f9c1c6b18609750c0206dade1e92337d52b9f84a
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 16s
Generic: Project CI / Lint & Validate (pull_request) Has been cancelled
Universal: PR Check / Branch Policy (pull_request) Has been cancelled
Universal: PR Check / Require Docs Update (pull_request) Has been cancelled
Universal: PR Check / Wiki Update Reminder (pull_request) Has been cancelled
Universal: PR Check / Secret Scan (pull_request) Has been cancelled
Universal: PR Check / Validate PR (pull_request) Has been cancelled
Joomla: Metadata Validation / Validate Joomla Metadata (pull_request) Has been cancelled
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
fix(review): open-redirect, btoa UTF-8 safety, honest duplicate-mode txn Pre-release review findings on dev -> main: - Return-URL open-redirect (MED): a base64 returnurl like "/\evil.com" passed the root-relative allow-list (raw[1] is "\", not "/"), and a browser normalises leading "/\" to "//", yielding a protocol-relative redirect off-site. Reject any backslash or control char in the decoded return URL outright — legitimate Joomla admin URLs never contain them. - installer-backup.js btoa() (LOW): btoa() throws on non-Latin1 input (e.g. a UTF-8 filter value in the list query string), and the throw was uncaught after preventDefault(), leaving the toolbar button dead. Build the redirect (UTF-8-safe base64) BEFORE swallowing the click; if it still fails, bail without preventing so Joomla proceeds normally. - Snapshot duplicate-mode transaction (HIGH): restore() wrapped duplicate mode in transactionStart()/Rollback(), but duplicate mode writes via Joomla Table API whose Nested tables (categories/tags) issue LOCK TABLES, which implicitly COMMITS the open transaction in MySQL — so the rollback promise was illusory and a mid-inject failure left a slave half-updated. Run only the raw-DB modes (replace/create/merge) inside the transaction; duplicate mode runs outside it, matching its existing per-item defensive design (bad item skipped + logged, never fatal). Claude-Session: https://claude.ai/code/session_01WbGBN9VyRK61zczYWcCQ2i @
MokoSuiteBackup
Full-site backup and restore for Joomla — database, files, and configuration.
| Field | Value |
|---|---|
| Package | pkg_mokosuitebackup |
| Type | Joomla Package (9 sub-extensions + MokoSuiteClient) |
| Joomla | 6.x+ |
| PHP | 8.1+ |
| License | GPL-3.0-or-later |
Features
Backup
- Full site, database-only, files-only, and differential backup modes
- Pre-flight validation — checks directory, disk space, extensions, credentials before starting
- Auto-verify archive integrity after creation
- Stepped AJAX engine prevents timeout on shared hosting
- AES-256 ZIP encryption with configurable password
- Configurable archive naming with placeholders ([HOST], [DATE], [SITE_NAME], etc.)
- Per-profile retention — configure max backup count and max age (days) per profile, with global defaults
- Data sanitization — optionally clear user passwords, emails, and sessions in backup
Content Snapshots
- Lightweight JSON snapshots of articles, categories, and modules
- Includes tags, custom fields, workflow associations
- Restore modes: Replace (clean slate) or Merge (upsert)
- Selective article restore — browse and pick individual items
- Automatic retention (max count + max age)
- Scheduled snapshot task via com_scheduler
Remote Storage
- Multi-remote — upload to multiple destinations per profile simultaneously
- SFTP with SSH key file auth + remote directory browser
- Amazon S3 and S3-compatible (DigitalOcean Spaces, Wasabi, MinIO)
- Google Drive with OAuth2 and resumable uploads
- Graceful degradation — local backup preserved if upload fails
MokoRestore Standalone Wizard
- 9-step restore wizard that works without Joomla installed
- Per-table conflict resolution: Replace / Skip / Merge / Data Only
- Post-restore actions: reset passwords, hits, versions, sessions, cache
- Auto-detect sanitized passwords and prompt for reset
- Standalone mode: restore.php scans directory for ZIP files
- Wrapped mode: restore.php bundled inside backup ZIP
- Security gate with filesystem verification
Notifications
- Email on success/failure per profile
- ntfy push notifications
- Notifications for restore and snapshot operations
Admin Dashboard
- Last backup status, next scheduled, total count, storage used
- Snapshot widget with latest info and type badges
- 30-day backup trend chart
- Per-profile storage breakdown
- System health checks
CLI
mokosuitebackup:run --profile=1— run backupmokosuitebackup:restore 1 --files-only --db-only --password=xxxmokosuitebackup:snapshot create|restore|list|delete
REST API
- Backup: start, list, download, delete, profiles
- Snapshots: create, list, restore, delete, download
- Profile credentials masked in API responses
Bundled: MokoSuiteClient
- Full MokoSuiteClient package installed automatically alongside MokoSuiteBackup
- Provides admin dashboard, security firewall, tenant management, and developer tools
Installation
- Download from Releases
- Joomla Administrator > Extensions > Install
- Components > MokoSuiteBackup > Dashboard
Documentation
See the Wiki for guides and reference.
License
GPL-3.0-or-later
Author
Description
Full-site backup and restore for Joomla - database, files, and configuration
https://mokoconsulting.tech/support/products/mokosuitebackup
Readme
5.4 MiB