Problem/Motivation

\Drupal\system\Controller\DbUpdateController::helpfulLinks checks $this->account->hasPermission which hard-codes the permissions required for those routes.

This was identified in new changes in #3508449: Add link to Status Report from database updates completion page and decided to resolve in a followup because there is an existing pattern.

Instead it should make use of Url->access and avoid hard-coding

See https://git.drupalcode.org/project/drupal/-/merge_requests/11267#note_47... for example

Steps to reproduce

Alter the system.admin route to require different permissions
Run update.php and view the helpful links on post update page
Click the link to 'Administration pages' and note access is denied.

Proposed resolution

Make use of Url::access instead

Remaining tasks

Add a test?

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

CommentFileSizeAuthor
#6 Screenshot-1.png25.8 KBjuandhr
#6 Screenshot-2.png81.34 KBjuandhr

Issue fork drupal-3512116

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

larowlan created an issue. See original summary.

larowlan’s picture

Issue summary: View changes

,

annmarysruthy made their first commit to this issue’s fork.

annmarysruthy’s picture

Status: Active » Needs review
juandhr’s picture

Status: Needs review » Reviewed & tested by the community
StatusFileSize
new81.34 KB
new25.8 KB

I can confirm that the changes introduced in the drupal-3512116/3512116-drupalsystemcontrollerdbupdatecontrollerhelpfullinks-checks-hard-coded branch work as expected.

While testing these changes in a local environment, I:

  • Added the 'access administration pages', 'administer site configuration', and 'administer software updates' permissions to a test role.
  • Logged in with that role and navigated to the /update.php/selection page in the default update process.
  • Verified that the "Administration pages" and "Status report" links display correctly.

This confirms that the modification to use the access() method from Drupal\Core\Url is working as intended.

quietone’s picture

Issue summary: View changes
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs tests

@juandhr, thanks for testing this issue and reporting the steps you followed. That is good practice. Is also helps to provide confirmation of the problem, before the patch is applied. And you can save yourself some time and effort because in Drupal core there is no need to upload screenshots of your IDE. There is some information about that at https://www.drupal.org/about/core/policies/maintainers/how-is-credit-gra....

Can we add a test for this?

Not sure what I am doing wrong but I can't duplicate the problem.

mstrelan’s picture

Status: Needs work » Needs review
Issue tags: -Needs tests

@quietone the problem is more hypothetical and the update here is for best practice. I'll try to explain the problem.

  • In \Drupal\system\Controller\DbUpdateController::helpfulLinks we check if the user has the 'administer site configuration' permission before displaying the "Status report" link.
  • In \Drupal\Tests\system\Functional\UpdateSystem\UpdateScriptTest::testSuccessfulMultilingualUpdateFunctionality we create a user with a bunch of permissions. This includes both 'access site reports' and 'administer site configuration'. Then we assert that the "Status report" link exists.
  • Core later decides that the permission required to access the 'system.status' route should actually be 'access site reports' and not 'administer site configuration' so the route is updated. The test still passes because that user has both permissions. But a user with 'administer site configuration' and not 'access site reports' will still see the link, even though they won't be able to access the route.
  • The same problem could arise if a contrib or custom module decides to alter the permissions required for the route. For example, they might override the status report page and provide a custom permission for it. The link will still appear for users with the original permission.

By changing to Url::access we don't need to worry about what permission the route requires, just whether the logged in user can access it or not.

Can we add a test for this?

I think the test mentioned above is sufficient, not sure it's worth the effort to expand that further.

smustgrave’s picture

Status: Needs review » Reviewed & tested by the community

@quietone that work for you? Moving to RTBC to put in committer eyes.

  • longwave committed 9a1d0b13 on 11.x
    Issue #3512116 by annmarysruthy, juandhr, larowlan, mstrelan, quietone...
longwave’s picture

Status: Reviewed & tested by the community » Fixed

I could argue that helpfuLinks() should be filtered after the fact, maybe the links template could have an option to check access before rendering each link, but this works for me as a simple solution given there are only two links to check. I agree also that this meets the criteria for not needing an explicit test, the manual test results are enough.

Committed 9a1d0b1 and pushed to 11.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.