From 64f85839751cfd13b9c2cb356cbaf4f9caeb8ed5 Mon Sep 17 00:00:00 2001
From: Andras Bacsai
Date: Fri, 24 May 2024 09:33:09 +0200
Subject: [PATCH] fix: root team able to download backups
---
 routes/web.php | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/routes/web.php b/routes/web.php
index feb2dd0eb..75ba96e2f 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -254,14 +254,16 @@
 $exeuctionId = request()->route('executionId');
 $execution = ScheduledDatabaseBackupExecution::where('id', $exeuctionId)->firstOrFail();
 $execution_team_id = $execution->scheduledDatabaseBackup->database->team()?->id;
- if (is_null($execution_team_id)) {
- return response()->json(['message' => 'Team not found.'], 404);
- }
- if ($team->id !== $execution_team_id) {
- return response()->json(['message' => 'Permission denied.'], 403);
- }
- if (is_null($execution)) {
- return response()->json(['message' => 'Backup not found.'], 404);
+ if ($team->id !== 0) {
+ if (is_null($execution_team_id)) {
+ return response()->json(['message' => 'Team not found.'], 404);
+ }
+ if ($team->id !== $execution_team_id) {
+ return response()->json(['message' => 'Permission denied.'], 403);
+ }
+ if (is_null($execution)) {
+ return response()->json(['message' => 'Backup not found.'], 404);
+ }
 }
 $filename = data_get($execution, 'filename');
 if ($execution->scheduledDatabaseBackup->database->getMorphClass() === 'App\Models\ServiceDatabase') {
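Review bot: The new `if ($team->id !== 0)` guard skips every ownership check for the root team, so any session whose current team is id 0 can download database backups belonging to any other team, and nothing visible in the hunk checks the caller's role inside that team or records the cross-team access. `$team` is resolved above the hunk, so confirm that membership of team 0 alone is meant to grant this, and consider narrowing the bypass to the one comparison that needs it, `if ($team->id !== 0 && $team->id !== $execution_team_id) {`, which keeps the 'Team not found.' response for backups with no owning team. The literal `0` deserves a comment such as `// Team 0 is the root team; it may download backups of every team.`, and a log entry of user, team and execution id on the bypass path would make these downloads auditable. The `is_null($execution)` branch is unreachable after `firstOrFail()`, and the route closure begins and ends outside the hunk.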