Problem/Motivation
Currently the update notification ("Update available") is shown to all users with the permission "administer site configuration", while there is already a permission "administer software updates" which is not used for that.
This leads to the issue that users who are not allowed to update see this message. In many cases, this are customers who are then afraid as they don't understand what they can (not) do and what are the consequences.
Steps to reproduce
Use a Drupal project with available updates and "administer site configuration" permission, but without "administer software updates" permission and be confused ;)
Proposed resolution
- Add a new "
view update notifications" permission to Update Manager. - Only show update notifications to users with that permission.
- Add an upgrade path to grant this permission to all roles that currently see the notifications (because they have the
administer site configurationpermission).
Remaining tasks
- Reviews / refinements.
- RTBC.
User interface changes
Update Manager notifications about available updates at the top of most /admin/* pages will only appear for users with the new view update notifications permission.
API changes
None.
Data model changes
Nope.
Release notes snippet
The Update Manager will only print notifications at the top of most /admin/* pages for users with the new view update notifications permission. A post update hook is provided that adds this permission to all roles that have the administer site configuration (which was previously used to decide who should see the notifications).
Credits
Huge THANKS to @voleger who did a great job in the both other issues to create the patches!
Alternative approaches
There are three different approaches to this problem. Both the UX team and the Update Manager subsystem maintainer (dww) agree that this issue (#332796) is the right solution, so the alternatives are now closed: