Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
When attempting to install a module at /admin/modules/install
or a theme at /admin/theme/install
I get the access denied page despite being logged in as user 1.
Steps to Reproduce
- Fresh install of drupal 8.3
- Ensure you're logged in as user 1
- Use core migrate modules to upgrade from a D7 site
- Navigate to either of the install ui pages listed above
- Paste a link to a compatible module or theme from drupal.org
- Observe the accesse denied page
I realize that there are a lot of variables in server configuration settings and D7 site, so these steps likely won't reproduce the issue on every single upgrade. I'm happy to provide whatever additional details I can to help.
Expected Behavior and Observed
I expected the module or theme to be downloaded and installed, but instead I encountered the access denied page. This is the standard drupal access denied page, not an apache page or browser page.
Comments
Comment #2
JoshOrndorff CreditAttribution: JoshOrndorff commentedAdditional Detail: Both modules and themes that are installed via SSH can be enabled and used as expected via the web interface.
Comment #3
cilefen CreditAttribution: cilefen commentedIs there anything logged by Drupal or by the PHP in the web server logs around the same time?
Comment #4
JoshOrndorff CreditAttribution: JoshOrndorff commentedThere is an entry in Drupal's Recent Log Entries.
Type: Access Denied
User: Anonymous (Although I am logged in as user 1)
Location: http://example.com/subdir/core/authorize.php/?batch=1&id=101692&op=start
Referrer: http://example.com/admin/theme/install
Message: authorize.php
Severity: Warning
Now I realize this is likely related to running drupal from a subdirectory of my webroot right? It's likely relevant that I've followed the suggestion in #30 over here: https://www.drupal.org/node/2612160
Comment #5
cilefen CreditAttribution: cilefen commentedYeah, see if it is reproducible on an unpatched 8.3.x.
Comment #6
JoshOrndorff CreditAttribution: JoshOrndorff commentedAfter removing the patch, I get "Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it." on the two install ui pages as well as many other pages. That's why I used the patch to begin with.
Seems like the other issue is the right place to continue this conversation though right?
Thanks for your help.
Comment #14
dwwLet's continue at #2764541: Module installs fail - access denied and logged off
Thanks,
-Derek
Comment #15
AnybodyWell, I think maybe this is the better one and the true duplicate issue (see comment #24):
#2055185: If allow_authorize_operations is FALSE, print a better error about it on Update Manager routes
Leaving this link for others running into "Access denied" on these pages.
TL;DR:
allow_authorize_operations = TRUE in settings.php is the reason!