? docs ? tmp ? modules/syndication ? sites/all/modules/admin_menu ? sites/all/modules/cck ? sites/all/modules/coder ? sites/all/modules/cvs_deploy ? sites/all/modules/demo ? sites/all/modules/devel ? sites/all/modules/drush ? sites/all/modules/google_analytics ? sites/all/modules/path_redirect ? sites/all/modules/pbs ? sites/all/modules/plugin_manager ? sites/all/modules/robotstxt ? sites/all/modules/sandbox Index: update.php =================================================================== RCS file: /cvs/drupal/drupal/update.php,v retrieving revision 1.279 diff -u -p -r1.279 update.php --- update.php 9 Mar 2009 20:58:19 -0000 1.279 +++ update.php 18 Mar 2009 05:46:24 -0000 @@ -13,9 +13,11 @@ define('DRUPAL_ROOT', getcwd()); * Point your browser to "http://www.example.com/update.php" and follow the * instructions. * - * If you are not logged in as administrator, you will need to modify the access - * check statement inside your settings.php file. After finishing the upgrade, - * be sure to open settings.php again, and change it back to its original state! + * If you are not logged in as administrator or do not have the + * 'administer site updates' permission, you will need to modify the + * access check statement inside your settings.php file. After + * finishing the upgrade, be sure to open settings.php again, and + * change it back to its original state! */ /** @@ -338,10 +340,16 @@ function update_finished($success, $resu } } +/** + * Internal version of l() to avoid pointing URLs to 'update.php/$path'. + */ +function update_l($text, $path = NULL) { + return ''. $text . ''; +} + function update_helpful_links() { - // NOTE: we can't use l() here because the URL would point to 'update.php?q=admin'. - $links[] = 'Front page'; - $links[] = 'Administration pages'; + $links[] = update_l('Front page'); + $links[] = update_l('Administration pages', 'admin'); return $links; } 
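Review bot: update_l() joins `$text` into the returned link by plain concatenation, and in this rendering of the hunk the markup (and how `$path` is used) is not visible, so nothing shows either argument being escaped. Every caller in this patch passes a literal, so this is a contract gap rather than a present injection. The docblock should say so, for example `@param $text Link text, inserted as-is; pass only trusted or check_plain()'d strings.` and `@param $path Drupal path relative to the site root; not taken from user input.` If the helper is ever given dynamic values, escape inside it instead. The spacing in `''. $text` also differs from the `' . '` style used on the other new lines.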
@@ -352,14 +360,14 @@ function update_results_page() { update_task_list(); // Report end result if (module_exists('dblog')) { - $log_message = ' All errors have been logged.'; + $log_message = ' All errors have been ' . update_l('logged', 'admin/reports/dblog') . '.'; } else { $log_message = ' All errors have been logged.'; } if ($_SESSION['update_success']) { - $output = '

Updates were attempted. If you see no failures below, you may proceed happily to the administration pages. Otherwise, you may need to update your database manually.' . $log_message . '

'; + $output = '

Updates were attempted. If you see no failures below, you may proceed happily to the ' . update_l('administration pages', 'admin') . '. Otherwise, you may need to update your database manually.' . $log_message . '

'; } else { list($module, $version) = array_pop(reset($_SESSION['updates_remaining'])); @@ -424,7 +432,7 @@ function update_info_page() { $output .= "
    \n"; $output .= "
  1. Back up your database. This process will change your database values and in case of emergency you may need to revert to a backup.
  2. \n"; $output .= "
  3. Back up your code. Hint: when backing up module code, do not leave that backup in the 'modules' or 'sites/*/modules' directories as this may confuse Drupal's auto-discovery mechanism.
  4. \n"; - $output .= '
  5. Put your site into maintenance mode.
  6. ' . "\n"; + $output .= '
  7. Put your site into ' . update_l('maintenance mode', 'admin/settings/site-maintenance') . '.
  8. ' . "\n"; $output .= "
  9. Install your new files in the appropriate location, as described in the handbook.
  10. \n"; $output .= "
\n"; $output .= "

When you have performed the steps above, you may proceed.

\n"; @@ -435,12 +443,14 @@ function update_info_page() { function update_access_denied_page() { drupal_set_title('Access denied'); - return '

Access denied. You are not authorized to access this page. Please log in as the admin user (the first user you created). If you cannot log in, you will have to edit settings.php to bypass this access check. To do this:

+ watchdog('access denied', 'update.php', NULL, WATCHDOG_WARNING); + drupal_set_header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden'); + return '

Access denied. You are not authorized to access this page. Please give your user the Administer site updates permission, or log in as the admin user (the first user you created). If you cannot log in, you will have to edit settings.php to bypass this access check. To do this:

  1. With a text editor find the settings.php file on your system. From the main Drupal directory that you installed all the files into, go to sites/your_site_name if such directory exists, or else to sites/default which applies otherwise.
  2. There is a line inside your settings.php file that says $update_free_access = FALSE;. Change it to $update_free_access = TRUE;.
  3. As soon as the update.php script is done, you must change the settings.php file back to its original form with $update_free_access = FALSE;.
  4. -
  5. To avoid having this problem in future, remember to log in to your website as the admin user (the user you first created) before you backup your database at the beginning of the update process.
  6. +
  7. To avoid having this problem in future, remember to log in to your website as a user with the Administer site updates permission, or as the admin user (the user you first created) before you backup your database at the beginning of the update process.
'; } @@ -732,7 +742,7 @@ drupal_maintenance_theme(); ini_set('display_errors', TRUE); // Access check: -if (!empty($update_free_access) || $user->uid == 1) { +if (!empty($update_free_access) || user_access('administer site updates')) { include_once DRUPAL_ROOT . '/includes/install.inc'; include_once DRUPAL_ROOT . '/includes/batch.inc'; Index: modules/system/system.module =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.module,v retrieving revision 1.673 diff -u -p -r1.673 system.module --- modules/system/system.module 17 Mar 2009 15:26:29 -0000 1.673 +++ modules/system/system.module 18 Mar 2009 05:46:29 -0000 @@ -181,6 +181,10 @@ function system_perm() { 'title' => t('Administer site configuration'), 'description' => t('Configure site-wide settings such as module or theme administration settings.'), ), + 'administer site updates' => array( + 'title' => t('Administer site updates'), + 'description' => t('Run the update.php script.'), + ), 'administer actions' => array( 'title' => t('Administer actions'), 'description' => t('Manage the actions defined for your site.'), Index: modules/system/system.test =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.test,v retrieving revision 1.39 diff -u -p -r1.39 system.test --- modules/system/system.test 11 Feb 2009 05:33:18 -0000 1.39 +++ modules/system/system.test 18 Mar 2009 05:46:30 -0000 @@ -878,7 +878,7 @@ class SystemThemeFunctionalTest extends 'node_admin_theme' => FALSE, ); $this->drupalPost('admin/build/themes', $edit, t('Save configuration')); - + $this->drupalGet('admin'); $this->assertRaw('themes/garland', t('Administration theme used on an administration page.')); 
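Review bot: update_access_denied_page() now logs a watchdog warning and sets a 403 status as well as returning markup, but it has no docblock saying so. I would add a short one above the function, for example `/** Builds the update.php access-denied page; also logs the denial through watchdog() and sends a 403 header. */`. The logged message is the fixed string `'update.php'`, so it is worth confirming that watchdog() records the requesting account and address itself. Otherwise these entries carry little for anyone triaging repeated probes of the script.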
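Review bot: The new `user_access('administer site updates')` check depends on permission data and a loaded `$user`, and update.php may be running against both in a pre-update state. The hunk shows no handling for a failed lookup, so it is worth confirming that the condition fails closed. A comment above it would record the intended rule, for example `// uid 1 always passes user_access(); other accounts need 'administer site updates'. $update_free_access bypasses both.` Separately, `ini_set('display_errors', TRUE)` on the context line runs before the check, so denied requests also get verbose error output. The surrounding top-level code continues outside the hunk.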
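Review bot: The description `'Run the update.php script.'` understates what the new permission grants. Holders can trigger every pending database update, so in practice it is an administrator-level privilege. I would make that visible on the permissions page, for example `'description' => t('Run the update.php script. Grant only to trusted roles; updates can change the database schema and site data.'),`. system_perm() starts and ends outside the hunk.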
@@ -887,7 +887,7 @@ class SystemThemeFunctionalTest extends // Reset to the default theme settings. $this->drupalPost('admin/build/themes', array(), t('Reset to defaults')); - + $this->drupalGet('admin'); $this->assertRaw('themes/garland', t('Site default theme used on administration page.')); 
@@ -895,3 +895,47 @@ class SystemThemeFunctionalTest extends $this->assertRaw('themes/garland', t('Site default theme used on the add content page.')); } } + +/** + * Tests for the update system functionality. + */ +class UpdateScriptFunctionalTest extends DrupalWebTestCase { + function getInfo() { + return array( + 'name' => t('Update.php functionality'), + 'description' => t('Tests the update script access and functionality.'), + 'group' => t('System'), + ); + } + + /** + * Tests access to the update script. + */ + function testUpdateAccess() { + // Try accessing update.php without the proper permission. + $regular_user = $this->drupalCreateUser(); + $this->drupalLogin($regular_user); + $this->drupalGet('update.php'); + $this->assertResponse(403); + $this->assertNoFieldByXPath('//input[@type="submit"]', t('Continue'), t('Continue button not found')); + + // Try accessing update.php as an anonymous user. + $this->drupalLogout(); + $this->drupalGet('update.php'); + $this->assertResponse(403); + $this->assertNoFieldByXPath('//input[@type="submit"]', t('Continue'), t('Continue button not found')); + + // Try accessing update.php with the proper permission. + $update_user = $this->drupalCreateUser(array('administer site updates', 'access administration pages')); + $this->drupalLogin($update_user); + $this->drupalGet('update.php'); + $this->assertResponse(200); + $this->assertFieldByXPath('//input[@type="submit"]', t('Continue'), t('Continue button found')); + + // Proceed through the update process without any pending updates. + $this->drupalPost(NULL, array(), t('Continue')); + $this->assertText(t('No pending updates.')); + $this->clickLink('Administration pages'); + $this->assertResponse(200); + } +}
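Review bot: testUpdateAccess() checks a user with no permissions, an anonymous user and a user holding the new permission, but never an account with other administrative permissions and without 'administer site updates'. That is the case that shows the check is tied to this one permission. I would add `$this->drupalLogin($this->drupalCreateUser(array('access administration pages')));`, then `$this->drupalGet('update.php');` and `$this->assertResponse(403);` before the positive case. The `$update_free_access` bypass and the new watchdog entry are also unexercised, and a comment in the test noting that would keep the gap visible.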