feat: Complete config.xml and access.xml audit + enforce ACL across codebase #137

Closed
opened 2026-06-23 18:36:13 +00:00 by jmiller · 0 comments
Owner

Summary

Audit and complete the component configuration and ACL permissions, then enforce them consistently across all controllers, API endpoints, and AJAX handlers.

config.xml gaps

  • Global ntfy server/topic/token (fallback when profile doesn't set them)
  • Default MokoRestore mode (none/wrapped/standalone)
  • Default archive format (zip/tar.gz/7z)
  • Default sanitization settings (passwords, emails, sessions)
  • Log retention (days to keep .log files alongside archives)
  • API rate limiting settings

access.xml gaps

  • mokosuitebackup.backup.purge — separate permission for purging old backups
  • mokosuitebackup.backup.compare — permission for comparing backups
  • mokosuitebackup.backup.browse — permission for browsing archive contents

ACL enforcement audit

  • BackupsController: verify all actions check correct permission
  • SnapshotsController: verify all actions check snapshot.manage
  • AjaxController: verify all AJAX endpoints check correct permission
  • API BackupsController: verify download uses backup.download, not just core.manage
  • API SnapshotsController: verify all endpoints check snapshot.manage
  • System plugin webcron: verify permission checks
jmiller added the component: engine and component: admin labels 2026-06-23 18:36:13 +00:00
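One way to automate the ACL enforcement audit listed in the issue, as an added example that is not part of the issue or the MokoSuiteBackup code base: a script that cross-checks `authorise()` calls in a controller against the actions declared in access.xml. The component name `com_mokosuitebackup`, the fully prefixed action names, the controller methods and the `EXPECTED` policy map are assumptions, and both inputs are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed access.xml; the purge/compare/browse actions are still missing.
ACCESS_XML = """<access component="com_mokosuitebackup">
<section name="component">
  <action name="core.manage" title="Manage" />
  <action name="mokosuitebackup.backup.download" title="Download" />
  <action name="mokosuitebackup.snapshot.manage" title="Snapshots" />
</section></access>"""

# Constructed controller source (hypothetical methods, not the project's code).
CONTROLLER_PHP = r"""class BackupsController {
  public function download() {
    if (!$user->authorise('core.manage', 'com_mokosuitebackup')) { throw new \Exception('403'); }
  }
  public function purge() {
    if (!$user->authorise('mokosuitebackup.backup.purge', 'com_mokosuitebackup')) { throw new \Exception('403'); }
  }
  public function browse() { return $this->listArchive(); }
}"""

# Hypothetical policy: the specific permission each method must check.
EXPECTED = {"download": "mokosuitebackup.backup.download"}

# Heuristic regexes, not a PHP parser: a method body runs to the next method.
METHOD_RE = re.compile(r"public\s+function\s+(\w+)\s*\(")
AUTH_RE = re.compile(r"authorise\(\s*['\"]([\w.]+)['\"]")

def declared_actions(access_xml):
    """Return the set of action names declared in access.xml."""
    return {a.get("name") for a in ET.fromstring(access_xml).iter("action")}

def audit(php_source, access_xml, expected):
    """Flag methods with no check, an undeclared action, or the wrong action."""
    declared = declared_actions(access_xml)
    hits = list(METHOD_RE.finditer(php_source))
    findings = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(php_source)
        checked = set(AUTH_RE.findall(php_source[m.end():end]))
        name, want = m.group(1), expected.get(m.group(1))
        if not checked:
            findings.append((name, "no authorise() call"))
            continue
        for action in sorted(checked - declared):
            findings.append((name, f"undeclared action {action}"))
        if want and want not in checked:
            findings.append((name, f"expected {want}"))
    return findings
```

Calling `audit(CONTROLLER_PHP, ACCESS_XML, EXPECTED)` on the sample reports the download method that checks only core.manage, the purge check against an action access.xml does not declare, and the browse method with no check at all.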
Priority Medium
Type Feature
Reference: MokoConsulting/MokoSuiteBackup#137