From 4692fca5bcd33728bff24a575e5243acc7cef9be Mon Sep 17 00:00:00 2001
From: catch <6915-catch@users.noreply.drupalcode.org>
Date: Mon, 8 Jul 2024 09:46:19 +0100
Subject: [PATCH] Issue #3458403 by mstrelan: Conditionally disable access to update manager routes
---
 .../src/Access/UpdateManagerAccessCheck.php | 6 +++
 .../src/Routing/UpdateRouteSubscriber.php | 46 +++++++++++++++++++
 core/modules/update/update.routing.yml | 7 ---
 core/modules/update/update.services.yml | 3 ++
 4 files changed, 55 insertions(+), 7 deletions(-)
 create mode 100644 core/modules/update/src/Routing/UpdateRouteSubscriber.php
diff --git a/core/modules/update/src/Access/UpdateManagerAccessCheck.php b/core/modules/update/src/Access/UpdateManagerAccessCheck.php
index 64fdeb01676..5125b9ab64e 100644
--- a/core/modules/update/src/Access/UpdateManagerAccessCheck.php
+++ b/core/modules/update/src/Access/UpdateManagerAccessCheck.php
@@ -8,6 +8,11 @@ use Drupal\Core\Site\Settings;
 /**
 * Determines whether allow authorized operations is set.
+ *
+ * @deprecated in drupal:11.1.0 and is removed from drupal:12.0.0. There is no
+ * replacement.
+ *
+ * @see https://www.drupal.org/node/3458658
 */
 class UpdateManagerAccessCheck implements AccessInterface {
@@ -35,6 +40,7 @@ class UpdateManagerAccessCheck implements AccessInterface {
 * The access result.
 */
 public function access() {
+ @trigger_error('The ' . __METHOD__ . ' method is deprecated in drupal:11.1.0 and is removed from drupal:12.0.0. There is no replacement. See https://www.drupal.org/node/3458658', E_USER_DEPRECATED);
 // Uncacheable because the access result depends on a Settings key-value
 // pair, and can therefore change at any time.
 return AccessResult::allowedIf($this->settings->get('allow_authorize_operations', TRUE))->setCacheMaxAge(0);
diff --git a/core/modules/update/src/Routing/UpdateRouteSubscriber.php b/core/modules/update/src/Routing/UpdateRouteSubscriber.php
new file mode 100644
index 00000000000..9bffe435f08
--- /dev/null
+++ b/core/modules/update/src/Routing/UpdateRouteSubscriber.php
@@ -0,0 +1,46 @@
+settings->get('allow_authorize_operations', TRUE)) {
+ return;
+ }
+ $routes = [
+ 'update.report_install',
+ 'update.report_update',
+ 'update.module_install',
+ 'update.module_update',
+ 'update.theme_install',
+ 'update.theme_update',
+ 'update.confirmation_page',
+ ];
+ foreach ($routes as $route) {
+ $route = $collection->get($route);
+ $route->setRequirement('_access', 'FALSE');
+ }
+ }
+
+}
diff --git a/core/modules/update/update.routing.yml b/core/modules/update/update.routing.yml
index 52304b37eb5..16adbe4a70b 100644
--- a/core/modules/update/update.routing.yml
+++ b/core/modules/update/update.routing.yml
@@ -30,7 +30,6 @@ update.report_install:
 _title: 'Add new module or theme'
 requirements:
 _permission: 'administer software updates'
- _access_update_manager: 'TRUE'
 update.report_update:
 path: '/admin/reports/updates/update'
@@ -39,7 +38,6 @@ update.report_update:
 _title: 'Update'
 requirements:
 _permission: 'administer software updates'
- _access_update_manager: 'TRUE'
 update.module_install:
 path: '/admin/modules/install'
@@ -48,7 +46,6 @@ update.module_install:
 _title: 'Add new module'
 requirements:
 _permission: 'administer software updates'
- _access_update_manager: 'TRUE'
 update.module_update:
 path: '/admin/modules/update'
@@ -57,7 +54,6 @@ update.module_update:
 _title: 'Update'
 requirements:
 _permission: 'administer software updates'
- _access_update_manager: 'TRUE'
 update.theme_install:
 path: '/admin/theme/install'
@@ -66,7 +62,6 @@ update.theme_install:
 _title: 'Add new theme'
 requirements:
 _permission: 'administer software updates'
- _access_update_manager: 'TRUE'
 update.theme_update:
 path: '/admin/appearance/update'
@@ -75,7 +70,6 @@ update.theme_update:
 _title: 'Update'
 requirements:
 _permission: 'administer software updates'
- _access_update_manager: 'TRUE'
 update.confirmation_page:
 path: '/admin/update/ready'
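Review bot: `alterRoutes()` reads `allow_authorize_operations` once, when the router is rebuilt, so the `_access: 'FALSE'` requirement reflects the setting as it was at the last rebuild rather than on each request, which is what the deprecated `UpdateManagerAccessCheck::access()` did with a max-age of 0. A site that switches the setting to FALSE in settings.php to lock these seven routes would presumably keep serving them until the router is rebuilt; a comment above the early return, e.g. `// Read at route rebuild only: rebuild the router after changing allow_authorize_operations.`, would make that explicit. Inside the loop, `$collection->get($route)` returns NULL if a route is missing from the collection, so the call is safer as `if ($item = $collection->get($name)) { $item->setRequirement('_access', 'FALSE'); }` with the loop variable renamed to `$name`, which also stops `$route` from being reused for both the name and the object. The start of the new file, up to the opening of this `if`, is not visible on this page.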
@@ -84,4 +78,3 @@ update.confirmation_page:
 _title: 'Ready to update'
 requirements:
 _permission: 'administer software updates'
- _access_update_manager: 'TRUE'
diff --git a/core/modules/update/update.services.yml b/core/modules/update/update.services.yml
index 465df135529..3f96c81b8ba 100644
--- a/core/modules/update/update.services.yml
+++ b/core/modules/update/update.services.yml
@@ -24,3 +24,6 @@ services:
 logger.channel.update:
 parent: logger.channel_base
 arguments: [ 'update' ]
+ update.route_subscriber:
+ class: Drupal\update\Routing\UpdateRouteSubscriber
+ arguments: ['@settings']
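Review bot: The new `update.route_subscriber` definition carries no `event_subscriber` tag, so it is only wired up if this file enables autoconfiguration in a `_defaults` block, which lies outside the hunk. Because the same commit drops `_access_update_manager` from all seven routes, a subscriber that never runs would leave them reachable with `allow_authorize_operations` set to FALSE, guarded only by the `administer software updates` permission. If autoconfigure is not enabled in this file, add `tags:` with `- { name: event_subscriber }` under the service. The diffstat lists no test file, so a functional test that requests one of these routes with the setting disabled and expects a 403 would pin the behaviour either way.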