Issue #2701851 by amateescu, animaci: The 'system.db_update' route should...

Issue #2701851 by amateescu, animaci: The 'system.db_update' route should restrict access via the 'access_check.db_update' service

Issue #2701851 by amateescu, animaci: The 'system.db_update' route should...
2b4da58b · Alex Pott · 8efd6e53 · 2b4da58b · 2b4da58b · 2b4da58b
Commit 2b4da58b authored 9 years ago by Alex Pott
--- a/core/modules/system/src/Controller/DbUpdateController.php
+++ b/core/modules/system/src/Controller/DbUpdateController.php
@@ -374,6 +374,7 @@ protected function selection(Request $request) {
        '#attributes' => array('class' => array('button', 'button--primary')),
        '#weight' => 5,
        '#url' => $url,
+        '#access' => $url->access($this->currentUser()),
      );
    }


--- a/core/modules/system/src/Tests/Update/UpdateScriptTest.php
+++ b/core/modules/system/src/Tests/Update/UpdateScriptTest.php
@@ -56,20 +56,38 @@ function testUpdateAccess() {
    $this->drupalGet($this->updateUrl, array('external' => TRUE));
    $this->assertResponse(403);

+    // Check that a link to the update page is not accessible to regular users.
+    $this->drupalGet('/update-script-test/database-updates-menu-item');
+    $this->assertNoLink('Run database updates');
+
    // Try accessing update.php as an anonymous user.
    $this->drupalLogout();
    $this->drupalGet($this->updateUrl, array('external' => TRUE));
    $this->assertResponse(403);

+    // Check that a link to the update page is not accessible to anonymous
+    // users.
+    $this->drupalGet('/update-script-test/database-updates-menu-item');
+    $this->assertNoLink('Run database updates');
+
    // Access the update page with the proper permission.
    $this->drupalLogin($this->updateUser);
    $this->drupalGet($this->updateUrl, array('external' => TRUE));
    $this->assertResponse(200);

+    // Check that a link to the update page is accessible to users with proper
+    // permissions.
+    $this->drupalGet('/update-script-test/database-updates-menu-item');
+    $this->assertLink('Run database updates');
+
    // Access the update page as user 1.
    $this->drupalLogin($this->rootUser);
    $this->drupalGet($this->updateUrl, array('external' => TRUE));
    $this->assertResponse(200);
+
+    // Check that a link to the update page is accessible to user 1.
+    $this->drupalGet('/update-script-test/database-updates-menu-item');
+    $this->assertLink('Run database updates');
  }

  /**

--- a/core/modules/system/system.routing.yml
+++ b/core/modules/system/system.routing.yml
@@ -465,7 +465,7 @@ system.db_update:
  defaults:
    op: 'info'
  requirements:
-    _access: 'TRUE'
+    _access_system_update: 'TRUE'
  options:
    default_url_options:
      path_processing: FALSE

--- a/core/modules/system/tests/modules/update_script_test/src/Controller/UpdateScriptTestController.php
+++ b/core/modules/system/tests/modules/update_script_test/src/Controller/UpdateScriptTestController.php
+<?php
+
+namespace Drupal\update_script_test\Controller;
+
+use Drupal\Core\Controller\ControllerBase;
+use Drupal\Core\Url;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Controller routines for update_script_test routes.
+ */
+class UpdateScriptTestController extends ControllerBase {
+
+  /**
+   * Outputs a link to the database updates URL.
+   */
+  public function databaseUpdatesMenuItem(Request $request) {
+    // @todo Simplify with https://www.drupal.org/node/2548095
+    $base_url = str_replace('/update.php', '', $request->getBaseUrl());
+    $url = (new Url('system.db_update'))->setOption('base_url', $base_url);
+    $build['main'] = array(
+      '#type' => 'link',
+      '#title' => $this->t('Run database updates'),
+      '#url' => $url,
+      '#access' => $url->access($this->currentUser()),
+    );
+
+    return $build;
+  }
+
+}
--- a/core/modules/system/tests/modules/update_script_test/update_script_test.routing.yml
+++ b/core/modules/system/tests/modules/update_script_test/update_script_test.routing.yml
+update_script_test.database_updates_menu_item:
+  path: '/update-script-test/database-updates-menu-item'
+  defaults:
+    _controller: '\Drupal\update_script_test\Controller\UpdateScriptTestController::databaseUpdatesMenuItem'
+  requirements:
+    _access: 'TRUE'
--- a/core/modules/update/update.authorize.inc
+++ b/core/modules/update/update.authorize.inc
@@ -247,10 +247,11 @@ function update_authorize_update_batch_finished($success, $results) {
  }
  // Since we're doing an update of existing code, always add a task for
  // running update.php.
+  $url = Url::fromRoute('system.db_update');
  $results['tasks'][] = t('Your modules have been downloaded and updated.');
  $results['tasks'][] = [
    '#type' => 'link',
-    '#url' => Url::fromRoute('system.db_update'),
+    '#url' => $url,
    '#title' => t('Run database updates'),
    // Since this is being called outsite of the primary front controller,
    // the base_url needs to be set explicitly to ensure that links are
@@ -260,6 +261,7 @@ function update_authorize_update_batch_finished($success, $results) {
      'absolute' => TRUE,
      'base_url' => $GLOBALS['base_url'],
    ],
+    '#access' => $url->access(\Drupal::currentUser())
  ];

  // Unset the variable since it is no longer needed.