(Same issue here: http://drupal.org/node/1177752. I'm re-posting this for 8.x-dev.)

When a security update comes out for Drupal, Update module displays a red notification on admin pages saying, "There is a security update available for your version of Drupal". If you're a site administrator, this message is helpful. But if you're not the person responsible for keeping the site up to date, this message can be scary. As a result, many site-builders turn off Update before handing a website over to end-users to prevent end-users (content managers, etc.) from getting upset or worried when it's time to update the site.

Since Update doesn't implement hook_permission at all, security update notifications are "all or nothing". If Update module is enabled, everyone who has access to admin pages see the warning. If you don't like this behavior, the only option is to turn Update off.

Wouldn't it be better to have Update module provide a permission for seeing (or not seeing) these security update notifications? This seems like a better solution for two reasons:

1. It just seems like a more elegant solution to have access to the warning message be permission-based / role-based.

2. For modules that depend on Update module, the current state of things is no good. Custom modules can't take advantage of Drupal core's Update module without forcing site builders to choose between added functionality and user friendliness.

CommentFileSizeAuthor
#6 update-module-should-implement-hook-permission-1177752-7--8.x.patch8.21 KBbryanhirsch
#1 update-module-should-implement-hook-permission-1177754-1.patch6.83 KBbryanhirsch

Comments

bryanhirsch’s picture

bryanhirsch commented
Title: Update module should implement hook_permission for security update notifications » patch
Status: Active » Needs review
StatusFileSize
new update-module-should-implement-hook-permission-1177754-1.patch6.83 KB

(This is a forward port of the patch submitted for the same issue on 7.x-dev here: http://drupal.org/node/1177752.)

This patch implements hook_permission in Update module to give site administrators more granular control over who sees the scary red security update notification that appears on all admin pages when it's time to update the code base. Without this patch, Update module displays the red update notification to anyone with permission to access admin pages, no matter what their role is.

Update 8000 "grandfathers" in anyone who previously had access to admin pages, automatically granting them 'update notification' permission. This way, we won't confuse anyone who is accustomed to seeing these notifications.

In the future, if this patch is committed, people can be given permission to receive the security update notification by granting them the 'update notification' permission.

bryanhirsch’s picture

bryanhirsch commented
Title: patch » Update module should implement hook_permission for security update notifications

Status: Needs review » Needs work

The last submitted patch, update-module-should-implement-hook-permission-1177754-1.patch, failed testing.

bfroehle’s picture

bfroehle commented

oops, wrong issue.

bfroehle’s picture

bfroehle commented
Status: Needs work » Closed (duplicate)

The current workflow isn't to have a single issue for both 7.x and 8.x. So marking this as closed as duplicate of #1177752: Update module should implement hook_permission for security update notifications.

bryanhirsch’s picture

bryanhirsch commented
StatusFileSize
new update-module-should-implement-hook-permission-1177752-7--8.x.patch8.21 KB

The 8.x patch I uploaded here failed:
http://drupal.org/node/1177752#comment-4570180

I'm guessing this is because the test bot tested them against 7.x (since that issue is assigned to 7.x-dev). I'm uploading the 8.x patch here for testing.