Commit 2b4da58b authored by alexpott's avatar alexpott

Issue #2701851 by amateescu, animaci: The 'system.db_update' route should...

Issue #2701851 by amateescu, animaci: The 'system.db_update' route should restrict access via the 'access_check.db_update' service
parent 8efd6e53
......@@ -374,6 +374,7 @@ protected function selection(Request $request) {
'#attributes' => array('class' => array('button', 'button--primary')),
'#weight' => 5,
'#url' => $url,
'#access' => $url->access($this->currentUser()),
);
}
......
......@@ -56,20 +56,38 @@ function testUpdateAccess() {
$this->drupalGet($this->updateUrl, array('external' => TRUE));
$this->assertResponse(403);
// Check that a link to the update page is not accessible to regular users.
$this->drupalGet('/update-script-test/database-updates-menu-item');
$this->assertNoLink('Run database updates');
// Try accessing update.php as an anonymous user.
$this->drupalLogout();
$this->drupalGet($this->updateUrl, array('external' => TRUE));
$this->assertResponse(403);
// Check that a link to the update page is not accessible to anonymous
// users.
$this->drupalGet('/update-script-test/database-updates-menu-item');
$this->assertNoLink('Run database updates');
// Access the update page with the proper permission.
$this->drupalLogin($this->updateUser);
$this->drupalGet($this->updateUrl, array('external' => TRUE));
$this->assertResponse(200);
// Check that a link to the update page is accessible to users with proper
// permissions.
$this->drupalGet('/update-script-test/database-updates-menu-item');
$this->assertLink('Run database updates');
// Access the update page as user 1.
$this->drupalLogin($this->rootUser);
$this->drupalGet($this->updateUrl, array('external' => TRUE));
$this->assertResponse(200);
// Check that a link to the update page is accessible to user 1.
$this->drupalGet('/update-script-test/database-updates-menu-item');
$this->assertLink('Run database updates');
}
/**
......
......@@ -465,7 +465,7 @@ system.db_update:
defaults:
op: 'info'
requirements:
_access: 'TRUE'
_access_system_update: 'TRUE'
options:
default_url_options:
path_processing: FALSE
......
<?php
namespace Drupal\update_script_test\Controller;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\Request;
/**
* Controller routines for update_script_test routes.
*/
class UpdateScriptTestController extends ControllerBase {
/**
* Outputs a link to the database updates URL.
*/
public function databaseUpdatesMenuItem(Request $request) {
// @todo Simplify with https://www.drupal.org/node/2548095
$base_url = str_replace('/update.php', '', $request->getBaseUrl());
$url = (new Url('system.db_update'))->setOption('base_url', $base_url);
$build['main'] = array(
'#type' => 'link',
'#title' => $this->t('Run database updates'),
'#url' => $url,
'#access' => $url->access($this->currentUser()),
);
return $build;
}
}
update_script_test.database_updates_menu_item:
path: '/update-script-test/database-updates-menu-item'
defaults:
_controller: '\Drupal\update_script_test\Controller\UpdateScriptTestController::databaseUpdatesMenuItem'
requirements:
_access: 'TRUE'
......@@ -247,10 +247,11 @@ function update_authorize_update_batch_finished($success, $results) {
}
// Since we're doing an update of existing code, always add a task for
// running update.php.
$url = Url::fromRoute('system.db_update');
$results['tasks'][] = t('Your modules have been downloaded and updated.');
$results['tasks'][] = [
'#type' => 'link',
'#url' => Url::fromRoute('system.db_update'),
'#url' => $url,
'#title' => t('Run database updates'),
// Since this is being called outsite of the primary front controller,
// the base_url needs to be set explicitly to ensure that links are
......@@ -260,6 +261,7 @@ function update_authorize_update_batch_finished($success, $results) {
'absolute' => TRUE,
'base_url' => $GLOBALS['base_url'],
],
'#access' => $url->access(\Drupal::currentUser())
];
// Unset the variable since it is no longer needed.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment