DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-03-05 20:52:15 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #11388 from snipe/features/disable_purge_in_env

Browse source 
Disallow purge backup deletion by default and, enable via .env
This commit is contained in:
snipe 2022-06-24 16:12:00 -07:00 committed by GitHub
parent a03075b6ea 601f7a6994
commit be0f0fc421
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 98 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.env.example
View file

@ -70,7 +70,8 @@ IMAGE_LIB=gd
MAIL_BACKUP_NOTIFICATION_DRIVER=null MAIL_BACKUP_NOTIFICATION_DRIVER=null
MAIL_BACKUP_NOTIFICATION_ADDRESS=null MAIL_BACKUP_NOTIFICATION_ADDRESS=null
BACKUP_ENV=true BACKUP_ENV=true
ALLOW_BACKUP_DELETE=false
ALLOW_DATA_PURGE=false
# -------------------------------------------- # --------------------------------------------
# OPTIONAL: SESSION SETTINGS # OPTIONAL: SESSION SETTINGS

61
app/Http/Controllers/SettingsController.php
View file

@ -1147,23 +1147,31 @@ class SettingsController extends Controller
*/ */
public function deleteFile($filename = null) public function deleteFile($filename = null)
{ {
if (! config('app.lock_passwords')) { if (config('app.allow_backup_delete')=='true') {
if (!config('app.lock_passwords')) {
$path = 'app/backups'; $path = 'app/backups';
if (Storage::exists($path.'/'.$filename)) { if (Storage::exists($path . '/' . $filename)) {
try {
Storage::delete($path.'/'.$filename);
try {
Storage::delete($path . '/' . $filename);
return redirect()->route('settings.backups.index')->with('success', trans('admin/settings/message.backup.file_deleted')); return redirect()->route('settings.backups.index')->with('success', trans('admin/settings/message.backup.file_deleted'));
} catch (\Exception $e) { } catch (\Exception $e) {
\Log::debug($e); \Log::debug($e);
} }
} else { } else {
return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found')); return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found'));
} }
} else { }
return redirect()->route('settings.backups.index')->with('error', trans('general.feature_disabled')); return redirect()->route('settings.backups.index')->with('error', trans('general.feature_disabled'));
} }
// Hell to the no
\Log::warning('User ID '.Auth::user()->id.' is attempting to delete backup file '.$filename.' and is not authorized to.');
return redirect()->route('settings.backups.index')->with('error', trans('general.backup_delete_not_allowed'));
} }
@ -1198,9 +1206,10 @@ class SettingsController extends Controller
Storage::putFileAs('app/backups', $request->file('file'), $upload_filename); Storage::putFileAs('app/backups', $request->file('file'), $upload_filename);
return redirect()->route('settings.backups.index')->with('success', 'File uploaded'); return redirect()->route('settings.backups.index')->with('success', 'File uploaded');
} else {
return redirect()->route('settings.backups.index')->withErrors($request->getErrors());
} }
return redirect()->route('settings.backups.index')->withErrors($request->getErrors());
} }
} else { } else {
@ -1298,11 +1307,17 @@ class SettingsController extends Controller
*/ */
public function getPurge() public function getPurge()
{ {
\Log::warning('User ID '.Auth::user()->id.' is attempting a PURGE');
\Log::warning('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting a PURGE');
if (config('app.allow_purge')=='true') {
return view('settings.purge-form'); return view('settings.purge-form');
} }
return redirect()->route('settings.index')->with('error', trans('general.purge_not_allowed'));
}
/** /**
* Purges soft-deletes. * Purges soft-deletes.
* *
@ -1314,24 +1329,42 @@ class SettingsController extends Controller
*/ */
public function postPurge(Request $request) public function postPurge(Request $request)
{ {
if (! config('app.lock_passwords')) { \Log::warning('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting a PURGE');
if ('DELETE' == $request->input('confirm_purge')) {
\Log::warning('User ID '.Auth::user()->id.' initiated a PURGE!'); if (config('app.allow_purge')=='true') {
\Log::debug('Purging is not allowed via the .env');
if (!config('app.lock_passwords')) {
if ($request->input('confirm_purge')=='DELETE') {
\Log::warning('User ID ' . Auth::user()->id . ' initiated a PURGE!');
// Run a backup immediately before processing // Run a backup immediately before processing
Artisan::call('backup:run'); Artisan::call('backup:run');
Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]); Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]);
$output = Artisan::output(); $output = Artisan::output();
return view('settings/purge') return redirect()->route('settings.index')
->with('output', $output)->with('success', trans('admin/settings/message.purge.success')); ->with('output', $output)->with('success', trans('admin/settings/message.purge.success'));
} else { } else {
return redirect()->back()->with('error', trans('admin/settings/message.purge.validation_failed')); return redirect()->route('settings.purge.index')
->with('error', trans('admin/settings/message.purge.validation_failed'));
} }
} else { } else {
return redirect()->back()->with('error', trans('general.feature_disabled')); return redirect()->route('settings.index')
->with('error', trans('general.feature_disabled'));
} }
} }
\Log::error('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting to purge deleted data and is not authorized to.');
// Nope.
return redirect()->route('settings.index')
->with('error', trans('general.purge_not_allowed'));
}
/** /**
* Returns a page with the API token generation interface. * Returns a page with the API token generation interface.
* *

