Issue #2675066 by alexpott, xjm: Restrict migrate upgrade permission to user1

core/modules/migrate_drupal_ui/migrate_drupal_ui.routing.yml

@@ -4,7 +4,7 @@ migrate_drupal_ui.upgrade:
     _form: '\Drupal\migrate_drupal_ui\Form\MigrateUpgradeForm'
     _title: 'Upgrade'
   requirements:
-    _permission: 'administer software updates'
+    _custom_access: '\Drupal\migrate_drupal_ui\MigrateAccessCheck::checkAccess'
   options:
     _admin_route: TRUE
 
@@ -13,6 +13,6 @@ migrate_drupal_ui.log:
   defaults:
       _controller: '\Drupal\migrate_drupal_ui\Controller\MigrateController::showLog'
   requirements:
-    _permission: 'administer software updates'
+    _custom_access: '\Drupal\migrate_drupal_ui\MigrateAccessCheck::checkAccess'
   options:
     _admin_route: TRUE

core/modules/migrate_drupal_ui/src/MigrateAccessCheck.php

@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\migrate_drupal_ui\MigrateAccessCheck.
+ */
+
+namespace Drupal\migrate_drupal_ui;
+
+use Drupal\Core\Access\AccessResultAllowed;
+use Drupal\Core\Session\AccountInterface;
+
+/**
+ * Checks access for migrate_drupal_ui routes.
+ *
+ * The Drupal Upgrade UI can only be used by user 1. This is because any other
+ * user might have different permissions on the source and target site.
+ *
+ * This class is designed to be used with '_custom_access' route requirement.
+ *
+ * @see \Drupal\Core\Access\CustomAccessCheck
+ */
+class MigrateAccessCheck {
+
+  /**
+   * Checks if the user is user 1 and grants access if so.
+   *
+   * @param \Drupal\Core\Session\AccountInterface $account
+   *   The current user account.
+   *
+   * @return \Drupal\Core\Access\AccessResult
+   *   The access result.
+   */
+  public function checkAccess(AccountInterface $account) {
+    // The access result is uncacheable because it is just limiting access to
+    // the migrate UI which is not worth caching.
+    return AccessResultAllowed::allowedIf((int) $account->id() === 1)->mergeCacheMaxAge(0);
+  }
+
+}

core/modules/migrate_drupal_ui/src/Tests/MigrateAccessTest.php

@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\migrate_drupal_ui\Tests\MigrateAccessTest.
+ */
+
+namespace Drupal\migrate_drupal_ui\Tests;
+
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests that only user 1 can access the migrate UI.
+ *
+ * @group migrate_drupal_ui
+ */
+class MigrateAccessTest extends WebTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = ['migrate_drupal_ui'];
+
+  /**
+   * Tests that only user 1 can access the migrate UI.
+   */
+  protected function testAccess() {
+    $this->drupalLogin($this->rootUser);
+    $this->drupalGet('upgrade');
+    $this->assertResponse(200);
+    $this->assertText(t('Drupal Upgrade'));
+
+    $user = $this->createUser(['administer software updates']);
+    $this->drupalLogin($user);
+    $this->drupalGet('upgrade');
+    $this->assertResponse(403);
+    $this->assertNoText(t('Drupal Upgrade'));
+  }
+
+}

core/modules/migrate_drupal_ui/src/Tests/MigrateUpgradeTestBase.php

@@ -42,8 +42,7 @@ abstract class MigrateUpgradeTestBase extends WebTestBase {
     $this->createMigrationConnection();
     $this->sourceDatabase = Database::getConnection('default', 'migrate_drupal_ui');
 
-    // Create and log in as user 1. Migrations in the UI can only be performed
-    // as user 1 once https://www.drupal.org/node/2675066 lands.
+    // Log in as user 1. Migrations in the UI can only be performed as user 1.
     $this->drupalLogin($this->rootUser);
   }