[PHPBB3-15928] Remove support for downloading backups

Discuss requests for comments/changes posted in the Issue Tracker for the development of phpBB. Upcoming releases are 3.2/Rhea and 3.3.
Scanialady
Registered User
Posts: 14
Joined: Sat Sep 12, 2015 3:17 pm

Re: [PHPBB3-15928] Remove support for downloading backups

Post by Scanialady » Fri Jan 11, 2019 12:01 pm

I don't like this idea of removing support for downloading backups. And I don't like the "one founder" idea.
Permissions to download a backup can save or compromise a board as well. However, assigning the rights incorrectly is a human problem, not one of the software. To have at least 2 founders may be the last rescue if the main admin is no longer available (sick / dead / listless / on vacation ...).

To better support the GDPR there would be a lot of other functions with more priority and more effect. All were discussed extensively a year ago.

DavidIQ
Customisations Team Leader
Posts: 1802
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: [PHPBB3-15928] Remove support for downloading backups

Post by DavidIQ » Fri Jan 11, 2019 8:27 pm

Well I guess you should ask yourself: under what circumstance would an administrator need to download a database backup from within the ACP through their browser? If it's for convenience then does that make their data safe or does it put them in the same precarious situation that many sites have been in with massive data leaks?

Situations where a forum administrator does not have access to the server are very rare so to continue putting everyone at risk for that tiny fraction of a percent of admins that might end up needing to download a backup through the browser does not seem to merit keeping the functionality.

3Di
Registered User
Posts: 741
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: [PHPBB3-15928] Remove support for downloading backups

Post by 3Di » Sat Jan 12, 2019 5:53 am

DavidIQ wrote:
Fri Jan 11, 2019 8:27 pm
Situations where a forum administrator does not have access to the server are very rare so to continue putting everyone at risk for that tiny fraction of a percent of admins that might end up needing to download a backup through the browser does not seem to merit keeping the functionality.
Agreed.
:game_die: The new Dice Roller extension for phpBB 3.2 is out! :game_die:

Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
Extensions, Scripts, MOD porting, Update/Upgrades
My development's activity º PhpStorm's proud user

3Di
Registered User
Posts: 741
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: [PHPBB3-15928] Remove support for downloading backups

Post by 3Di » Sat Jan 12, 2019 5:58 am

Ger wrote:
Thu Jan 10, 2019 12:19 pm
3Di wrote:
Thu Jan 10, 2019 10:38 am
v3d wrote:
Thu Jan 10, 2019 10:08 am
Why not create an admin permission "can download backups" or more commonly "can use the backup functionality (create, restore, delete, download)"?
It might be an idea for phpBB 3.3/4, I don't see it as something to implement in 3.2 anyway.
Why would an extra permission need to wait for a new major version, while removal of functionality can be done in a minor upgrade?

Not that I really care, I never use that phpBB function anyway (MySQL Workbench ftw).
I have to say that in light of the reasons why functionality has been removed, I don't even think it's a good idea today to add a permit to the existing ones.

v3d
Registered User
Posts: 4
Joined: Tue Jan 08, 2019 8:42 am

Re: [PHPBB3-15928] Remove support for downloading backups

Post by v3d » Wed Jan 23, 2019 8:31 am

DavidIQ wrote:
Fri Jan 11, 2019 8:27 pm
Well I guess you should ask yourself: under what circumstance would an administrator need to download a database backup from within the ACP through their browser? If it's for convenience then does that make their data safe or does it put them in the same precarious situation that many sites have been in with massive data leaks?
phpMyAdmin, a commonly used web app, has the very same download/export feature. Hosting providers offer similar functionality through admin panels, also web-based. And it goes without saying that browser operated cloud software is becoming more and more prevalent.

For the data leaks part, as far as I am aware, the most common root cause was unintended access through the API - this was the case from WordPress to Facebook, Google+ and the most recent LinkedIn debacle. Then there's the case of Cloudflare.

Once again, it is unclear where the vulnerability lies for phpBB. At web browser level, the ACP, permission control ("rogue" admins) or the backup functionality itself? The "no feature, no problem" approach doesn't prevent the risk as the ACP could still be exploited to gain access to user data (mass email functionality, extensions).

AbaddonOrmuz
Registered User
Posts: 3
Joined: Wed Jul 02, 2014 9:44 pm

Re: [PHPBB3-15928] Remove support for downloading backups

Post by AbaddonOrmuz » Thu Jan 24, 2019 8:39 pm

v3d wrote:
Wed Jan 23, 2019 8:31 am
phpMyAdmin, a commonly used web app, has the very same download/export feature. Hosting providers offer similar functionality through admin panels, also web-based. And it goes without saying that browser operated cloud software is becoming more and more prevalent.
Not all administrators have phpMyAdmin or cPanel access and yet any administrator could download the database from the ACP.

I think that's one of the reasons why that option has been removed.

david63
Registered User
Posts: 264
Joined: Mon Feb 07, 2005 7:23 am
Location: Lancashire, UK

Re: [PHPBB3-15928] Remove support for downloading backups

Post by david63 » Sun Jan 27, 2019 8:40 am

Here is a case in point where being able to download a backup is possibly the only way out of the problem - https://www.phpbb.com/community/viewtop ... #p15189181
David
Remember: You only know what you know -
and you do not know what you do not know!
