Bug #92217
open
EM does not let users to download/install extensions marked as "outdated"
0%
Description
TYPO3 v8 in a traditional installation (no composer): The EM only lists extension versions in the overview of update-able versions that are not marked as insecure (review_state = -1) or outdated (review_state = -2). As a consequence, users can't update their insecure extensions, even a security bulletin and an upload comment on extensions.typo3.org tell users that an update is available and both explicitly suggest to update the extension.
See discussion on Slack
In short, the the problem is that the EM does not provide an option for uses to download extension versions that marked as outdated.
The following screenshot shows an example for extension l10nmgr.
Files
Updated by Michael Schams about 4 years ago
I had a quick look.
See file: typo3/sysext/extensionmanager/Classes/Domain/Repository/ExtensionRepository.php
As far as I can see, the EM uses the function findByExtensionKeyOrderedByVersion() to generate the list of available (downloadable/installable) extension versions.
In line 93:
$query->matching($query->logicalAnd($query->equals('extensionKey', $extensionKey), $query->greaterThanOrEqual('reviewState', 0)));
The condition check against review_state should be "!= -1" (hide insecure extensions), rather than ">= 0", as this also excludes outdated extensions ("-2").
However, I don't know if changing this would introduce side effects.