This is somewhat in the gray zone between bug and feature request, but from a security perspective the current behaviour is a bug or undesired behaviour (or lack of desired behaviour, if you like).
The current behaviour is that the Download _method_ is available to all roles, even those who do not have the "Download backups" permission, as that one for the moment has a limited scope: it prevents access to the download history page with its links, and hides the links that are otherwise shown right after making a backup to an online folder.
Security logic:
When giving roles access to ONLY make backups, and NOT to be able to access the download file links, then the Download method should also NOT be available to those users, forcing them to make backups only to the server, without any possibility of getting hold of the data.
Ideally, for some extra flexibility, this could be a configurable setting so that it is possible to override the default and still give access to the Download method, if needed. I think that for this reason, instead of changing the code to relate it directly to the role permissions, it should be possible to select which Download methods are available to which roles on a dedicated settings page.
Comments

Comment #1
Leeteq commented

Comment #2
couturier commented
Someone else requested this feature, but you have explained it much more thoroughly here, so I am going to change the version to 8.x-4.x-dev and see what the new maintainer thinks. My feeling is that this is not something that many developers would need, especially as Drupal 8 is moving toward servicing more complex sites with advanced maintainers at the helm of the sites. Also, our resources on development for the D8 port are very limited, but we will see what happens with this. Please respond if you are still interested in this feature.
Comment #3
Alex Andrascu (Intellix) commented
This is quite big as it renders the "Access backup files" permission rather useless.

Comment #4
couturier commented
I just ran across another similar request where @ronan responded basically that tailoring functions to roles isn't something he planned to do. Here is what he said:
Comment #5
Alex Andrascu (Intellix) commented
The current 8.x version of the module has a couple of permissions, but mainly "Perform a backup" and "Access backup files", which should do just that when enabled. So here's a use case:
I have one user with only the "Perform a backup" permission enabled. Still, I'm presented with the option to Download even though I don't have the "Access backup files" permission. This surely can't be quite right, is it? Plus the patch is on the way :)
Comment #6
couturier commented
@Alex Andrascu, exactly. It doesn't make sense to configure it that way.
Comment #8
Alex Andrascu (Intellix) commented
Ok, this should now be fixed in the next release.
Comment #9
Alex Andrascu (Intellix) commented

Comment #11
eigentor commented
Hm. Something is seriously messed up with the permissions.
Module version: 8.x-4.0-beta3
Today I tried to configure the permissions, I wanted to give a user the permission to download the database. None of the permissions made that possible.
Even "Administer Backup and Migrate" does not allow to download the database.
Is that dependent on something else? Maybe to do with the private files path?
"Access backup files" also does not give access to the saved backup files. The only way that is possible is if I give someone the permission to Administer Backup and Migrate.
But then he can restore backups, which I find very dangerous as it can destroy data.
Comment #12
bartmcpherson commented
Agreed. The 'access backup files' permission does not allow a user with the permission to see the Saved Backups.
routing.yml can be updated to allow access to the tab and download a backup.
(\Drupal\backup_migrate\Controller\BackupController::listAll)
(\Drupal\backup_migrate\Controller\BackupController::download)
However once in there the operations dropdown lists restore/download/delete.
If the user does not have restore permission, it will fail on the next page. I contend that they should not see the option to even try doing a restore.
Not sure if this issue should be reopened or another one created.
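The two fixes proposed in the comment above (a permission requirement on the listing and download routes, and an operations dropdown that does not offer restore or delete to users who lack those permissions) can be combined so that the dropdown follows the route requirements automatically. The following is an added example written for this discussion, not code from the Backup and Migrate module: the namespace, route names, paths, the permission machine names ('access backup files', 'restore from backup', 'delete backup files') and the sample backup list are all assumptions, so check them against the module's own routing.yml and permissions.yml before reusing any of it.

```php
<?php

namespace Drupal\backup_migrate_example\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;

/**
 * Saved-backups listing whose operations dropdown follows route access.
 *
 * Assumed routing.yml for this example (not the module's real routes). The
 * `requirements` block on each route is the actual access control; the
 * dropdown filtering below only stops users from being shown an operation
 * that would fail on the next page anyway.
 *
 *   backup_migrate_example.backups:
 *     path: '/admin/config/development/backup_migrate/backups'
 *     defaults:
 *       _controller: '\Drupal\backup_migrate_example\Controller\BackupListController::listAll'
 *       _title: 'Saved Backups'
 *     requirements:
 *       _permission: 'access backup files'
 *   backup_migrate_example.download:
 *     path: '/admin/config/development/backup_migrate/backups/{backup_id}/download'
 *     requirements:
 *       _permission: 'access backup files'
 *   backup_migrate_example.restore:
 *     path: '/admin/config/development/backup_migrate/backups/{backup_id}/restore'
 *     requirements:
 *       _permission: 'restore from backup'
 *   backup_migrate_example.delete:
 *     path: '/admin/config/development/backup_migrate/backups/{backup_id}/delete'
 *     requirements:
 *       _permission: 'delete backup files'
 */
class BackupListController extends ControllerBase {

  /**
   * Constructed sample data standing in for the module's destination storage.
   */
  protected function loadBackups(): array {
    return [
      'site-2019-01-01.mysql.gz' => ['size' => '12.4 MB', 'created' => '2019-01-01 03:00'],
      'site-2019-01-02.mysql.gz' => ['size' => '12.6 MB', 'created' => '2019-01-02 03:00'],
    ];
  }

  /**
   * Page callback: a table of backups with a per-row operations dropdown.
   */
  public function listAll(): array {
    $account = $this->currentUser();
    $rows = [];
    foreach ($this->loadBackups() as $id => $info) {
      $rows[] = [
        $id,
        $info['size'],
        $info['created'],
        ['data' => ['#type' => 'operations', '#links' => $this->operations($id, $account)]],
      ];
    }
    return [
      '#type' => 'table',
      '#header' => [$this->t('File'), $this->t('Size'), $this->t('Created'), $this->t('Operations')],
      '#rows' => $rows,
      '#empty' => $this->t('No saved backups.'),
    ];
  }

  /**
   * Builds the operations links, keeping only those whose target route the
   * account may access. Url::access() evaluates the target route's
   * requirements (the _permission lines above), so tightening a permission
   * in routing.yml hides the matching operation without touching this code.
   */
  public function operations(string $id, AccountInterface $account): array {
    $candidates = [
      'download' => ['title' => $this->t('Download'), 'route' => 'backup_migrate_example.download'],
      'restore' => ['title' => $this->t('Restore'), 'route' => 'backup_migrate_example.restore'],
      'delete' => ['title' => $this->t('Delete'), 'route' => 'backup_migrate_example.delete'],
    ];
    $links = [];
    foreach ($candidates as $key => $candidate) {
      $url = Url::fromRoute($candidate['route'], ['backup_id' => $id]);
      if ($url->access($account)) {
        $links[$key] = ['title' => $candidate['title'], 'url' => $url];
      }
    }
    return $links;
  }

}
```

A user holding only 'access backup files' then sees the Saved Backups tab with a Download operation and nothing else, while a direct request to the restore or delete path is still refused by the route requirement even if the link is guessed. Hiding the link is a usability measure; the `_permission` requirement on the route is the control.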
Comment #13
couturier commented
I think this is more of a security feature request than a bug. With development resources for this module extremely limited right now, this is probably a topic to go on the back burner. If you feel strongly that it needs to be changed going forward, I would recommend opening a new issue.