rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(routes): restrict backup download access to team admins and owners

Browse source
This commit is contained in:
Andras Bacsai 2025-05-28 10:48:46 +02:00
parent 2934d4a259
commit 82529a3246
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
routes/web.php
View file

@ -290,9 +290,13 @@
Route::get('/download/backup/{executionId}', function () {
try {
$team = auth()->user()->currentTeam();
$user = auth()->user();
if (is_null($team)) {
return response()->json(['message' => 'Team not found.'], 404);
}
if ($user->isAdminFromSession() === false) {
return response()->json(['message' => 'Only team admins/owners can download backups.'], 403);
}
$exeuctionId = request()->route('executionId');
$execution = ScheduledDatabaseBackupExecution::where('id', $exeuctionId)->firstOrFail();
$execution_team_id = $execution->scheduledDatabaseBackup->database->team()?->id;