Issue #3458403 by mstrelan: Conditionally disable access to update manager routes

core/modules/update/src/Access/UpdateManagerAccessCheck.php

@@ -8,6 +8,11 @@ use Drupal\Core\Site\Settings;
 
 /**
  * Determines whether allow authorized operations is set.
+ *
+ * @deprecated in drupal:11.1.0 and is removed from drupal:12.0.0. There is no
+ *   replacement.
+ *
+ * @see https://www.drupal.org/node/3458658
  */
 class UpdateManagerAccessCheck implements AccessInterface {
 
@@ -35,6 +40,7 @@ class UpdateManagerAccessCheck implements AccessInterface {
    *   The access result.
    */
   public function access() {
+    @trigger_error('The ' . __METHOD__ . ' method is deprecated in drupal:11.1.0 and is removed from drupal:12.0.0. There is no replacement. See https://www.drupal.org/node/3458658', E_USER_DEPRECATED);
     // Uncacheable because the access result depends on a Settings key-value
     // pair, and can therefore change at any time.
     return AccessResult::allowedIf($this->settings->get('allow_authorize_operations', TRUE))->setCacheMaxAge(0);

core/modules/update/src/Routing/UpdateRouteSubscriber.php

@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\update\Routing;
+
+use Drupal\Core\Routing\RouteSubscriberBase;
+use Drupal\Core\Site\Settings;
+use Symfony\Component\Routing\RouteCollection;
+
+/**
+ * Route subscriber for Update module routes.
+ */
+class UpdateRouteSubscriber extends RouteSubscriberBase {
+
+  /**
+   * Constructs a new UpdateRouteSubscriber.
+   */
+  public function __construct(
+    protected Settings $settings,
+  ) {
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function alterRoutes(RouteCollection $collection) {
+    if ($this->settings->get('allow_authorize_operations', TRUE)) {
+      return;
+    }
+    $routes = [
+      'update.report_install',
+      'update.report_update',
+      'update.module_install',
+      'update.module_update',
+      'update.theme_install',
+      'update.theme_update',
+      'update.confirmation_page',
+    ];
+    foreach ($routes as $route) {
+      $route = $collection->get($route);
+      $route->setRequirement('_access', 'FALSE');
+    }
+  }
+
+}

core/modules/update/update.routing.yml

@@ -30,7 +30,6 @@ update.report_install:
     _title: 'Add new module or theme'
   requirements:
     _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 
 update.report_update:
   path: '/admin/reports/updates/update'
@@ -39,7 +38,6 @@ update.report_update:
     _title: 'Update'
   requirements:
     _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 
 update.module_install:
   path: '/admin/modules/install'
@@ -48,7 +46,6 @@ update.module_install:
     _title: 'Add new module'
   requirements:
     _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 
 update.module_update:
   path: '/admin/modules/update'
@@ -57,7 +54,6 @@ update.module_update:
     _title: 'Update'
   requirements:
     _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 
 update.theme_install:
   path: '/admin/theme/install'
@@ -66,7 +62,6 @@ update.theme_install:
     _title: 'Add new theme'
   requirements:
     _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 
 update.theme_update:
   path: '/admin/appearance/update'
@@ -75,7 +70,6 @@ update.theme_update:
     _title: 'Update'
   requirements:
     _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 
 update.confirmation_page:
   path: '/admin/update/ready'
@@ -84,4 +78,3 @@ update.confirmation_page:
     _title: 'Ready to update'
   requirements:
     _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'

core/modules/update/update.services.yml

@@ -24,3 +24,6 @@ services:
   logger.channel.update:
     parent: logger.channel_base
     arguments: [ 'update' ]
+  update.route_subscriber:
+    class: Drupal\update\Routing\UpdateRouteSubscriber
+    arguments: ['@settings']