced. That should be used for > something like this. See > https://cgit.freedesktop.org/libreoffice/core/commit/ > ?id=1a032dcfebc2702f0612c470d6b9c3e3cf4fb637 for how to add such an option. Sweet. I guess we can add an options like AllowExtensionInstallation under .Office.Security, or AllowInstallation under .Office.ExtensionManager > > I'm not sure how exactly this should be implemented. Maybe we can just > disable the buttons (Add, Remove, Enable, Disable) in the extension manager > dialog if this setting is set. > And display a message like "Extension management has been disabled. Please > contact your administrator for more information." or something like that. > > Of course users would still be able to install via the command line using > unopkg. I'd limit the scope here only to the GUI. I agree with you on keeping the scope only to the GUI. If we disable the buttons, we can add a notice somewhere on the extension manager. Or we leave the buttons clickable, and show a message whenever the user clicks on them.
(In reply to Muhammet Kara from comment #10) > I agree with you on keeping the scope only to the GUI. If we disable the > buttons, we can add a notice somewhere on the extension manager. Or we leave > the buttons clickable, and show a message whenever the user clicks on them. Disable the buttons and add a text label notice above the buttons in red (which of course is hidden when extension installation is enabled) stating that the feature has been disabled in expert configuration. @Dave: Any thoughts?
First we should verify the use case. I guess we talk about an enterprise scenario where employees must not install unsafe extensions or unbranded templates. In this case I would expect that the extension manager links to a local repository instead of the official with full control from the admins. For downloaded extensions when it lacks on a certain value, e.g. description.xml: RequiredOrigin=Foobar.org, the installation is _temporarily_ not possible. Otherwise, when the installation is permanently disallowed, access to the dialog should be disabled (hide the menu item) and unopkg should fail with a clear message. What I wouldn't do is to explain the UI with static text. Either it's clear from the workflow why a control is disabled or the tooltip gives further hints. The red text is a very strong error message pointing to a dangerous situation like data loss.
(In reply to Heiko Tietze from comment #12) > First we should verify the use case. I guess we talk about an enterprise > scenario where employees must not install unsafe extensions or unbranded > templates. In this case I would expect that the extension manager links to a > local repository instead of the official with full control from the admins. > For downloaded extensions when it lacks on a certain value, e.g. > description.xml: RequiredOrigin=Foobar.org, the installation is > _temporarily_ not possible. Otherwise, when the installation is permanently > disallowed, access to the dialog should be disabled (hide the menu item) and > unopkg should fail with a clear message. > > What I wouldn't do is to explain the UI with static text. Either it's clear > from the workflow why a control is disabled or the tooltip gives further > hints. The red text is a very strong error message pointing to a dangerous > situation like data loss. I have looking around, and consulting others, it looks like disabling the menu item would be very complicated (if possible). From the original description, it seems like that this is not necessarily an enterprise scenario. Regular users may also want to prevent "easy" (or accidental) installation of new extensions. And here is my proposal: - Disable the "add" button on the extension manager when a certain boolean value is set in the expert configuration, and give info via a tooltip message. - Also disable installation by double clicking an extension in the file manager, and give a clear message about why it cannot be installed. This way, the installation is temporarily disabled, user is informed about the situation, and the user also is able to monitor the current status of the installed extensions. Furthermore, we can do the same for other buttons/functionalities (removing extensions, altering extensions (via 'options') etc.) What do you think?
(In reply to Muhammet Kara from comment #13) > And here is my proposal: > - Disable the "add" button on the extension manager when a certain boolean > value is set in the expert configuration, and give info via a tooltip > message. > - Also disable installation by double clicking an extension in the file > manager, and give a clear message about why it cannot be installed. > > This way, the installation is temporarily disabled, user is informed about > the situation, and the user also is able to monitor the current status of > the installed extensions. > > Furthermore, we can do the same for other buttons/functionalities (removing > extensions, altering extensions (via 'options') etc.) > > What do you think? Sounds good. But don't forget the unopkg command-line option to add, validate, remove, reinstall, and list extensions.
(In reply to Muhammet Kara from comment #13) > What do you think? +1
(In reply to Heiko Tietze from comment #14) > (In reply to Muhammet Kara from comment #13) > > And here is my proposal: > > - Disable the "add" button on the extension manager when a certain boolean > > value is set in the expert configuration, and give info via a tooltip > > message. > > - Also disable installation by double clicking an extension in the file > > manager, and give a clear message about why it cannot be installed. > > > > This way, the installation is temporarily disabled, user is informed about > > the situation, and the user also is able to monitor the current status of > > the installed extensions. > > > > Furthermore, we can do the same for other buttons/functionalities (removing > > extensions, altering extensions (via 'options') etc.) > > > > What do you think? > > Sounds good. But don't forget the unopkg command-line option to add, > validate, remove, reinstall, and list extensions. As this feature is for use of advanced users (or admins), disabling the unopkg commands seems unnecessary since it can be enabled/disabled via the expert configurations. Moreover, advanced users (or admins) might want to be able to add/remove extensions while preventing the regular users from installing/removing extensions.
