Magento Guide, Part 2 – Using Magento Connect

June 9, 2008 at 2:22 pm, Category: General Computing, Web Development, by Ewan

There have been more than a few updates to Magento in the last 2 months or so, and unless you’ve just installed it or haven’t worked on it, an update is going to be a bit of an annoyance. You certainly don’t want to reinstall Magento and copy or, even worse, add all your products and skin changes all over again.

The best way by far to update Magento is to use the Magento Downloader facility. To do that, all you need is a paper, pencil, a die… no, wait. You need Magento installed and an Internet connection. An FTP client and/or a helpful Web Host will come in handy as well.

In The Beginning…

To begin with, you need to set the folder permissions so that the Downloader can work. The Downloader requires all of the folders in your Magento install, every single one, to be writeable. If you have an FTP client like FileZilla and a lot of patience, you can ask it to set the permissions of your folders to 777 and recurse it through all folders and subdirectories. Don’t change permissions for the files – this isn’t needed. If you have SSH access or a nice webhost, ask them to run this line in your Magento install folder:

find ./ -type d -exec chmod 777 {} \;

This command will find all the directories and set the permission to 777. And it’s a lot quicker than using an FTP client… if you are forced to use an FTP client, I’d go put the kettle on. And maybe go to the shop and buy some biscuits – it’s going to take a while.

Let there be Downloads

Once you’ve done that, point your browser to www.yourdomainname.extension/downloader Here you’ll be presented with a login screen. Any user with full admin rights can log in to this area.

Once you’ve logged in, assuming you’ve never been in the Downloader before you’ll be confronted with a screen that looks a bit like this (click on the thumbnail to view it full size):

You can’t use the full functionality of the Downloader yet. Enter the following line of code into the second box (Paste extension key to install) – it will tell the Downloader to find and install all the latest updates for Magento:

magento-core/Mage_All_Latest

Push the button and wait for the console to tell you it’s finished installing (the downloader opens up a black console screen in your web page, with green text) and you’ll see this page (again, click on the thumbnail):

Now the hard part is over. When you refresh this page, you’ll see a list of all the Magento components, your version number and the current version available. Modules requiring an update are highlighted in Gold. You can also use this downloader to incorporate modules available on Magento Connect into your Magento store.

It’s also recommended that you take Varien’s advice and select the option to clear all the sessions – this will ensure that you won’t encounter any cached content from older versions.

Well, that’s it – no more cumbersome upgrades or installs!

Bookmark It

Hube

>>>”Magento install, every single one, to be writeable. If you have an FTP client like FileZilla and a lot of patience, you can ask it to set the permissions of your folders to 777″

This is a huge security vulnerability!!! Changing all folders to 777 opens the entire site up to hacking!!!

Perhaps you have never been on the receiving end of this, but I have. A host that I have worked with required that I set a folders permissions to 777 in order to allow scripts residing on the server to write to the folder. This was due to the fact that my scripts on the server ran with the permissions of the visitor rather than the permission of the file owner. This opened a window for hackers and I nearly lost the entire site.

Knowing this, how can I make all the folders that Magento uses public writable (777) and insure the security of the site?
admin

I would suggest that the problem lies with the scripts and the hosts rather than the permissions.

Yes, if your files and folders are set to 777 then anyone can do anything. Except, of course:

They need access to your files and folders!

If a website is hacked, it is because the hacker found a way in. This is NOT because of the permissions. The permissions dictate what LEGITIMATE users of various kinds can do; without access they make no difference.

So the problem lies with how the hackers got to your site (or get to your site, however you want to put it). I’d suggest vulnerabilities in the scripts you mention are at fault here; an exploit in those scripts that allows a hacker a multitude of ways into your site code. Perhaps.

They may have found another way in. Just because the permissions were changed and the site was hacked doesn’t mean the two were related – it may have been coincidental. Well known software, old versions that don’t have updates to fix security issues, poor choice of passwords – all are avenues for potential hacking.

Magento is a new product, it is constantly updated, and we have high levels of security on our servers. There has not been a single successful hack on our servers; we host many, many Magento sites, who all use the downloader and haven’t had issues. There are many more Magento users around the world who, sadly, are not using us for their hosting, but who, happily, have not reported that their sites have been hacked.

So, no. This is NOT ‘a huge security vulnerability!!!’ Running scripts that allow hackers to cost you almost an entire site is a vulnerability. Setting full permissions for Magento on a secure server is not a vulnerability.

And there’s always the final option – you could change the permissions back? Whereas the downloader needs these permissions, Magento itself does not…
http://imandirect.com/blog iman

Thanks for the tutorial. Finally i found a site that made sense. Keep it up.

The use of pictures really helps!

Thanks!

~iman
http://syberplace.com Swapnil

I have followed the instructions to change the permission of the files and the permission have been successfully changed.
But, when I load the downloader and provide username and password it gives the following error.

