This is somewhat in the gray zone between bug and feature request, but from a security perspective the current behaviour is a bug or undesired behaviour (or lack of desired behaviour, if you like).

The current behaviour is that the Download _method_ is available to all roles, even those who do not have the "Download backups" permission, as that one for the moment has a limited scope: it prevents access to the download history page with its links, and hides the links that are otherwise shown right after making a backup to an online folder.

Security logic:
When giving roles access to ONLY make backups, and NOT to be able to access the download file links, then the Download method should also NOT be available to those users, forcing them to make backups only to the server, without any possibility to get hold of the data.

Ideally, for some extra flexibility, this could be a configurable setting so that it is possible to override the default and still give access to the Download method, if needed. I think that for this reason, instead of changing the code to relate it directly to the role permissions, it should be possible to select which Download methods are available to which roles on a dedicated settings page.

Comments

Leeteq’s picture

Category: Bug report » Feature request
Priority: Normal » Major
couturier’s picture

Version: 7.x-2.x-dev » 8.x-4.x-dev
Priority: Major » Minor

Someone else requested this feature, but you have explained it much more thoroughly here, so I am going to change the version to 8.x-4.x dev and see what the new maintainer thinks. My feeling is that this is not something that many developers would need, especially as Drupal 8 is moving toward servicing more complex sites with advanced maintainers at the helm of the sites. Also, our resources on development for the D8 port are very limited, but we will see what happens with this. Please respond if you are still interested in this feature.

Alex Andrascu’s picture

Priority: Minor » Major

This is quite big as it renders the Access backup files permission rather useless.

couturier’s picture

I just ran across another similar request where @ronan responded basically that tailoring functions to roles isn't something he planned to do. Here is what he said:

. . . I'm sorry the current permissions don't suit your need but given how destructive this module can be there isn't a whole lot of point in making the permissions too fine-grained so I don't plan on expanding them to any major degree. Basically, my philosophy here is that if you can't trust your users completely (both their integrity and their competence) then they shouldn't have any access to B&M whatsoever. . . .

Alex Andrascu’s picture

The current 8.x version of the module has a couple of permissions but mainly Perform a backup and 'Access backup files' that should do just that when enabled.

So here's a use case:

I have one user with only the Perform a backup permission enabled.

Still I'm presented with the option to Download even though I don't have the 'Access backup files' permission.

This surely can't be quite right, is it? Plus the patch is on the way :)

couturier’s picture

@Alex Andrascu, exactly. It doesn't make sense to configure it that way.

  • Alex Andrascu committed ef4ba24 on 8.x-4.x
    Issue #2135827 by Alex Andrascu: The Download method should be related...
Alex Andrascu’s picture

Ok this should now be fixed in the next release

Alex Andrascu’s picture

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

eigentor’s picture

Hm. Something is seriously messed up with the permissions.
Module version: 8.x-4.0-beta3
Today I tried to configure the permissions, I wanted to give a user the permission to download the database. None of the permissions made that possible.
Even "Administer Backup and Migrate" does not allow downloading the database.
Is that dependent on something else? Maybe to do with the private files path?
"Access backup files" also does not give access to the saved backup files. The only way that is possible is if I give someone the permission to Administer Backup and Migrate.
But then he can restore backups, which I find very dangerous as it can destroy data.

bartmcpherson’s picture

Agreed. The 'access backup files' permission does not allow a user with the permission to see the Saved Backups.
routing.yml can be updated to allow access to the tab and download a backup.
(\Drupal\backup_migrate\Controller\BackupController::listAll)
(\Drupal\backup_migrate\Controller\BackupController::download)

However once in there the operations dropdown lists restore/download/delete.
If the user does not have restore permission, it will fail on the next page. I contend that they should not see the option to even try doing a restore.
Not sure if this issue should be reopened or another one created.
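The routing.yml change described above, written out as an added illustration (not the module's own routing file or the patch from this issue): the route names, paths and permission machine names are assumptions; only the two controller methods are taken from the comment. The point is that the `_permission` requirement on the route is what actually enforces access, independent of which links or tabs the UI happens to show.

```yaml
# Hypothetical routing.yml fragment (example, not the project's own file).
# Route names, paths and permission machine names are assumed.

# Listing saved backups: require the "access backup files" permission so that
# a role with only "perform backup" cannot reach the tab at all.
backup_migrate.backups:
  path: '/admin/config/development/backup_migrate/backups'
  defaults:
    _controller: '\Drupal\backup_migrate\Controller\BackupController::listAll'
    _title: 'Saved Backups'
  requirements:
    _permission: 'access backup files'

# Downloading a backup file: same permission as listing, checked on the route
# itself, so a hand-typed URL is denied even if no link was ever rendered.
backup_migrate.backup_download:
  path: '/admin/config/development/backup_migrate/backups/{backup_id}/download'
  defaults:
    _controller: '\Drupal\backup_migrate\Controller\BackupController::download'
  requirements:
    _permission: 'access backup files'

# Restoring is destructive, so it gets a separate, stricter permission
# (name assumed). A user who can list and download but lacks this permission
# is denied at the route, not just on "the next page" after clicking.
backup_migrate.backup_restore:
  path: '/admin/config/development/backup_migrate/backups/{backup_id}/restore'
  defaults:
    _controller: '\Drupal\backup_migrate\Controller\BackupController::restore'
  requirements:
    _permission: 'restore from backup'
```

Separating the restore permission at the route level also gives the operations dropdown a clean condition to test when deciding whether to render the restore link, which addresses the "should not see the option" point above.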

couturier’s picture

I think this is more of a security feature request than a bug. With development resources for this module extremely limited right now, this is probably a topic to go on the back burner. If you feel strongly that it needs to be changed going forward, I would recommend opening a new issue.