24
config/app.php
View file

@ -430,4 +430,28 @@ return [
'api_throttle_per_minute' => env('API_THROTTLE_PER_MINUTE', 120), 'api_throttle_per_minute' => env('API_THROTTLE_PER_MINUTE', 120),
/*
|--------------------------------------------------------------------------
| Allow Web-Based Purge
|--------------------------------------------------------------------------
|
| This sets whether or not to allow superadmins to purge deleted data
|
*/
'allow_purge' => env('ALLOW_DATA_PURGE', false),
/*
|--------------------------------------------------------------------------
| Allow Backup Deletion
|--------------------------------------------------------------------------
|
| This sets whether or not to allow superadmins to delete backups
|
*/
'allow_backup_delete' => env('ALLOW_BACKUP_DELETE', false),
]; ];

3
resources/lang/en/general.php
View file

@ -360,4 +360,7 @@ return [
'maintenance_mode' => 'The service is temporarily unavailable for system updates. Please check back later.', 'maintenance_mode' => 'The service is temporarily unavailable for system updates. Please check back later.',
'maintenance_mode_title' => 'System Temporarily Unavailable', 'maintenance_mode_title' => 'System Temporarily Unavailable',
'ldap_import' => 'User password should not be managed by LDAP. (This allows you to send forgotten password requests.)', 'ldap_import' => 'User password should not be managed by LDAP. (This allows you to send forgotten password requests.)',
'purge_not_allowed' => 'Purging deleted data has been disabled in the .env file. Contact support or your systems administrator.',
'backup_delete_not_allowed' => 'Deleting backups has been disabled in the .env file. Contact support or your systems administrator.',
]; ];

8
resources/views/settings/backups.blade.php
View file

@ -66,6 +66,7 @@
<td> <td>
@can('superadmin') @can('superadmin')
@if (config('app.allow_backup_delete')=='true')
<a data-html="false" <a data-html="false"
class="btn delete-asset btn-danger btn-sm {{ (config('app.lock_passwords')) ? ' disabled': '' }}" class="btn delete-asset btn-danger btn-sm {{ (config('app.lock_passwords')) ? ' disabled': '' }}"
data-toggle="modal" href="{{ route('settings.backups.destroy', $file['filename']) }}" data-toggle="modal" href="{{ route('settings.backups.destroy', $file['filename']) }}"
@ -75,6 +76,13 @@
<i class="fas fa-trash icon-white" aria-hidden="true"></i> <i class="fas fa-trash icon-white" aria-hidden="true"></i>
<span class="sr-only">{{ trans('general.delete') }}</span> <span class="sr-only">{{ trans('general.delete') }}</span>
</a> </a>
@else
<a href="#"
class="btn delete-asset btn-danger btn-sm disabled">
<i class="fas fa-trash icon-white" aria-hidden="true"></i>
<span class="sr-only">{{ trans('general.delete') }}</span>
</a>
@endif
<a data-html="true" <a data-html="true"
href="{{ route('settings.backups.restore', $file['filename']) }}" href="{{ route('settings.backups.restore', $file['filename']) }}"

4
resources/views/settings/index.blade.php
View file

@ -314,6 +314,7 @@
</div> </div>
@endif @endif
<div class="col-md-4 col-lg-3 col-sm-6 col-xl-1"> <div class="col-md-4 col-lg-3 col-sm-6 col-xl-1">
<div class="box box-danger"> <div class="box box-danger">
<div class="box-body text-center"> <div class="box-body text-center">
@ -329,9 +330,6 @@
</div> </div>
</div> </div>
</div> </div>
</div>
</div> </div>