What is the best practices update procedure?

[dalers]

I pulled the latest commits knowing a database update was included while a user was logged in. I logged out and then back in with security role Administrator (which triggered Z_UpgradeDatabase.php to run), but I'm curious what would have happened if the logged in user had tried doing something (e.g. create a PO or add a Supplier or Item). Would the user have been blocked from doing anything that affected the database?

In a "dispersed multi-branch retail management system", how should one perform a git pull on a live system? The commits pulled could include a db update, and if so, how would I know other than manually reviewing commits? What if there are other webERP users actively using the system when I git pull?

Also, what is the effect of selecting "Allow SysAdmin Access Only" for [Main Menu > Setup > General > System Parameters > Perform Database Maintenance at Login]?

[andrewcouling]

what is the effect of selecting "Allow SysAdmin Access Only"

I am also interested in this question. When I last did an update, I went looking for something like a 'Maintenance Mode' setting, but couldn't find one. As a work around, to prevent users from logging in during update, I set Account Status = Blocked in WWW_Users.php for all other users.

[pakricard]

In a "dispersed multi-branch retail management system", how should one perform a git pull on a live system? The commits pulled could include a db update, and if so, how would I know other than manually reviewing commits? What if there are other webERP users actively using the system when I git pull?

In my case, major updates, I do nighttime, once all the branches are closed. Minor updates (bug fixes) during the day, as uploading a couple of PHP files lasts few seconds, except for scripts that affect the daily operations of the remote branches.

Manually reviewing commits? oh yes! all of them

Also, what is the effect of selecting "Allow SysAdmin Access Only" for [Main Menu > Setup > General > System Parameters > Perform Database Maintenance at Login]?

Allow SysAdmin Access Only: blocks all users except system admins to prevent regular users from logging in. It does not log out users already logged in, though.

[andrewcouling]

Allow SysAdmin Access Only: blocks all users except system admins to prevent regular users from logging in. It does not log out users already logged in, though.

@pakricard , thanks for explaining this. I will use this feature during future updates.

Would be good to have this description on SystemParameters.php alongside the drop-down. I'll add this to my to-do list.

[andrewcouling]

Would be good to have this description on SystemParameters.php alongside the drop-down. I'll add this to my to-do list.

@dalers , thank you for implementing this in your recent commit. 👍

[dalers]

How about this solution? I think it would be the simplest solution and wouldn't require new controls or logic changes. I'd also like to know for sure if logged-in users are blocked from doing anything that would cause a commit to the database, and if the system fails gracefully for logged in users or if they get screens of errors.

If one was to create a new section and move the variable selector, what all would be involved? Only SystemParameters.php? Do all themes need to be tested? Are translations involved (or do they need to be? I'm not familar with the translation system, only that there a lot of .po files I think are involved).

[andrewcouling]

In the scenario where you have enabled Allow SysAdmin Access Only, but there could still be some users logged-in, it would be useful to have a 'Who's Logged-In' report.

[dalers]

would be useful to have a 'Who's Logged-In' report.

I very much agree, my first inclination is to add an "Active" field to the user record (www_users) with the logic to set it "YES" in the login code and the logic to set it "NO" in the auto-logout code. However, I think just moving the control to improve visiblity is a good first step.

[dalers]

It appears users can still affect the database if they happen to be logged in when an Administrator sets [Main Menu > Settings > General > System Parameters > Perform Database Maintenance At Logon] to "Allow SysAdmin Access Only".

As a user logged in with security role "Manufac/Stock Admin", I attempted to create a new Item after a different user with security role "Administrator" had set [System Parameters > Perform Database Maintenance At Logon] to "Allow SysAdmin Access Only" and the new Item was created in the stockmaster table.

@andrewcouling

As a work around, to prevent users from logging in during update, I set Account Status = Blocked in WWW_Users.php for all other users.

Did you test what a user could do if they were already logged in when you set this?

Seperately, when creating the new Item there was also an error in Stocks.php shown "Warning: Trying to access array offset on value of type null in C:\xampp\htdocs\webERP\Stocks.php on line 67"

This is likely the first time I have created an Item on a dev server with showing PHP notices and warnings enabled in php.ini (also fwiw all items in the db have 0 stock). Is this warning one of those to be expected when showing notices and warnings is enabled?

