Update manager routes are not disabled when allow_authorize_operations is FALSE

Created on 3 February 2025, 3 months ago

Problem/Motivation

This issue was originally reported as a security issue. The Security Team decided that it can be fixed in public.

Adding $settings['allow_authorize_operations'] = FALSE; in settings.php should prevent all users from accessing certain pages, such as /admin/reports/updates/update. After 📌 Conditionally disable access to update manager routes Fixed , it does not.

Steps to reproduce

Add $settings['allow_authorize_operations'] = FALSE; in settings.php.
Empty cache.
As a user with the "administer software updates" permission, browse to /admin/reports/updates/update.

Proposed resolution

In update.services.yml, add the event_subscriber tag to the update.route_subscriber service. This service was always meant to be a route subscriber, but without the tag it is never invoked.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Active

Version

10.3 ✨

Component

update.module

Created by

🇺🇸United States benjifisher Boston area

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Merge Requests

!11088Update manager routes are not disabled when allow_authorize_operations is FALSE
Open
🇺🇸United States benjifisher
updated 3 months ago

Comments & Activities

Issue created by @benjifisher
Merge request !11088Make the update.route_subscriber service an event listener → (Open) created by benjifisher
Pipeline finished with Failed
3 months ago
Total: 480s
#413007
Comment 3 months ago →
🇺🇸United States benjifisher Boston area
I implemented the proposed resolution, and I started working on a test. My test does not work, and I am not sure why. I committed it to the feature branch anyway. Maybe someone else will have a chance to look at it.
Comment 3 months ago →
🇺🇸United States benjifisher Boston area
Somehow I missed that 🐛 Update manager routes are not disabled anymore when allow_authorize_operations is FALSE Active was created a few days ago. I am closing this issue as a duplicate.
Pipeline finished with Failed
3 months ago
Total: 394s
#413082

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024