Merge pull request #11388 from snipe/features/disable_purge_in_env

Disallow purge backup deletion by default and, enable via .env
snipe · Jun 24, 2022 · be0f0fc · be0f0fc
2 parents a03075b + 601f7a6
commit be0f0fc
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 31 deletions.
diff --git a/.env.example b/.env.example
@@ -70,7 +70,8 @@ IMAGE_LIB=gd
 MAIL_BACKUP_NOTIFICATION_DRIVER=null
 MAIL_BACKUP_NOTIFICATION_ADDRESS=null
 BACKUP_ENV=true
-
+ALLOW_BACKUP_DELETE=false
+ALLOW_DATA_PURGE=false
 
 # --------------------------------------------
 # OPTIONAL: SESSION SETTINGS

diff --git a/app/Http/Controllers/SettingsController.php b/app/Http/Controllers/SettingsController.php
@@ -1147,23 +1147,31 @@ public function downloadFile($filename = null)
      */
     public function deleteFile($filename = null)
     {
-        if (! config('app.lock_passwords')) {
-            $path = 'app/backups';
+        if (config('app.allow_backup_delete')=='true') {
 
-            if (Storage::exists($path.'/'.$filename)) {
-                try {
-                    Storage::delete($path.'/'.$filename);
+            if (!config('app.lock_passwords')) {
+                $path = 'app/backups';
 
-                    return redirect()->route('settings.backups.index')->with('success', trans('admin/settings/message.backup.file_deleted'));
-                } catch (\Exception $e) {
-                    \Log::debug($e);
+                if (Storage::exists($path . '/' . $filename)) {
+
+                    try {
+                        Storage::delete($path . '/' . $filename);
+                        return redirect()->route('settings.backups.index')->with('success', trans('admin/settings/message.backup.file_deleted'));
+                    } catch (\Exception $e) {
+                        \Log::debug($e);
+                    }
+
+                } else {
+                    return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found'));
                 }
-            } else {
-                return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found'));
             }
-        } else {
+
             return redirect()->route('settings.backups.index')->with('error', trans('general.feature_disabled'));
         }
+
+        // Hell to the no
+        \Log::warning('User ID '.Auth::user()->id.' is attempting to delete backup file '.$filename.' and is not authorized to.');
+        return redirect()->route('settings.backups.index')->with('error', trans('general.backup_delete_not_allowed'));
     }
 
 
@@ -1198,9 +1206,10 @@ public function postUploadBackup(Request $request) {
                         Storage::putFileAs('app/backups', $request->file('file'), $upload_filename);
 
                         return redirect()->route('settings.backups.index')->with('success', 'File uploaded');
-                } else {
-                    return redirect()->route('settings.backups.index')->withErrors($request->getErrors());
                 }
+
+                return redirect()->route('settings.backups.index')->withErrors($request->getErrors());
+
             }
 
         } else {
@@ -1298,9 +1307,15 @@ public function postRestore($filename = null)
      */
     public function getPurge()
     {
-        \Log::warning('User ID '.Auth::user()->id.' is attempting a PURGE');
 
-        return view('settings.purge-form');
+        \Log::warning('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting a PURGE');
+
+        if (config('app.allow_purge')=='true') {
+            return view('settings.purge-form');
+        }
+
+        return redirect()->route('settings.index')->with('error', trans('general.purge_not_allowed'));
+
     }
 
     /**
@@ -1314,22 +1329,40 @@ public function getPurge()
      */
     public function postPurge(Request $request)
     {
-        if (! config('app.lock_passwords')) {
-            if ('DELETE' == $request->input('confirm_purge')) {
-                \Log::warning('User ID '.Auth::user()->id.' initiated a PURGE!');
-                // Run a backup immediately before processing
-                Artisan::call('backup:run');
-                Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]);
-                $output = Artisan::output();
+        \Log::warning('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting a PURGE');
+
+        if (config('app.allow_purge')=='true') {
+            \Log::debug('Purging is not allowed via the .env');
+
+            if (!config('app.lock_passwords')) {
+
+                if ($request->input('confirm_purge')=='DELETE') {
+
+                    \Log::warning('User ID ' . Auth::user()->id . ' initiated a PURGE!');
+                    // Run a backup immediately before processing
+                    Artisan::call('backup:run');
+                    Artisan::call('snipeit:purge', ['--force' => 'true', '--no-interaction' => true]);
+                    $output = Artisan::output();
 