[pakricard]

It appears users can still affect the database if they happen to be logged in when an Administrator sets [Main Menu > Settings > General > System Parameters > Perform Database Maintenance At Logon] to "Allow SysAdmin Access Only".

Yes, you are right. I could find a proper way to kick out users already logged in.

To prevent this, the (ugly) workaround I do is to email all user stating webERP will be inactive at HH:MM for an expected duration of XX minutes.
At HH:HH + 5 courtesy minutes:

• Rename www.mydomain.com/weberp to www.mydomain.com/weberp_temp_12345 or some random directory name.
• Do my admin work undisturbed
• Rename www.mydomain.com/weberp_temp_12345 back to www.mydomain.com/weberp
• Email all users stating webERP is back in action

It is harsh but effective. If someone knows a proper way to log out all users (except admin) once they are logged in, it would be great.

BTW, the Warning you commented from line 67 is unrelated to this Allow SysAdmin Access Only access, as setting it, only prevents regular users from logging in, nothing else.

[andrewcouling]

If someone knows a proper way to log out all users (except admin) once they are logged in, it would be great.

Some ideas on this subject here.

[timschofield]

I don't think I would like to have the facility to force people to logout. Someone could be just at the end of a large order, and then they are forced out, losing their work. I would prefer to go down the route of showing who is currently logged in, and maybe a phone number to contact them on. It would be easy enough to do. Tim

…

On Thu, 12 Dec 2024 at 12:46, Andrew Couling ***@***.***> wrote: If someone knows a proper way to log out all users (except admin) once they are logged in, it would be great. Some ideas on this subject here. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- www.weberp.org @TimSchofield2 Blog: https://kwamoja.home.blog/

[dalers]

I don't think I would like to have the facility to force people to logout. Someone could be just at the end of a large order, and then they are forced out, losing their work.

I don't disagree it could happen, but fundamentally, imho, commits to the database cannot be allowed to occur while new code is being copied into place (i.e. until git pull completes, and and any cache in the pipline is reloaded) before commits can be allowed to the db again.

@pakricard solved this by sending a lot of emails and changing the webroot filename (which iiuc fails because the path to the php file the browser is trying to access with data input by the user doesn't exist anymore in the server files system). @andrewcouling solved this iiuc by not allowing new logins and counting on everyone to be logged out.

Perhaps the best solution is actually to take the database off-line and let the php code fail and show a simple "sorry, database is gone" message to the user?

Also, I think I may have posted recommending consideration for using the "notification system" (without knowing if there actually is one) to send notifications within the system. In this case, for a security role Administrator to send a notification to everyone that the "system is going down in 1 hr... 30 min... 10 min... 5 min... 1 min... system going down nooooo" (and optionally for a receiver to send Accept/Refuse back to everyone with Security role Administrator).

maybe a phone number to contact them on.

Why not use the contact information in the user/employee record? (again, without knowing if there is one.... ;-) )

[timschofield]

Hi Dale, there is no notification system. It's something I have occasionally wondered about implementing. It would be an interesting technical challenge, but beyond the scope of v5

What I had in mind was that when the administrator wanted to do an update, they would first stop any new logins except the SysAdmin, then they could select an option to see who was currently logged in (presumably after having earlier given warning by email or some such). This option would also show their contact details (you are correct these would be in www_users). The SysAdmin would keep refreshing this until all users were logged out, and then they can do the update.

This is a fairly simple system, with the need for very little new coding. Yes it could be improved on but given that you wouldn't update a production system that often it seems a fairly good compromise.

Tim

[dalers]

there is no notification system

How do "notifications" work now? (I hope I am using the correct term, I seem to recall a conversation iirc mostly between you and @pakricard about whether "notifications" were being queued and displayed correctly.

What I had in mind...

But until then, we have to use the solutions from @pakricard and @andrewcouling or mine - take the database server offline. Would it be a) possible and b) easy to trap the return from an attempted db connection and give the user a polite "database not there" message ("notification"?) if it wasn't?

