Index: update.php =================================================================== RCS file: /cvs/drupal/drupal/update.php,v retrieving revision 1.282 diff -u -p -r1.282 update.php --- update.php 12 May 2009 08:37:44 -0000 1.282 +++ update.php 12 May 2009 09:43:08 -0000 @@ -13,9 +13,11 @@ define('DRUPAL_ROOT', getcwd()); * Point your browser to "http://www.example.com/update.php" and follow the * instructions. * - * If you are not logged in as administrator, you will need to modify the access - * check statement inside your settings.php file. After finishing the upgrade, - * be sure to open settings.php again, and change it back to its original state! + * If you are not logged in as administrator or do not have the + * 'administer site updates' permission, you will need to modify the + * access check statement inside your settings.php file. After + * finishing the upgrade, be sure to open settings.php again, and + * change it back to its original state! */ /** @@ -434,13 +436,15 @@ function update_info_page() { } function update_access_denied_page() { + drupal_set_header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden'); + watchdog('access denied', 'update.php', NULL, WATCHDOG_WARNING); drupal_set_title('Access denied'); - return '

Access denied. You are not authorized to access this page. Please log in as the admin user (the first user you created). If you cannot log in, you will have to edit settings.php to bypass this access check. To do this:

+ return '

Access denied. You are not authorized to access this page. Please give your user the Administer site updates permission, or log in as the admin user (the first user you created). If you cannot log in, you will have to edit settings.php to bypass this access check. To do this:

  1. With a text editor find the settings.php file on your system. From the main Drupal directory that you installed all the files into, go to sites/your_site_name if such directory exists, or else to sites/default which applies otherwise.
  2. There is a line inside your settings.php file that says $update_free_access = FALSE;. Change it to $update_free_access = TRUE;.
  3. As soon as the update.php script is done, you must change the settings.php file back to its original form with $update_free_access = FALSE;.
  4. -
  5. To avoid having this problem in future, remember to log in to your website as the admin user (the user you first created) before you backup your database at the beginning of the update process.
  6. +
  7. To avoid having this problem in future, remember to log in to your website as a user with the Administer site updates permission, or as the admin user (the user you first created) before you backup your database at the beginning of the update process.
'; } @@ -728,7 +732,7 @@ update_prepare_d7_bootstrap(); // Determine if the current user has access to run update.php. drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION); -$update_access_allowed = !empty($update_free_access) || $user->uid == 1; +$update_access_allowed = !empty($update_free_access) || user_access('administer site updates'); // Only allow the requirements check to proceed if the current user has access // to run updates (since it may expose sensitive information about the site's Index: modules/system/system.module =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.module,v retrieving revision 1.692 diff -u -p -r1.692 system.module --- modules/system/system.module 12 May 2009 08:37:45 -0000 1.692 +++ modules/system/system.module 12 May 2009 09:43:09 -0000 @@ -181,6 +181,10 @@ function system_perm() { 'title' => t('Administer site configuration'), 'description' => t('Configure site-wide settings such as module or theme administration settings.'), ), + 'administer site updates' => array( + 'title' => t('Administer site updates'), + 'description' => t('Run the update.php script.'), + ), 'administer actions' => array( 'title' => t('Administer actions'), 'description' => t('Manage the actions defined for your site.'),
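Review bot: update_access_denied_page() now sends a 403 status line and writes a watchdog entry as well as returning the page body, but it still has no doc comment describing those side effects. I would add one above the function, e.g. `/** Sends a 403 response, logs the denied request to watchdog, and returns the access-denied help text. */`. The watchdog() call writes to the database on a site that may be mid-upgrade; whether the log table is guaranteed usable at that point is not visible in the hunk and is worth confirming. The logged message is the fixed string 'update.php', so the entry is only useful for triage if watchdog() itself records the requesting user and address.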
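Review bot: The new check `user_access('administer site updates')` no longer names uid 1, so the first user's access to update.php now depends on user_access() returning TRUE for user 1 internally, which is not visible here. A short comment on that line would stop a later reader from assuming the admin account was dropped, e.g. `// user_access() always grants uid 1, so the first user keeps access.`. For other accounts the permission lookup reads role data from the database right after DRUPAL_BOOTSTRAP_SESSION; on a schema that has not been updated yet that lookup may fail or deny. Presumably update_prepare_d7_bootstrap() accounts for this, but it should be confirmed on an upgrade path and not only on a current install.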
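Review bot: The description `'Run the update.php script.'` undersells what this permission grants. Per the access check in update.php, holders can run database updates and reach the requirements check, which that file's own comment says may expose sensitive information about the site. I would say so in the text so administrators treat it as a trusted-role permission, e.g. `'description' => t('Run the update.php script. Grant to trusted roles only; it runs database updates.'),`. system_perm() starts and ends outside the hunk.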