Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Disable UI

41 sites Security covered
View on drupal.org

This module restricts access to the Drupal admin interface for non-admin users on headless sites. It provides a permission to control UI access and automatically exempts routes that appear to be API endpoints.

This small module is intended to be used on headless Drupal sites where only admins and developers should have access to the Drupal UI, and regular/authenticated users should not. This is accomplished via a new permission called "Access UI routes".

The permission only applies to routes that the module determines are not API routes. The determination is based on the format requirements specified on each route. Any route that declares a _format requirement that starts with the string 'api_' or ends with the string 'json' is considered an API route. This crude heuristic seems to work for both the RESTful Web Services and JSON:API modules in core. YMMV for third-party modules that handle API requests in their own controllers without any special sentinel values in their routes.

In addition, special system routes (like the CSRF token endpoint for RESTful Web Services) as well as the user login and password reset forms are excluded from access restrictions via a new hook_disable_ui_route_exclusions(). If your site needs to expose more routes to users, you should either ensure that the _format of your route is correct (if you are exposing an API) or you should implement the new hook (if you are exposing an HTML page).

Credits

Project icon made by Freepik from www.flaticon.com

Activity

Total releases
1
First release
Jul 2025
Latest release
1 year ago
Releases (12 mo)
0 ▼ from 1
Maintenance
Dormant

Releases

Version Type Release date
1.0.7 Stable Jul 2, 2025