It would be nice to avoid:

[timschofield]

The "notifications" we were talking about are the messages that appear accross the top. these are created by a call to the prnMsg() function. These take the form:

prnMsg ('a notification message', $severity);

where $severity is one of 'error'/'warn'/'info'/'success'

They are generated by the PHP code. a user, even if they are a SysAdmin cannot generate these messages, and they can't be sent to any other users.

I think we are over thinking this. Surely the process is simple:

1 Tell users in advance when routine maintenance is to be done.
2 When the time comes to do the maintenance, shut off new logins except SysAdmin logins
3 Check if any other users are still logged in.
4 If there are users logged in, then contact them and ask them to logout.

return to step 3 until nobody is logged in.

5 Perform routine maintenance
6 Re-instate other logins
7 Go home and have a beer

Tim

[dalers]

created by a call to the prnMsg()

Thanks for summary.

I think we are over thinking this. Surely the process is simple.

I agree your proposal would be a solution.

They (notifications) are generated by the PHP code. a user, even if they are a SysAdmin cannot generate these messages, and they can't be sent to any other users.

A one-way broadcast system might not be too hard to develop. A SysAdmin could access a script that would accept a message (e.g. "webERP will be unavailable for 30 minutes starting at 20:00 GMT") with an expiry date, time or number of elapsed minutes, and some function that runs every user access could call prnMsg() to display the message to the user until it has expired.

For now though, it seems the only solutino to preventing database commits while upgrading code is to either take down the web server or take down the database server.

[dalers]

@timschofield what is the process for showing a banner like this one to the user? How is the color (severity?) set? What are the rules to follow? Can you give me a quick overview as if I was a five-year old?

P.S. my apologies if this is already written up somewhere.

[dalers]

@andrewcouling

I set Account Status = Blocked in WWW_Users.php

I think this will only block new logins, it won't affect users already logged in.

I set Blocked = 1 for my current user in the database (mnestor)

and then clicked [Insert New Item] for a new item in progress...

[dalers]

Fwiw, WackoWiki (wiki integration supported by webERP) seems to be able to remove users...

[pakricard]

A simple way to notify this to all users could be showing a prnMsg() "System going down in X minutes" in the header, so it is shown in every page they load.

We should just keep some setting in DB (shutdown timestamp) and X would be the difference between the shutdown timestamp and current timestamp.

I agree with @timschofield, this (and any other improvement) should be post v5. There are a zillion things to be fixed to get a workable v5 and PHP8 ready. I think that we should focus on getting what we get working OK and stable. Then, we can work on improvements.

[dalers]

We had the same idea! :-)

I have not said there needs to be a solution in v5 and am not even proposing there should be any development at this time (my apologies for implying it). For now, to prevent potential database corruption while performing an upgrade, either serving the site must be stopped (e.g. by changing the webroot as you described) or the database server must be stopped (or connections refused).

[pakricard]

Further thinking about it... It depends on the number of concurrent users and how polite the system admin wants to be.

The biggest corporations (e. g. your online bank) just show a message "system will be down for maintenance on XXXX until YYYY" and when XXXX arrives, they just block new log ins and kick out already logged users. It would be unreasonable to phone potentially thousands of users and ask them please to finish their transaction and log out.

I have 60-80 concurrent users during working hours, so it becomes unreasonable to wait for all of them to kindly logout.

I guess, the polite way (phone call or similar when they don't log out) it makes sense for installs below 10 concurrent users, probably on the same building.

[dalers]

The biggest corporations (e. g. your online bank) just show a message "system will be down for maintenance on XXXX until YYYY" and when XXXX arrives, they just block new log ins and kick out already logged users. It would be unreasonable to phone potentially thousands of users and ask them please to finish their transaction and log out.

This has been the norm for me in medium and large businesses with internal IT departments - a 1hr/10min/1min system pop-up warning and then a final "system going down now" (sometimes starting with an email notice a day or a week prior). If for some reason that isn't acceptable to a user, it's on the user to phone or contact someone...

