fix(databases): update backup retrieval logic to include team context

- Modified backup configuration queries in the DatabasesController to filter by team ID, ensuring proper access control. - Enhanced S3 storage retrieval to use the current team context for better data integrity. - Added a relationship method in ScheduledDatabaseBackup model to associate backups with teams.
2025-09-22 17:44:26 +02:00
parent ed2ba832a8
commit 5c6ab50332
2 changed files with 11 additions and 5 deletions
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -12,6 +12,7 @@ use App\Http\Controllers\Controller;
 use App\Jobs\DatabaseBackupJob;
 use App\Jobs\DeleteResourceJob;
 use App\Models\Project;
 use App\Models\S3Storage;
 use App\Models\ScheduledDatabaseBackup;
 use App\Models\Server;
 use App\Models\StandalonePostgresql;
@@ -717,7 +718,7 @@ class DatabasesController extends Controller
            return response()->json(['message' => 'Database not found.'], 404);
        }
-        $backupConfig = ScheduledDatabaseBackup::where('database_id', $database->id)
+        $backupConfig = ScheduledDatabaseBackup::where('team_id', $teamId)->where('database_id', $database->id)
            ->where('uuid', $request->scheduled_backup_uuid)
            ->first();
        if (! $backupConfig) {
@@ -741,7 +742,7 @@ class DatabasesController extends Controller
        // Convert s3_storage_uuid to s3_storage_id
        if (isset($backupData['s3_storage_uuid'])) {
-            $s3Storage = \App\Models\S3Storage::where('uuid', $backupData['s3_storage_uuid'])->first();
+            $s3Storage = S3Storage::ownedByCurrentTeam()->where('uuid', $backupData['s3_storage_uuid'])->first();
            if ($s3Storage) {
                $backupData['s3_storage_id'] = $s3Storage->id;
            }
@@ -1950,7 +1951,7 @@ class DatabasesController extends Controller
        }
        // Find the backup configuration by its UUID
-        $backup = ScheduledDatabaseBackup::where('database_id', $database->id)
+        $backup = ScheduledDatabaseBackup::where('team_id', $teamId)->where('database_id', $database->id)
            ->where('uuid', $request->scheduled_backup_uuid)
            ->first();
@@ -2071,7 +2072,7 @@ class DatabasesController extends Controller
        }
        // Find the backup configuration by its UUID
-        $backup = ScheduledDatabaseBackup::where('database_id', $database->id)
+        $backup = ScheduledDatabaseBackup::where('team_id', $teamId)->where('database_id', $database->id)
            ->where('uuid', $request->scheduled_backup_uuid)
            ->first();
@@ -2179,7 +2180,7 @@ class DatabasesController extends Controller
        }
        // Find the backup configuration by its UUID
-        $backup = ScheduledDatabaseBackup::where('database_id', $database->id)
+        $backup = ScheduledDatabaseBackup::where('team_id', $teamId)->where('database_id', $database->id)
            ->where('uuid', $request->scheduled_backup_uuid)
            ->first();
--- a/app/Models/ScheduledDatabaseBackup.php
+++ b/app/Models/ScheduledDatabaseBackup.php
@@ -10,6 +10,11 @@ class ScheduledDatabaseBackup extends BaseModel
 {
    protected $guarded = [];
    public function team()
    {
        return $this->belongsTo(Team::class);
    }
    public function database(): MorphTo
    {
        return $this->morphTo();