authorize.php

Administrative script for running authorized file operations.

Using this script, the site owner (the user actually owning the files on the webserver) can authorize certain file-related operations to proceed with elevated privileges, for example to deploy and upgrade modules or themes. Users should not visit this page directly, but instead use an administrative user interface which knows how to redirect the user to this script as part of a multistep process. This script actually performs the selected operations without loading all of Drupal, to be able to more gracefully recover from errors. Access to the script is controlled by a global killswitch in settings.php ('allow_authorize_operations') and via the 'administer software updates' permission.

There are helper functions for setting up an operation to run via this system in modules/system/system.module. For more information, see: Authorized operation helper functions
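An added example, not part of Drupal or of this page's source: a Python check that reads the text of a settings.php file and reports the effective state of the 'allow_authorize_operations' killswitch described above, following the TRUE default that authorize_access_allowed() applies when the setting is absent. The `$settings[...]` / `$conf[...]` assignment syntax, the function names and the sample file contents are assumptions constructed for the example.

```python
import re

KEY = "allow_authorize_operations"

# Assumption: the killswitch is a plain assignment such as
#   $settings['allow_authorize_operations'] = FALSE;
# ($conf[...] is also accepted for older-style settings files).
ASSIGN_RE = re.compile(
    r"""^\s*\$(?:settings|conf)\[\s*['"]%s['"]\s*\]\s*=\s*([^;]+);""" % KEY,
    re.MULTILINE,
)


def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments, so a commented-out
    example line in settings.php is not mistaken for a live setting."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"^\s*(?://|#).*$", "", php, flags=re.MULTILINE)


def killswitch_state(settings_php):
    """Return True (operations allowed), False (disabled) or None (unknown)."""
    values = ASSIGN_RE.findall(strip_comments(settings_php))
    if not values:
        # Mirrors settings()->get('allow_authorize_operations', TRUE):
        # an absent setting leaves authorize.php enabled.
        return True
    value = values[-1].strip().lower()  # the last assignment wins in PHP
    if value in ("false", "0", "null", "''", '""'):
        return False
    if value in ("true", "1"):
        return True
    return None  # non-literal expression: needs manual review


def audit(settings_php):
    state = killswitch_state(settings_php)
    if state is False:
        return "OK: authorize.php is disabled by the killswitch"
    if state is None:
        return "REVIEW: killswitch is set from a non-literal expression"
    return ("WARN: killswitch not FALSE; access rests only on the "
            "'administer software updates' permission")


# Constructed sample: the setting appears only inside a comment.
SAMPLE_DEFAULT = "<?php\n# $settings['allow_authorize_operations'] = FALSE;\n"
# Constructed sample: the setting is live and disables the script.
SAMPLE_HARDENED = "<?php\n$settings['allow_authorize_operations'] = FALSE;\n"

if __name__ == "__main__":
    print(audit(SAMPLE_DEFAULT))
    print(audit(SAMPLE_HARDENED))
```
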

File

drupal/core/authorize.php
<?php

/**
 * @file
 * Administrative script for running authorized file operations.
 *
 * Using this script, the site owner (the user actually owning the files on the
 * webserver) can authorize certain file-related operations to proceed with
 * elevated privileges, for example to deploy and upgrade modules or themes.
 * Users should not visit this page directly, but instead use an administrative
 * user interface which knows how to redirect the user to this script as part of
 * a multistep process. This script actually performs the selected operations
 * without loading all of Drupal, to be able to more gracefully recover from
 * errors. Access to the script is controlled by a global killswitch in
 * settings.php ('allow_authorize_operations') and via the 'administer software
 * updates' permission.
 *
 * There are helper functions for setting up an operation to run via this
 * system in modules/system/system.module. For more information, see:
 * @link authorize Authorized operation helper functions @endlink
 */

// Change the directory to the Drupal root.
chdir('..');

/**
 * Global flag to identify update.php and authorize.php runs.
 *
 * Identifies update.php and authorize.php runs, avoiding unwanted operations
 * such as css/js preprocessing and translation, and solves some theming issues.
 * The flag is checked in other places in Drupal code (not just authorize.php).
 */
const MAINTENANCE_MODE = 'update';

/**
 * Renders a 403 access denied page for authorize.php.
 */
function authorize_access_denied_page() {
  drupal_add_http_header('Status', '403 Forbidden');
  watchdog('access denied', 'authorize.php', NULL, WATCHDOG_WARNING);
  drupal_set_title('Access denied');
  return t('You are not allowed to access this page.');
}

/**
 * Determines if the current user is allowed to run authorize.php.
 *
 * The killswitch in settings.php overrides all else, otherwise, the user must
 * have access to the 'administer software updates' permission.
 *
 * @return
 *   TRUE if the current user can run authorize.php, and FALSE if not.
 */
function authorize_access_allowed() {
  return settings()->get('allow_authorize_operations', TRUE) && user_access('administer software updates');
}

// *** Real work of the script begins here. ***

require_once __DIR__ . '/includes/bootstrap.inc';
require_once __DIR__ . '/includes/common.inc';
require_once __DIR__ . '/includes/file.inc';
require_once __DIR__ . '/includes/module.inc';
require_once __DIR__ . '/includes/ajax.inc';

// We prepare only a minimal bootstrap. This includes the database and
// variables, however, so we have access to the class autoloader.
drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);

// This must go after drupal_bootstrap(), which unsets globals!
global $conf;

// We have to enable the user and system modules, even to check access and
// display errors via the maintenance theme.
$module_list['system'] = 'core/modules/system/system.module';
$module_list['user'] = 'core/modules/user/user.module';
Drupal::moduleHandler()->setModuleList($module_list);
Drupal::moduleHandler()->load('system');
Drupal::moduleHandler()->load('user');

// Initialize the language system.
drupal_language_initialize();

// Initialize the maintenance theme for this administrative script.
drupal_maintenance_theme();

$output = '';
$show_messages = TRUE;

if (authorize_access_allowed()) {
  // Load both the Form API and Batch API.
  require_once __DIR__ . '/includes/form.inc';
  require_once __DIR__ . '/includes/batch.inc';
  // Load the code that drives the authorize process.
  require_once __DIR__ . '/includes/authorize.inc';

  if (isset($_SESSION['authorize_operation']['page_title'])) {
    drupal_set_title($_SESSION['authorize_operation']['page_title']);
  }
  else {
    drupal_set_title(t('Authorize file system changes'));
  }

  // See if we've run the operation and need to display a report.
  if (isset($_SESSION['authorize_results']) && $results = $_SESSION['authorize_results']) {

    // Clear the session out.
    unset($_SESSION['authorize_results']);
    unset($_SESSION['authorize_operation']);
    unset($_SESSION['authorize_filetransfer_info']);

    if (!empty($results['page_title'])) {
      drupal_set_title($results['page_title']);
    }
    if (!empty($results['page_message'])) {
      drupal_set_message($results['page_message']['message'], $results['page_message']['type']);
    }

    $output = theme('authorize_report', array('messages' => $results['messages']));

    $links = array();
    if (is_array($results['tasks'])) {
      $links += $results['tasks'];
    }
    else {
      $links = array_merge($links, array(
        l(t('Administration pages'), 'admin'),
        l(t('Front page'), '<front>'),
      ));
    }

    $output .= theme('item_list', array('items' => $links, 'title' => t('Next steps')));
  }
  // If a batch is running, let it run.
  elseif (isset($_GET['batch'])) {
    $output = _batch_page();
  }
  else {
    if (empty($_SESSION['authorize_operation']) || empty($_SESSION['authorize_filetransfer_info'])) {
      $output = t('It appears you have reached this page in error.');
    }
    elseif (!$batch = batch_get()) {
      // We have a batch to process, show the filetransfer form.
      $elements = drupal_get_form('authorize_filetransfer_form');
      $output = drupal_render($elements);
    }
  }
  // We defer the display of messages until all operations are done.
  $show_messages = !(($batch = batch_get()) && isset($batch['running']));
}
else {
  $output = authorize_access_denied_page();
}

if (!empty($output)) {
  drupal_add_http_header('Content-Type', 'text/html; charset=utf-8');
  print theme('maintenance_page', array('content' => $output, 'show_messages' => $show_messages));
}

Functions

Name                          Description
authorize_access_allowed      Determines if the current user is allowed to run authorize.php.
authorize_access_denied_page  Renders a 403 access denied page for authorize.php.

Constants

Name              Description
MAINTENANCE_MODE  Global flag to identify update.php and authorize.php runs.

Globals

Name   Description
$conf