[timschofield]

I'm still not sure how you would update the system with the web server and/or DB server taken down, and how you would send a prnMsg to another user's screen. However I'm happy to go along with others. I think the script will be useful so I have committed a script to display users currently logged in anyway. Thanks Tim

…

On Fri, 13 Dec 2024 at 17:56, Dale Scott ***@***.***> wrote: The biggest corporations (e. g. your online bank) just show a message "system will be down for maintenance on XXXX until YYYY" and when XXXX arrives, they just block new log ins and kick out already logged users. It would be unreasonable to phone potentially thousands of users and ask them please to finish their transaction and log out. This is how it's always been for me with internal IT. 1hr/10min/1min system pop-up warnings and a final "system going down now" have been the norm. If for some reason that isn't acceptable to a user, it's on the user to phone someone... — Reply to this email directly, view it on GitHub <#297 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAL6LAAWZK75JJ3X4U4G332FMNWBAVCNFSM6AAAAABTLYZ7ASVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCNJWGAZTGNA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- www.weberp.org <http://www.weberpafrica.com> @TimSchofield2 Blog: https://kwamoja.home.blog/

[dalers]

I'm still not sure how you would update the system with the web server and/or DB server taken down,

Sorry Tim, I'm being sloppy and maybe not thinking things properly through.

Updating webERP code (git pull) can be done without a web or db server, but you are of course correct that updating a database to the lastest DBUpdateNumber requires both.

See if you agree with the following:

Step 1 - block new users from logging in by setting [Main Menu > Settings > General > System Parameters > DB Maintenance] to "Allow SysAdmin Only".

Step 2 - log out existing users by stopping temporarily stopping the web server and deleting stored sessions.

The following was sufficient for me with Apache 2.4 on FreeBSD 14.1, but is somewhat draconian as it also logs anyone logged in on my server to WordPress, MantisBT, Moodle, Nextcloud, ProjeQtOr, SuiteCRM, TimeTracker and WackoWiki.

% sudo service apache24 stop
% sudo rm /tmp/sess*
% sudo service apache24 start

This is also using out-of-box httpd.conf and webERP config.php, and I don't know enough to know if Apache or webERP could configured to store session data differently.

Step 3 - perform git pull to fetch and merge new code (being confident there is no other user with security role Administrator mucking about).

Step 4 - login as user with security role Administrator and perform db update if needed.

Step 5 - disable "Allow SysAdmin Only" to let users login again.

[dalers]

committed a script to display users currently logged in anyway.

Thanks, it seems to work correctly for me, but I'm also now having issues using MS Edge I hadn't noticed before (and so may be related).

I logged in using Chrome as user mnestor (Administrator) and also logged in as user bjenks using MS Edge. Using the Edge login, I found if I click a main menu item more than twice (any menu item, followed by any other menu item) the login screen appeared and I had to log in again (or at least I assumed I had to, since it's the Login window...). Then I accessed LoggedInUsers.php as user mnestor in Chrome and see multiple active logins for mnestor and bjenks - when I expected to see one active login each. Stopping and restarting Apache and MariaDb did not change the behavior in Edge (can click ONE menu item after logging in, and then clicking any other menu item results in Login page).

Fwiw, here's the page in Edge after clicking a second menu item. Note Edge has apparently saved mnestor for "User name" and has populated the login fields even though I had logged in as user bjenks), and any user who logs in (including user mnestor) gets the Login page after clicking a 2nd menu item.

[timschofield]

This is a duplicate of Enrique's issue here: #309

[dalers]

Per @timschofield #297 (comment)

I think the script will be useful so I have committed a script to display users currently logged in anyway.

and #309 (comment)

It will now work except if the user closes the browser or the tab without logging out. There doesn't seem to be a reliable cross browser way of achieving this.

If the list of logged-in users provided by LoggedInUsers.php can't be trusted, the SysAdmin will still have to forceably disable access to webERP because they don't know if the users are actually active or not.

