nitsan-technologies
diff --git a/‎Classes/Controller/BackupBaseController.php
Lines changed: 173 additions & 96 deletions b/‎Classes/Controller/BackupBaseController.php
Lines changed: 173 additions & 96 deletions
diff --git a/‎Classes/Controller/BackupglobalController.php
Lines changed: 33 additions & 13 deletions b/‎Classes/Controller/BackupglobalController.php
Lines changed: 33 additions & 13 deletions
diff --git a/‎Classes/Controller/BackupsController.php
Lines changed: 50 additions & 4 deletions b/‎Classes/Controller/BackupsController.php
Lines changed: 50 additions & 4 deletions
diff --git a/‎Classes/Domain/Model/Backupglobal.php
Lines changed: 28 additions & 0 deletions b/‎Classes/Domain/Model/Backupglobal.php
Lines changed: 28 additions & 0 deletions
diff --git a/‎Configuration/Backend/Modules.php
Lines changed: 2 additions & 2 deletions b/‎Configuration/Backend/Modules.php
Lines changed: 2 additions & 2 deletions
diff --git a/‎Configuration/TCA/tx_nsbackup_domain_model_backupglobal.php
Lines changed: 9 additions & 0 deletions b/‎Configuration/TCA/tx_nsbackup_domain_model_backupglobal.php
Lines changed: 9 additions & 0 deletions
diff --git a/‎Resources/Private/Language/locallang.xlf
Lines changed: 24 additions & 0 deletions b/‎Resources/Private/Language/locallang.xlf
Lines changed: 24 additions & 0 deletions
diff --git a/‎Resources/Private/Language/locallang_db.xlf
Lines changed: 3 additions & 0 deletions b/‎Resources/Private/Language/locallang_db.xlf
Lines changed: 3 additions & 0 deletions
diff --git a/‎Resources/Private/Layouts/Default.html
Lines changed: 43 additions & 1 deletion b/‎Resources/Private/Layouts/Default.html
Lines changed: 43 additions & 1 deletion
@@ -12,7 +12,8 @@
 use TYPO3\CMS\Backend\Template\ModuleTemplateFactory;
 use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
 use NITSAN\NsBackup\Domain\Repository\BackupglobalRepository;
-use TYPO3\CMS\Extbase\Utility\LocalizationUtility as transalte;
+use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Extbase\Utility\LocalizationUtility;
 use TYPO3\CMS\Extbase\Persistence\Exception\UnknownObjectException;
 use TYPO3\CMS\Extbase\Persistence\Exception\IllegalObjectTypeException;
 
@@ -66,24 +67,20 @@ public function initializeView(): void
      */
     public function globalsettingAction(): ResponseInterface
     {
-        if(!empty($this->errorValidation)) {
-            $header = transalte::translate('global.errorvalidation', 'ns_backup');
-            $message = transalte::translate('global.errorvalidation.message', 'ns_backup');
-            $this->addFlashMessage($message, $header, ContextualFeedbackSeverity::ERROR);
-        }
-
         $pageRenderer = GeneralUtility::makeInstance(className: PageRenderer::class);
         $pageRenderer->loadJavaScriptModule('@nitsan/ns-backup/jquery.js');
         $pageRenderer->loadJavaScriptModule('@nitsan/ns-backup/Main.js');
         $view = $this->initializeModuleTemplate($this->request);
         $globalSettingsData = $this->backupglobalRepository->findAll();
+        $varPath = Environment::getVarPath();
         $view->assignMultiple([
             'cleanup' => constant('cleanup'),
             'backupglobal' => $globalSettingsData[0],
             'compress' => constant('compress'),
             'action' => 'globalsetting',
             'errorValidation' => $this->errorValidation,
-            'modalAttr' => 'data-bs-'
+            'modalAttr' => 'data-bs-',
+            'varPath' => $varPath
         ]);
         return $view->renderResponse('Backupglobal/Globalsetting');
     }
@@ -100,13 +97,24 @@ public function createAction(Backupglobal $backupglobal): ResponseInterface
         $emails = GeneralUtility::trimExplode(',', $backupglobal->getEmails());
         foreach ($emails as $email) {
             if(!GeneralUtility::validEmail($email)) {
-                $msg = transalte::translate('email.not.valid', 'ns_backup');
+                $msg = LocalizationUtility::translate('email.not.valid', 'ns_backup');
                 $this->addFlashMessage('', $msg);
                 return $this->redirect('globalsetting', ContextualFeedbackSeverity::ERROR);
             }
         }
-
-        $msg = transalte::translate('globalsettings.create', 'ns_backup');
+        if (!is_dir($backupglobal->getBackupStorePath())) {
+            $msg = LocalizationUtility::translate('storePath.not.valid', 'ns_backup');
+            $this->addFlashMessage('', $msg, ContextualFeedbackSeverity::ERROR);
+            return $this->redirect('globalsetting');
+        }
+        $phpPath = trim($backupglobal->getPhp());
+        $backupglobal->setPhp($phpPath);
+        if (!is_executable($backupglobal->getPhp())) {
+            $msg = LocalizationUtility::translate('phpPath.not.valid', 'ns_backup');
+            $this->addFlashMessage('', $msg, ContextualFeedbackSeverity::ERROR);
+            return $this->redirect('globalsetting');
+        }
+        $msg = LocalizationUtility::translate('globalsettings.create', 'ns_backup');
         $this->addFlashMessage('', $msg);
         $this->backupglobalRepository->add($backupglobal);
 
