Update manager routes are not disabled anymore when allow_authorize_operations is FALSE

Caused some test failures.

benjifisher → credited catch → .

benjifisher → credited greggles → .

benjifisher → credited larowlan → .

benjifisher → credited longwave → .

benjifisher → credited poker10 → .

benjifisher → credited zeip → .

This issue only affects the 10.3.x branch. I am updating this issue and changing the target of the MR. Let's see if that resolves the failing test.

This bug report needs tests. I am adding the tag for that and leaving the issue at NW, even if the tests pass.

I am adding issue credit for those who commented on the private issue.

I am adding 📌 Conditionally disable access to update manager routes Fixed as a related issue, since that is the issue that introduced the bug.

The tests all pass now that the original commit is made on the 10.3.x branch.

I tried adding a test, but it is not working. :-( At least, it fails when I run it locally. I added the test to the MR anyway: maybe someone else can see what is wrong.

I tried adding \Drupal::service('router.route_provider')->reset(); to the test, but that did not help.

@benjifisher, this should be on 11.x.

10.3 is in security mode now and Drupal 10 is now in maintenance mode, adding a test is not eligible for commit. There is a very limited set of changed allowed in https://www.drupal.org/about/core/policies/core-change-policies/allowed-changes#s-maintenance-minor-releases.

@quietone:

From Comment #11:

This issue only affects the 10.3.x branch.

So we may decide not to fix this issue, but moving it back to the 11.x branch does not make sense.

Something went wrong with the link in your comment, but the list at https://www.drupal.org/about/core/policies/core-change-policies/allowed-... → does not mention security fixes, which seems odd to me. The security team decided that this issue can be fixed in public, as a "security improvement" or "security hardening". I think that should make this issue eligible.

If new tests are not allowed, then that makes it easier. I removed the test and updated the MR.

@benjifisher, I got this wrong. This is about security and is thus eligible. It is my mistake and sorry for the noise.

Curious why does this not affect 11.x? Code appears to be the same.

Since we are not adding tests to the 10.3.x branch, the current MR does not have any of my code. So I think I am eligible to review this issue: RTBC.

@smustgrave: As you pointed out in Comment #4, the same change, applied to the 11.x branch, causes a test failure. Looking at that failing test, I think the route subscriber is auto-wired (and so it is considered a bug to add the tag the old way).

Ah thanks!

This was released as part of Drupal 10.3.13. It is not applicable to later branches.

Automatically closed - issue fixed for 2 weeks with no activity.