[timschofield]

In the end organisations will use whatever method best suits them. I could never personally recommend something that involves arbitrarily cutting users off mid transaction, but if that works for a particular organisation then that is of course up to them :) Tim

…

On Sat, 14 Dec 2024 at 18:18, Dale Scott ***@***.***> wrote: Per @timschofield #297 (comment) I think the script will be useful so I have committed a script to display users currently logged in anyway. and #309 (comment) It will now work except if the user closes the browser or the tab without logging out. There doesn't seem to be a reliable cross browser way of achieving this. If the list of logged-in users provided by LoggedInUsers.php can't be trusted, the SysAdmin will still have to forceably disable access to webERP because they don't know if the users are actually active or not. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>

-- www.weberp.org @TimSchofield2 Blog: https://kwamoja.home.blog/

[dalers]

arbitrarily cutting users off mid transaction

Do you think that is possible following my updated procedure? #297 (reply in thread)?

If a session is valid when the user starts a transaction, is the transaction guaranteed to complete? I'm thinking it probably is - unless a "top-level" script calls another script that also checks the session and then fails if the session file was deleted on the server after the first script started execution.

[timschofield]

On Sat, 14 Dec 2024 at 19:04, Dale Scott ***@***.***> wrote: arbitrarily cutting users off mid transaction Do you think that is possible following my updated procedure? #297 (reply in thread)?

Unless I am missing something then: % sudo service apache24 stop % sudo rm /tmp/sess* % sudo service apache24 start will cut off whatever a user is doing. So somebody who has entered 24 lines of a 25 line sales order will find they have been cut off mid transaction and would need to start again on line 1.I can't imagine implementing such a system in any organisation I have worked in, but if it works in some organisations that is fine.I am just saying I couldn't personally recommend it.

[timschofield]

My final thoughts on this thread, is that it is indeed possible to use a different directory than /tmp to store the session data. Just set the variable $SessionSavePath to the path you want to use inside config.php. I use ~/.sessions_weberp to separate out the webERP session data. Thanks Tim

…

On Sat, 14 Dec 2024 at 19:17, Tim Schofield ***@***.***> wrote: On Sat, 14 Dec 2024 at 19:04, Dale Scott ***@***.***> wrote: > > arbitrarily cutting users off mid transaction > > Do you think that is possible following my updated procedure? #297 (reply in thread)? > Unless I am missing something then: % sudo service apache24 stop % sudo rm /tmp/sess* % sudo service apache24 start will cut off whatever a user is doing. So somebody who has entered 24 lines of a 25 line sales order will find they have been cut off mid transaction and would need to start again on line 1.I can't imagine implementing such a system in any organisation I have worked in, but if it works in some organisations that is fine.I am just saying I couldn't personally recommend it.

-- www.weberp.org @TimSchofield2 Blog: https://kwamoja.home.blog/

[dalers]

possible to use a different directory than /tmp to store the session data. Just set the variable $SessionSavePath to the path you want to use inside config.php. I use ~/.sessions_weberp to separate out the webERP session data.

Thanks for the tip. I think we've hashed this out as much as we can. My final thought is that allowing a transaction to procede and corrupt a database during a system update will be more inconvenient to users in the long run than having to re-enter a purchase order (after ignoring multiple notifications the system will be going down shortly)

[timschofield]

On Sun, 15 Dec 2024 at 20:20, Dale Scott ***@***.***> wrote: (after ignoring multiple notifications the system will be going down shortly)

Hi Dale, that's one of the things I don't understand. I really have no idea how these notifications can be sent. There is nothing in webERP currently that can manage that. It would require some kind of messaging system to be written. Tim

[dalers]

...nothing in webERP currently that can manage that ... would require some kind of
messaging system...

You are of course correct. I was thinking of the email messages @pakricard sends his users (notifications in the general sense).

[pakricard]

Hi @dalers:

I think the risk of corrupting the DB because users are kicked out somehow mid-transaction is zero, if we use DB_Txn_Begin() and DB_Txn_Commit() in DB updates (INSERT, UPDATE, DELETE).

The truth is, currently not all scripts use the Transaction Commit, but probably we should. Maybe adding DB_Txn_Begin() and DB_Txn_Commit() in every critical script will ensure no DB corruption.