@@ -126,12 +134,24 @@ public function updateAction(Backupglobal $backupglobal): ResponseInterface
         $emails = GeneralUtility::trimExplode(',', $backupglobal->getEmails());
         foreach ($emails as $email) {
             if(!GeneralUtility::validEmail($email)) {
-                $msg = transalte::translate('email.not.valid', 'ns_backup');
+                $msg = LocalizationUtility::translate('email.not.valid', 'ns_backup');
                 $this->addFlashMessage('', $msg);
                 return $this->redirect('globalsetting', ContextualFeedbackSeverity::ERROR);
             }
         }
-        $msg = transalte::translate('globalsettings.update', 'ns_backup');
+        if (!is_dir($backupglobal->getBackupStorePath())) {
+            $msg = LocalizationUtility::translate('storePath.not.valid', 'ns_backup');
+            $this->addFlashMessage('', $msg, ContextualFeedbackSeverity::ERROR);
+            return $this->redirect('globalsetting');
+        }
+        $phpPath = trim($backupglobal->getPhp());
+        $backupglobal->setPhp($phpPath);
+        if (!is_executable($backupglobal->getPhp())) {
+            $msg = LocalizationUtility::translate('phpPath.not.valid', 'ns_backup');
+            $this->addFlashMessage('', $msg, ContextualFeedbackSeverity::ERROR);
+            return $this->redirect('globalsetting');
+        }
+        $msg = LocalizationUtility::translate('globalsettings.update', 'ns_backup');
         $this->addFlashMessage('', $msg);
         $this->backupglobalRepository->update($backupglobal);
 
 
@@ -109,6 +109,11 @@ public function backuprestoreAction(): ResponseInterface
         $pageRenderer->loadJavaScriptModule('@nitsan/ns-backup/Main.js');
 
         $globalSettingsData = $this->backupglobalRepository->findAll();
+        // Get Local Storage Path
+        if ($globalSettingsData[0]) {
+            $globalBackupStorePath = $globalSettingsData[0]->getBackupStorePath();
+            $isPublicPath = $this->isPathPublic($globalBackupStorePath);
+        }
         $arrMultipleVars = [
             'cleanup' => constant('cleanup'),
             'backuptype' => constant('backuptype'),
@@ -119,6 +124,19 @@ public function backuprestoreAction(): ResponseInterface
         ];
 
         $arrPost = $this->request->getArguments();
+        $backupName = trim($arrPost['backuprestore']['backupName'] ?? '');
+        if (preg_match('/[^0-9A-Za-z _-]/', $backupName)) {
+            $sanitizedName = htmlspecialchars($backupName, ENT_QUOTES, 'UTF-8');
+
+            $this->addFlashMessage(
+                "Invalid backup name: '{$sanitizedName}'. " . transalte::translate('manualbackup.error.description', 'ns_backup'),
+                transalte::translate('manualbackup.error', 'ns_backup'),
+                ContextualFeedbackSeverity::ERROR
+            );
+
+            return $this->redirect('backuprestore');
+        }
+
         // "RUN" Backup from "Manual Backup Module"
         $arrPost = $arrPost['backuprestore'] ?? '';
 
@@ -137,7 +155,7 @@ public function backuprestoreAction(): ResponseInterface
                 $mesHeader = transalte::translate('manualbackup.success', 'ns_backup');
                 $backup_file = transalte::translate('backup.downloaded', 'ns_backup').' '.$arrResponse['backup_file'];
                 $this->addFlashMessage($backup_file, $mesHeader);
-                
+
                 $response = (array) json_decode($arrResponse['log']);
                 if (isset($response['errorCount']) && $response['errorCount'] > 0) {
                     $globalSettingsData = $this->backupglobalRepository->findAll();
@@ -160,7 +178,10 @@ public function backuprestoreAction(): ResponseInterface
                 // Pass to Fluid
                 $arrMultipleVars['isManualBackup'] = '1';
                 $arrMultipleVars['log'] = '<pre class="pre-scrollable"><code class="json">'. json_encode(json_decode($arrResponse['log']), JSON_PRETTY_PRINT) .'</code></pre>';
-                $arrMultipleVars['download_url'] = $arrResponse['download_url'];
+                $arrMultipleVars['download_url'] = '';
+                if ($isPublicPath) {
+                    $arrMultipleVars['download_url'] = $arrResponse['download_url'];
+                }
             }
         }
 
