Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
There are several links on the update results page that could lead to the user getting an access denied error.
1. Link to admin/reports/dblog without checking user_access('access site reports').
2. Link to admin without checking user_access('access administration pages').
Comment | File | Size | Author |
---|---|---|---|
#21 | update-links-598414-21.patch | 4.89 KB | Tor Arne Thune |
#21 | update-links-598414-21-D7.patch | 4.48 KB | Tor Arne Thune |
#21 | interdiff-17-21.txt | 1.03 KB | Tor Arne Thune |
#17 | update-links-598414-17.patch | 5.22 KB | Tor Arne Thune |
#17 | update-links-598414-17-D7.patch | 4.81 KB | Tor Arne Thune |
Comments
Comment #1
Dave ReidCurrent patch depends on #67234: Update script access rights.
Comment #3
David_Rothstein CreditAttribution: David_Rothstein commentedSubscribing. Nice catches on the other broken links!
Comment #4
David_Rothstein CreditAttribution: David_Rothstein commentedOops, not sure how that happened.
Comment #5
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedStill a valid issue in Drupal 7.2. Re-rolling patch in #1. Unfortunately, this patch breaks strings, so uploading another version for D7 without the string change.
Comment #6
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedReroll.
Comment #7
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedTested and reviewed the patches for D8 and D7. Code looks good. Can't see how the code can fail. See the result of the tests below.
Review log in Drupal 7 with all permissions.
Review log in Drupal 7 with only the 'administer software updates' permission.
Review log in Drupal 8 with all permissions.
Review log in Drupal 8 with only the 'administer software updates' permission.
As can be seen, there will still be a possible 403 in the review log for Drupal 7, as the string can't be changed.
Comment #8
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedD'oh! I just realized strings in update.php are not translated, as Drupal is probably not fully bootstrapped.
So I'll attach a D7 version of the D8 patch with the string change.
Comment #9
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedThere, a new D7 patch, which has the same lines of code as the D8 patch in #6.
Results:
Review log in Drupal 7 with all permissions.
Review log in Drupal 7 with only the 'administer software updates' permission.
Comment #10
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedEasy patch to review and set to RTBC ;)
Comment #11
Tor Arne Thune CreditAttribution: Tor Arne Thune commented#6: update-links-598414-6.patch queued for re-testing.
Comment #12
marvil07 CreditAttribution: marvil07 commentedNeeds re-roll for core directory change at least.
-27 days to next Drupal core point release.
Comment #13
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedThat's the D7 version in #9. The D8 version is in #6.
Latest D7 version: update-links-598414-9-D7.patch.
Latest D8 version: update-links-598414-6.patch.
Comment #14
marvil07 CreditAttribution: marvil07 commentedSorry about my confusion.
Patch look pretty good, but I would suggest one little thing more.
It would be great if this line also have some lines of testing, creating a user which has access site reports permission and one who doesn't.
-27 days to next Drupal core point release.
Comment #15
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedThanks for the review! In fact, the tests already created by Dave Reid are only for the screen you get when there are no pending updates. The text
Updates were attempted. If you see no failures below, you may proceed happily to ... Otherwise, you may need to update your database manually. All errors have been logged.
is only displayed after updates have been performed successfully. I'm not sure how to test this process and I can't find any automated tests in core that performs a database update and allows me to add a test for the links on the successful outcome page after the update.
Comment #16
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedFound out how to write a test for the text on the successful update page. Coming up.
Comment #17
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedThis should test all functionality that the original fix has touched upon.
Comment #18
marvil07 CreditAttribution: marvil07 commentedThanks for the implementation!
I guess now it's ready.
Comment #19
Dries CreditAttribution: Dries commentedHow about we always print the second one? We already have a linke to the administration pages above. Seems like this could be simplified a bit.
Comment #20
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedYou're right. There is not much use to linking to the administration pages 2 times. Will remove the if else tomorrow. Thanks!
Comment #21
Tor Arne Thune CreditAttribution: Tor Arne Thune commentedThat should do it.
Comment #22
Dries CreditAttribution: Dries commentedCommitted to 7.x and 8.x. Thanks!