Unverified Commit 49c3ed28 authored by larowlan's avatar larowlan

Issue #2804155 by tedbow, drumm, samuel.mortenson, xjm, geerlingguy: If the...

Issue #2804155 by tedbow, drumm, samuel.mortenson, xjm, geerlingguy: If the next minor version of core has a security release, status still says "Security update required!" even if the site is on an equivalent, secure release already

(cherry picked from commit adf32937)
parent 38110948
......@@ -548,6 +548,14 @@ public function securityUpdateAvailabilityProvider() {
'expected_update_message_type' => static::UPDATE_AVAILABLE,
'fixture' => 'sec.8.x-2.2_1.x_secure',
],
// On latest security release for module major release 1.
// Security release also available for next major.
'8.x-1.2, 8.x-1.2 8.x-2.2' => [
'module_patch_version' => '8.x-1.2',
'expected_security_release' => [],
'expected_update_message_type' => static::UPDATE_NONE,
'fixture' => 'sec.8.x-1.2_8.x-2.2',
],
// @todo In https://www.drupal.org/node/2865920 add test cases:
// - 8.x-2.0 using fixture 'sec.8.x-1.2_8.x-2.2' to ensure that 8.x-2.2
// is the only security update.
......
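Review bot: The added case `'8.x-1.2, 8.x-1.2 8.x-2.2'` names its second element `expected_security_release`, and the new core cases `'0.2, 0.2'`, `'0.0, 1.2, secure'` and `'0.2, 1.2, secure'` later in this commit do the same, while the untouched core case that switches to fixture `sec.0.2-rc2` spells it `expected_security_releases`. If the data sets are bound to the test method by position, this is only a readability problem, but it would break as soon as keys are matched to parameter names. One spelling should be used throughout, e.g. `'expected_security_releases' => [],`. The test method's signature is not visible in these hunks, so the right spelling needs checking there; the provider itself starts and ends outside this hunk.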
......@@ -242,6 +242,15 @@ public function securityUpdateAvailabilityProvider() {
'expected_update_message_type' => static::SECURITY_UPDATE_REQUIRED,
'fixture' => 'sec.0.2',
],
// Site on latest security release available for site minor release 0.
// Minor release 1 also has a security release, and the current release
// is marked as insecure.
'0.2, 0.2' => [
'site_patch_version' => '0.2',
'expected_security_release' => ['1.2', '2.0-rc2'],
'expected_update_message_type' => static::UPDATE_AVAILABLE,
'fixture' => 'sec.0.2-rc2',
],
// Two security releases available for site minor release 0.
// 0.1 security release marked as insecure.
// No releases for next minor.
......@@ -273,10 +282,7 @@ public function securityUpdateAvailabilityProvider() {
'site_patch_version' => '1.2',
'expected_security_releases' => [],
'expected_update_message_type' => static::UPDATE_NONE,
// @todo Change to use fixture 'sec.0.2-rc2' in
// https://www.drupal.org/node/2804155. Currently this case would fail
// because 8.2.0-rc2 would be the recommend security release.
'fixture' => 'sec.0.2-rc2-b',
'fixture' => 'sec.0.2-rc2',
],
// No security release available for site minor release 0.
// Security release available for next minor.
......@@ -286,6 +292,20 @@ public function securityUpdateAvailabilityProvider() {
'expected_update_message_type' => static::SECURITY_UPDATE_REQUIRED,
'fixture' => 'sec.1.2_insecure',
],
// All releases for minor 0 are secure.
// Security release available for next minor.
'0.0, 1.2, secure' => [
'site_patch_version' => '0.0',
'expected_security_release' => ['1.2'],
'expected_update_message_type' => static::UPDATE_AVAILABLE,
'fixture' => 'sec.1.2',
],
'0.2, 1.2, secure' => [
'site_patch_version' => '0.2',
'expected_security_release' => ['1.2'],
'expected_update_message_type' => static::UPDATE_AVAILABLE,
'fixture' => 'sec.1.2',
],
// Site on 2.0-rc2 which is a security release.
'2.0-rc2, 0.2 1.2' => [
'site_patch_version' => '2.0-rc2',
......
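Review bot: The comment on the new `'0.2, 0.2'` case says the current release is marked as insecure, yet the case expects `static::UPDATE_AVAILABLE` rather than `static::SECURITY_UPDATE_REQUIRED`. This case pins whether a site on a release flagged insecure still gets the required-security-update message, so the comment and the expectation should agree. If 0.2 is not tagged insecure in `sec.0.2-rc2`, reword the comment along the lines of `// Minor release 1 also has a security release; 0.2 itself is not marked insecure.`; if it is tagged, the expected message type looks wrong. The fixture XML is not shown on this page, so this is inferred from the comment and the expected values alone.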
......@@ -425,15 +425,6 @@ function update_calculate_project_update_status(&$project_data, $available) {
$project_data['recommended'] = $project_data['latest_version'];
}
//
// Check to see if we need an update or not.
//
if (!empty($project_data['security updates'])) {
// If we found security updates, that always trumps any other status.
$project_data['status'] = UPDATE_NOT_SECURE;
}
if (isset($project_data['status'])) {
// If we already know the status, we're done.
return;
......
......@@ -405,24 +405,6 @@ function update_get_available($refresh = FALSE) {
$available = \Drupal::keyValueExpirable('update_available_releases')->getAll();
}
// Check for security releases that are covered under the same security
// advisories as the site's current release, and override the update status
// data so that those releases are not flagged as needed security updates.
// Any security releases beyond those specific releases will still be shown
// as required security updates.
// @todo This is a temporary fix to allow minor-version backports of security
// fixes to be shown as secure. It should not be included in the codebase of
// any release or branch other than such backports. Replace this with
// https://www.drupal.org/project/drupal/issues/2804155.
foreach (_update_equivalent_security_releases() as $equivalent_release) {
if (!empty($available['drupal']['releases'][$equivalent_release]['terms']['Release type'])) {
$security_release_key = array_search('Security update', $available['drupal']['releases'][$equivalent_release]['terms']['Release type']);
if ($security_release_key !== FALSE) {
unset($available['drupal']['releases'][$equivalent_release]['terms']['Release type'][$security_release_key]);
}
}
}
return $available;
}
......@@ -439,11 +421,14 @@ function update_get_available($refresh = FALSE) {
* A list of security release numbers that are equivalent to this release
* (i.e. covered by the same advisory), for backported security fixes only.
*
* @todo This is a temporary fix to allow minor-version backports of security
* fixes to be shown as secure. Replace this with
* https://www.drupal.org/project/drupal/issues/2766491.
* @internal
*
* @deprecated in Drupal 8.6.0 and will be removed before Drupal 9.0.0. Use the
* 'Insecure' release type tag in update XML provided by Drupal.org to
* determine if releases are insecure.
*/
function _update_equivalent_security_releases() {
trigger_error("_update_equivalent_security_releases() was a temporary fix and will be removed before 9.0.0. Use the 'Insecure' release type tag in update XML provided by Drupal.org to determine if releases are insecure.", E_USER_DEPRECATED);
switch (\Drupal::VERSION) {
case '8.3.8':
return ['8.4.5', '8.5.0-rc1'];
......
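Review bot: The deprecation added at the top of `_update_equivalent_security_releases()` uses a bare `trigger_error()`, so any remaining caller sends `E_USER_DEPRECATED` through the site's error handler on every call. Drupal core normally raises deprecations in the silenced form, `@trigger_error("...", E_USER_DEPRECATED);`, so they surface only to tooling that listens for them. The runtime message also omits the "deprecated in Drupal 8.6.0" wording that the new `@deprecated` docblock carries; matching the two makes the notice easier to trace. The function's `switch` continues beyond the end of this hunk.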