Warning message links to "available updates" even if user does not have permission for that page

Created on 10 June 2022, over 2 years ago
Updated 30 January 2023, over 1 year ago

Problem/Motivation

After #332796: Add permissions to the update.module to hide warnings, a message like this is shown to anyone with the new "View update notifications" permission, if there is a pending security update:

There is a security update available for your version of Drupal. To ensure the security of your server, you should update immediately! See the available updates page for more information.

The link ("available updates") goes to /admin/reports/updates. This link is shown even if the user does not have permission to view that page.

Steps to reproduce

  1. Install Drupal 9.4.0-rc1.
  2. Grant these permissions to the 'Content editor' user role:
    • Use the administration pages and help (should already have this one)
    • View update notifications
  3. Install an older version of a module missing a security update. E.g. Quick Edit (contrib) version 1.0.0.
  4. Create a user with the 'Content editor' role, log in, and visit /admin.
  5. See a warning message about a missing security update that includes a link to "available updates". Note the link in the message and follow it.
  6. Land on /admin/reports/updates which is a 404 for this user.

Proposed resolution

Check link access when generating the messages to print in the UI, and if the user doesn't have access to the 'Available updates' report, don't include a link to it.

Remaining tasks

User interface changes

Users with limited permissions will only see warning messages from Update Manager that include text, not a link to a page they can't access.

API changes

None

Data model changes

None

Release notes snippet

None
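
The check described under "Proposed resolution", as an added example (not the patch from this issue and not code from update.module). The function name `example_security_update_message()` is hypothetical, and the sketch assumes the report at /admin/reports/updates is served by the `update.status` route:

```php
<?php

use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StringTranslation\TranslatableMarkup;
use Drupal\Core\Url;

/**
 * Builds the security-update warning for one account.
 *
 * Hypothetical helper for illustration only. The link to the report is
 * included only when the account passes the route's own access checks.
 */
function example_security_update_message(AccountInterface $account): TranslatableMarkup {
  // Assumed route name for /admin/reports/updates.
  $report = Url::fromRoute('update.status');

  // Url::access() evaluates the access requirements declared on the route
  // for the given account, so the message never hard-codes a permission.
  if ($report->access($account)) {
    return t('There is a security update available for your version of Drupal. To ensure the security of your server, you should update immediately! See the <a href=":available_updates">available updates</a> page for more information.', [
      ':available_updates' => $report->toString(),
    ]);
  }

  // No access to the report: same warning, text only, no link.
  return t('There is a security update available for your version of Drupal. To ensure the security of your server, you should update immediately!');
}

// Usage inside a bootstrapped Drupal site:
// \Drupal::messenger()->addError(example_security_update_message(\Drupal::currentUser()));
```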

πŸ› Bug report
Status

Needs work

Version

10.1 ✨

Component
Update

Last updated about 9 hours ago

  • Maintained by
  • 🇺🇸 United States @tedbow
  • 🇺🇸 United States @dww
Created by

🇺🇸 United States benjifisher Boston area

Comments & Activities

  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
