How idiot-proof can SMF be made?

Started by MrPhil, April 29, 2010, 10:54:06 AM


MrPhil

Face it. SMF is easy enough to install that just about anyone with a pulse can get a forum going. Unfortunately, it also means that there are people out there who shouldn't be let near the innards of a forum. That is, they have absolutely no programming skills, yet they are trying to modify PHP code and often failing. Then they come here screaming HELP!!! (all caps) with

"I think I've been hacked!!! There's this code in my file:
if (!defined(SMF))
   die("Hacking attempt!");

What do I do? What do I do??????!!!!!"

or failing to realize that if a PHP string starts with a single quote (apostrophe) ' you can't put an unescaped apostrophe in the middle of the string! Etc., etc. ("What's a string? What's PHP?") And most can't be bothered to do a basic search of the forum for the answer. And many need extensive hand-holding because they just don't get the concepts in programming or databases. I.e., you can't explain a concept once and send them on their way -- you have to hold their hand step by painful step.

It never ceases to amaze me that some of these people actually can remember to keep breathing. OK, perhaps that's a bit unfair to them -- I probably can't do some things that they can do with ease. But the fact remains that many forum operators should not be let near code. So, to focus this rant, can SMF (or any other PHP-based web application) be made absolutely idiot proof? That is, they should be able to install/remove mods or update text without ever having to touch raw PHP code. Ever. Can it be done? It's like welding the hood shut on their car, if they're more likely to do damage fiddling with the engine. Among other things, it would take a built-in editor that can detect text strings and how they're delimited, and look for unescaped quotes (possibly by storing all text strings in the database? what a performance hit that would be!). It would take something more elementary than phpMyAdmin to deal with the database.

Of course, those of us who understand programming will still want to go diving into the code to do custom stuff, but those who can't program should be kept away from code. Can they be locked out/given adequately smart tools to do most jobs for them, without interfering with programmers? The prime example would be a fool-proof mod system. I'd say that at least half the topics on the Support boards involve mods that failed to install properly, or failed to remove properly, or refuse to install at all. We've got to do better than that! How radically would SMF have to be re-architected to make installing or removing a mod a painless, goofproof process? Is it a realistic goal?

The current process depends upon matching segments of code in a file, code that may be altered by another mod. At the very least, SMF should refuse to install a mod if any failures are reported in the pre-install search. Far too many beginners get into trouble because they tell the package manager to go ahead, and then fail to properly manually install the remainder of the code, or omit a database update step. There's also no protection against installing a mod twice. I suppose that mods could be limited to inserting function calls at specified points in the code, but that may be too limited in capability (and the question of mods interacting with each other, depending on the order they're installed, remains). As for removing mods, I think it would be better to build a list of mods being used, and always apply them in one go against a vanilla copy of SMF. If one mod refuses to install, don't install any -- make the admin first pull the failing mod out of the list.

For themes or skins, we need a smart WYSIWYG editor that can update the CSS for you when you drag components around the screen, select colors or background images to use, and perhaps even add new modules for new functions. Is there a plug-in for Firefox that would let you do that, and rewrite the affected CSS file(s)?

Browsing through the Support boards, I could probably come up with lots more specific examples. The question remains: can a PHP-based web application be made idiot proof to update and upgrade, without preventing programmers from doing custom work if they desire? The latter condition implies that source code is available in some format. A single fixed application (think canned software like Word) can be locked down, but something that permits upgrades/updates, skins, themes, language packs, and most of all, "mods", is open to all sorts of trouble when people who shouldn't be messing around with code are forced to do so.

Your thoughts?
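
Added example (not part of the original post and not SMF's package manager code): a sketch of the all-or-nothing install described above, where a list of mods is applied in one go to a vanilla copy, a mod listed twice is refused, and any anchor that fails to match rejects the whole list. The mod format, file name and function names are hypothetical.

```php
<?php
// Hypothetical mod format: an id plus a list of file/search/replace edits.
// This is not SMF's package manager or its package-info format.
function apply_mods(array $vanilla, array $mods): array
{
    $files = $vanilla;   // PHP copies arrays by value; $vanilla stays pristine
    $seen = [];
    $errors = [];
    foreach ($mods as $mod) {
        $id = $mod['id'];
        if (isset($seen[$id])) {            // protection against installing twice
            $errors[] = "$id: listed more than once";
            continue;
        }
        $seen[$id] = true;
        foreach ($mod['edits'] as $n => $edit) {
            $name = $edit['file'];
            if ($edit['search'] === '' || !isset($files[$name])) {
                $errors[] = "$id: edit $n has an empty anchor or unknown file";
                continue;
            }
            // Exactly one match is required: zero means an earlier mod changed
            // the code, two or more means the anchor is ambiguous.
            $hits = substr_count($files[$name], $edit['search']);
            if ($hits !== 1) {
                $errors[] = "$id: edit $n anchor matched $hits times in $name";
                continue;
            }
            $pos = strpos($files[$name], $edit['search']);
            $files[$name] = substr_replace($files[$name], $edit['replace'], $pos, strlen($edit['search']));
        }
    }
    // One failure rejects the whole list; nothing half-installed is returned.
    return ['ok' => !$errors, 'errors' => $errors, 'files' => $errors ? $vanilla : $files];
}

// Constructed sample: one vanilla file and three made-up mods.
$vanilla = ['Example.php' => "function show()\n{\n\tload_page();\n}\n"];
$counter = ['id' => 'view-counter', 'edits' => [[
    'file' => 'Example.php', 'search' => "\tload_page();\n",
    'replace' => "\tcount_view();\n\tload_page();\n"]]];
$cache = ['id' => 'page-cache', 'edits' => [[
    'file' => 'Example.php', 'search' => "\tload_page();\n",
    'replace' => "\tload_cached_page();\n"]]];
$banner = ['id' => 'banner', 'edits' => [[
    'file' => 'Example.php', 'search' => "\tload_page();\n",
    'replace' => "\tload_page();\n\tshow_banner();\n"]]];

// page-cache removes the line banner anchors on, and view-counter is listed twice.
$all = apply_mods($vanilla, [$counter, $cache, $banner, $counter]);
var_dump($all['ok']);
print_r($all['errors']);
var_dump($all['files'] === $vanilla);

// With the failing entries pulled from the list, the remaining mods apply cleanly.
$fixed = apply_mods($vanilla, [$counter, $cache]);
var_dump($fixed['ok']);
echo $fixed['files']['Example.php'];
```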

Arantor

Cue everyone pointing to WordPress.

It fits most criteria - friendly WYSIWYG editor, mods that don't require matching code segments and so on.

But 1) it's a lot simpler application in the scheme of things, 2) it pays dearly for such simplicity, both in terms of what can be customised and in performance terms.

It's all too easy to kill a WP installation with lots of mods which have to do their own DB work as opposed to using central resources, and the worst case I ever saw was a WP site running 400 queries Every Single Page. But it is a lot more restrictive in terms of functionality in what you can actually do with it as a result of modding; you can bolt quite literally anything into SMF with a little work, the same cannot be said so easily of WP.

I would also note that a lot of the discussion about mods vs plugins vs flexibility vs functionality and balancing all this was held months ago by the Phoenix/Yourasoft folks and I don't recall any really good answer coming out of it.

Even in a 'locked down' app like Word you can still get and write plugins for it (heck, I spent months engineering applet type stuff in Excel, including the primary stock control we had at my old company, though I only had the "joy" of maintenance)

I hear what you're saying but I don't see how to reconcile the need for simplicity with the power of true customisation.

In fact, I'm very much of the opposite side of the fence; I remember when to make a website you actually had to *learn* something, and to a point I'd actually like to see that mentality return somewhat.

It's like driving a car or riding a bike; you get to know it, and if it isn't performing right, odds are you'll pop the bonnet and have a look, or examine the thingamajigs and doodleflips. I'd love to see a similar mentality occurring here, really. I am a firm believer that if you're going to invest time and energy in something like a site, you really should invest some time and energy in understanding the mechanics at least a little.

I'm not suggesting that every forum owner learn advanced PHP and be capable of writing any mod known to mankind, but I do believe that forum owners/administrators should learn the absolute basics.

Kenny01

You're right Arantor.

You can't learn without damaging, as you can't learn how to walk without falling.

I crashed several of my forums before learning the admin game, now I have a very big and stable board.

青山 素子

One way to solve the problem is to go completely object-oriented. To add functionality, you can extend a class. Of course, this has a huge potential for killing modification developers since they would all have to wrap their heads around your object structure and most of the people developing modifications for SMF are not anywhere near experienced or dedicated enough to learn all the framework required for even a small change. With this method, you also have the potential for performance issues.

The next possibility is to add "hooks" like other products do. Unfortunately, unless you design these smartly in the flow or add something for each line, it becomes restrictive as to what modifications can do when using that system. Heck, even with being smart in location or just scattering things over the place, you'll still likely run into situations where you need something else.

Yet another possibility is to support both "hook" and inline-edit methods. The problem here is that you will get a lot of people doing direct code edits and you'll run into the same problems of conflicting code edits.

In conclusion, the best solution for flexibility without conflicts is going the object-oriented way, but you also cut down the number of people who will be able to work in that model. If you want to allow flexibility while encouraging beginners to customize things, you'll almost have to allow direct code edits and the possible issues that can bring.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Arantor

MC: On OOP, it would basically kill the modding community here. And even then you don't really solve the problem, in fact. You just end up with multiple mods trying to extend the same class in different ways and get into trouble that way.

青山 素子

Quote from: Arantor on April 29, 2010, 01:12:38 PM
On OOP, it would basically kill the modding community here.

Indeed it would. I thought I put that in my post above.


Quote from: Arantor on April 29, 2010, 01:12:38 PM
And even then you don't really solve the problem, in fact. You just end up with multiple mods trying to extend the same class in different ways and get into trouble that way.

Yeah, it's not a panacea, but it would prevent certain types of problems from occurring. Unfortunately, it has its own negatives.


Arantor

You did, I just wanted to make it clear that we weren't talking about a reduction in the community, it would basically die, because the number of programmers around here that can build something in OOP generally is far too low, and I don't see it encouraging experienced programmers from outside the current ecosystem much either.

kat

The other side of the coin is that people like me, who knew absolutely zilch about PHP, learn from such things. I knew BASIC, AMOS and a bit of REXX, though, so I had a basic (No pun intended) feeling for program structure and stuff.


The people that piss me off are those that don't even try anything, before coming in and asking/demanding help.

Arantor

*nods* BASIC, AMOS and REXX are great languages in their own way - and you can learn some of the techniques that underpin PHP from them (particularly AMOS, with its Procedures that are very much the same as PHP functions, right down to passing values, scope and everything else)

Quote from: Kat on April 29, 2010, 01:49:35 PM
The people that piss me off are those that don't even try anything, before coming in and asking/demanding help.

Those are the people that get me so irate - and they're the people who get abusive if you encourage them to help themselves first.

kat

In a way, it's a shame that the old "Type code in from a magazine" days are long gone.

MrPhil

Quote from: Arantor
I hear what you're saying but I don't see how to reconcile the need for simplicity with the power of true customisation.

In fact, I'm very much of the opposite side of the fence; I remember when to make a website you actually had to *learn* something, and to a point I'd actually like to see that mentality return somewhat.

I think the days are long past when people would put up with having to learn coding in order to get a site up. Most people want a canned solution, and either can not or will not learn programming. I understand their point -- I use Linux to a degree, but I'm no fanatic about it. I don't care to devote all my waking hours to studying and extending it and compiling kernels. It's just a tool to get a job done. Likewise, they see a forum like SMF as a tool to accomplish some task, not a hobby in and of itself. They want to run a community of some sort and talk to other people, and couldn't care less what the tool is.

To continue with your automotive simile, in the old old days you had to be a mechanic to keep a car running (chauffeur comes from the French for "fire stoker", the guy who shoveled coal into a Stanley Steamer's boiler). Over the decades, cars became more reliable and automated, until today you rarely have to pop the hood/bonnet to do anything (and most car owners would be totally lost trying to find their way around all the gizmos/hoses/pipes of a modern engine compartment). Hell, I majored in mechanical engineering, and I leave almost all the maintenance on my car to the local garage, as I don't have the tools, manuals, or specialized training to confidently tackle most things. If I had to be in there twiddling the points on a weekly basis, I might reconsider.

Where do web sites come in on the automotive timeline? I think they're still back in maybe the 1920s or 30s. Much of the time they'll get you from Point A to Point B without trouble, but if something goes wrong, you have to really dive into its innards. And routine maintenance can still be an adventure, requiring intimate knowledge of the site's coding and inner systems. Unfortunately, that's in conflict with the SMF-as-tool viewpoint. We need forum owners to be part-time mechanics (programmers), but they're not interested. As long as that's true, I think that will limit the appeal of SMF.

The whole point of my opening post was that we require forum owners to have some familiarity with programming in order to modify it, or do anything but the most mundane day-to-day operations. And most forum owners do not have such skills (or the desire/capability to learn them), so what can we do to lift the burden? Of course, this brings up the matter that people are used to taking their cars to a mechanic, and paying dearly for the privilege, but just try charging for service on a piece of free software!

Quote from: Kat
In a way, it's a shame that the old "Type code in from a magazine" days are long gone.

The ones where they actually gave high level (BASIC) or Assembly code, or the ones where they fed hundreds of numeric byte code values into a BASIC utility to create a file? At least with the former, you had a chance to study and understand the code, and maybe learn something. With the latter, the premium was on very careful typing. In neither case did you particularly have to know any computer science in order to get the thing running.

Arantor

Actually, you citing Linux is a great example.

I'm the kind of person that would probably go off and learn to compile kernels etc (been there, done that, in fact) but my point is that people don't even want to look at the command line, much less get in and look around, and that's something I think needs to change.

What I'm getting at is that while SMF is a tool, and largely a well built one, any tool needs time and energy to get used to it, to get the best out of it, and if it's a tool you plan to use on any kind of basis, surely you'd go and invest some time in getting to know it better? That's the part I have trouble with - too many people want to use it as a tool but don't want to invest the time in getting to know it.

Result: you have people using the digital equivalent of a hammer on the digital equivalent of a nail and complaining when the nail bends.

True, the internet, and user expectations, have come a long way since I got into building websites, when technical skill or at least the willingness to learn was a requirement, not a bonus. And now, anyone can set a site up in minutes. Great, fantastic. And indeed all the time you can get from A to B that's great.

Another example, borrowing from the car analogy again: changing a tyre. It's not an arduous task and most people that drive a car can manage it. Except the idiot-proofing of the internet generation means people will run screaming before they'll attempt the digital equivalent of jacking the car up and changing a tyre.

You invest time and money in a car, you learn how to do some minor things on it - the average person won't try and understand every little component but the absolute basics they can manage, like when it says it's out of petrol, it's time to put new petrol in.

Yet, here, you have the digital equivalent and people come and ask for help without taking a moment to do the digital equivalent.

I don't think idiot proofing is the answer - it hasn't really helped WP IMO, all that happens is you raise the digital equivalent of a group of car drivers that *won't* learn how to change a tyre, not because they *can't* but because of some other factor.

Instead of idiot proofing the software - which, I'd point out, is what successive iterations of Windows have tried to do, and ended up making it harder to do anything outside of the absolute basics with each successive iteration - I'd encourage a program of helping users to do things, so that instead of encouraging a 'OMG THE SITE IS DOWN HEEEEELP' culture, we can start to encourage something of 'OK, the site is down, it isn't x, it isn't y...' and helping users to develop their skills. The end result is users that feel more confident with things, which is actually a win-win.

Classic case of this - only this week I saw a user asking for free mod installations, on a per mod basis, with no mitigating factors other than user inexperience. As one person stated - why not instead of doing it for them, teach them how to do it so they'll be empowered?

DoctorMalboro

There's no such thing as an idiot-proof software unless you write it in Word and you can make mods, themes and stuff in Word ;)

Arantor

Word isn't idiot-proof. In fact I lost count of the number of times my bosses gave me things to do in Word that were beyond their skills...

DoctorMalboro

Quote from: Arantor on April 29, 2010, 05:00:26 PM
Word isn't idiot-proof. In fact I lost count of the number of times my bosses gave me things to do in Word that were beyond their skills...

Well, it's something that the Microsoft staff did, what can you expect? :P

kat

I think the typing of code from a mag helped, because you ALWAYS screwed-up something. So, to get it working, you had to go through the code, line by line, figuring-out what did what, so you could get it working.

smp420

Maybe just keeping the noobs out of the mod site is a good idea. Maybe some type of test you have to pass in order to access it.
"Things turn out best for those who make the best of the way things turn out." -Jack Buck

Arantor

Well, you need to have a licence to drive a car...

smp420

Basically the same idea, the same would also be a good idea to stop them from editing themes through SMF.

Antechinus

It is not possible to make software idiot-proof as someone will always build a better idiot. Rather than nobbling the software methinks it would be easier and more rewarding to exterminate the idiots. ;D
