Restrict ability to delete backups

Kristan Kenney · Kristan Kenney · commit 13895cc247b3 · 2021-03-19T22:20:05.000-03:00
diff --git a/web/templates/admin/list_backup.html b/web/templates/admin/list_backup.html
@@ -85,15 +85,19 @@
                       <div class="actions-panel clearfix">
                         <div class="actions-panel__col actions-panel__download shortcut-d" key-action="href"><a href="/download/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('download')?>"><i class="fas fa-file-download status-icon lightblue status-icon dim"></i></a></div>
                         <div class="actions-panel__col actions-panel__list shortcut-enter" key-action="href"><a href="/list/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('restore')?>"><i class="fas fa-undo status-icon green status-icon dim"></i></a></div>
-                        <div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
-                          <a id="delete_link_<?=$i?>" class="data-controls do_delete" title="<?=_('delete')?>">
-                            <i class="fas fa-trash status-icon red status-icon dim do_delete"></i>
-                            <input type="hidden" name="delete_url" value="/delete/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" />
-                            <div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=_('Confirmation')?>">
-                              <p class="confirmation"><?=sprintf(_('DELETE_BACKUP_CONFIRMATION'),$key)?></p>
-                            </div>
-                          </a>
-                        </div>
+                        <? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
+                          <!-- Restrict ability to delete backups when impersonating 'admin' account -->
+                        <? } else { ?>
+                          <div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
+                            <a id="delete_link_<?=$i?>" class="data-controls do_delete" title="<?=_('delete')?>">
+                              <i class="fas fa-trash status-icon red status-icon dim do_delete"></i>
+                              <input type="hidden" name="delete_url" value="/delete/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" />
+                              <div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=_('Confirmation')?>">
+                                <p class="confirmation"><?=sprintf(_('DELETE_BACKUP_CONFIRMATION'),$key)?></p>
+                              </div>
+                            </a>
+                          </div>
+                        <? } ?> 
                       </div>
                     </div>
                   </div>
