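<?php
/**
 * Secure Backup Download API
 *
 * Streams one file from the backups directory to an authenticated
 * administrator. Every failure path answers with a JSON error body and exits;
 * the success path answers with the file itself as an attachment.
 *
 * Responses:
 *   403 - session has no user or its role is not exactly 'admin'
 *   400 - `filename` query parameter missing, not a string, or empty
 *   404 - name does not resolve to a regular file inside the backups directory
 *   500 - file size could not be determined
 */
declare(strict_types=1);

session_start();

/**
 * Send a JSON error response with the given HTTP status and terminate.
 *
 * @param int    $status  HTTP status code to send
 * @param string $message Text placed under the "error" key of the JSON body
 */
$fail = static function (int $status, string $message): void {
    http_response_code($status);
    // The body is JSON, so label it; without this the client sees text/html.
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
};

// Authentication and role-based access control: strict comparison so only
// the literal string 'admin' passes.
if (!isset($_SESSION['user_id']) || !isset($_SESSION['role']) || $_SESSION['role'] !== 'admin') {
    $fail(403, 'Forbidden: Only administrators can access this resource.');
}

// Input validation. A non-string value (e.g. `?filename[]=x`) would make
// basename() throw a TypeError, so reject it before touching it.
if (!isset($_GET['filename']) || !is_string($_GET['filename'])) {
    $fail(400, 'Bad Request: Filename is required.');
}
$filename = basename($_GET['filename']); // Strip any directory component
if ($filename === '') {
    $fail(400, 'Bad Request: Filename is required.');
}

$backupsDir = realpath(__DIR__ . '/../backups');
if ($backupsDir === false) {
    $fail(404, 'Not Found: Backup file not found or access denied.');
}
// realpath() follows symlinks, so a link inside backups/ that points elsewhere
// resolves to its real target and is then rejected by the prefix check below.
$resolved = realpath($backupsDir . '/' . $filename);

// Security check: the resolved path must be a regular file (not a directory
// such as "." or "..") located under the backups directory. The prefix
// includes a trailing separator so a sibling directory that merely shares the
// name prefix (e.g. "backups-old") does not pass.
$prefix = $backupsDir . DIRECTORY_SEPARATOR;
if (
    $resolved === false
    || !is_file($resolved)
    || strncmp($resolved, $prefix, strlen($prefix)) !== 0
) {
    $fail(404, 'Not Found: Backup file not found or access denied.');
}

$size = filesize($resolved);
if ($size === false) {
    $fail(500, 'Internal Server Error: Unable to read backup file.');
}

// Response headers. The filename goes into a quoted-string, so escape the
// characters that would terminate it; the filename* form (RFC 5987) carries
// the UTF-8 original for non-ASCII names.
header('Content-Description: File Transfer');
header('Content-Type: application/sql');
header('X-Content-Type-Options: nosniff');
header(sprintf(
    'Content-Disposition: attachment; filename="%s"; filename*=UTF-8\'\'%s',
    addcslashes($filename, '"\\'),
    rawurlencode($filename)
));
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . $size);

// Stream the resolved path (symlinks already followed), not the user-derived one.
readfile($resolved);
exit;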