diff --git a/.env.example b/.env.example index bd65c1935f..90c785e94b 100644 --- a/.env.example +++ b/.env.example @@ -70,7 +70,8 @@ IMAGE_LIB=gd MAIL_BACKUP_NOTIFICATION_DRIVER=null MAIL_BACKUP_NOTIFICATION_ADDRESS=null BACKUP_ENV=true - +ALLOW_BACKUP_DELETE=false +ALLOW_DATA_PURGE=false # -------------------------------------------- # OPTIONAL: SESSION SETTINGS diff --git a/app/Http/Controllers/SettingsController.php b/app/Http/Controllers/SettingsController.php index d6574f17c8..7fd7ea4f1c 100755 --- a/app/Http/Controllers/SettingsController.php +++ b/app/Http/Controllers/SettingsController.php @@ -1147,23 +1147,31 @@ class SettingsController extends Controller */ public function deleteFile($filename = null) { - if (! config('app.lock_passwords')) { - $path = 'app/backups'; + if (config('app.allow_backup_delete')=='true') { - if (Storage::exists($path.'/'.$filename)) { - try { - Storage::delete($path.'/'.$filename); + if (!config('app.lock_passwords')) { + $path = 'app/backups'; - return redirect()->route('settings.backups.index')->with('success', trans('admin/settings/message.backup.file_deleted')); - } catch (\Exception $e) { - \Log::debug($e); + if (Storage::exists($path . '/' . $filename)) { + + try { + Storage::delete($path . '/' . $filename); + return redirect()->route('settings.backups.index')->with('success', trans('admin/settings/message.backup.file_deleted')); + } catch (\Exception $e) { + \Log::debug($e); + } + + } else { + return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found')); } - } else { - return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found')); } - } else { + return redirect()->route('settings.backups.index')->with('error', trans('general.feature_disabled')); } + + // Hell to the no + \Log::warning('User ID '.Auth::user()->id.' is attempting to delete backup file '.$filename.' and is not authorized to.'); + return redirect()->route('settings.backups.index')->with('error', trans('general.backup_delete_not_allowed')); } @@ -1198,9 +1206,10 @@ class SettingsController extends Controller Storage::putFileAs('app/backups', $request->file('file'), $upload_filename); return redirect()->route('settings.backups.index')->with('success', 'File uploaded'); - } else { - return redirect()->route('settings.backups.index')->withErrors($request->getErrors()); } + + return redirect()->route('settings.backups.index')->withErrors($request->getErrors()); + } } else { @@ -1298,9 +1307,15 @@ class SettingsController extends Controller */ public function getPurge() { - \Log::warning('User ID '.Auth::user()->id.' is attempting a PURGE'); - return view('settings.purge-form'); + \Log::warning('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting a PURGE'); + + if (config('app.allow_purge')=='true') { + return view('settings.purge-form'); + } + + return redirect()->route('settings.index')->with('error', trans('general.purge_not_allowed')); + } /** @@ -1314,22 +1329,40 @@ class SettingsController extends Controller */ public function postPurge(Request $request) { - if (! config('app.lock_passwords')) { - if ('DELETE' == $request->input('confirm_purge')) { - \Log::warning('User ID '.Auth::user()->id.' initiated a PURGE!'); - // Run a backup immediately before processing - Artisan::call('backup:run'); - Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]); - $output = Artisan::output(); + \Log::warning('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting a PURGE'); - return view('settings/purge') - ->with('output', $output)->with('success', trans('admin/settings/message.purge.success')); + if (config('app.allow_purge')=='true') { + \Log::debug('Purging is not allowed via the .env'); + + if (!config('app.lock_passwords')) { + + if ($request->input('confirm_purge')=='DELETE') { + + \Log::warning('User ID ' . Auth::user()->id . ' initiated a PURGE!'); + // Run a backup immediately before processing + Artisan::call('backup:run'); + Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]); + $output = Artisan::output(); + + return redirect()->route('settings.index') + ->with('output', $output)->with('success', trans('admin/settings/message.purge.success')); + + } else { + return redirect()->route('settings.purge.index') + ->with('error', trans('admin/settings/message.purge.validation_failed')); + } } else { - return redirect()->back()->with('error', trans('admin/settings/message.purge.validation_failed')); + return redirect()->route('settings.index') + ->with('error', trans('general.feature_disabled')); } - } else { - return redirect()->back()->with('error', trans('general.feature_disabled')); } + + \Log::error('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting to purge deleted data and is not authorized to.'); + + + // Nope. + return redirect()->route('settings.index') + ->with('error', trans('general.purge_not_allowed')); } /** diff --git a/config/app.php b/config/app.php index ba56b42e33..d57e5a0177 100755 --- a/config/app.php +++ b/config/app.php @@ -430,4 +430,28 @@ return [ 'api_throttle_per_minute' => env('API_THROTTLE_PER_MINUTE', 120), + + /* + |-------------------------------------------------------------------------- + | Allow Web-Based Purge + |-------------------------------------------------------------------------- + | + | This sets whether or not to allow superadmins to purge deleted data + | + */ + + 'allow_purge' => env('ALLOW_DATA_PURGE', false), + + + /* + |-------------------------------------------------------------------------- + | Allow Backup Deletion + |-------------------------------------------------------------------------- + | + | This sets whether or not to allow superadmins to delete backups + | + */ + + 'allow_backup_delete' => env('ALLOW_BACKUP_DELETE', false), + ]; diff --git a/resources/lang/en/general.php b/resources/lang/en/general.php index 0b9c680f2d..94f0001b7c 100644 --- a/resources/lang/en/general.php +++ b/resources/lang/en/general.php @@ -360,4 +360,7 @@ return [ 'maintenance_mode' => 'The service is temporarily unavailable for system updates. Please check back later.', 'maintenance_mode_title' => 'System Temporarily Unavailable', 'ldap_import' => 'User password should not be managed by LDAP. (This allows you to send forgotten password requests.)', + 'purge_not_allowed' => 'Purging deleted data has been disabled in the .env file. Contact support or your systems administrator.', + 'backup_delete_not_allowed' => 'Deleting backups has been disabled in the .env file. Contact support or your systems administrator.', + ]; \ No newline at end of file diff --git a/resources/views/settings/backups.blade.php b/resources/views/settings/backups.blade.php index c50e7a51a3..94733141c0 100644 --- a/resources/views/settings/backups.blade.php +++ b/resources/views/settings/backups.blade.php @@ -66,6 +66,7 @@ @can('superadmin') + @if (config('app.allow_backup_delete')=='true') + @else + + + {{ trans('general.delete') }} + + @endif @endif +
@@ -329,9 +330,6 @@
- - - diff --git a/resources/views/setup/migrate.blade.php b/resources/views/setup/migrate.blade.php index 922b69a35a..fb9f50e17c 100644 --- a/resources/views/setup/migrate.blade.php +++ b/resources/views/setup/migrate.blade.php @@ -1,7 +1,7 @@ @extends('layouts/setup') {{-- Page title --}} @section('title') -{{ trans('gerneral.setup_migrations') }} +{{ trans('general.setup_migrations') }} @parent @stop @@ -12,27 +12,27 @@
- {{ trans('gerneral.setup_no_migrations') }} + {{ trans('general.setup_no_migrations') }}
@else
- {{ trans('gerneral.setup_successful_migrations') }} + {{ trans('general.setup_successful_migrations') }}
@endif -

{{ trans('gerneral.setup_migration_output') }}

+

{{ trans('general.setup_migration_output') }} 

{{ $output }}
@stop @section('button')
- +
@parent @stop