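<?php

declare(strict_types=1);

/**
 * Secure Backup Download API
 *
 * Streams one file from the backups directory (../backups relative to this
 * script) to the caller as an attachment.
 *
 * Only accessible by authenticated administrators: the session must carry a
 * user_id and a role of exactly 'admin'.
 *
 * Query parameters:
 *   filename  Bare file name inside the backups directory. Any directory part
 *             is stripped with basename(), so "../x" and "a/b" both reduce to
 *             their last path segment.
 *
 * Responses (JSON body with an "error" key on failure):
 *   403  caller is not an authenticated administrator
 *   400  filename missing, empty, or not a plain string
 *   404  file missing, not a regular file, or resolving outside the backups directory
 *   200  the file body with download headers
 */

session_start();

// Emits a JSON error response with the given status code and stops the script.
$fail = static function (int $status, string $message): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
};

// Authentication and role-based access control
if (!isset($_SESSION['user_id']) || !isset($_SESSION['role']) || $_SESSION['role'] !== 'admin') {
    $fail(403, 'Forbidden: Only administrators can access this resource.');
}

// Input validation. A query parameter can also arrive as an array
// ("?filename[]=x"), which would make basename() throw a TypeError and turn
// the request into a 500; reject anything that is not a non-empty string.
if (!isset($_GET['filename']) || !is_string($_GET['filename'])) {
    $fail(400, 'Bad Request: Filename is required.');
}

$filename = basename($_GET['filename']); // Prevent directory traversal
if ($filename === '') {
    $fail(400, 'Bad Request: Filename is required.');
}

$backups_dir = realpath(__DIR__ . '/../backups');
if ($backups_dir === false) {
    // The backups directory itself is missing; report it like a missing file.
    $fail(404, 'Not Found: Backup file not found or access denied.');
}

$filepath = $backups_dir . DIRECTORY_SEPARATOR . $filename;

// Security check: the target must be a regular file (so "." and ".." — which
// basename() leaves intact and which name directories — are rejected) and its
// resolved path must sit inside the backups directory. realpath() follows
// symlinks, so a link stored inside the directory cannot point outside it.
// The trailing separator on the prefix stops a sibling directory that merely
// shares the prefix (e.g. "backups-old") from passing the comparison.
$realpath = is_file($filepath) ? realpath($filepath) : false;
$prefix = $backups_dir . DIRECTORY_SEPARATOR;
if ($realpath === false || strncmp($realpath, $prefix, strlen($prefix)) !== 0) {
    $fail(404, 'Not Found: Backup file not found or access denied.');
}

$filesize = filesize($realpath);
if ($filesize === false) {
    $fail(404, 'Not Found: Backup file not found or access denied.');
}

// Quotes, backslashes and control characters would corrupt the
// Content-Disposition header (header() refuses values containing newlines),
// so neutralise them in the attachment name. The file on disk is unaffected.
$attachment_name = preg_replace('/[\x00-\x1f\x7f"\\\\]/', '_', $filename);

// Discard any active output buffers so the file is streamed directly to the
// client instead of being accumulated in memory first.
while (ob_get_level() > 0) {
    ob_end_clean();
}

// Download headers. The Content-Type is fixed to application/sql as in the
// original handler; adjust it if other backup formats are stored.
// The response is an admin-only secret, so forbid caching outright
// (no-store) instead of merely asking caches to revalidate.
header('Content-Description: File Transfer');
header('Content-Type: application/sql');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $attachment_name . '"');
header('Expires: 0');
header('Cache-Control: no-store, must-revalidate');
header('Pragma: no-cache');
header('Content-Length: ' . $filesize);

// Stream the file for download
readfile($realpath);
exit;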