Add manual backup creation and delete buttons to Update Manager

- Add "Create Backup" button in the backups tab for on-demand backups - Add delete buttons (trash icons) for update logs and backups - New controller routes with CSRF protection and permission checks - Use data-turbo-confirm for CSP-safe confirmation dialogs - Add deleteLog() method to UpdateExecutor with filename validation
2026-05-20 02:11:31 +00:00 · 2026-02-17 22:20:01 +01:00 · 2026-02-17 22:20:01 +01:00 · 14300f2cf1
commit 14300f2cf1
parent 32a666f6c3
4 changed files with 230 additions and 23 deletions
--- a/src/Controller/UpdateManagerController.php
+++ b/src/Controller/UpdateManagerController.php
@ -314,6 +314,80 @@ class UpdateManagerController extends AbstractController
        return $this->json($details);
    }

+    /**
+     * Create a manual backup.
+     */
+    #[Route('/backup', name: 'admin_update_manager_backup', methods: ['POST'])]
+    public function createBackup(Request $request): Response
+    {
+        $this->denyAccessUnlessGranted('@system.manage_updates');
+
+        if (!$this->isCsrfTokenValid('update_manager_backup', $request->request->get('_token'))) {
+            $this->addFlash('error', 'Invalid CSRF token.');
+            return $this->redirectToRoute('admin_update_manager');
+        }
+
+        if ($this->updateExecutor->isLocked()) {
+            $this->addFlash('error', 'Cannot create backup while an update is in progress.');
+            return $this->redirectToRoute('admin_update_manager');
+        }
+
+        try {
+            $backupPath = $this->backupManager->createBackup(null, 'manual');
+            $this->addFlash('success', 'update_manager.backup.created');
+        } catch (\Exception $e) {
+            $this->addFlash('error', 'Backup failed: ' . $e->getMessage());
+        }
+
+        return $this->redirectToRoute('admin_update_manager');
+    }
+
+    /**
+     * Delete a backup file.
+     */
+    #[Route('/backup/delete', name: 'admin_update_manager_backup_delete', methods: ['POST'])]
+    public function deleteBackup(Request $request): Response
+    {
+        $this->denyAccessUnlessGranted('@system.manage_updates');
+
+        if (!$this->isCsrfTokenValid('update_manager_delete', $request->request->get('_token'))) {
+            $this->addFlash('error', 'Invalid CSRF token.');
+            return $this->redirectToRoute('admin_update_manager');
+        }
+
+        $filename = $request->request->get('filename');
+        if ($filename && $this->backupManager->deleteBackup($filename)) {
+            $this->addFlash('success', 'update_manager.backup.deleted');
+        } else {
+            $this->addFlash('error', 'update_manager.backup.delete_error');
+        }
+
+        return $this->redirectToRoute('admin_update_manager');
+    }
+
+    /**
+     * Delete an update log file.
+     */
+    #[Route('/log/delete', name: 'admin_update_manager_log_delete', methods: ['POST'])]
+    public function deleteLog(Request $request): Response
+    {
+        $this->denyAccessUnlessGranted('@system.manage_updates');
+
+        if (!$this->isCsrfTokenValid('update_manager_delete', $request->request->get('_token'))) {
+            $this->addFlash('error', 'Invalid CSRF token.');
+            return $this->redirectToRoute('admin_update_manager');
+        }
+
+        $filename = $request->request->get('filename');
+        if ($filename && $this->updateExecutor->deleteLog($filename)) {
+            $this->addFlash('success', 'update_manager.log.deleted');
+        } else {
+            $this->addFlash('error', 'update_manager.log.delete_error');
+        }
+
+        return $this->redirectToRoute('admin_update_manager');
+    }
+
    /**
     * Restore from a backup.
     */
--- a/src/Services/System/UpdateExecutor.php
+++ b/src/Services/System/UpdateExecutor.php
@ -602,6 +602,33 @@ class UpdateExecutor
    }


+    /**
+     * Delete a specific update log file.
+     */
+    public function deleteLog(string $filename): bool
+    {
+        // Validate filename pattern for security
+        if (!preg_match('/^update-[\w.\-]+\.log$/', $filename)) {
+            $this->logger->warning('Attempted to delete invalid log filename: ' . $filename);
+            return false;
+        }
+
+        $logPath = $this->project_dir . '/' . self::UPDATE_LOG_DIR . '/' . $filename;
+
+        if (!file_exists($logPath)) {
+            return false;
+        }
+
+        try {
+            $this->filesystem->remove($logPath);
+            $this->logger->info('Deleted update log: ' . $filename);
+            return true;
+        } catch (\Exception $e) {
+            $this->logger->error('Failed to delete update log: ' . $e->getMessage());
+            return false;
+        }
+    }
+
    /**
     * Restore from a backup file with maintenance mode and cache clearing.
     *