* Add manual backup creation and delete buttons to Update Manager - Add "Create Backup" button in the backups tab for on-demand backups - Add delete buttons (trash icons) for update logs and backups - New controller routes with CSRF protection and permission checks - Use data-turbo-confirm for CSP-safe confirmation dialogs - Add deleteLog() method to UpdateExecutor with filename validation * Add Docker backup support: download button, SQLite restore fix, decouple from auto-update - Decouple backup creation/restore UI from can_auto_update so Docker and other non-git installations can use backup features - Add backup download endpoint for saving backups externally - Fix SQLite restore to use configured DATABASE_URL path instead of hardcoded var/app.db (affects Docker and custom SQLite paths) - Show Docker-specific warning about var/backups/ not being persisted - Pass is_docker flag to template via InstallationTypeDetector * Add tests for backup/update manager improvements - Controller tests: auth, CSRF validation, 404 for missing backups, restore disabled check - UpdateExecutor: deleteLog validation, non-existent file, successful deletion - BackupManager: deleteBackup validation for missing/non-zip files * Fix test failures: add locale prefix to URLs, correct log directory path * Fix auth test: expect 401 instead of redirect for HTTP Basic auth * Improve test coverage for update manager controller Add happy-path tests for backup creation, deletion, download, and log deletion with valid CSRF tokens. Also test the locked state blocking backup creation. 
* Fix CSRF tests: initialize session before getting tokens * Fix CSRF tests: extract tokens from rendered page HTML * Harden backup security: password confirmation, CSRF, env toggle Address security review feedback from jbtronics: - Add IS_AUTHENTICATED_FULLY to all sensitive endpoints (create/delete backup, delete log, download backup, start update, restore) - Change backup download from GET to POST with CSRF token - Require password confirmation before downloading backups (backups contain sensitive data like password hashes and secrets) - Add DISABLE_BACKUP_DOWNLOAD env var (default: disabled) to control whether backup downloads are allowed - Add password confirmation modal with security warning in template - Add comprehensive tests: auth checks, env var blocking, POST-only enforcement, status/progress endpoint auth * Fix download modal: use per-backup modals for CSP/Turbo compatibility - Replace shared modal + inline JS with per-backup modals that have filename pre-set in hidden fields (no JavaScript needed) - Add data-turbo="false" to download forms for native browser handling - Add data-bs-dismiss="modal" to submit button to auto-close modal - Add hidden username field for Chrome accessibility best practice - Fix test: GET on POST-only route returns 404 not 405 * Fixed translation keys * Fixed text justification in download modal * Hardened security of deleteLogEndpoint * Show whether backups, restores and updates are allowed or disabled by the sysadmin on the update manager * Added documentation for update manager related env variables --------- Co-authored-by: Jan Böhmer <mail@jan-boehmer.de>
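#### Part-DB Configuration
# See https://docs.part-db.de/configuration.html for documentation of available options
#
# This file holds the committed defaults and is loaded by Symfony's Dotenv component.
# Do not put real credentials or secrets in here: override values in an untracked
# .env.local file or in the process environment instead.

###################################################################################
# Database settings
###################################################################################

# Format described at https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url
# IMPORTANT: You MUST configure your server version, either here or in config/packages/doctrine.yaml

# Use a file (SQLite) as database. For bigger instances you should use a real database server (like MySQL)
DATABASE_URL="sqlite:///%kernel.project_dir%/var/app.db"

# Uncomment this line (and comment out the line above) to use a MySQL database.
# The example below uses root with an empty password for illustration only; use a dedicated
# database user with a strong password and only the privileges Part-DB needs.
#DATABASE_URL=mysql://root:@127.0.0.1:3306/part-db?serverVersion=5.7

# Set this value to 1, if you want to use SSL to connect to the MySQL server. It will try to use the CA certificate,
# otherwise a CA bundle shipped with PHP will be used.
# Leave it at 0, if you do not want to use SSL or if your server does not support it
DATABASE_MYSQL_USE_SSL_CA=0

# Set this value to 0, if you don't want to verify the CA certificate of the MySQL server.
# Only do this, if you know what you are doing! Without certificate verification the encrypted
# connection no longer proves that you are talking to your own database server.
DATABASE_MYSQL_SSL_VERIFY_CERT=1

# Emulate natural sorting of strings even on databases that do not support it (like SQLite, MySQL or MariaDB < 10.7)
# This can be slow on big databases and might have some problems and quirks, so use it with caution
DATABASE_EMULATE_NATURAL_SORT=0

###################################################################################
# General settings
###################################################################################

# The publicly reachable URL of this Part-DB installation. This is used for generating links in SAML and email templates or when no request context is available.
DEFAULT_URI="https://partdb.changeme.invalid/"

###################################################################################
# Email settings
###################################################################################

# The DSN of the email server that should be used for sending emails (disabled by default)
# See Transport section of https://symfony.com/doc/current/components/mailer.html for available providers and syntax
MAILER_DSN=null://null
# Example SMTP transport. Put a DSN that contains a real password in .env.local, not in this file.
#MAILER_DSN=smtp://user:password@smtp.mailserver.invalid:587

# The email address from which all Part-DB emails should be sent. Change this when you configure email!
EMAIL_SENDER_EMAIL=noreply@partdb.changeme
# The sender name which should be used for all Part-DB emails
EMAIL_SENDER_NAME="Part-DB Mailer"
# Set this to 1 to allow resetting a password via email.
# This only makes sense once MAILER_DSN points to a working mail transport.
ALLOW_EMAIL_PW_RESET=0

###################################################################################
# Error pages settings
###################################################################################

# You can set an email address here, which is shown on an error page, so users know how to contact an administrator
ERROR_PAGE_ADMIN_EMAIL=''
# If this is set to 1, solutions to common problems are shown on error pages. Disable this, if you do not want your users to see them.
ERROR_PAGE_SHOW_HELP=1

###################################################################################
# Update Manager settings
###################################################################################
# All three switches below default to the restrictive setting (1). Only enable what you need.

# Disable web-based updates from the Update Manager UI (0=enabled, 1=disabled).
# When disabled, use the CLI command "php bin/console partdb:update" instead.
DISABLE_WEB_UPDATES=1

# Disable backup restore from the Update Manager UI (0=enabled, 1=disabled).
# Restoring backups is a destructive operation that could overwrite your database.
DISABLE_BACKUP_RESTORE=1

# Disable backup download from the Update Manager UI (0=enabled, 1=disabled).
# Backups contain sensitive data including password hashes and secrets.
# When enabled, users must confirm their password before downloading.
DISABLE_BACKUP_DOWNLOAD=1

###################################################################################
# SAML Single sign-on settings
###################################################################################
# Set this to 1 to enable SAML single sign-on
# Also be sure to set the correct value for DEFAULT_URI
SAML_ENABLED=0

# Set to 1, if your Part-DB installation is behind a reverse proxy and you want to use SAML
SAML_BEHIND_PROXY=0

# A JSON encoded array of role mappings in the form { "saml_role": PARTDB_GROUP_ID, "*": PARTDB_GROUP_ID }
# The first match is used, so the order is important! Put the group mapping with the most privileges first.
# Please note: only use single quotes to enclose the JSON string
SAML_ROLE_MAPPING='{}'
# A mapping could look like the following
#SAML_ROLE_MAPPING='{ "*": 2, "admin": 1, "editor": 3}'

# When this is set to 1, the group of SAML users will be updated every time they log in, based on their SAML roles
SAML_UPDATE_GROUP_ON_LOGIN=1

# The entity ID of your SAML IDP (e.g. the realm name of your Keycloak server)
SAML_IDP_ENTITY_ID="https://idp.changeme.invalid/realms/master"
# The URL of your SAML IDP SingleSignOnService (e.g. the endpoint of your Keycloak server)
SAML_IDP_SINGLE_SIGN_ON_SERVICE="https://idp.changeme.invalid/realms/master/protocol/saml"
# The URL of your SAML IDP SingleLogoutService (e.g. the endpoint of your Keycloak server)
SAML_IDP_SINGLE_LOGOUT_SERVICE="https://idp.changeme.invalid/realms/master/protocol/saml"
# The public certificate of the SAML IDP (e.g. the certificate of your Keycloak server)
SAML_IDP_X509_CERT="MIIC..."

# The entity ID of your SAML SP, must match the SP entityID configured in your SAML IDP (e.g. Keycloak).
# This should be the domain name of your Part-DB installation, followed by "/sp"
SAML_SP_ENTITY_ID="https://partdb.changeme.invalid/sp"

# The public certificate of the SAML SP
SAML_SP_X509_CERT="MIIC..."
# The private key of the SAML SP.
# This is a secret: keep the real key out of version control (use .env.local or the environment).
SAML_SP_PRIVATE_KEY="MIIE..."

######################################################################################
# Other settings
######################################################################################
# In demo mode it is not possible for a user to change their password and their settings.
DEMO_MODE=0

# Set this to 1, if no URL rewriting (like mod_rewrite for Apache) is available.
# In that case all URLs contain the index.php front controller.
NO_URL_REWRITE_AVAILABLE=0

# Set to 1, if Part-DB should redirect all HTTP requests to HTTPS. You don't need to configure this, if your webserver already does this.
REDIRECT_TO_HTTPS=0

# Controls the year 2038 bug check on 32-bit systems (it will cause errors with current 32-bit PHP versions).
# NOTE(review): the previous comment said "set this to zero" to disable the check, but the variable is a
# DISABLE_ flag whose shipped default is 0 — confirm which value actually disables the check before relying on it.
DISABLE_YEAR2038_BUG_CHECK=0

# Set the trusted IPs here, when using a reverse proxy.
# Only list the proxies that really sit in front of Part-DB: every address listed here is allowed to
# set the client IP and scheme via forwarded headers, so an overly broad range lets clients spoof them.
#TRUSTED_PROXIES=127.0.0.0/8,::1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
#TRUSTED_HOSTS='^(localhost|example\.com)$'

###> symfony/lock ###
# Choose one of the stores below
# postgresql+advisory://db_user:db_password@localhost/db_name
LOCK_DSN=flock
###< symfony/lock ###

###> nelmio/cors-bundle ###
CORS_ALLOW_ORIGIN='^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'
###< nelmio/cors-bundle ###

###> symfony/framework-bundle ###
APP_ENV=prod
# APP_SECRET is the framework's signing secret (used e.g. for remember-me cookies and signed URLs).
# The value below is the committed default and therefore public: replace it with a fresh random
# value in .env.local or the environment before exposing this installation.
APP_SECRET=a03498528f5a5fc089273ec9ae5b2849
APP_SHARE_DIR=var/share
###< symfony/framework-bundle ###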