Index: update.php
===================================================================
RCS file: /cvs/drupal/drupal/update.php,v
retrieving revision 1.301
diff -u -p -r1.301 update.php
--- update.php 25 Aug 2009 21:53:47 -0000 1.301
+++ update.php 3 Sep 2009 22:11:22 -0000
@@ -13,7 +13,8 @@ define('DRUPAL_ROOT', getcwd());
 * Point your browser to "http://www.example.com/update.php" and follow the
 * instructions.
 *
- * If you are not logged in as administrator, you will need to modify the access
+ * If you are not logged in as the site administrator or as a user with the
+ * 'Administer software updates' permission, you will need to modify the access
 * check statement inside your settings.php file. After finishing the upgrade,
 * be sure to open settings.php again, and change it back to its original state!
 */
@@ -196,16 +197,39 @@ function update_info_page() {
 function update_access_denied_page() {
 drupal_set_title('Access denied');
- return '

Access denied. You are not authorized to access this page. Please log in as the admin user (the first user you created). If you cannot log in, you will have to edit settings.php to bypass this access check. To do this:

+ return '

Access denied. You are not authorized to access this page. Please log in as a user with the Administer software updates permission, or as the admin user (the first user you created). If you cannot log in, you will have to edit settings.php to bypass this access check. To do this:

  1. With a text editor find the settings.php file on your system. From the main Drupal directory that you installed all the files into, go to sites/your_site_name if such directory exists, or else to sites/default which applies otherwise.
  2. There is a line inside your settings.php file that says $update_free_access = FALSE;. Change it to $update_free_access = TRUE;.
  3. As soon as the update.php script is done, you must change the settings.php file back to its original form with $update_free_access = FALSE;.
  4. -
  5. To avoid having this problem in future, remember to log in to your website as the admin user (the user you first created) before you backup your database at the beginning of the update process.
  6. +
  7. To avoid having this problem in the future, remember to log in to your website as a user with the Administer software updates permission, or as the admin user (the first user you created) before you backup your database at the beginning of the update process.
';
 }
 /**
+ * Determines if the current user is allowed to run update.php.
+ *
+ * @return
+ * TRUE if the current user should be granted access, or FALSE otherwise.
+ */
+function update_access_allowed() {
+ global $update_free_access, $user;
+ // Allow the global variable in settings.php to override the access check.
+ if (!empty($update_free_access)) {
+ return TRUE;
+ }
+ // Calls to user_access() might fail during the Drupal 6 to 7 update process,
+ // so we fall back on requiring that the user be logged in as user #1.
+ try {
+ require_once drupal_get_path('module', 'user') . '/user.module';
+ return user_access('administer software updates');
+ }
+ catch (Exception $e) {
+ return $user->uid == 1;
+ }
+}
+
+/**
 * Add the update task list to the current page.
 */
 function update_task_list($active = NULL) {
@@ -267,13 +291,12 @@ update_prepare_d7_bootstrap();
 // Determine if the current user has access to run update.php.
 drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);
-$update_access_allowed = !empty($update_free_access) || $user->uid == 1;
 // Only allow the requirements check to proceed if the current user has access
 // to run updates (since it may expose sensitive information about the site's
 // configuration).
 $op = isset($_REQUEST['op']) ? $_REQUEST['op'] : '';
-if (empty($op) && $update_access_allowed) {
+if (empty($op) && update_access_allowed()) {
 require_once DRUPAL_ROOT . '/includes/install.inc';
 require_once DRUPAL_ROOT . '/includes/file.inc';
 require_once DRUPAL_ROOT . '/modules/system/system.install';
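Review bot: In `update_access_allowed()`, the `catch (Exception $e)` branch treats every exception as "permissions cannot be checked yet" and discards it, so an unrelated failure silently changes which rule decides access, with nothing logged. The fallback fails closed to user #1, which is the safe direction, but the `try` only helps when `user_access()` actually throws; a PHP fatal error, or a plain `FALSE` from a half-migrated permission table, would not reach it (inferred, since the body of `user_access()` is not in the hunk). I would extend the docblock to state the order of checks, `$update_free_access` first, then the permission, then uid 1, and that the settings.php override returns TRUE for any visitor, including anonymous ones. The function is also evaluated at both call sites further down, so the lookup now runs up to twice per request where the old code computed the flag once.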
@@ -307,7 +330,7 @@ drupal_maintenance_theme();
 ini_set('display_errors', TRUE);
 // Only proceed with updates if the user is allowed to run them.
-if ($update_access_allowed) {
+if (update_access_allowed()) {
 include_once DRUPAL_ROOT . '/includes/install.inc';
 include_once DRUPAL_ROOT . '/includes/batch.inc';
Index: modules/system/system.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.module,v
retrieving revision 1.784
diff -u -p -r1.784 system.module
--- modules/system/system.module 1 Sep 2009 16:50:12 -0000 1.784
+++ modules/system/system.module 3 Sep 2009 22:11:23 -0000
@@ -216,6 +216,10 @@ function system_permission() {
 'title' => t('Administer site configuration'),
 'description' => t('Configure site-wide settings such as module or theme administration settings.'),
 ),
+ 'administer software updates' => array(
+ 'title' => t('Administer software updates'),
+ 'description' => t('Run the update.php script.'),
+ ),
 'administer actions' => array(
 'title' => t('Administer actions'),
 'description' => t('Manage the actions defined for your site.'),
Index: sites/default/default.settings.php
===================================================================
RCS file: /cvs/drupal/drupal/sites/default/default.settings.php,v
retrieving revision 1.29
diff -u -p -r1.29 default.settings.php
--- sites/default/default.settings.php 22 Aug 2009 20:10:38 -0000 1.29
+++ sites/default/default.settings.php 3 Sep 2009 22:11:24 -0000
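Review bot: The description `t('Run the update.php script.')` added to `system_permission()` does not tell the person assigning roles that this permission is security-sensitive. The comment in update.php itself says the requirements check may expose sensitive information about the site's configuration, and before this change the script was limited to user #1 or the settings.php override, so the permissions page should carry that warning. I would change the line to `'description' => t('Run the update.php script. Grant this only to trusted roles.'),`. The permission array starts and ends outside the hunk.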
@@ -157,9 +157,10 @@ $db_prefix = '';
 * Access control for update.php script
 *
 * If you are updating your Drupal installation using the update.php script
- * being not logged in as administrator, you will need to modify the access
- * check statement below. Change the FALSE to a TRUE to disable the access
- * check. After finishing the upgrade, be sure to open this file again
+ * and you are not logged in as the administrator or as a user with the
+ * 'Administer software updates' permission, you will need to modify the
+ * access check statement below. Change the FALSE to a TRUE to disable the
+ * access check. After finishing the upgrade, be sure to open this file again
 * and change the TRUE back to a FALSE!
 */
 $update_free_access = FALSE;