Skip navigation
Help

authorize.php

  1. drupal
    1. 7 drupal/authorize.php

Administrative script for running authorized file operations.

Using this script, the site owner (the user actually owning the files on the webserver) can authorize certain file-related operations to proceed with elevated privileges, for example to deploy and upgrade modules or themes. Users should not visit this page directly, but instead use an administrative user interface which knows how to redirect the user to this script as part of a multistep process. This script actually performs the selected operations without loading all of Drupal, to be able to more gracefully recover from errors. Access to the script is controlled by a global killswitch in settings.php ('allow_authorize_operations') and via the 'administer software updates' permission.

There are helper functions for setting up an operation to run via this system in modules/system/system.module. For more information, see: Authorized operation helper functions

Globals

NameDescription
$conf

Functions & methods

NameDescription
authorize_access_allowedDetermine if the current user is allowed to run authorize.php.
authorize_access_denied_pageRender a 403 access denied page for authorize.php

Constants

NameDescription
DRUPAL_ROOTRoot directory of Drupal installation.
MAINTENANCE_MODEGlobal flag to identify update.php and authorize.php runs, and so avoid various unwanted operations, such as hook_init() and hook_exit() invokes, css/js preprocessing and translation, and solve some theming issues. This flag is checked on several…

File

drupal/authorize.php
View source
  1. <?php
  2. /**
  3. * @file
  4. * Administrative script for running authorized file operations.
  5. *
  6. * Using this script, the site owner (the user actually owning the files on
  7. * the webserver) can authorize certain file-related operations to proceed
  8. * with elevated privileges, for example to deploy and upgrade modules or
  9. * themes. Users should not visit this page directly, but instead use an
  10. * administrative user interface which knows how to redirect the user to this
  11. * script as part of a multistep process. This script actually performs the
  12. * selected operations without loading all of Drupal, to be able to more
  13. * gracefully recover from errors. Access to the script is controlled by a
  14. * global killswitch in settings.php ('allow_authorize_operations') and via
  15. * the 'administer software updates' permission.
  16. *
  17. * There are helper functions for setting up an operation to run via this
  18. * system in modules/system/system.module. For more information, see:
  19. * @link authorize Authorized operation helper functions @endlink
  20. */
  21. /**
  22. * Root directory of Drupal installation.
  23. */
  24. define('DRUPAL_ROOT', getcwd());
  25. /**
  26. * Global flag to identify update.php and authorize.php runs, and so
  27. * avoid various unwanted operations, such as hook_init() and
  28. * hook_exit() invokes, css/js preprocessing and translation, and
  29. * solve some theming issues. This flag is checked on several places
  30. * in Drupal code (not just authorize.php).
  31. */
  32. define('MAINTENANCE_MODE', 'update');
  33. /**
  34. * Render a 403 access denied page for authorize.php
  35. */
  36. function authorize_access_denied_page() {
  37. drupal_add_http_header('Status', '403 Forbidden');
  38. watchdog('access denied', 'authorize.php', NULL, WATCHDOG_WARNING);
  39. drupal_set_title('Access denied');
  40. return t('You are not allowed to access this page.');
  41. }
  42. /**
  43. * Determine if the current user is allowed to run authorize.php.
  44. *
  45. * The killswitch in settings.php overrides all else, otherwise, the user must
  46. * have access to the 'administer software updates' permission.
  47. *
  48. * @return
  49. * TRUE if the current user can run authorize.php, otherwise FALSE.
  50. */
  51. function authorize_access_allowed() {
  52. return variable_get('allow_authorize_operations', TRUE) && user_access('administer software updates');
  53. }
  54. // *** Real work of the script begins here. ***
  55. require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
  56. require_once DRUPAL_ROOT . '/includes/session.inc';
  57. require_once DRUPAL_ROOT . '/includes/common.inc';
  58. require_once DRUPAL_ROOT . '/includes/file.inc';
  59. require_once DRUPAL_ROOT . '/includes/module.inc';
