Release v01.05.00 — dashboard menu, [DEFAULT_DIR], live validation, security hardening #41

Closed
jmiller wants to merge 0 commits from dev into main
Owner

Summary

  • Add Dashboard as first submenu entry with FA6 icon injection
  • Add [DEFAULT_DIR] placeholder for portable backup directory configuration
  • Add live AJAX directory validation on backup_dir field (debounced checkDir endpoint)
  • Web-accessible warning badges and inline security warnings
  • Auto-create .htaccess protection (Apache 2.2 + 2.4 compatible) on profile save and backup time
  • Sync menu icons to #__menu on install/update via syncMenuIcons() postflight
  • Add encryptionPassword to SteppedSession for upcoming encryption support

Security hardening (from PR review)

  • .htaccess now supports both Apache 2.4 (Require all denied) and 2.2 (Order deny,allow)
  • Log failures on security-critical .htaccess/index.html writes instead of silent suppression
  • Add core.manage ACL check to checkDir() AJAX endpoint
  • Guard browseDir parent navigation to prevent directory traversal outside allowed paths
  • Add r.ok HTTP status check to all JS fetch calls before JSON parsing
  • Add error_log() to all empty catch blocks
  • Explicit (int) cast on viewLog SQL query
  • Log temp SQL file deletion failures

Test plan

  • Install package — verify Dashboard appears as first submenu item with home icon
  • Verify Backups and Profiles submenu items show database and cog icons
  • Create profile with [DEFAULT_DIR] — verify backup runs and resolves correctly
  • Edit profile backup_dir — verify live status updates (writable/not found/placeholder)
  • Verify .htaccess contains both Apache 2.2 and 2.4 directives
  • Verify browseDir cannot navigate above JPATH_ROOT or HOME boundaries
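Two of the hardening items above, the dual Apache 2.2/2.4 deny rules and the browseDir boundary guard, as an added PHP illustration that is not the MokoSuiteBackup project's own code. The function names, the `Deny from all` line and the use of `realpath()` are assumptions; the allowed roots stand in for the JPATH_ROOT/HOME boundaries named in the test plan.

```php
<?php
// Added illustration, not MokoSuiteBackup code; function names are hypothetical.
// .htaccess body that blocks web access on Apache 2.4 (mod_authz_core) and,
// when that module is absent, on Apache 2.2 (Order/Deny directives).
function denyAllHtaccess(): string
{
    return "<IfModule mod_authz_core.c>\n"
         . "    Require all denied\n"
         . "</IfModule>\n"
         . "<IfModule !mod_authz_core.c>\n"
         . "    Order deny,allow\n"
         . "    Deny from all\n"
         . "</IfModule>\n";
}

// Create the .htaccess if missing; log a failed write instead of hiding it
// with the @ operator, since a silent failure leaves the backups exposed.
function protectDir(string $dir): bool
{
    $file = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . '.htaccess';
    if (is_file($file)) {
        return true;
    }
    $ok = file_put_contents($file, denyAllHtaccess(), LOCK_EX) !== false;
    if (!$ok) {
        error_log("MokoSuiteBackup: could not write protective .htaccess in {$dir}");
    }
    return $ok;
}

// Boundary guard for parent ("..") navigation: accept the candidate only if
// realpath() places it at or below one of the allowed roots (assumed here to be
// JPATH_ROOT and HOME). realpath() resolves symlinks, so links out are rejected.
function isWithinAllowed(string $candidate, array $allowedRoots): bool
{
    $real = realpath($candidate);
    if ($real === false) {
        return false; // unresolvable or non-existent: never browsable
    }
    foreach ($allowedRoots as $root) {
        if (($rootReal = realpath($root)) === false) {
            continue; // a root that does not exist cannot authorise anything
        }
        $rootReal = rtrim($rootReal, DIRECTORY_SEPARATOR);
        if ($real === $rootReal || str_starts_with($real, $rootReal . DIRECTORY_SEPARATOR)) {
            return true;
        }
    }
    return false;
}
```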
jmiller added 7 commits 2026-06-07 14:18:20 +00:00
feat: add dashboard menu, [DEFAULT_DIR] placeholder, live dir validation, and backup security
608aeb3641
- Add Dashboard as first submenu entry in component manifest
- Add [DEFAULT_DIR] placeholder to PlaceholderResolver for portable profiles
- Add live AJAX directory permission checking on backup_dir field changes
- Add web-accessible warning badge on backup download buttons
- Auto-create .htaccess protection in web-accessible backup dirs on profile save
- Auto-create .htaccess protection at backup time in both engines
- Add checkDir AJAX endpoint for real-time directory validation
- Fix script.php warnMissingLicenseKey running on uninstall
feat: add submenu icons via FA6 CSS injection and sync menu icons on install
6e18c77670
- Inject Font Awesome 6 icons for Dashboard, Backups, and Profiles submenu
  items via MokoJoomBackupComponent::boot() using WebAssetManager
- Add syncMenuIcons() to installer script to set img column in #__menu
  on both install and update (Joomla doesn't refresh icons on upgrade)
- Add encryptionPassword property to SteppedSession for stepped backup
  encryption support
docs: update changelog with all unreleased changes for v01.05.00
3edf635a4c
fix: address PR review — error logging, ACL check, fetch error handling
e72a007041
- Log failures in protectBackupDir() and protectWebAccessibleDir() instead
  of silently suppressing with @ (security-critical .htaccess writes)
- Add error_log() to empty catch blocks in boot() and syncMenuIcons()
- Add core.manage ACL check to checkDir() AJAX endpoint
- Surface opendir() failures in browseDir() with warning message
- Add HTTP status check (r.ok) to JS fetch calls before parsing JSON
- Log temp SQL file deletion failures in SteppedBackupEngine
fix: address code review — Apache 2.4 htaccess, browseDir traversal, SQL cast
41b481dbfe
- Update .htaccess content to support both Apache 2.4 (Require all denied)
  and Apache 2.2 (Order deny,allow) in all four locations
- Guard browseDir parent navigation to prevent escaping allowed boundaries
- Add explicit (int) cast on viewLog SQL query for defense-in-depth
jmiller closed this pull request 2026-06-07 14:18:38 +00:00
jmiller deleted branch dev 2026-06-07 14:18:39 +00:00

Reference: MokoConsulting/MokoSuiteBackup#41