@@ -194,6 +215,15 @@ public function deletebackupbackupAction(): ResponseInterface
         $request = $this->request->getQueryParams();
         $uid = $request['uid'];
 
+        $globalSettingsData = $this->backupglobalRepository->findAll();
+        $globalSettingsData = !empty($globalSettingsData[0]) ? $globalSettingsData[0] : null;
+
+        if (!$globalSettingsData) {
+            $headerMsg = transalte::translate('something.wrong.here', 'ns_backup');
+            $this->addFlashMessage($headerMsg, '', ContextualFeedbackSeverity::ERROR, true);
+            die;
+        }
+
         $arrBackup = $this->backupglobalRepository->findBackupByUid($uid);
         // Let's delete it
         $this->backupglobalRepository->removeBackupData($uid);
@@ -203,11 +233,13 @@ public function deletebackupbackupAction(): ResponseInterface
             unlink($arrBackup['filenames']);
         }
 
-        $rootPath = $this->globalSettingsData[0]->root ?? (Environment::getProjectPath() ?? '');
+        $rootPath = $globalSettingsData->root ?? (Environment::getProjectPath() ?? '');
         if(Environment::isComposerMode()) {
             $rootPath = Environment::getPublicPath();
         }
-        $jsonFolder = $rootPath.'/uploads/tx_nsbackup/json/';
+
+        $rootPath = $globalSettingsData->backupStorePath ?? ($rootPath . '/uploads');
+        $jsonFolder = $rootPath.'/tx_nsbackup/json/';
         if(file_exists($jsonFolder.$arrBackup['jsonfile'])) {
             unlink($jsonFolder.$arrBackup['jsonfile']);
         }
@@ -231,4 +263,18 @@ protected function initializeModuleTemplate(
     ): ModuleTemplate {
         return $this->moduleTemplateFactory->create($request);
     }
+
+    /**
+     * @param string $path
+     * @return boolean
+     */
+    public function isPathPublic(string $path): bool
+    {
+        if (!Environment::isComposerMode()) {
+            $valuesToCheck = ['typo3', 'typo3conf', 'vendor', 'typo3temp', 'bin'];
+            $parts = array_filter(explode('/', rtrim($path, '/')));
+            return empty(array_intersect($parts, $valuesToCheck));
+        }
+        return str_contains(rtrim($path, '/'), Environment::getPublicPath());
+    }
 }
@@ -27,6 +27,13 @@ class Backupglobal extends AbstractEntity
      */
     public string $emails = '';
 
+    /**
+     * backupStorePath
+     *
+     * @var string
+     */
+    public string $backupStorePath = '';
+
     /**
      * emailFrom
      *
@@ -301,4 +308,25 @@ public function setCleanup(string $cleanup): void
     {
         $this->cleanup = $cleanup;
     }
+
+    /**
+     * Returns the backupStorePath
+     *
+     * @return string backupStorePath
+     */
+    public function getBackupStorePath(): string
+    {
+        return $this->backupStorePath;
+    }
+
+    /**
+     * Sets the backupStorePath
+     *
+     * @param string $backupStorePath
+     * @return void
+     */
+    public function setBackupStorePath(string $backupStorePath): void
+    {
+        $this->backupStorePath = $backupStorePath;
+    }
 }
@@ -7,8 +7,8 @@
     'nitsan_nsbackup' => [
         'parent' => 'tools',
         'position' => ['before' => 'top'],
-        'access' => 'user',
-        'path' => '/module/nitsan/NsBackupBackup    ',
+        'access' => 'admin',
+        'path' => '/module/nitsan/NsBackupBackup',
         'icon' => 'EXT:ns_backup/Resources/Public/Icons/module-nsbackup.svg',
         'labels' => 'LLL:EXT:ns_backup/Resources/Private/Language/locallang_backup.xlf',
         'extensionName' => 'NsBackup',
 
