From 77bf28bcb62126d8d272a0925461c7470f6587c3 Mon Sep 17 00:00:00 2001 From: snipe Date: Thu, 23 Jun 2022 20:11:43 -0700 Subject: [PATCH 1/9] Disallow purge Signed-off-by: snipe --- .env.example | 1 + app/Http/Controllers/SettingsController.php | 35 +++++++++++++-------- config/app.php | 12 +++++++ resources/lang/en/general.php | 1 + resources/views/settings/index.blade.php | 2 ++ 5 files changed, 38 insertions(+), 13 deletions(-) diff --git a/.env.example b/.env.example index bd65c1935f..f4947e6473 100644 --- a/.env.example +++ b/.env.example @@ -8,6 +8,7 @@ APP_URL=null APP_TIMEZONE='UTC' APP_LOCALE=en MAX_RESULTS=500 +ALLOW_DATA_PURGE=false # -------------------------------------------- # REQUIRED: UPLOADED FILE STORAGE SETTINGS diff --git a/app/Http/Controllers/SettingsController.php b/app/Http/Controllers/SettingsController.php index d6574f17c8..0e8427fbd8 100755 --- a/app/Http/Controllers/SettingsController.php +++ b/app/Http/Controllers/SettingsController.php @@ -1299,8 +1299,13 @@ class SettingsController extends Controller public function getPurge() { \Log::warning('User ID '.Auth::user()->id.' is attempting a PURGE'); + if (config('app.allow_purge')=='true') { + + return view('settings.purge-form'); + } + + return redirect()->back()->with('error', trans('general.purge_not_allowed')); - return view('settings.purge-form'); } /** 
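Review bot: The gate `if (config('app.allow_purge')=='true')` in getPurge compares a value that config/app.php derives from `env('ALLOW_DATA_PURGE', false)` against the string literal `'true'`; Laravel's env() helper turns the literals true/false into booleans, so this only passes through loose bool-to-string comparison, and a value such as `ALLOW_DATA_PURGE=1` stays a string and fails the check (closed, but silently). Normalise once in the config hunk, `'allow_purge' => filter_var(env('ALLOW_DATA_PURGE', false), FILTER_VALIDATE_BOOLEAN),`, and test strictly at the call sites, `if (config('app.allow_purge') === true) {`. The same comparison appears in the postPurge hunk of this patch, in the index.blade.php `@if`, and for `allow_backup_delete` in patches 3, 5 and 6. Logging the attempt before the gate, as getPurge does here, keeps disallowed attempts visible and is worth keeping.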
@@ -1314,21 +1319,25 @@ class SettingsController extends Controller */ public function postPurge(Request $request) { - if (! config('app.lock_passwords')) { - if ('DELETE' == $request->input('confirm_purge')) { - \Log::warning('User ID '.Auth::user()->id.' initiated a PURGE!'); - // Run a backup immediately before processing - Artisan::call('backup:run'); - Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]); - $output = Artisan::output(); + if (config('app.allow_purge')=='true') { + if (!config('app.lock_passwords')) { + if ('DELETE' == $request->input('confirm_purge')) { + \Log::warning('User ID ' . Auth::user()->id . ' initiated a PURGE!'); + // Run a backup immediately before processing + Artisan::call('backup:run'); + Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]); + $output = Artisan::output(); - return view('settings/purge') - ->with('output', $output)->with('success', trans('admin/settings/message.purge.success')); + return view('settings/purge') + ->with('output', $output)->with('success', trans('admin/settings/message.purge.success')); + } else { + return redirect()->back()->with('error', trans('admin/settings/message.purge.validation_failed')); + } } else { - return redirect()->back()->with('error', trans('admin/settings/message.purge.validation_failed')); + return redirect()->back()->with('error', trans('general.feature_disabled')); } - } else { - return redirect()->back()->with('error', trans('general.feature_disabled')); + + return redirect()->back()->with('error', trans('general.purge_not_allowed')); } } diff --git a/config/app.php b/config/app.php index ba56b42e33..3969da19d4 100755 --- a/config/app.php +++ b/config/app.php 
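Review bot: In postPurge the new `return redirect()->back()->with('error', trans('general.purge_not_allowed'));` sits inside the `if (config('app.allow_purge')=='true')` block, after an inner if/else whose every branch already returns, so it is unreachable; when purging is disallowed the method falls off the end and returns null instead of the intended error redirect. Move it after the outer block's closing brace. Unlike getPurge, this path also writes nothing to the log, so a refused POST leaves no audit trail. Patch 6 in this series appears to move the return and add the log line, so this is a note on the intermediate state.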
@@ -430,4 +430,16 @@ return [ 'api_throttle_per_minute' => env('API_THROTTLE_PER_MINUTE', 120), + + /* + |-------------------------------------------------------------------------- + | Allow Web-Based Purge + |-------------------------------------------------------------------------- + | + | This sets whether or not to allow superadmins to purge deleted data + | + */ + + 'allow_purge' => env('ALLOW_DATA_PURGE', false), + ]; diff --git a/resources/lang/en/general.php b/resources/lang/en/general.php index 0b9c680f2d..74c403baf5 100644 --- a/resources/lang/en/general.php +++ b/resources/lang/en/general.php @@ -360,4 +360,5 @@ return [ 'maintenance_mode' => 'The service is temporarily unavailable for system updates. Please check back later.', 'maintenance_mode_title' => 'System Temporarily Unavailable', 'ldap_import' => 'User password should not be managed by LDAP. (This allows you to send forgotten password requests.)', + 'purge_not_allowed' => 'Purging deleted data has been disabled in the .env file. Contact support or your systems administrator.', ]; \ No newline at end of file diff --git a/resources/views/settings/index.blade.php b/resources/views/settings/index.blade.php index d2817ae04c..ff7d0cfd3e 100755 --- a/resources/views/settings/index.blade.php +++ b/resources/views/settings/index.blade.php @@ -314,6 +314,7 @@ @endif + @if (config('app.allow_purge')=='true')
@@ -329,6 +330,7 @@
+ @endif From f483eafae914f469b367b1b5b51544f72fa9397a Mon Sep 17 00:00:00 2001 From: snipe Date: Fri, 24 Jun 2022 15:44:11 -0700 Subject: [PATCH 2/9] Added backup delete env Signed-off-by: snipe --- .env.example | 1 + 1 file changed, 1 insertion(+) diff --git a/.env.example b/.env.example index f4947e6473..85937742f7 100644 --- a/.env.example +++ b/.env.example @@ -9,6 +9,7 @@ APP_TIMEZONE='UTC' APP_LOCALE=en MAX_RESULTS=500 ALLOW_DATA_PURGE=false +ALLOW_BACKUP_DELETE=false # -------------------------------------------- # REQUIRED: UPLOADED FILE STORAGE SETTINGS From cf99d424135eda5d691bfd1a228124097ded3518 Mon Sep 17 00:00:00 2001 From: snipe Date: Fri, 24 Jun 2022 15:48:37 -0700 Subject: [PATCH 3/9] Added backup delete to app config Signed-off-by: snipe --- config/app.php | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/config/app.php b/config/app.php index 3969da19d4..d57e5a0177 100755 --- a/config/app.php +++ b/config/app.php @@ -442,4 +442,16 @@ return [ 'allow_purge' => env('ALLOW_DATA_PURGE', false), + + /* + |-------------------------------------------------------------------------- + | Allow Backup Deletion + |-------------------------------------------------------------------------- + | + | This sets whether or not to allow superadmins to delete backups + | + */ + + 'allow_backup_delete' => env('ALLOW_BACKUP_DELETE', false), + ]; From 657039882c29e00dcdc04bda437024adfde36a73 Mon Sep 17 00:00:00 2001 From: snipe Date: Fri, 24 Jun 2022 15:48:46 -0700 Subject: [PATCH 4/9] Added purge and backup strings Signed-off-by: snipe --- resources/lang/en/general.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/resources/lang/en/general.php b/resources/lang/en/general.php index 74c403baf5..94f0001b7c 100644 --- a/resources/lang/en/general.php +++ b/resources/lang/en/general.php 
@@ -361,4 +361,6 @@ return [ 'maintenance_mode_title' => 'System Temporarily Unavailable', 'ldap_import' => 'User password should not be managed by LDAP. (This allows you to send forgotten password requests.)', 'purge_not_allowed' => 'Purging deleted data has been disabled in the .env file. Contact support or your systems administrator.', + 'backup_delete_not_allowed' => 'Deleting backups has been disabled in the .env file. Contact support or your systems administrator.', + ]; \ No newline at end of file From fce4f0dc0eb714eab2ae302e7d42085adeb04486 Mon Sep 17 00:00:00 2001 From: snipe Date: Fri, 24 Jun 2022 15:49:07 -0700 Subject: [PATCH 5/9] Disable delete button if not allowed Signed-off-by: snipe --- resources/views/settings/backups.blade.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/resources/views/settings/backups.blade.php b/resources/views/settings/backups.blade.php index c50e7a51a3..94733141c0 100644 --- a/resources/views/settings/backups.blade.php +++ b/resources/views/settings/backups.blade.php @@ -66,6 +66,7 @@ @can('superadmin') + @if (config('app.allow_backup_delete')=='true') + @else + + + {{ trans('general.delete') }} + + @endif Date: Fri, 24 Jun 2022 15:49:22 -0700 Subject: [PATCH 6/9] Disallow backup deletion and log attempt if not allowed Signed-off-by: snipe --- app/Http/Controllers/SettingsController.php | 68 ++++++++++++++------- 1 file changed, 46 insertions(+), 22 deletions(-) diff --git a/app/Http/Controllers/SettingsController.php b/app/Http/Controllers/SettingsController.php index 0e8427fbd8..7fd7ea4f1c 100755 --- a/app/Http/Controllers/SettingsController.php +++ b/app/Http/Controllers/SettingsController.php 
@@ -1147,23 +1147,31 @@ class SettingsController extends Controller */ public function deleteFile($filename = null) { - if (! config('app.lock_passwords')) { - $path = 'app/backups'; + if (config('app.allow_backup_delete')=='true') { - if (Storage::exists($path.'/'.$filename)) { - try { - Storage::delete($path.'/'.$filename); + if (!config('app.lock_passwords')) { + $path = 'app/backups'; - return redirect()->route('settings.backups.index')->with('success', trans('admin/settings/message.backup.file_deleted')); - } catch (\Exception $e) { - \Log::debug($e); + if (Storage::exists($path . '/' . $filename)) { + + try { + Storage::delete($path . '/' . $filename); + return redirect()->route('settings.backups.index')->with('success', trans('admin/settings/message.backup.file_deleted')); + } catch (\Exception $e) { + \Log::debug($e); + } + + } else { + return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found')); } - } else { - return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found')); } - } else { + return redirect()->route('settings.backups.index')->with('error', trans('general.feature_disabled')); } + + // Hell to the no + \Log::warning('User ID '.Auth::user()->id.' is attempting to delete backup file '.$filename.' and is not authorized to.'); + return redirect()->route('settings.backups.index')->with('error', trans('general.backup_delete_not_allowed')); } @@ -1198,9 +1206,10 @@ class SettingsController extends Controller Storage::putFileAs('app/backups', $request->file('file'), $upload_filename); return redirect()->route('settings.backups.index')->with('success', 'File uploaded'); - } else { - return redirect()->route('settings.backups.index')->withErrors($request->getErrors()); } + + return redirect()->route('settings.backups.index')->withErrors($request->getErrors()); + } } else { 
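Review bot: `$filename` is still concatenated unchecked into `$path . '/' . $filename` for Storage::exists() and Storage::delete(); the new env gate decides whether any deletion is allowed, but nothing constrains the name to a file directly inside app/backups, so a name containing directory separators can resolve to another path on the same disk (Flysystem normalises the path but, as far as I recall, only rejects traversal above the disk root — verify against the installed version). Reject anything that is not a bare file name before the Storage calls, `if ($filename === null || $filename !== basename($filename)) { return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found')); }`. Separately, the `catch (\Exception $e)` branch only calls `\Log::debug($e)` and then falls through to the `trans('general.feature_disabled')` redirect, so a failed delete is reported to the admin as a disabled feature; return a distinct error from the catch and log it at warning level. The "not authorized" warning at the end records user and file name, which is useful; the lock_passwords refusal just above it records nothing and could log the same way.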
@@ -1298,13 +1307,14 @@ class SettingsController extends Controller */ public function getPurge() { - \Log::warning('User ID '.Auth::user()->id.' is attempting a PURGE'); - if (config('app.allow_purge')=='true') { + \Log::warning('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting a PURGE'); + + if (config('app.allow_purge')=='true') { return view('settings.purge-form'); } - return redirect()->back()->with('error', trans('general.purge_not_allowed')); + return redirect()->route('settings.index')->with('error', trans('general.purge_not_allowed')); } 
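Review bot: The new log line builds `'(ID'.Auth::user()->id.')'`, which renders as `(ID42)`; restore the spacing, `' (ID '.Auth::user()->id.') is attempting a PURGE'`. The same construction is repeated three times in the postPurge hunk that follows. A `sprintf()` with `%s`/`%d` placeholders would keep the four messages consistent and easier to search for.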
@@ -1319,26 +1329,40 @@ class SettingsController extends Controller */ public function postPurge(Request $request) { + \Log::warning('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting a PURGE'); + if (config('app.allow_purge')=='true') { + \Log::debug('Purging is not allowed via the .env'); + if (!config('app.lock_passwords')) { - if ('DELETE' == $request->input('confirm_purge')) { + + if ($request->input('confirm_purge')=='DELETE') { + \Log::warning('User ID ' . Auth::user()->id . ' initiated a PURGE!'); // Run a backup immediately before processing Artisan::call('backup:run'); Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]); $output = Artisan::output(); - return view('settings/purge') + return redirect()->route('settings.index') ->with('output', $output)->with('success', trans('admin/settings/message.purge.success')); + } else { - return redirect()->back()->with('error', trans('admin/settings/message.purge.validation_failed')); + return redirect()->route('settings.purge.index') + ->with('error', trans('admin/settings/message.purge.validation_failed')); } } else { - return redirect()->back()->with('error', trans('general.feature_disabled')); + return redirect()->route('settings.index') + ->with('error', trans('general.feature_disabled')); } - - return redirect()->back()->with('error', trans('general.purge_not_allowed')); } + + \Log::error('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting to purge deleted data and is not authorized to.'); + + + // Nope. + return redirect()->route('settings.index') + ->with('error', trans('general.purge_not_allowed')); } /** From 75d19d815d4d52b3918e295f997a48d42283674d Mon Sep 17 00:00:00 2001 From: snipe Date: Fri, 24 Jun 2022 15:59:40 -0700 Subject: [PATCH 7/9] Still show the purge button even if not allowed to avoid confusion Signed-off-by: snipe --- resources/views/settings/index.blade.php | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
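Review bot: `\Log::debug('Purging is not allowed via the .env');` is placed inside `if (config('app.allow_purge')=='true') {`, so it is written exactly when purging is allowed and never when it is refused; drop it, or move it next to the `\Log::error(...)` on the refused path below the block. The success branch now does `return redirect()->route('settings.index')->with('output', $output)`, flashing the Artisan output to the session where the previous code rendered it through the settings/purge view; unless settings.index displays an `output` flash, the command output the admin used to see is lost — confirm against that view. The refused path logs at error level on top of the warning already written at the top of the method, so every disallowed POST produces two entries; one entry at one level would do.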
diff --git a/resources/views/settings/index.blade.php b/resources/views/settings/index.blade.php index ff7d0cfd3e..09230ee17e 100755 --- a/resources/views/settings/index.blade.php +++ b/resources/views/settings/index.blade.php @@ -314,7 +314,7 @@ @endif - @if (config('app.allow_purge')=='true') +
@@ -329,10 +329,6 @@

{{ trans('admin/settings/general.purge_help') }}

-
- @endif - - From 601f7a6994053e10bd52312d6997e1d024839371 Mon Sep 17 00:00:00 2001 From: snipe Date: Fri, 24 Jun 2022 16:00:05 -0700 Subject: [PATCH 8/9] Moved new variables in example env Signed-off-by: snipe --- .env.example | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.env.example b/.env.example index 85937742f7..90c785e94b 100644 --- a/.env.example +++ b/.env.example @@ -8,8 +8,6 @@ APP_URL=null APP_TIMEZONE='UTC' APP_LOCALE=en MAX_RESULTS=500 -ALLOW_DATA_PURGE=false -ALLOW_BACKUP_DELETE=false # -------------------------------------------- # REQUIRED: UPLOADED FILE STORAGE SETTINGS @@ -72,7 +70,8 @@ IMAGE_LIB=gd MAIL_BACKUP_NOTIFICATION_DRIVER=null MAIL_BACKUP_NOTIFICATION_ADDRESS=null BACKUP_ENV=true - +ALLOW_BACKUP_DELETE=false +ALLOW_DATA_PURGE=false # -------------------------------------------- # OPTIONAL: SESSION SETTINGS From 3b3f1a817edfecff6a2488d7ca65f3e8a9cef80a Mon Sep 17 00:00:00 2001 From: Brady Wetherington Date: Fri, 24 Jun 2022 16:00:15 -0700 Subject: [PATCH 9/9] Typo of 'general' was in the migration blade a few places --- resources/views/setup/migrate.blade.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/resources/views/setup/migrate.blade.php b/resources/views/setup/migrate.blade.php index 922b69a35a..fb9f50e17c 100644 --- a/resources/views/setup/migrate.blade.php +++ b/resources/views/setup/migrate.blade.php @@ -1,7 +1,7 @@ @extends('layouts/setup') {{-- Page title --}} @section('title') -{{ trans('gerneral.setup_migrations') }} +{{ trans('general.setup_migrations') }} @parent @stop @@ -12,27 +12,27 @@
- {{ trans('gerneral.setup_no_migrations') }} + {{ trans('general.setup_no_migrations') }}
@else
- {{ trans('gerneral.setup_successful_migrations') }} + {{ trans('general.setup_successful_migrations') }}
@endif -

{{ trans('gerneral.setup_migration_output') }}

+

{{ trans('general.setup_migration_output') }}

{{ $output }}
@stop @section('button')
- +
@parent @stop