Add restore_only permission

README.md

@@ -63,6 +63,7 @@ Please check https://github.com/netinvent/npbackup/releases
   - Repository permissions allowing to limit clients
     - Backup only permission
     - Backup, list and restore permissions
+    - Restore only permissions
     - Full permissions including destructive operations
   - Encrypted data viewing requires additional password
   - AES-256 keys can't be guessed in executables thanks to Nuitka Commercial compiler
@@ -245,6 +246,7 @@ In that case, you can set permissions via the GUI or directly in the configurati
 Permissions are:
 - full: Set by default, allows all including destructive operations
 - restore: Allows everything backup does plus restore, check and dump operations
+- restore_noly: Allows only restoring backups, but not creating ones
 - backup: Allows, backup, snapshot/object listing operations and repo unlocking
 
 ## Logs

npbackup/core/runner.py

@@ -520,6 +520,7 @@ def has_permission(fn: Callable):
         Possible permissions are:
         - backup:   Init, Backup, list backups and unlock
         - restore:  Init, Backup, restore, recover and list snapshots
+        - restore_only: Restore only
         - full:     Full permissions
 
         Only one permission can be set per repo
@@ -531,13 +532,13 @@ def wrapper(self, *args, **kwargs):
             required_permissions = {
                 "init": ["backup", "restore", "full"],
                 "backup": ["backup", "restore", "full"],
-                "has_recent_snapshot": ["backup", "restore", "full"],
-                "snapshots": ["backup", "restore", "full"],
+                "has_recent_snapshot": ["backup", "restore", "restore_only", "full"],
+                "snapshots": ["backup", "restore", "restore_only", "full"],
                 "stats": ["backup", "restore", "full"],
-                "ls": ["backup", "restore", "full"],
-                "find": ["backup", "restore", "full"],
-                "restore": ["restore", "full"],
-                "dump": ["restore", "full"],
+                "ls": ["backup", "restore", "restore_only", "full"],
+                "find": ["backup", "restore", "restore_only", "full"],
+                "restore": ["restore", "restore_only", "full"],
+                "dump": ["restore", "retore_only", "full"],
                 "check": ["restore", "full"],
                 "recover": ["restore", "full"],
                 "list": ["full"],

npbackup/gui/__main__.py

@@ -145,7 +145,7 @@ def viewer_create_repo(viewer_repo_uri: str, viewer_repo_password: str) -> dict:
     # Let's set default backup age to 24h
     repo_config.s("repo_opts.minimum_backup_age", 1440)
     # NPF-SEC-00005 Add restore permission
-    repo_config.s("permissions", "restore")
+    repo_config.s("permissions", "restore_only")
 
     return repo_config
 

npbackup/gui/config.py

@@ -107,6 +107,7 @@ def config_gui(full_config: dict, config_file: str):
         "permissions": {
             "backup": _t("config_gui.backup_perms"),
             "restore": _t("config_gui.restore_perms"),
+            "restore_only": _t("config_gui.restore_only_perms"),
             "full": _t("config_gui.full_perms"),
         },
     }

npbackup/translations/config_gui.en.yml

@@ -145,6 +145,7 @@ en:
   permissions: Permissions
   backup_perms: Backup only
   restore_perms: Backup, verify, recover and restore
+  restore_only_perms: Restore only
   full_perms: Full permissions
   setting_permissions_requires_manager_password: Setting permissions requires manager password
   manager_password_too_simple: Manager password needs at least 8 uppercase, lowercase and digits characters

npbackup/translations/config_gui.fr.yml

@@ -146,6 +146,7 @@ fr:
   permissions: Permissions
   backup_perms: Sauvegardes uniquement
   restore_perms: Sauvegarde, vérification, récupération et restauration
+  restore_only_perms: Restauration uniquement
   full_perms: Accès total
   setting_permissions_requires_manager_password: Un mot de passe gestionnaire est requis pour définir des permissions
   manager_password_too_simple: Le mot de passe gestionnaire nécessite au moins 8 caractères majuscules, minuscules et chiffres