@@ -176,5 +176,14 @@
                 'eval' => 'trim'
             ],
         ],
+        'backup_store_path' => [
+            'exclude' => true,
+            'label' => 'LLL:EXT:ns_backup/Resources/Private/Language/locallang_db.xlf:tx_nsbackup_domain_model_backupglobal.backup_store_path',
+            'config' => [
+                'type' => 'input',
+                'size' => 30,
+                'eval' => 'trim'
+            ],
+        ],
     ],
 ];
@@ -193,6 +193,12 @@
 			<trans-unit id="globalsettings.form.cleanup_quantity.desc">
 				<source>Enter at how many backups clean or remove backups at your web-server and remote servers/cloud too, Min:1 And Max:500 allow</source>
 			</trans-unit>
+			<trans-unit id="globalsettings.form.backup_store_path">
+				<source>Backup Store Path</source>
+			</trans-unit>
+			<trans-unit id="globalsettings.form.backup_store_path.desc">
+				<source>Please enter a path to store the backup (e.g., /var/www/html/public/, /var/www/html/). We recommend using a protected path to restrict external access.</source>
+			</trans-unit>
 			<trans-unit id="globalsettings.form.servercleanup">
 				<source>Server Cleanups?</source>
 			</trans-unit>
@@ -445,9 +451,27 @@
 			<trans-unit id="email.not.valid">
 				<source>Email format is not valid</source>
 			</trans-unit>
+			<trans-unit id="phpPath.not.valid">
+				<source>PHP path is not executable</source>
+			</trans-unit>
+			<trans-unit id="storePath.not.valid">
+				<source>The backup storage does not exist.</source>
+			</trans-unit>
             <trans-unit id="something.wrong.here">
                 <source>Something is wrong here. Please check you Global Settings</source>
             </trans-unit>
+			<trans-unit id="servercloud.content.downloadBackupError">
+				<source>This backup contains the private path. Due to security purposes, it is not able to download.  You can download it manually from your server.</source>
+			</trans-unit>
+			<trans-unit id="servercloud.content.downloadErrorTitle">
+				<source>Download Backup</source>
+			</trans-unit>
+			<trans-unit id="manualbackup.error.description">
+				<source>Allowed characters: letters, numbers, spaces, dashes (-), and underscores (_).</source>
+			</trans-unit>
+			<trans-unit id="servercloud.content.downloadBackupNotFound">
+				<source>This backup is no longer available.</source>
+			</trans-unit>
 		</body>
 	</file>
 </xliff>
@@ -82,6 +82,9 @@
 			<trans-unit id="tx_nsbackup_domain_model_backupdata.status">
 				<source>Status</source>
 			</trans-unit>
+			<trans-unit id="tx_nsbackup_domain_model_backupglobal.backup_store_path">
+				<source>Backup Store Path</source>
+			</trans-unit>
 		</body>
 	</file>
 </xliff>
@@ -50,7 +50,7 @@
                 <f:flashMessages />
                 <f:if condition="{errorValidation}">
                     <div class="alert alert-warning">
-                        <f:format.raw>{errorValidation}</f:format.raw>
+                        <f:sanitize.html>{errorValidation}</f:sanitize.html>
                     </div>
                 </f:if>
                 <f:render section="content" />
@@ -203,5 +203,47 @@ <h5 class="modal-title">Download Backup</h5>
 		</div>
 	</div>
 
+	<!-- Private Backup Download Error  -->
+	<div class="modal fade" id="backupDownloadError" role="dialog"
+		 aria-labelledby="nsBackupDeleteRecordModal" aria-hidden="true">
+		<div class="modal-dialog" role="document">
+			<div class="modal-content">
+				<div class="modal-header">
+					<h5 class="modal-title"><f:translate key="servercloud.content.downloadErrorTitle" /> <span class="backup-title"></span></h5>
+					<button type="button" class="close" {modalAttr}dismiss="modal" aria-label="Close">
+						<span aria-hidden="true">&times;</span>
+					</button>
+				</div>
+				<div class="modal-body">
+					<p class="delete-msg"><f:translate key="servercloud.content.downloadBackupError" /></p>
+				</div>
+				<div class="modal-footer">
+					<button type="button" class="btn btn-warning" {modalAttr}dismiss="modal"><em class="fa fa-close"
+																								 aria-hidden="true"></em><f:translate key="servercloud.content.cancel" /></button>
+				</div>
+			</div>
+		</div>
+	</div>
 
+	<!-- Private Backup Download Error  -->
+	<div class="modal fade" id="backupNotAvailable" tabindex="-1" role="dialog"
+		 aria-labelledby="nsBackupNotAvailableModal" aria-hidden="true">
+		<div class="modal-dialog" role="document">
+			<div class="modal-content">
+				<div class="modal-header">
+					<h5 class="modal-title"><f:translate key="servercloud.content.downloadErrorTitle" /> <span class="backup-title"></span></h5>
+					<button type="button" class="close" {modalAttr}dismiss="modal" aria-label="Close">
+						<span aria-hidden="true">&times;</span>
+					</button>
+				</div>
+				<div class="modal-body">
+					<p class="delete-msg"><f:translate key="servercloud.content.downloadBackupNotFound" /></p>
+				</div>
+				<div class="modal-footer">
+					<button type="button" class="btn btn-warning" {modalAttr}dismiss="modal"><em class="fa fa-close"
+																								 aria-hidden="true"></em><f:translate key="servercloud.content.cancel" /></button>
+				</div>
+			</div>
+		</div>
+	</div>
 </html>