From 2e50c28d9c319a1f5c24b6d534d0500128e97594 Mon Sep 17 00:00:00 2001
From: Nathaniel Catchpole <catch@35733.no-reply.drupal.org>
Date: Thu, 10 Mar 2016 11:02:55 +0900
Subject: [PATCH] Issue #2675066 by alexpott, xjm: Restrict migrate upgrade
 permission to user1

---
 .../migrate_drupal_ui.routing.yml             |  4 +-
 .../src/MigrateAccessCheck.php                | 40 ++++++++++++++++++
 .../src/Tests/MigrateAccessTest.php           | 42 +++++++++++++++++++
 .../src/Tests/MigrateUpgradeTestBase.php      |  3 +-
 4 files changed, 85 insertions(+), 4 deletions(-)
 create mode 100644 core/modules/migrate_drupal_ui/src/MigrateAccessCheck.php
 create mode 100644 core/modules/migrate_drupal_ui/src/Tests/MigrateAccessTest.php

diff --git a/core/modules/migrate_drupal_ui/migrate_drupal_ui.routing.yml b/core/modules/migrate_drupal_ui/migrate_drupal_ui.routing.yml
index 4b4bd08f237..2d99abd76e0 100644
--- a/core/modules/migrate_drupal_ui/migrate_drupal_ui.routing.yml
+++ b/core/modules/migrate_drupal_ui/migrate_drupal_ui.routing.yml
@@ -4,7 +4,7 @@ migrate_drupal_ui.upgrade:
     _form: '\Drupal\migrate_drupal_ui\Form\MigrateUpgradeForm'
     _title: 'Upgrade'
   requirements:
-    _permission: 'administer software updates'
+    _custom_access: '\Drupal\migrate_drupal_ui\MigrateAccessCheck::checkAccess'
   options:
     _admin_route: TRUE
 
@@ -13,6 +13,6 @@ migrate_drupal_ui.log:
   defaults:
       _controller: '\Drupal\migrate_drupal_ui\Controller\MigrateController::showLog'
   requirements:
-    _permission: 'administer software updates'
+    _custom_access: '\Drupal\migrate_drupal_ui\MigrateAccessCheck::checkAccess'
   options:
     _admin_route: TRUE
diff --git a/core/modules/migrate_drupal_ui/src/MigrateAccessCheck.php b/core/modules/migrate_drupal_ui/src/MigrateAccessCheck.php
new file mode 100644
index 00000000000..e66fad75aed
--- /dev/null
+++ b/core/modules/migrate_drupal_ui/src/MigrateAccessCheck.php
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\migrate_drupal_ui\MigrateAccessCheck.
+ */
+
+namespace Drupal\migrate_drupal_ui;
+
+use Drupal\Core\Access\AccessResultAllowed;
+use Drupal\Core\Session\AccountInterface;
+
+/**
+ * Checks access for migrate_drupal_ui routes.
+ *
+ * The Drupal Upgrade UI can only be used by user 1. This is because any other
+ * user might have different permissions on the source and target site.
+ *
+ * This class is designed to be used with '_custom_access' route requirement.
+ *
+ * @see \Drupal\Core\Access\CustomAccessCheck
+ */
+class MigrateAccessCheck {
+
+  /**
+   * Checks if the user is user 1 and grants access if so.
+   *
+   * @param \Drupal\Core\Session\AccountInterface $account
+   *   The current user account.
+   *
+   * @return \Drupal\Core\Access\AccessResult
+   *   The access result.
+   */
+  public function checkAccess(AccountInterface $account) {
+    // The access result is uncacheable because it is just limiting access to
+    // the migrate UI which is not worth caching.
+    return AccessResultAllowed::allowedIf((int) $account->id() === 1)->mergeCacheMaxAge(0);
+  }
+
+}
diff --git a/core/modules/migrate_drupal_ui/src/Tests/MigrateAccessTest.php b/core/modules/migrate_drupal_ui/src/Tests/MigrateAccessTest.php
new file mode 100644
index 00000000000..88fe0bc462f
--- /dev/null
+++ b/core/modules/migrate_drupal_ui/src/Tests/MigrateAccessTest.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\migrate_drupal_ui\Tests\MigrateAccessTest.
+ */
+
+namespace Drupal\migrate_drupal_ui\Tests;
+
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests that only user 1 can access the migrate UI.
+ *
+ * @group migrate_drupal_ui
+ */
+class MigrateAccessTest extends WebTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = ['migrate_drupal_ui'];
+
+  /**
+   * Tests that only user 1 can access the migrate UI.
+   */
+  protected function testAccess() {
+    $this->drupalLogin($this->rootUser);
+    $this->drupalGet('upgrade');
+    $this->assertResponse(200);
+    $this->assertText(t('Drupal Upgrade'));
+
+    $user = $this->createUser(['administer software updates']);
+    $this->drupalLogin($user);
+    $this->drupalGet('upgrade');
+    $this->assertResponse(403);
+    $this->assertNoText(t('Drupal Upgrade'));
+  }
+
+}
diff --git a/core/modules/migrate_drupal_ui/src/Tests/MigrateUpgradeTestBase.php b/core/modules/migrate_drupal_ui/src/Tests/MigrateUpgradeTestBase.php
index a4911aa3d3e..be0a4c65ce2 100644
--- a/core/modules/migrate_drupal_ui/src/Tests/MigrateUpgradeTestBase.php
+++ b/core/modules/migrate_drupal_ui/src/Tests/MigrateUpgradeTestBase.php
@@ -42,8 +42,7 @@ abstract class MigrateUpgradeTestBase extends WebTestBase {
     $this->createMigrationConnection();
     $this->sourceDatabase = Database::getConnection('default', 'migrate_drupal_ui');
 
-    // Create and log in as user 1. Migrations in the UI can only be performed
-    // as user 1 once https://www.drupal.org/node/2675066 lands.
+    // Log in as user 1. Migrations in the UI can only be performed as user 1.
     $this->drupalLogin($this->rootUser);
   }