The 'system.db_update' route should restrict access via the 'access_check.db_update' service

Does this patch hide the menu link?

@animaci, good find and congrats for your first patch! :)

+++ b/core/modules/system/system.routing.yml
@@ -455,7 +455,7 @@ system.db_update:
-    _access: 'TRUE'
+    _permission: 'administer software updates'

Access to the db update page is also granted based on the 'update_free_access' setting, so it would be better to use the access_check.db_update service instead.

Here's also a small test for this.

Is there no place in core where we link to the updates and ideally should check access as well?

There are a couple of places where we could do that.

index 3a3e273..6c14ce1 100644
--- a/core/modules/system/src/Controller/DbUpdateController.php

--- a/core/modules/system/src/Controller/DbUpdateController.php
+++ b/core/modules/system/src/Controller/DbUpdateController.php

+++ b/core/modules/system/src/Controller/DbUpdateController.php
@@ -374,6 +374,7 @@ protected function selection(Request $request) {

@@ -374,6 +374,7 @@ protected function selection(Request $request) {
         '#attributes' => array('class' => array('button', 'button--primary')),
         '#weight' => 5,
         '#url' => $url,
+        '#access' => $url->access($this->currentUser()),
       );

Yeah its a bit pointless here to be honest, I just though that there is a good link somewhere else, so we could have skipped the custom test controller, but nevermind.

Committed c3e0c5b and pushed to 8.1.x ad 8.2.x. Thanks!

Committed to 8.1.x as the fix is a patch release safe bug fix.