[PHPBB3-15928] Remove support for downloading backups

Discuss requests for comments/changes posted in the Issue Tracker for the development of phpBB. Current releases are 3.2/Rhea and 3.3/Proteus.
User avatar
Scanialady
Registered User
Posts: 24
Joined: Sat Sep 12, 2015 3:17 pm

Re: [PHPBB3-15928] Remove support for downloading backups

Post by Scanialady »

I don't like this idea to remove support for downloading backups. And I don't like the "one founder"-idea.
Permissions to download a backup can save or compromit a board as well. However, assigning the rights incorrectly is a human problem, not one of the software. To have at least 2 founders may be the last rescue if the main admin is no longer available (sick / dead / listless / on vacation ...).

To better support the GDPR there would be a lot of other functions with more priority and more effect. All were discussed extensively a year ago.

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: [PHPBB3-15928] Remove support for downloading backups

Post by DavidIQ »

Well I guess you should ask yourself: under what circumstance would an administrator need to download a database backup from within the ACP through their browser? If it's for convenience then does that make their data safe or does it put them in the same precarious situation that many sites have been in with massive data leaks?

Situations where a forum administrator does not have access to the server are very rare so to continue putting everyone at risk for that tiny fraction of a percent of admins that might end up needing to download a backup through the browser does not seem to merit keeping the functionality.
Image

User avatar
3Di
Registered User
Posts: 951
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano 🇮🇹 Frankfurt 🇩🇪
Contact:

Re: [PHPBB3-15928] Remove support for downloading backups

Post by 3Di »

DavidIQ wrote: Fri Jan 11, 2019 8:27 pm Situations where a forum administrator does not have access to the server are very rare so to continue putting everyone at risk for that tiny fraction of a percent of admins that might end up needing to download a backup through the browser does not seem to merit keeping the functionality.
Agreed.
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades

User avatar
3Di
Registered User
Posts: 951
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano 🇮🇹 Frankfurt 🇩🇪
Contact:

Re: [PHPBB3-15928] Remove support for downloading backups

Post by 3Di »

Ger wrote: Thu Jan 10, 2019 12:19 pm
3Di wrote: Thu Jan 10, 2019 10:38 am
v3d wrote: Thu Jan 10, 2019 10:08 am Why not create an admin permission "can download backups" or more commonly "can use the backup functionality (create, restore, delete, download)"?
It might be an idea for phpBB 3.3/4, I don't see it as something to implement in 3.2 anyway.
Why would an extra permission need to wait for a new major version, while removal of functionality can be done in a minor upgrade?

Not that I really care, I never use that phpBB function anyway (MySQL Workbench ftw).
I have to say that in light of the reasons why functionality has been removed, I don't even think it's a good idea today to add a permit to the existing ones.
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades

v3d
Registered User
Posts: 4
Joined: Tue Jan 08, 2019 8:42 am

Re: [PHPBB3-15928] Remove support for downloading backups

Post by v3d »

DavidIQ wrote: Fri Jan 11, 2019 8:27 pm Well I guess you should ask yourself: under what circumstance would an administrator need to download a database backup from within the ACP through their browser? If it's for convenience then does that make their data safe or does it put them in the same precarious situation that many sites have been in with massive data leaks?
phpMyAdmin, a commonly used web app, has the very same download/export feature. Hosting providers offer similar functionality through admin panels, also web-based. And it goes without saying that browser operated cloud software is becoming more and more prevalent.

For the data leaks part, as far as I am aware, the most common root cause was unintended access through the API - this was the case from Wordpress to Facebook, Google+ and the most recent Linkedin debacle. Then there's the case of Cloudflare.

Once again, it is unclear where lies the vulnerability for phpBB? At web browser level, the ACP, permission control ("rogue" admins) or the backup functionality itself? The "no feature, no problem" approach doesn't prevent the risk as the ACP could still be exploited to gain access to user data (mass email functionality, extensions).

User avatar
AlfredoRamos
Registered User
Posts: 10
Joined: Wed Jul 02, 2014 9:44 pm
Location: /dev/null
Contact:

Re: [PHPBB3-15928] Remove support for downloading backups

Post by AlfredoRamos »

v3d wrote: Wed Jan 23, 2019 8:31 am phpMyAdmin, a commonly used web app, has the very same download/export feature. Hosting providers offer similar functionality through admin panels, also web-based. And it goes without saying that browser operated cloud software is becoming more and more prevalent.
Not all administrators have phpMyAdmin or cPanel access and yet any administrator could download the database from the ACP.

I think that's one of the reasons why it has been removed that option.
Some of my phpBB extensions:
Image Imgur | :chart_with_upwards_trend: SEO Metadata | Image Markdown | :lock: Auto-lock Topics
:trophy: Check out all my validated extensions :trophy:

:penguin: Arch Linux user :penguin:

User avatar
david63
Registered User
Posts: 355
Joined: Mon Feb 07, 2005 7:23 am

Re: [PHPBB3-15928] Remove support for downloading backups

Post by david63 »

Here is a case in point where being able to download a backup is possibly the only way out of the problem - https://www.phpbb.com/community/viewtop ... #p15189181
David
Remember: You only know what you know -
and you do not know what you do not know!

User avatar
Tastenplayer
Registered User
Posts: 40
Joined: Thu Dec 06, 2018 11:14 am
Contact:

Re: [PHPBB3-15928] Remove support for downloading backups

Post by Tastenplayer »

Although the contribution is already 1 year old:
It is not about laziness of the administrator / founder. But there was definitely an additional security to be able to download an additional backup from the ACP before an update. Unfortunately my server is configured quite extreme. According to the operator, all for the security of the users. I do think that in an emergency you should somehow have a way to do this.
Since some forum operators have quite some problems updating to 3.3.0, without this additional backup I now lack the courage to try the update on my server.
Be the best version of yourself rather than a bad copy of someone else!

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: [PHPBB3-15928] Remove support for downloading backups

Post by DavidIQ »

So you have a forum you set up, configured, and likely customized and did all that without FTP access?
Image

Post Reply