The setting to bypass access check on update.php (currently located at the top of update.php itself) is easy to overlook in the mass of work with upgrading a site, and problem is only reported at the end of update process (i.e. only just once).
I believe that this is a problem with similar severity as (if not higher than) protection of settings.php and the like, and so it should be reported in the System Status report.
I'm attaching a patch, including changes:
--- Due to impossibility (I believe) to include update.php only just to check setting, but not execute it, THIS PATCH INTRODUCES A CHANGE TO SETTINGS.PHP: The setting to bypass access check on update.php is moved into settings.php, which I believe is consistent, and allows files other than update.php to see it for check.
--- The check is added to System Status report.
--- The changed location of the setting is reflected in comments and descriptions at various places around update.php, and UPGRADE.txt (also fixing previously broken step-numbering in step 2 by the way).
|update-access_0.patch||8.13 KB||Ignored: Check issue status.||None||None|