From 5c6ab5033280dd154f9323cae10b099676f0ece0 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 22 Sep 2025 17:44:26 +0200
Subject: [PATCH] fix(databases): update backup retrieval logic to include team context
- Modified backup configuration queries in the DatabasesController to filter by team ID, ensuring proper access control.
- Enhanced S3 storage retrieval to use the current team context for better data integrity.
- Added a relationship method in ScheduledDatabaseBackup model to associate backups with teams.
---
 app/Http/Controllers/Api/DatabasesController.php | 11 ++++++-----
 app/Models/ScheduledDatabaseBackup.php | 5 +++++
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index a9c7cb6f4..c697417bd 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -12,6 +12,7 @@ use App\Http\Controllers\Controller;
 use App\Jobs\DatabaseBackupJob;
 use App\Jobs\DeleteResourceJob;
 use App\Models\Project;
+use App\Models\S3Storage;
 use App\Models\ScheduledDatabaseBackup;
 use App\Models\Server;
 use App\Models\StandalonePostgresql;
@@ -717,7 +718,7 @@ class DatabasesController extends Controller
 return response()->json(['message' => 'Database not found.'], 404);
 }
- $backupConfig = ScheduledDatabaseBackup::where('database_id', $database->id)
+ $backupConfig = ScheduledDatabaseBackup::where('team_id', $teamId)->where('database_id', $database->id)
 ->where('uuid', $request->scheduled_backup_uuid)
 ->first();
 if (! $backupConfig) {
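Review bot: The backup lookup in this hunk still matches on `database_id` alone, although the model's `database()` relation at the end of this patch is a `morphTo()`, so the id is only meaningful together with its type column. Two databases of different engines in the same team can share a numeric id, and the query would then return a backup configuration that belongs to the other one. Adding `->where('database_type', $database->getMorphClass())` after the `database_id` condition would pin the row to the resolved database; the column name is assumed from the `morphTo()` default and should be checked against the migration. The same query shape recurs in the hunks at -1950, -2071 and -2179. `$teamId` and `$database` are assigned outside the hunk.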
@@ -741,7 +742,7 @@ class DatabasesController extends Controller
 // Convert s3_storage_uuid to s3_storage_id
 if (isset($backupData['s3_storage_uuid'])) {
- $s3Storage = \App\Models\S3Storage::where('uuid', $backupData['s3_storage_uuid'])->first();
+ $s3Storage = S3Storage::ownedByCurrentTeam()->where('uuid', $backupData['s3_storage_uuid'])->first();
 if ($s3Storage) {
 $backupData['s3_storage_id'] = $s3Storage->id;
 }
@@ -1950,7 +1951,7 @@ class DatabasesController extends Controller
 }
 // Find the backup configuration by its UUID
- $backup = ScheduledDatabaseBackup::where('database_id', $database->id)
+ $backup = ScheduledDatabaseBackup::where('team_id', $teamId)->where('database_id', $database->id)
 ->where('uuid', $request->scheduled_backup_uuid)
 ->first();
@@ -2071,7 +2072,7 @@ class DatabasesController extends Controller
 }
 // Find the backup configuration by its UUID
- $backup = ScheduledDatabaseBackup::where('database_id', $database->id)
+ $backup = ScheduledDatabaseBackup::where('team_id', $teamId)->where('database_id', $database->id)
 ->where('uuid', $request->scheduled_backup_uuid)
 ->first();
@@ -2179,7 +2180,7 @@ class DatabasesController extends Controller
 }
 // Find the backup configuration by its UUID
- $backup = ScheduledDatabaseBackup::where('database_id', $database->id)
+ $backup = ScheduledDatabaseBackup::where('team_id', $teamId)->where('database_id', $database->id)
 ->where('uuid', $request->scheduled_backup_uuid)
 ->first();
diff --git a/app/Models/ScheduledDatabaseBackup.php b/app/Models/ScheduledDatabaseBackup.php
index 90204d8df..f26090951 100644
--- a/app/Models/ScheduledDatabaseBackup.php
+++ b/app/Models/ScheduledDatabaseBackup.php
@@ -10,6 +10,11 @@ class ScheduledDatabaseBackup extends BaseModel
 {
 protected $guarded = [];
+ public function team()
+ {
+ return $this->belongsTo(Team::class);
+ }
+
 public function database(): MorphTo
 {
 return $this->morphTo();
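Review bot: When the `s3_storage_uuid` lookup finds nothing, which now includes a UUID owned by another team, the visible `if ($s3Storage)` just skips the assignment and the request carries on, so the caller gets no signal that the storage was rejected. Unless validation outside this hunk already covers it, return an error in an `else` branch, e.g. `return response()->json(['message' => 'S3 storage not found.'], 404);`. This lookup also scopes through `ownedByCurrentTeam()` while the backup queries in this patch scope by `$teamId`; if the two can resolve differently for token-authenticated API calls, `S3Storage::where('team_id', $teamId)` (assuming that column exists) would keep one source of truth. The enclosing method starts and ends outside the hunk.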
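Review bot: `team_id` is now the column the controller's access checks depend on, yet `protected $guarded = [];` just above the new relation leaves it mass-assignable. If any caller passes request-derived arrays to `update()` or `create()` on this model (not visible in this hunk), a client-supplied `team_id` could move a backup configuration to another team; guarding the column or stripping it from input in the controllers closes that. The new `team()` also lacks the return type its neighbour `database(): MorphTo` declares; `public function team(): BelongsTo` would match, provided `BelongsTo` is imported at the top of the file, which is outside the hunk.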