author | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-08-28 11:42:56 +0000 |
---|---|---|
committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-08-28 11:42:56 +0000 |
commit | 137270097792a030114e0e92765fda9b3329ac1d (patch) | |
tree | 49c4d282cce5a843ba49d401e8ef799595219895 | |
parent | 43d73f81c93ceda3b3380058135169dc340a7146 (diff) | |
#170638 by JirkaRybka and chx: move update access variable to settings.php, so we can check whether it is wide open, and we have one place for settings
-rw-r--r-- | UPGRADE.txt | 15 | ||||
-rw-r--r-- | includes/bootstrap.inc | 2 | ||||
-rw-r--r-- | modules/system/system.install | 19 | ||||
-rw-r--r-- | sites/default/default.settings.php | 11 | ||||
-rw-r--r-- | update.php | 22 |
5 files changed, 47 insertions, 22 deletions
diff --git a/UPGRADE.txt b/UPGRADE.txt index 90363f33e..b22fd8c3c 100644 --- a/UPGRADE.txt +++ b/UPGRADE.txt @@ -25,8 +25,8 @@ UPGRADING 2. Log on as the user with user ID 1. User ID 1 is the first account created and the main administrator account. User ID 1 needs to be logged in so that you can access update.php - (step 9) which can only be run by user ID 1. Do not close - your browser until step 10 is complete. + (step 10) which can only be run by user ID 1. Do not close + your browser until step 11 is complete. 3. Place the site in "Off-line" mode, to mask any errors from site visitors. @@ -64,13 +64,14 @@ UPGRADING Note: if you are unable to access update.php do the following: - - Open update.php with a text editor. + - Open your settings.php with a text editor. - - There is a line near top of update.php that says - $access_check = TRUE;. Change it to $access_check = FALSE;. + - There is a line that says $update_free_access = FALSE;. + Change it to $update_free_access = TRUE;. - - As soon as the script is done, you must change the update.php - script back to its original form to $access_check = TRUE;. + - As soon as the update.php script is done, you must change + the settings.php file back to its original form with + $update_free_access = FALSE;. 11. Finally, return site to "Online" mode so your visitors may resume browsing. diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 939d26c6a..17d4e0b07 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -274,7 +274,7 @@ function conf_init() { global $base_url, $base_path, $base_root; // Export the following settings.php variables to the global namespace - global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile; + global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access; $conf = array(); if (file_exists('./'. conf_path() .'/settings.php')) { 
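Review bot: The new `global $update_free_access` in conf_init() only declares the name; nothing in the hunk gives it a value, so a site whose settings.php predates this commit and lacks the new line leaves the variable unset, and the authorization decision in update.php then rests on whatever else populates that global (register_globals, if enabled, is the obvious candidate, worth confirming). Assigning a safe default before settings.php is included, `$update_free_access = FALSE;` right after the `global` statement, makes a missing setting fail closed regardless of how the globals table was filled. The include of settings.php and the rest of conf_init() lie outside the hunk.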
diff --git a/modules/system/system.install b/modules/system/system.install
index 6bd3d970f..79f732b85 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -105,7 +105,7 @@ function system_requirements($phase) {
 }
 $requirements['cron'] += array('description' => '');
- $requirements['cron']['description'] .= ' '. t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/logs/status/run-cron')));
+ $requirements['cron']['description'] .= ' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/logs/status/run-cron')));
 $requirements['cron']['title'] = $t('Cron maintenance tasks');
 }
@@ -166,6 +166,23 @@ function system_requirements($phase) {
 }
 }
+ // Verify the update.php access setting
+ if ($phase == 'runtime') {
+ if (!empty($GLOBALS['update_free_access'])) {
+ $requirements['update access'] = array(
+ 'value' => $t('Not protected'),
+ 'severity' => REQUIREMENT_ERROR,
+ 'description' => $t('The update.php script is accessible to everyone without authentication check, which is a security risk. You must change the $update_free_access value in your settings.php back to FALSE.'),
+ );
+ }
+ else {
+ $requirements['update access'] = array(
+ 'value' => $t('Protected'),
+ );
+ }
+ $requirements['update access']['title'] = $t('Access to update.php');
+ }
+
 // Test Unicode library
 include_once './includes/unicode.inc';
 $requirements = array_merge($requirements, unicode_requirements());
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 38db95fd3..6cc0aa4cc 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
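Review bot: `if ($phase == 'runtime')` in the second hunk uses a loose comparison for a string phase name while the new block is otherwise explicit about what it tests; `if ($phase === 'runtime') {` avoids type juggling and reads as the exact-match it is meant to be. The leading comment `// Verify the update.php access setting` would be more useful if it said why the check is confined to the runtime phase, e.g. `// Runtime only: during an update $update_free_access is expected to be TRUE; the status report is where it being left on afterwards gets caught.` system_requirements() starts and ends outside both hunks.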
@@ -94,6 +94,17 @@ $db_url = 'mysql://username:password@localhost/databasename';
 $db_prefix = '';
 /**
+ * Access control for update.php script
+ *
+ * If you are updating your Drupal installation using the update.php script
+ * being not logged in as administrator, you will need to modify the access
+ * check statement below. Change the FALSE to a TRUE to disable the access
+ * check. After finishing the upgrade, be sure to open this file again
+ * and change the TRUE back to a FALSE!
+ */
+$update_free_access = FALSE;
+
+/**
 * Base URL (optional).
 *
 * If you are experiencing issues with different site domains,
diff --git a/update.php b/update.php
index 04fd19b32..393b3fdf7 100644
--- a/update.php
+++ b/update.php
@@ -9,14 +9,10 @@
 * instructions.
 *
 * If you are not logged in as administrator, you will need to modify the access
- * check statement below. Change the TRUE to a FALSE to disable the access
- * check. After finishing the upgrade, be sure to open this file and change the
- * FALSE back to a TRUE!
+ * check statement inside your settings.php file. After finishing the upgrade,
+ * be sure to open settings.php again, and change it back to its original state!
 */
-// Enforce access checking?
-$access_check = TRUE;
-
 /**
 * Add a column to a database using syntax appropriate for PostgreSQL.
 * Save result of SQL commands in $ret array.
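Review bot: The new docblock in default.settings.php reads awkwardly at `being not logged in as administrator` and calls the assignment an `access check statement`, which it is not: the line only sets a flag that update.php reads, and the check itself lives there. Suggested wording for those three lines: `* while not logged in as administrator, you will need to set the variable` / `* below to TRUE to disable the access check. After finishing the upgrade, be` / `* sure to open this file again and change it back to FALSE!`. The same sentence structure is carried into the update.php header comment in the next hunk, so the two should be kept in step.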
@@ -427,8 +423,8 @@ function update_results_page() {
 $output = '<p class="error">The update process was aborted prematurely while running <strong>update #'. $version .' in '. $module .'.module</strong>. All other errors have been <a href="index.php?q=admin/logs/watchdog">logged</a>. You may need to check the <code>watchdog</code> database table manually.</p>';
 }
- if ($GLOBALS['access_check'] == FALSE) {
- $output .= "<p><strong>Reminder: don't forget to set the <code>\$access_check</code> value at the top of <code>update.php</code> back to <code>TRUE</code>.</strong></p>";
+ if (!empty($GLOBALS['update_free_access'])) {
+ $output .= "<p><strong>Reminder: don't forget to set the <code>\$update_free_access</code> value in your <code>settings.php</code> file back to <code>FALSE</code>.</strong></p>";
 }
 $output .= theme('item_list', $links);
@@ -482,11 +478,11 @@ function update_info_page() {
 function update_access_denied_page() {
 drupal_set_title('Access denied');
- return '<p>Access denied. You are not authorized to access this page. Please log in as the admin user (the first user you created). If you cannot log in, you will have to edit <code>update.php</code> to bypass this access check. To do this:</p>
+ return '<p>Access denied. You are not authorized to access this page. Please log in as the admin user (the first user you created). If you cannot log in, you will have to edit <code>settings.php</code> to bypass this access check. To do this:</p>
 <ol>
- <li>With a text editor find the update.php file on your system. It should be in the main Drupal directory that you installed all the files into.</li>
- <li>There is a line near top of update.php that says <code>$access_check = TRUE;</code>. Change it to <code>$access_check = FALSE;</code>.</li>
- <li>As soon as the script is done, you must change the update.php script back to its original form to <code>$access_check = TRUE;</code>.</li>
+ <li>With a text editor find the settings.php file on your system. From the main Drupal directory that you installed all the files into, go to <code>sites/your_site_name</code> if such directory exists, or else to <code>sites/default</code> which applies otherwise.</li>
+ <li>There is a line inside your settings.php file that says <code>$update_free_access = FALSE;</code>. Change it to <code>$update_free_access = TRUE;</code>.</li>
+ <li>As soon as the update.php script is done, you must change the settings.php file back to its original form with <code>$update_free_access = FALSE;</code>.</li>
 <li>To avoid having this problem in future, remember to log in to your website as the admin user (the user you first created) before you backup your database at the beginning of the update process.</li>
 </ol>';
 }
@@ -815,7 +811,7 @@ update_create_batch_table();
 ini_set('display_errors', TRUE);
 // Access check:
-if (($access_check == FALSE) || ($user->uid == 1)) {
+if (!empty($update_free_access) || $user->uid == 1) {
 include_once './includes/install.inc';
 include_once './includes/batch.inc';
|
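Review bot: With `$access_check = TRUE;` removed from the top of update.php, a reader of the rewritten condition can no longer see where `$update_free_access` comes from or what happens when it is absent, and the whole authorization decision now rests on this one truthy test. A comment above the `if` should record the intended fail-closed behaviour: `// $update_free_access is set in settings.php and exported by conf_init(); if it is absent, !empty() is FALSE and only user 1 passes.` It is worth confirming that nothing between bootstrap and this line can assign that global, since the check accepts any non-empty value rather than TRUE specifically. The code before and after the hunk is outside view.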