  60. require_once DRUPAL_ROOT . '/includes/ajax.inc';
  61. // We prepare only a minimal bootstrap. This includes the database and
  62. // variables, however, so we have access to the class autoloader registry.
  63. drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);
  64. // This must go after drupal_bootstrap(), which unsets globals!
  65. global $conf;
  66. // We have to enable the user and system modules, even to check access and
  67. // display errors via the maintainence theme.
  68. $module_list['system']['filename'] = 'modules/system/system.module';
  69. $module_list['user']['filename'] = 'modules/user/user.module';
  70. module_list(TRUE, FALSE, FALSE, $module_list);
  71. drupal_load('module', 'system');
  72. drupal_load('module', 'user');
  73. // We also want to have the language system available, but we do *NOT* want to
  74. // actually call drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE), since that would
  75. // also force us through the DRUPAL_BOOTSTRAP_PAGE_HEADER phase, which loads
  76. // all the modules, and that's exactly what we're trying to avoid.
  77. drupal_language_initialize();
  78. // Initialize the maintenance theme for this administrative script.
  79. drupal_maintenance_theme();
  80. $output = '';
  81. $show_messages = TRUE;
  82. if (authorize_access_allowed()) {
  83. // Load both the Form API and Batch API.
  84. require_once DRUPAL_ROOT . '/includes/form.inc';
  85. require_once DRUPAL_ROOT . '/includes/batch.inc';
  86. // Load the code that drives the authorize process.
  87. require_once DRUPAL_ROOT . '/includes/authorize.inc';
  88. // For the sake of Batch API and a few other low-level functions, we need to
  89. // initialize the URL path into $_GET['q']. However, we do not want to raise
  90. // our bootstrap level, nor do we want to call drupal_initialize_path(),
  91. // since that is assuming that modules are loaded and invoking hooks.
  92. // However, all we really care is if we're in the middle of a batch, in which
  93. // case $_GET['q'] will already be set, we just initialize it to an empty
  94. // string if it's not already defined.
  95. if (!isset($_GET['q'])) {
  96. $_GET['q'] = '';
  97. }
  98. if (isset($_SESSION['authorize_operation']['page_title'])) {
  99. drupal_set_title($_SESSION['authorize_operation']['page_title']);
  100. }
  101. else {
  102. drupal_set_title(t('Authorize file system changes'));
  103. }
  104. // See if we've run the operation and need to display a report.
  105. if (isset($_SESSION['authorize_results']) && $results = $_SESSION['authorize_results']) {
  106. // Clear the session out.
  107. unset($_SESSION['authorize_results']);
  108. unset($_SESSION['authorize_operation']);
  109. unset($_SESSION['authorize_filetransfer_info']);
  110. if (!empty($results['page_title'])) {
  111. drupal_set_title($results['page_title']);
  112. }
  113. if (!empty($results['page_message'])) {
  114. drupal_set_message($results['page_message']['message'], $results['page_message']['type']);
  115. }
  116. $output = theme('authorize_report', array('messages' => $results['messages']));
  117. $links = array();
  118. if (is_array($results['tasks'])) {
  119. $links += $results['tasks'];
  120. }
  121. else {
  122. $links = array_merge($links, array(
  123. l(t('Administration pages'), 'admin'),
  124. l(t('Front page'), '<front>'),
  125. ));
  126. }
  127. $output .= theme('item_list', array('items' => $links, 'title' => t('Next steps')));
  128. }
  129. // If a batch is running, let it run.
  130. elseif (isset($_GET['batch'])) {
  131. $output = _batch_page();
  132. }
  133. else {
  134. if (empty($_SESSION['authorize_operation']) || empty($_SESSION['authorize_filetransfer_info'])) {
  135. $output = t('It appears you have reached this page in error.');
  136. }
  137. elseif (!$batch = batch_get()) {
  138. // We have a batch to process, show the filetransfer form.
  139. $elements = drupal_get_form('authorize_filetransfer_form');
  140. $output = drupal_render($elements);
  141. }
  142. }
  143. // We defer the display of messages until all operations are done.
  144. $show_messages = !(($batch = batch_get()) && isset($batch['running']));
  145. }
  146. else {
  147. $output = authorize_access_denied_page();
  148. }
  149. if (!empty($output)) {
  150. print theme('update_page', array('content' => $output, 'show_messages' => $show_messages));
  151. }