# How can we enforce better Magento extensions? ## and get rid of the weak #### by Jisse Reitsma (Yireo)
# );sse Reitsma - Founder of Yireo - Trainer of Magento 2 developers - Creator of MageTestFest & Reacticon - Organizer of usergroups, hackathons - Magento Master 2017-2019 Mover - Member of ExtDN (Magento Ext Dev Network)
# How can we enforce better Magento extensions?
# We can't
# My talk - Obvious points about extension quality - Bits of psychology - Bits of ranting - Enlighted points - A lot of bullet points like these
# Obvious points about extension quality - Comply to the coding standards - Magento Coding Standard (consolidation project) - Add testing - Unit tests, integration tests, MFTF, acceptance tests - Don't inject the ObjectManager - Except in factories, proxies, builders, tests and more - Don't overwrite core preferences - Unless your module's purpose is exactly that - And so on ...
# Review of a bad extension
# Review of a bad extension (1 of 3) - Dependencies - No `require` dependencies with framework or modules - PHP compatibility with PHP 5.5 (for an Magento 2 extension) - Not all dependencies are in `module.xml` - Coding standards - Prefixing internal variables with an underscore - Code not formatted in PSR-1 or PSR-2 - Long methods with too many features - More than 10 code indents in a single class (Object Calisthenics)
# Review of a bad extension (2 of 3) - ObjectManager stuff - Injecting ObjectManager instead of using DI properly - Calling upon the ObjectManager in PHTML templates via a hidden `factory()` method - Injecting dependencies via constructor DI and then not using those dependencies - Injecting too many dependencies via constructor DI: Code should be SOLID - Suddenly calling upon ObjectManager::getInstance somewhere in the code - Intercepting with an around() plugin where before() or after() is enough already - Relying on the ObjectManager to `get()` a singleton instance, and then still writing your own singleton method - Manual database queries - Manual SQL queries to write to configuration instead of using `\Magento\Framework\App\Config\Storage\WriterInterface` - Defining your own models & collections and then still resorting to manual SQL queries to call upon your tables - Inserting default configuration values via Setup-class instead of using `etc/config.xml` - Manual SQL queries in Setup-classes
# Review of a bad extension (3 of 3) - Theming stuff - Using helpers in General - Too much logic in PHTML templates - Adding CSS instead of LESS - `
` - templates are not translatable - Small stuff - Call-to-home via `controller_action_predispatch` event in backend - Base module that does a lot of hard work to add notifications on each backend page - No custom acl.xml for own backend pages and configuration settings (but still defining resources) - Adding inline HTML into a field render class, instead of using a PHTML template - Overriding classes using a DI preference rewrite, instead of using plugins or composition - Extending a class for no reason
# Rating: D (Mordor)
# Why is this bad? - No requirements in composer, so no proper versioning - Not extensible by other developers - More CSS loaded in head - Hard to create theming overrides This is costing money.
# Areas where bad extension cost - Conflicts - Extensibility - Interoperability - Security
# Bits of psychology
# Bits of psychology - Self-interest - Extension providers want to sell extensions - Merchants want to save money where they can - Developers want to go home at 17:00 - Their managers want to drive Porshes - Stubbornness - None of the groups above wants to change - You are always right. The other one is wrong. - You don't want your friends to be bullied at.
# Conclusion: Change is hard.
# My conclusion: Change needs to be enforced.
# Measuring quality with provider X - Not complying to coding standards - Not true for all modern X extensions - No automated tests - X is now gradually implementing unit tests and integration tests - X is also one of the first extension vendors implementing MFTF - Bad usage of `ObjectManager` - Last time I checked an X extension, they did all correctly - And a lot of people are happy with X - X extensions work with X extensions - Fair pricing of extensions
# Rating: 87.42
# What does "rating" mean?
# Quality checking - Doing it yourself - PHPCS, PHPStan, PHPMD - Security scanners: mwscan, eComscan - Magento Marketplace validation - PHPCS, MFTF, Varnish tests - Testing - Unit, integration, end-to-end, functional
# Validation sites - NrJudge - Triplecheck.io (And Magento Marketplace)
# Different environments - Magento 2.1, 2.2, 2.3 - PHP 7.0, 7.1, 7.2 - With and without Varnish - In Developer Mode and Production Mode - Oh and let's add this later to it as well: - GraphQL, Apollo Server, PWA - ElasticSearch 5, 6 - MySQL 5.6, 5.7, 8 (Oracle, MariaDb, Percona)
# The problem of rating - How to calculate the score? - Take average of X rules with Yes/No answer? - Number of unique PHPCS Warnings divided by number of rules? - What about false positives? Manual checking? - What to do with the rating? - Strike 3 and you're out? - When do you stop guiding an extension developer? - When to rate? - Every time a new release is uploaded? (free CI tool) - Edge cases - What about 1000s of low level warnings? - What about 1 major security issue?
# Rating is hard ## So let's focus on the really really bad extensions first
# If really really bad extensions are rated so badly, still using them is straight-out stupid. But a reality check shows that people are still using bad extensions everywhere.
# How to drop the legacy?
# Legacy in the Magento Marketplace - Magento Marketplace grew too quickly - Replacement of MagentoConnect legacy - Initial extension submission got in, but no checks for additional versions - Coding standards were (are?) not mature yet - Is using `json_encode` a security hazard? - How to check for bad usage with the Object Manager? Tests? Factories?
# Changes in Magento Marketplace - MFTF becomes more important - Automated testing is now done on every release - EQP2 is going to open up tooling to the community - Rating extensions is currently being investigated - Kicking out extensions is currently being investigated
The night is darkest just before the dawn.
And I promise you, the dawn is coming.
Harvey (Two-Face) Dent from "The Dark Knight"
before he changes into a psychotic SoB
# Challenges in the market - Two Face Magento - Magento versus Adobe - Community versus high-end enterprise - PWA versus monolithic - Drop the Knockout legacy and go PWA - Extension quality remains for backend only - It is unsure how Magento extensions should extend React/Vue behaviour - Market is shifting - Small shop owners move elsewhere (Shopware, BigCommerce) - Serious shop owners spend more on custom development ($$$) - And how do extensions fit into this new market? - Brexit - Mwoahahaha
# What can we do together?
# What can we do together? - Drop bad extensions - Stop using bad extensions, because they cost money - Call out in the community for same features but good extension instead - Promote knowledge on why bad extensions are bad - Help with the relevant Magento projects - Magento Coding Standard (PHPCS) - Slack channels (marketplace, phpcs, testing) - Promote MFTF, Integration Testing, Unit Testing and other code quality tools - Send comments on bad extensions to the Magento Marketplace team - Help ExtDN do its real work - Spread the word on good extensions - Spread our flyers on quality and standards - Feedback: Send us your poor and your weak! [firstname.lastname@example.org](mailto:email@example.com)
# Drop the legacy
# All right # Thanks
MageX Austin 2019 - How can we enforce better Magento extensions?