404 Error
Page Not Found

I shall be thankful for any help.
http://www.webshopnews.net Webshopnews

Thank you for your Magento connect tutorial. I´ve only one suggestion, but it´s not a criticism: A Video-Tutorial for that would be a blast….
http://petdriverslicense.com Nadia

I have been trying to install magento via ftp and ssh and neither seems to work I get the following error in the magento installation wizard:

Path “/usr/www/users/jibjab/store/app/etc” must be writable
Path “/usr/www/users/jibjab/store/var” must be writable
Path “/usr/www/users/jibjab/store/media” must be writable

the hacking info was helpful because I did cahnge all the file permissions to 777, but I will change them back. I may have missed a step, but do you leave all of the downloaded magento files on the desk top or do I put them in a certain place? Any advice would be very help ful. thanks
http://www.gest8.com Qbert

infact the folders simply have to be writable by the server usually ‘www-data’ or similar, so you could do this instead in theory (i have yet to try this but i will very shortly )

find ./ –type d –exec chgrp www-data {} \;
Adam

ok, apology time, I’ve just noticed you were only recommending changing directories not files to 777 (RTFA! , so it’s not as bad as I made out above. Still preferable to set the correct permissions though if possible, or at the very least set them back after you’ve upgraded…

http://www.magentocommerce.com/wiki/groups/227/resetting_file_permissions
http://anglersonline.com Gary

Thanks for the how-to!

Thanks,
Gary
http://www.owlboy.com OwlBoy

Thanks for this! It made things clear as can be for me I think . Been wondering how Magento connect was able to do its stuff, I had my permissions wrong heh.
Pingback: The Essential Magento eCommerce Toolkit | Web.AppStorm
Pingback: 1 Custom Wordpress and Magento E Commerce Development
Pingback: The Essential Magento eCommerce Toolkit | Best Web Magazine
http://pulse.yahoo.com/_2JY6XQ6UL7LQ7TEYKFDXGGX7KE Linda Lind

Magento offers standard templates and themes in the shopkeepers. This allows them to customize the look of the store with the exercise of user interface. It can even be used on mobile devices. With the help of modular code, it is easier to store users to upgrade the installation of Magento Magento retain their personalization.

Magento theme
Anonymous

I have set permission to all folders as 777, include sub folders; and in browser I put: mydomain/admin.extensions/downloader; but the page couldn’t found. Anyone knows why? Please help!
Anonymous

Hi there, I’m not sure where the ‘admin.extensions’ part of your URL has come from – I think this is your problem. You need to go to:

mydomain/downloader

The admin URL and extensions you’re using shouldn’t have any bearing on this URL. The only change to it would be if your domain isn’t in the web root (i.e. if you have to go to mydomain.com/shop/ to see the Magento store, then the URL would be mydomain/shop/downloader).

You can also access Magento Connect through the admin area of your Magento store. Hope that helps!
Anonymous

Hi NuBlue,
Thanks so much for the repay, unfortunately, I still can’t get it. this is my url:
http://www.shopshopers.immersemedia.us/admin.extension/downloader
if I can access Magento Connect through the admin area is it meas from: System/Magento Connect Manager? I can’t do that neither, I got “401 Not Found”.
Thanks again!
Anonymous

Hi NuBlue,
Thanks so much for the repay, unfortunately, I still can’t get it. this is my url:
http://www.shopshopers.immersemedia.us/admin.extension/downloader
if I can access Magento Connect through the admin area is it meas from: System/Magento Connect Manager? I can’t do that neither, I got “401 Not Found”.
Thanks again!
Anonymous

Hi Jason,

Your Magento store appears to be broken – as I can see your admin area by going to yourdomain/admin, I should be able to see Magento Connect by going to yourdomain/downloader.

If you have shell access to your hosting, I would try resetting pear or mage (depending on what version you are using) – with the following command, run from the web root folder:

./pear mage-setup

OR

./mage mage-setup

I would also check the settings in your admin area, as well as in your database, to see if you have specified any custom admin or site URLs, ensure all of your file/folder ownership and permission settings are correct, and clear your cache.

Does the downloader folder actually exist in your webspace?

If you are aware of when the downloader was working, I would consider rolling back to any backups you have from this point, or if it is a new install, I’d consider installing again.

As the site isn’t hosted with us, this is purely guesswork and we can’t investigate your issue properly, but I can tell you that the site isn’t working as it should.

Good luck!
Anonymous

Hi NuBlue,

Yes, the downloader folder is just under my subdomain name, and I am only host for this website. This was second time I installed Magento, and no lucky I still couldn’t use Magento Connect Manger. I will check all you’ve said letter on, for me, those are harsh job.Thanks again, you are so nice and patient; your business will grow quickly.