Update manager routes are not disabled when allow_authorize_operations is FALSE

Created on 3 February 2025, 2 months ago

Problem/Motivation

This issue was originally reported as a security issue. The Security Team decided that it can be fixed in public.

Adding $settings['allow_authorize_operations'] = FALSE; in settings.php should prevent all users, including administrators, from accessing certain pages, such as /admin/reports/updates/update. Since 📌 Conditionally disable access to update manager routes (Fixed) landed, it no longer does.

Steps to reproduce

  1. Add $settings['allow_authorize_operations'] = FALSE; in settings.php.
  2. Empty cache.
  3. As a user with the "administer software updates" permission, browse to /admin/reports/updates/update.

Proposed resolution

In update.services.yml, add the event_subscriber tag to the update.route_subscriber service. The service was always meant to act as a route subscriber, but Drupal only registers services that carry the event_subscriber tag, so without the tag its route alterations never run.
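The proposed change in service-definition form, shown here as an added illustration and not as the issue's own patch. The file, service id and tag are the ones named above; the class name and constructor argument are assumptions, since the issue does not state them:

```yaml
# Illustrative excerpt of update.services.yml (added example, not the
# issue's patch). File, service id and tag come from the issue; the
# class name and the '@settings' argument are assumptions.
services:

  # Before: the service is defined but carries no tag. Drupal registers
  # event subscribers only when they are tagged event_subscriber, so
  # alterRoutes() is never called and the update manager routes stay
  # reachable even with allow_authorize_operations set to FALSE.
  #
  # update.route_subscriber:
  #   class: Drupal\update\Routing\UpdateRouteSubscriber
  #   arguments: ['@settings']

  # After: with the tag, the container registers the subscriber and its
  # alterRoutes() runs the next time the router is rebuilt.
  update.route_subscriber:
    class: Drupal\update\Routing\UpdateRouteSubscriber   # assumed class name
    arguments: ['@settings']                             # assumed argument
    tags:
      - { name: event_subscriber }
```

Both the service container and the route collection are cached, so after editing the file repeat step 2 of the reproduction (empty the cache) before retrying step 3; with the tag in place the page should no longer be reachable when the setting is FALSE. The conventional Drupal pattern for such a subscriber is a class extending Drupal\Core\Routing\RouteSubscriberBase whose alterRoutes() reads Settings::get('allow_authorize_operations', TRUE) and removes or denies the affected routes when it is FALSE.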

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

πŸ› Bug report
Status

Active

Version

10.3 ✨

Component

update.module

Created by

🇺🇸 United States benjifisher Boston area

  • Security improvements


Merge Requests

Comments & Activities
