When attempting to install a module at /admin/modules/install or a theme at /admin/theme/install I get the access denied page despite being logged in as user 1.

Steps to Reproduce

  • Fresh install of drupal 8.3
  • Ensure you're logged in as user 1
  • Use core migrate modules to upgrade from a D7 site
  • Navigate to either of the install ui pages listed above
  • Paste a link to a compatible module or theme from drupal.org
  • Observe the accesse denied page

I realize that there are a lot of variables in server configuration settings and D7 site, so these steps likely won't reproduce the issue on every single upgrade. I'm happy to provide whatever additional details I can to help.

Expected Behavior and Observed

I expected the module or theme to be downloaded and installed, but instead I encountered the access denied page. This is the standard drupal access denied page, not an apache page or browser page.

Comments

JoshOrndorff created an issue. See original summary.

JoshOrndorff’s picture

JoshOrndorff CreditAttribution: JoshOrndorff commented

Additional Detail: Both modules and themes that are installed via SSH can be enabled and used as expected via the web interface.

cilefen’s picture

cilefen CreditAttribution: cilefen commented
Component: user.module » update.module
Issue tags: +migrate

Is there anything logged by Drupal or by the PHP in the web server logs around the same time?

JoshOrndorff’s picture

JoshOrndorff CreditAttribution: JoshOrndorff commented

There is an entry in Drupal's Recent Log Entries.

Type: Access Denied
User: Anonymous (Although I am logged in as user 1)
Location: http://example.com/subdir/core/authorize.php/?batch=1&id=101692&op=start
Referrer: http://example.com/admin/theme/install
Message: authorize.php
Severity: Warning

Now I realize this is likely related to running drupal from a subdirectory of my webroot right? It's likely relevant that I've followed the suggestion in #30 over here: https://www.drupal.org/node/2612160

cilefen’s picture

cilefen CreditAttribution: cilefen commented

Yeah, see if it is reproducible on an unpatched 8.3.x.

JoshOrndorff’s picture

JoshOrndorff CreditAttribution: JoshOrndorff commented

After removing the patch, I get "Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it." on the two install ui pages as well as many other pages. That's why I used the patch to begin with.

Seems like the other issue is the right place to continue this conversation though right?

Thanks for your help.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

dww’s picture

dww
we/he/they
CreditAttribution: dww as a volunteer commented
Status: Active » Closed (duplicate)
Issue tags: -migrate +Bug Smash Initiative
Parent issue: » #2764541: Module installs fail - access denied and logged off

Let's continue at #2764541: Module installs fail - access denied and logged off

Thanks,
-Derek

Anybody’s picture

Anybody
Primary language German
Location Porta Westfalica
CreditAttribution: Anybody as a volunteer and at DROWL.de commented

Well, I think maybe this is the better one and the true duplicate issue (see comment #24):
#2055185: If allow_authorize_operations is FALSE, print a better error about it on Update Manager routes

Leaving this link for others running into "Access denied" on these pages.

TL;DR:
allow_authorize_operations = TRUE in settings.php is the reason!