While working on #67234: Update script access rights, I discovered that anonymous users are sometimes not able to run update.php, even if $update_free_access is set to TRUE in settings.php. They can get about one screen in, and then not go any farther.

The problem seems to be that the token validation code in update.php fails. This might be related to #201122: Drupal should support disabling anonymous sessions, which made it so that session data isn't always saved for anonymous users. Since drupal_valid_token() relies on the session ID, it fails in this case.

Although there a few ways we could fix this, if the problem is as I identified it above, I'm guessing we want to find a general solution so that drupal_valid_token() can actually work for anonymous users in Drupal 7.

Comments

moshe weitzman’s picture

Status: Active » Closed (duplicate)