Why does the admin panel let a copy be made of the entire database?

(John Cave) #1

When reading this thread about what to do if your Discourse is hacked, I was prompted to post a question that’s been bugging me since I first used Discourse: Why even include the option to download the whole database to the local computer? I can see no reason why an admin would want to back up her database to her own desktop computer, nor any reason he would want to spend hours waiting for a file which could potentially be gigabytes in size to download.

I feel like this should be a command line option and allow the admin to back up the database to an S3 bucket or remote FTP host. I feel like what data is contained inside the database is of no concern to anyone but the person responsible for maintaining that database / the server. If an admin starts to feel disillusioned with the other admins, they can take a copy of the database to do whatever they please with, including to blackmail the other admins.

This feature is common among forum software and is often used to compromise open-source projects’ data, like the case this week with Linux Mint. Why tempt fate?

(Jeff Atwood) #2

So you can easily move your Discourse to another web host, analyze the data, etc. The whole point is that your data belongs to you.

I am more interested in enforcing stronger admin passwords than anything else.

(John Cave) #3

I suppose that’s true, yes. I’ve always had a dedicated server so I’ve never been in the situation of only being able to access my own data through a web browser. Perhaps an option to disable it that can only be changed by editing the configuration file would provide an extra layer of security, though?

(Sam Saffron) #4

Sure, I am fine with an ENV var DISCOURSE_DISABLE_BACKUPS if you want to make a PR for it; we have no plans on working on it though.