dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat(routes): restrict backup download access to team admins and owners

Browse Source
This commit is contained in:
Andras Bacsai
2025-05-28 10:48:46 +02:00
parent 2934d4a259
commit 82529a3246
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
routes/web.php
View File

@@ -290,9 +290,13 @@ Route::middleware(['auth'])->group(function () {
Route::get('/download/backup/{executionId}', function () { Route::get('/download/backup/{executionId}', function () {
try { try {
$team = auth()->user()->currentTeam(); $team = auth()->user()->currentTeam();
$user = auth()->user();
if (is_null($team)) { if (is_null($team)) {
return response()->json(['message' => 'Team not found.'], 404); return response()->json(['message' => 'Team not found.'], 404);
} }
if ($user->isAdminFromSession() === false) {
return response()->json(['message' => 'Only team admins/owners can download backups.'], 403);
}
$exeuctionId = request()->route('executionId'); $exeuctionId = request()->route('executionId');
$execution = ScheduledDatabaseBackupExecution::where('id', $exeuctionId)->firstOrFail(); $execution = ScheduledDatabaseBackupExecution::where('id', $exeuctionId)->firstOrFail();
$execution_team_id = $execution->scheduledDatabaseBackup->database->team()?->id; $execution_team_id = $execution->scheduledDatabaseBackup->database->team()?->id;