mirror of
https://github.com/Part-DB/Part-DB-server.git
synced 2026-03-08 00:09:37 +00:00
0d58262e19
* Add manual backup creation and delete buttons to Update Manager - Add "Create Backup" button in the backups tab for on-demand backups - Add delete buttons (trash icons) for update logs and backups - New controller routes with CSRF protection and permission checks - Use data-turbo-confirm for CSP-safe confirmation dialogs - Add deleteLog() method to UpdateExecutor with filename validation * Add Docker backup support: download button, SQLite restore fix, decouple from auto-update - Decouple backup creation/restore UI from can_auto_update so Docker and other non-git installations can use backup features - Add backup download endpoint for saving backups externally - Fix SQLite restore to use configured DATABASE_URL path instead of hardcoded var/app.db (affects Docker and custom SQLite paths) - Show Docker-specific warning about var/backups/ not being persisted - Pass is_docker flag to template via InstallationTypeDetector * Add tests for backup/update manager improvements - Controller tests: auth, CSRF validation, 404 for missing backups, restore disabled check - UpdateExecutor: deleteLog validation, non-existent file, successful deletion - BackupManager: deleteBackup validation for missing/non-zip files * Fix test failures: add locale prefix to URLs, correct log directory path * Fix auth test: expect 401 instead of redirect for HTTP Basic auth * Improve test coverage for update manager controller Add happy-path tests for backup creation, deletion, download, and log deletion with valid CSRF tokens. Also test the locked state blocking backup creation. * Fix CSRF tests: initialize session before getting tokens * Fix CSRF tests: extract tokens from rendered page HTML * Harden backup security: password confirmation, CSRF, env toggle Address security review feedback from jbtronics: - Add IS_AUTHENTICATED_FULLY to all sensitive endpoints (create/delete backup, delete log, download backup, start update, restore) - Change backup download from GET to POST with CSRF token - Require password confirmation before downloading backups (backups contain sensitive data like password hashes and secrets) - Add DISABLE_BACKUP_DOWNLOAD env var (default: disabled) to control whether backup downloads are allowed - Add password confirmation modal with security warning in template - Add comprehensive tests: auth checks, env var blocking, POST-only enforcement, status/progress endpoint auth * Fix download modal: use per-backup modals for CSP/Turbo compatibility - Replace shared modal + inline JS with per-backup modals that have filename pre-set in hidden fields (no JavaScript needed) - Add data-turbo="false" to download forms for native browser handling - Add data-bs-dismiss="modal" to submit button to auto-close modal - Add hidden username field for Chrome accessibility best practice - Fix test: GET on POST-only route returns 404 not 405 * Fixed translation keys * Fixed text justification in download modal * Hardenened security of deleteLogEndpoint * Show whether backup, restores and updates are allowed or disabled by sysadmin on update manager * Added documentation for update manager related env variables --------- Co-authored-by: Jan Böhmer <mail@jan-boehmer.de> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| frontend.cs.xlf | ||
| frontend.da.xlf | ||
| frontend.de.xlf | ||
| frontend.el.xlf | ||
| frontend.en.xlf | ||
| frontend.es.xlf | ||
| frontend.fr.xlf | ||
| frontend.hu.xlf | ||
| frontend.it.xlf | ||
| frontend.ja.xlf | ||
| frontend.nl.xlf | ||
| frontend.pl.xlf | ||
| frontend.ru.xlf | ||
| frontend.uk.xlf | ||
| frontend.zh.xlf | ||
| messages.cs.xlf | ||
| messages.da.xlf | ||
| messages.de.xlf | ||
| messages.el.xlf | ||
| messages.en.xlf | ||
| messages.es.xlf | ||
| messages.fr.xlf | ||
| messages.hu.xlf | ||
| messages.it.xlf | ||
| messages.ja.xlf | ||
| messages.nl.xlf | ||
| messages.pl.xlf | ||
| messages.ru.xlf | ||
| messages.zh.xlf | ||
| SchebTwoFactorBundle+intl-icu.de.xlf | ||
| SchebTwoFactorBundle+intl-icu.en.xlf | ||
| SchebTwoFactorBundle.de.xlf | ||
| SchebTwoFactorBundle.en.xlf | ||
| security.cs.xlf | ||
| security.da.xlf | ||
| security.de.xlf | ||
| security.el.xlf | ||
| security.en.xlf | ||
| security.es.xlf | ||
| security.fr.xlf | ||
| security.hr.xlf | ||
| security.hu.xlf | ||
| security.it.xlf | ||
| security.ja.xlf | ||
| security.nl.xlf | ||
| security.pl.xlf | ||
| security.ru.xlf | ||
| security.uk.xlf | ||
| security.vi.xlf | ||
| security.zh.xlf | ||
| validators.cs.xlf | ||
| validators.da.xlf | ||
| validators.de.xlf | ||
| validators.el.xlf | ||
| validators.en.xlf | ||
| validators.fr.xlf | ||
| validators.hr.xlf | ||
| validators.hu.xlf | ||
| validators.it.xlf | ||
| validators.ja.xlf | ||
| validators.nl.xlf | ||
| validators.pl.xlf | ||
| validators.ru.xlf | ||
| validators.uk.xlf | ||
| validators.zh.xlf | ||