-                return view('settings/purge')
-                    ->with('output', $output)->with('success', trans('admin/settings/message.purge.success'));
+                    return redirect()->route('settings.index')
+                        ->with('output', $output)->with('success', trans('admin/settings/message.purge.success'));
+
+                } else {
+                    return redirect()->route('settings.purge.index')
+                        ->with('error', trans('admin/settings/message.purge.validation_failed'));
+                }
             } else {
-                return redirect()->back()->with('error', trans('admin/settings/message.purge.validation_failed'));
+                return redirect()->route('settings.index')
+                    ->with('error', trans('general.feature_disabled'));
             }
-        } else {
-            return redirect()->back()->with('error', trans('general.feature_disabled'));
         }
+
+        \Log::error('User '.Auth::user()->username.' (ID'.Auth::user()->id.') is attempting to purge deleted data and is not authorized to.');
+
+
+        // Nope.
+        return redirect()->route('settings.index')
+            ->with('error', trans('general.purge_not_allowed'));
     }
 
     /**

diff --git a/config/app.php b/config/app.php
@@ -430,4 +430,28 @@
 
     'api_throttle_per_minute' => env('API_THROTTLE_PER_MINUTE', 120),
 
+
+    /*
+    |--------------------------------------------------------------------------
+    | Allow Web-Based Purge
+    |--------------------------------------------------------------------------
+    |
+    | This sets whether or not to allow superadmins to purge deleted data
+    |
+    */
+
+    'allow_purge' => env('ALLOW_DATA_PURGE', false),
+
+
+    /*
+   |--------------------------------------------------------------------------
+   | Allow Backup Deletion
+   |--------------------------------------------------------------------------
+   |
+   | This sets whether or not to allow superadmins to delete backups
+   |
+   */
+
+    'allow_backup_delete' => env('ALLOW_BACKUP_DELETE', false),
+
 ];
diff --git a/resources/lang/en/general.php b/resources/lang/en/general.php
@@ -360,4 +360,7 @@
     'maintenance_mode'      => 'The service is temporarily unavailable for system updates. Please check back later.',
     'maintenance_mode_title' => 'System Temporarily Unavailable',
     'ldap_import'           => 'User password should not be managed by LDAP. (This allows you to send forgotten password requests.)',
+    'purge_not_allowed'     => 'Purging deleted data has been disabled in the .env file. Contact support or your systems administrator.',
+    'backup_delete_not_allowed'     => 'Deleting backups has been disabled in the .env file. Contact support or your systems administrator.',
+
 ];
diff --git a/resources/views/settings/backups.blade.php b/resources/views/settings/backups.blade.php
@@ -66,6 +66,7 @@ class="table table-striped snipe-table">
               <td>
 
                   @can('superadmin')
+                      @if (config('app.allow_backup_delete')=='true')
                       <a data-html="false"
                          class="btn delete-asset btn-danger btn-sm {{ (config('app.lock_passwords')) ? ' disabled': '' }}" 
                          data-toggle="modal" href="{{ route('settings.backups.destroy', $file['filename']) }}" 
@@ -75,6 +76,13 @@ class="btn delete-asset btn-danger btn-sm {{ (config('app.lock_passwords')) ? '
                           <i class="fas fa-trash icon-white" aria-hidden="true"></i>
                           <span class="sr-only">{{ trans('general.delete') }}</span>
                       </a>
+                      @else
+                          <a href="#"
+                             class="btn delete-asset btn-danger btn-sm disabled">
+                              <i class="fas fa-trash icon-white" aria-hidden="true"></i>
+                              <span class="sr-only">{{ trans('general.delete') }}</span>
+                          </a>
+                      @endif
 
                      <a data-html="true" 
                      href="{{ route('settings.backups.restore', $file['filename']) }}" 

diff --git a/resources/views/settings/index.blade.php b/resources/views/settings/index.blade.php
@@ -314,6 +314,7 @@
           </div>
         @endif
 
+
     <div class="col-md-4 col-lg-3 col-sm-6 col-xl-1">
       <div class="box box-danger">
         <div class="box-body text-center">
@@ -329,9 +330,6 @@
         </div>
       </div>
     </div>
-
-
-    </div>
   </div>