My approach of changing the directory, does not affect the DB server, so after X seconds it will consider the connection was lost and rollback.

If I properly understood your approach of shutting down the DB server, I also guess it won't affect, as the DB server should be smart enough to roll back all pending work when starting its own shut down.

[dalers]

Hi Ricard

risk of corrupting the DB because users are kicked out somehow mid-transaction is zero, if we use DB_Txn_Begin() and DB_Txn_Commit() in DB updates (INSERT, UPDATE, DELETE).

I am confident you and @timschofield both eclipse my knowledge of MySQL/MariaDB, but my understanding of transactions is that they are required when a user can cause multiple related commits to be performed (likely to multiple tables) that must all be completed (i.e. essentially performed as an atomic operation) before another user can be allowed to perform a commit of similar or related data (I am sure I am not saying this correctly so hope you understand my intent).

My approach of changing the directory, does not affect the DB server...

I now believe I was wrong to propose stopping the database server as a possible solution. Although the server may shutdown deterministically (and either complete or not complete transactions in progress), it seems more controlled to keep the DB server running and prevent webERP from sending commits to the DB server.

My speculation is that if webERP (Apache/PHP) sends an SQL commit to the DB server, the DB server will complete processing the commit even if the web server is not running when the commit completes. Do you know if this is correct?

...so after X seconds it will consider the connection was lost and rollback.

I expect this situation would occur if PHP stopped sending the SQL query to the DB server, such as if the DB server was running on a different physical server than Apache/PHP, and the Apache/PHP server failed in the middle of sending the query to the DB server. However (and I am speculating again), I don't believe changing the webERP webroot would result in this behavior and suspect the PHP interpreter would complete sending the SQL query to the DB server and the DB server would respond back to the PHP interpreter. I suspect only killing the Apache process would kill PHP processing mid-query (assuming Apache and mod_php with other configurations behaving differently).

I'm sorry if I seem pedantic, I'm only trying to understand properly how the system behaves.

Cheers,
Dale

[timschofield]

I think we have probably run this subject into the ground. So long as we agree that we don't say that the project is specifying a preferred way of doing this then I am happy to leave it here. As with most things there are a number of ways of achieving the same thing, none of them perfect, and different organisations will have different ways they want to work. Thanks Tim

…

On Mon, 16 Dec 2024 at 05:21, Dale Scott ***@***.***> wrote: Hi Ricard risk of corrupting the DB because users are kicked out somehow mid-transaction is zero, if we use DB_Txn_Begin() and DB_Txn_Commit() in DB updates (INSERT, UPDATE, DELETE). I am confident you and @timschofield both eclipse my knowledge of MySQL/MariaDB, but my understanding of transactions is that they are required when a user can cause multiple related commits to be performed (likely to multiple tables) that must all be completed (i.e. essentially performed as an atomic operation) before another user can be allowed to perform a commit of similar or related data (I am sure I am not saying this correctly so hope you understand my intent). My approach of changing the directory, does not affect the DB server... I now believe I was wrong to propose stopping the database server as a possible solution. Although the server may shutdown deterministically (and either complete or not complete transactions in progress), it seems more controlled to keep the DB server running and prevent webERP from sending commits to the DB server. My speculation is that if webERP (Apache/PHP) sends an SQL commit to the DB server, the DB server will complete processing the commit even if the web server is not running when the commit completes. Do you know if this is correct? ...so after X seconds it will consider the connection was lost and rollback. I expect this situation would occur if PHP stopped sending the SQL query to the DB server, such as if the DB server was running on a different physical server than Apache/PHP, and the Apache/PHP server failed in the middle of sending the query to the DB server. However (and I am speculating again), I don't believe changing the webERP webroot would result in this behavior and suspect the PHP interpreter would complete sending the SQL query to the DB server and the DB server would respond back to the PHP interpreter. I suspect only killing the Apache process would kill PHP processing mid-query (assuming Apache and mod_php with other configurations behaving differently). I'm sorry if I seem pedantic, I'm only trying to understand properly how the system behaves. Cheers, Dale — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>

-- www.weberp.org @TimSchofield2 Blog: https://kwamoja.home.blog/