Muhammet Kara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=99b7c4f57d7fe3cac772cce38e2dd6879e128315 tdf#36019: Dynamically enable/disable extension installation via GUI It will be available in 5.4.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Muhammet Kara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=f09be32d0fcb176527b41cedc37814d5ed7ccad5 tdf#36019: Dynamically enable/disable extension removal via GUI It will be available in 5.5.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
It is now possible to enable/disable extension installation and removal via GUI by using the corresponding properties of the reference "ExtensionSecurity" in the expert configurations.
(In reply to Muhammet Kara from comment #19) > It is now possible to enable/disable extension installation and removal via > GUI by using the corresponding properties of the reference > "ExtensionSecurity" in the expert configurations. Cannot confirm the removal. Self compiled after pull. Add is disabled ("unopkg add <file>" still works), the tooltips says why, but Remove is still enabled and possible. Version: 5.5.0.0.alpha0+ Build ID: e558edc24f593d9ef2905adb8ab7677c1dab1fac CPU threads: 8; OS: Linux 4.10; UI render: default; VCL: kde4; Locale: en-US (en_US.UTF-8); Calc: group Adding also Olivier for documentation.
(In reply to Heiko Tietze from comment #20) > (In reply to Muhammet Kara from comment #19) > > It is now possible to enable/disable extension installation and removal via > > GUI by using the corresponding properties of the reference > > "ExtensionSecurity" in the expert configurations. > > Cannot confirm the removal. Self compiled after pull. Add is disabled > ("unopkg add <file>" still works), the tooltips says why, but Remove is > still enabled and possible. > > Version: 5.5.0.0.alpha0+ > Build ID: e558edc24f593d9ef2905adb8ab7677c1dab1fac > CPU threads: 8; OS: Linux 4.10; UI render: default; VCL: kde4; > Locale: en-US (en_US.UTF-8); Calc: group > > Adding also Olivier for documentation. I have tested again and "removal" seems okay (disabled/enabled properly) after application restart (just like installation). Could you please test again? Version: 5.5.0.0.alpha0+ Build ID: 0f2981329c6b2cf409a506ad10f1485a8fc7d686 CPU threads: 8; OS: Linux 4.9; UI render: default; VCL: gtk3; Locale: en-US (en_US.UTF-8); Calc: group
(In reply to Muhammet Kara from comment #21) > I have tested again and "removal" seems okay (disabled/enabled properly) > after application restart (just like installation). Could you please test > again? Fresh pull, new compilation, same result. The button is enabled while the tooltip says removal wouldn't be possible and I should contact the admin. And when I click the button the extension is removed. Version: 5.5.0.0.alpha0+ Build ID: 2a3e763e99207b1354ed349bcbbf439721f08c14 CPU threads: 8; OS: Linux 4.11; UI render: default; VCL: kde4; Locale: en-US (en_US.UTF-8); Calc: group
Tested again and successfully this time. Add/remove have different entries in the advanced options, both should be set to true in order to prevent changes to extensions. The user can still disable/enable the installed extension what might be appreciated for some users. The buttons are disabled with specific tooltips, unopkg works independ from the setting. Version: 5.5.0.0.alpha0+ Build ID: 0bebf37bac076a56801ef7d1c113f729b12b9f46 CPU threads: 2; OS: Linux 4.11; UI render: default; VCL: gtk2; Locale: de-DE (en_US.UTF-8); Calc: group
Muhammet Kara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=99841f1fd2bf22bca7dcc7e05fc1f91d612d5343 tdf#36019: Fix tooltip It will be available in 5.5.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Muhammet Kara committed a patch related to this issue. It has been pushed to "master": http://cgit.freedesktop.org/libreoffice/core/commit/?id=18cf49580846c176f2c93d0072ee9de96b129a26 tdf#36019: Disable context menu entry for extension removal properly It will be available in 5.5.0. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Muhammet Kara committed a patch related to this issue. It has been pushed to "libreoffice-5-4": http://cgit.freedesktop.org/libreoffice/core/commit/?id=5cae6a08a13ab0842826989eb5b840746be494a2&h=libreoffice-5-4 tdf#36019: Enable/disable extension installation and removal via GUI It will be available in 5.4.0.1. The patch should be included in the daily builds available at http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: http://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.