When you're reading this blog entry, you may have tried to access one of the following update manager pages as Administrator on a Drupal 8 / 9 project and got "Access denied" even if you're ADMIN! ;)
You've already checked all permissions and started debugging, but still hope for help and an explanation. Here you go! :)
Affected paths are, for example:
- /admin/modules/install
- /admin/reports/update/update
- /admin/modules/install
- /admin/modules/update
- /admin/theme/install
- /admin/theme/update
- /admin/update/ready
If you're getting "Access denied" here, as with 'administer software updates' permission or even admin, I guess you have
$settings['allow_authorize_operations'] = TRUE;
in your settings.php.
It was a long way to find out that in
web/core/modules/update/src/Access/UpdateManagerAccessCheck.php
these lines
/**
* Checks access.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access() {
// Uncacheable because the access result depends on a Settings key-value
// pair, and can therefore change at any time.
return AccessResult::allowedIf($this->settings->get('allow_authorize_operations', TRUE))->setCacheMaxAge(0);
}combined with:
requirements:
_permission: 'administer software updates'
_access_update_manager: 'TRUE'from update.routing.yml
are the reason!
Read more about it in my comment #24 in this issue and help to fix this UX problem for the future by indicating why access is denied...
