Commit 2b4da58b authored by alexpott

Issue #2701851 by amateescu, animaci: The 'system.db_update' route should...

Issue #2701851 by amateescu, animaci: The 'system.db_update' route should restrict access via the 'access_check.db_update' service
parent 8efd6e53
...@@ -374,6 +374,7 @@ protected function selection(Request $request) { ...@@ -374,6 +374,7 @@ protected function selection(Request $request) {
'#attributes' => array('class' => array('button', 'button--primary')), '#attributes' => array('class' => array('button', 'button--primary')),
'#weight' => 5, '#weight' => 5,
'#url' => $url, '#url' => $url,
'#access' => $url->access($this->currentUser()),
); );
} }
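Review bot: The `#access` added to the link in selection() only decides whether the button is rendered; it does not itself block a request to the route, so a reader should not mistake it for the enforcement point. A one-line comment would make that explicit: `// Hide the link for users who cannot reach update.php; the route requirement enforces access.` `Url::access()` is called here without a return-as-object flag, so `#access` appears to receive a plain boolean, which is what the render array expects. The selection() method begins before this hunk, and one context line of the hunk is not shown.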
...@@ -56,20 +56,38 @@ function testUpdateAccess() { ...@@ -56,20 +56,38 @@ function testUpdateAccess() {
$this->drupalGet($this->updateUrl, array('external' => TRUE)); $this->drupalGet($this->updateUrl, array('external' => TRUE));
$this->assertResponse(403); $this->assertResponse(403);
// Check that a link to the update page is not accessible to regular users.
$this->drupalGet('/update-script-test/database-updates-menu-item');
$this->assertNoLink('Run database updates');
// Try accessing update.php as an anonymous user. // Try accessing update.php as an anonymous user.
$this->drupalLogout(); $this->drupalLogout();
$this->drupalGet($this->updateUrl, array('external' => TRUE)); $this->drupalGet($this->updateUrl, array('external' => TRUE));
$this->assertResponse(403); $this->assertResponse(403);
// Check that a link to the update page is not accessible to anonymous
// users.
$this->drupalGet('/update-script-test/database-updates-menu-item');
$this->assertNoLink('Run database updates');
// Access the update page with the proper permission. // Access the update page with the proper permission.
$this->drupalLogin($this->updateUser); $this->drupalLogin($this->updateUser);
$this->drupalGet($this->updateUrl, array('external' => TRUE)); $this->drupalGet($this->updateUrl, array('external' => TRUE));
$this->assertResponse(200); $this->assertResponse(200);
// Check that a link to the update page is accessible to users with proper
// permissions.
$this->drupalGet('/update-script-test/database-updates-menu-item');
$this->assertLink('Run database updates');
// Access the update page as user 1. // Access the update page as user 1.
$this->drupalLogin($this->rootUser); $this->drupalLogin($this->rootUser);
$this->drupalGet($this->updateUrl, array('external' => TRUE)); $this->drupalGet($this->updateUrl, array('external' => TRUE));
$this->assertResponse(200); $this->assertResponse(200);
// Check that a link to the update page is accessible to user 1.
$this->drupalGet('/update-script-test/database-updates-menu-item');
$this->assertLink('Run database updates');
} }
/** /**
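Review bot: The new assertNoLink checks in testUpdateAccess pass vacuously if the test page itself fails to render, because a 403 or 500 response also contains no 'Run database updates' link. Each `$this->drupalGet('/update-script-test/database-updates-menu-item');` should be followed by `$this->assertResponse(200);` before the link assertion, so the test proves the link was withheld by `#access` rather than by an unrelated failure. This matters most in the anonymous case, where the test route is open to everyone by design and the only thing under test is the render-time check. testUpdateAccess() starts before this hunk.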
...@@ -465,7 +465,7 @@ system.db_update: ...@@ -465,7 +465,7 @@ system.db_update:
defaults: defaults:
op: 'info' op: 'info'
requirements: requirements:
_access: 'TRUE' _access_system_update: 'TRUE'
options: options:
default_url_options: default_url_options:
path_processing: FALSE path_processing: FALSE
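Review bot: The requirement key `_access_system_update` only has an effect if an access checker registered with that key in its `applies_to` exists; the service registration for access_check.db_update is not among the visible hunks, so the mapping cannot be confirmed from here and the route would silently become unreachable if the tag were mistyped. A YAML comment on the requirement would spare the next reader the search: `# Enforced by the access_check.db_update service (applies_to: _access_system_update), not a permission string.` The route's path and controller lines lie before this hunk.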
<?php
namespace Drupal\update_script_test\Controller;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\Request;
/**
* Controller routines for update_script_test routes.
*/
class UpdateScriptTestController extends ControllerBase {
/**
* Outputs a link to the database updates URL.
*/
public function databaseUpdatesMenuItem(Request $request) {
// @todo Simplify with https://www.drupal.org/node/2548095
$base_url = str_replace('/update.php', '', $request->getBaseUrl());
$url = (new Url('system.db_update'))->setOption('base_url', $base_url);
$build['main'] = array(
'#type' => 'link',
'#title' => $this->t('Run database updates'),
'#url' => $url,
'#access' => $url->access($this->currentUser()),
);
return $build;
}
}
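Review bot: `str_replace('/update.php', '', $request->getBaseUrl())` in databaseUpdatesMenuItem() removes every occurrence of the substring rather than a trailing script name, so a base URL that contains that text elsewhere in its path would be mangled; anchoring the match is safer: `$base_url = preg_replace('~/update\.php$~', '', $request->getBaseUrl());`. The docblock should also state what the `#access` line does, since it is the only thing keeping the link from anonymous visitors once the route itself is open: `Outputs a link to the database updates URL; the link is only rendered when the current user passes the system.db_update route's access check.` Whether getBaseUrl() can be influenced by the client depends on the server configuration and cannot be judged from this file, which is acceptable for a test-only module but worth a sentence in the comment.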
update_script_test.database_updates_menu_item:
path: '/update-script-test/database-updates-menu-item'
defaults:
_controller: '\Drupal\update_script_test\Controller\UpdateScriptTestController::databaseUpdatesMenuItem'
requirements:
_access: 'TRUE'
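Review bot: `_access: 'TRUE'` leaves this test route reachable by anonymous users, which is intentional here since the test asserts the link is absent for them rather than the page, but nothing records that intent. A comment above the requirement would keep a later cleanup from tightening it and breaking the anonymous assertion: `# Deliberately open: the test checks that the link is hidden, not that the page is.`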
...@@ -247,10 +247,11 @@ function update_authorize_update_batch_finished($success, $results) { ...@@ -247,10 +247,11 @@ function update_authorize_update_batch_finished($success, $results) {
} }
// Since we're doing an update of existing code, always add a task for // Since we're doing an update of existing code, always add a task for
// running update.php. // running update.php.
$url = Url::fromRoute('system.db_update');
$results['tasks'][] = t('Your modules have been downloaded and updated.'); $results['tasks'][] = t('Your modules have been downloaded and updated.');
$results['tasks'][] = [ $results['tasks'][] = [
'#type' => 'link', '#type' => 'link',
'#url' => Url::fromRoute('system.db_update'), '#url' => $url,
'#title' => t('Run database updates'), '#title' => t('Run database updates'),
// Since this is being called outsite of the primary front controller, // Since this is being called outsite of the primary front controller,
// the base_url needs to be set explicitly to ensure that links are // the base_url needs to be set explicitly to ensure that links are
...@@ -260,6 +261,7 @@ function update_authorize_update_batch_finished($success, $results) { ...@@ -260,6 +261,7 @@ function update_authorize_update_batch_finished($success, $results) {
'absolute' => TRUE, 'absolute' => TRUE,
'base_url' => $GLOBALS['base_url'], 'base_url' => $GLOBALS['base_url'],
], ],
'#access' => $url->access(\Drupal::currentUser())
]; ];
// Unset the variable since it is no longer needed. // Unset the variable since it is no longer needed.
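Review bot: The new `'#access' => $url->access(\Drupal::currentUser())` element is the last entry of a multi-line array but has no trailing comma, unlike the `#url` and `#options` entries above it; Drupal's coding standard wants `'#access' => $url->access(\Drupal::currentUser()),`. A comment is also warranted because this code runs from authorize.php rather than the primary front controller: when the account lacks access to system.db_update, the task list silently drops the link and the user gets no pointer to run database updates. If that is the intended outcome, `// Only show the link when the current user can reach update.php; the route enforces access.` records it. update_authorize_update_batch_finished() begins before these hunks, and the tail of the second hunk is not shown.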