From 82529a324654e4108f1ff6ff79c5825f4956b181 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 28 May 2025 10:48:46 +0200
Subject: [PATCH] feat(routes): restrict backup download access to team admins and owners
---
 routes/web.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/routes/web.php b/routes/web.php
index f1031e629..dc6817906 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -290,9 +290,13 @@ Route::middleware(['auth'])->group(function () {
 Route::get('/download/backup/{executionId}', function () {
 try {
 $team = auth()->user()->currentTeam();
+ $user = auth()->user();
 if (is_null($team)) {
 return response()->json(['message' => 'Team not found.'], 404);
 }
+ if ($user->isAdminFromSession() === false) { return response()->json(['message' => 'Only team admins/owners can download backups.'], 403);
+ }
 $exeuctionId = request()->route('executionId');
 $execution = ScheduledDatabaseBackupExecution::where('id', $exeuctionId)->firstOrFail();
 $execution_team_id = $execution->scheduledDatabaseBackup->database->team()?->id;
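Review bot: The new guard `if ($user->isAdminFromSession() === false)` takes the caller's role from session state rather than from the `$team` resolved two lines earlier, so if that helper returns a value cached at login (its name suggests it does, though the implementation is not visible here) a demotion or a team switch not yet reflected in the session would still pass the check; deriving the role from the user's membership in `$team` would tie the authorization to the same team that `$execution_team_id` is later compared against. That ownership comparison, and the rest of the route closure, continue outside this hunk. A smaller point: `$user = auth()->user();` is assigned only after `auth()->user()` was already called to obtain `$team`; moving the assignment first and writing `$team = $user->currentTeam();` removes the duplicate lookup and any chance of the two calls disagreeing. A short comment above the guard, `// Backup archives may contain full database dumps; only team admins/owners may fetch them.`, would record why this endpoint is stricter than the surrounding authenticated routes.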