Skip to content

Commit 9f2d144

Browse files
committed
Add a repair step to remove sensitive event activity
Signed-off-by: Joas Schilling <coding@schilljs.com>
1 parent 32d76c7 commit 9f2d144

File tree

4 files changed

+128
-1
lines changed

4 files changed

+128
-1
lines changed

apps/dav/appinfo/info.xml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
<name>WebDAV</name>
66
<summary>WebDAV endpoint</summary>
77
<description>WebDAV endpoint</description>
8-
<version>1.9.0</version>
8+
<version>1.9.1</version>
99
<licence>agpl</licence>
1010
<author>owncloud.org</author>
1111
<namespace>DAV</namespace>
@@ -31,6 +31,7 @@
3131
<step>OCA\DAV\Migration\CalDAVRemoveEmptyValue</step>
3232
<step>OCA\DAV\Migration\BuildCalendarSearchIndex</step>
3333
<step>OCA\DAV\Migration\RefreshWebcalJobRegistrar</step>
34+
<step>OCA\DAV\Migration\RemoveClassifiedEventActivity</step>
3435
</post-migration>
3536
</repair-steps>
3637

apps/dav/composer/composer/autoload_classmap.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -155,6 +155,7 @@
155155
'OCA\\DAV\\Migration\\CalDAVRemoveEmptyValue' => $baseDir . '/../lib/Migration/CalDAVRemoveEmptyValue.php',
156156
'OCA\\DAV\\Migration\\FixBirthdayCalendarComponent' => $baseDir . '/../lib/Migration/FixBirthdayCalendarComponent.php',
157157
'OCA\\DAV\\Migration\\RefreshWebcalJobRegistrar' => $baseDir . '/../lib/Migration/RefreshWebcalJobRegistrar.php',
158+
'OCA\\DAV\\Migration\\RemoveClassifiedEventActivity' => $baseDir . '/../lib/Migration/RemoveClassifiedEventActivity.php',
158159
'OCA\\DAV\\Migration\\Version1004Date20170825134824' => $baseDir . '/../lib/Migration/Version1004Date20170825134824.php',
159160
'OCA\\DAV\\Migration\\Version1004Date20170919104507' => $baseDir . '/../lib/Migration/Version1004Date20170919104507.php',
160161
'OCA\\DAV\\Migration\\Version1004Date20170924124212' => $baseDir . '/../lib/Migration/Version1004Date20170924124212.php',

apps/dav/composer/composer/autoload_static.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -170,6 +170,7 @@ class ComposerStaticInitDAV
170170
'OCA\\DAV\\Migration\\CalDAVRemoveEmptyValue' => __DIR__ . '/..' . '/../lib/Migration/CalDAVRemoveEmptyValue.php',
171171
'OCA\\DAV\\Migration\\FixBirthdayCalendarComponent' => __DIR__ . '/..' . '/../lib/Migration/FixBirthdayCalendarComponent.php',
172172
'OCA\\DAV\\Migration\\RefreshWebcalJobRegistrar' => __DIR__ . '/..' . '/../lib/Migration/RefreshWebcalJobRegistrar.php',
173+
'OCA\\DAV\\Migration\\RemoveClassifiedEventActivity' => __DIR__ . '/..' . '/../lib/Migration/RemoveClassifiedEventActivity.php',
173174
'OCA\\DAV\\Migration\\Version1004Date20170825134824' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170825134824.php',
174175
'OCA\\DAV\\Migration\\Version1004Date20170919104507' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170919104507.php',
175176
'OCA\\DAV\\Migration\\Version1004Date20170924124212' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170924124212.php',
Lines changed: 124 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,124 @@
1+
<?php
2+
declare(strict_types=1);
3+
/**
4+
* @copyright Copyright (c) 2019 Joas Schilling <coding@schilljs.com>
5+
*
6+
* @license GNU AGPL version 3 or any later version
7+
*
8+
* This program is free software: you can redistribute it and/or modify
9+
* it under the terms of the GNU Affero General Public License as
10+
* published by the Free Software Foundation, either version 3 of the
11+
* License, or (at your option) any later version.
12+
*
13+
* This program is distributed in the hope that it will be useful,
14+
* but WITHOUT ANY WARRANTY; without even the implied warranty of
15+
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16+
* GNU Affero General Public License for more details.
17+
*
18+
* You should have received a copy of the GNU Affero General Public License
19+
* along with this program. If not, see <http://www.gnu.org/licenses/>.
20+
*
21+
*/
22+
23+
namespace OCA\DAV\Migration;
24+
25+
use OCA\DAV\CalDAV\CalDavBackend;
26+
use OCP\IDBConnection;
27+
use OCP\Migration\IOutput;
28+
use OCP\Migration\IRepairStep;
29+
30+
class RemoveClassifiedEventActivity implements IRepairStep {
31+
32+
/** @var IDBConnection */
33+
private $connection;
34+
35+
public function __construct(IDBConnection $connection) {
36+
$this->connection = $connection;
37+
}
38+
39+
/**
40+
* @inheritdoc
41+
*/
42+
public function getName() {
43+
return 'Remove activity entries of private events';
44+
}
45+
46+
/**
47+
* @inheritdoc
48+
*/
49+
public function run(IOutput $output) {
50+
if (!$this->connection->tableExists('activity')) {
51+
return;
52+
}
53+
54+
$deletedEvents = $this->removePrivateEventActivity();
55+
$deletedEvents += $this->removeConfidentialUncensoredEventActivity();
56+
57+
$output->info("Removed $deletedEvents activity entries");
58+
}
59+
60+
protected function removePrivateEventActivity(): int {
61+
$deletedEvents = 0;
62+
63+
$delete = $this->connection->getQueryBuilder();
64+
$delete->delete('activity')
65+
->where($delete->expr()->neq('affecteduser', $delete->createParameter('owner')))
66+
->andWhere($delete->expr()->eq('object_type', $delete->createParameter('type')))
67+
->andWhere($delete->expr()->eq('object_id', $delete->createParameter('calendar_id')))
68+
->andWhere($delete->expr()->like('subjectparams', $delete->createParameter('event_uid')));
69+
70+
$query = $this->connection->getQueryBuilder();
71+
$query->select('c.principaluri', 'o.calendarid', 'o.uid')
72+
->from('calendarobjects', 'o')
73+
->leftJoin('o', 'calendars', 'c', $query->expr()->eq('c.id', 'o.calendarid'))
74+
->where($query->expr()->eq('o.classification', $query->createNamedParameter(CalDavBackend::CLASSIFICATION_PRIVATE)));
75+
$result = $query->execute();
76+
77+
while ($row = $result->fetch()) {
78+
$delete->setParameter('owner', $this->getPrincipal($row['principaluri']))
79+
->setParameter('type', 'calendar')
80+
->setParameter('calendar_id', $row['calendarid'])
81+
->setParameter('event_uid', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '"') . '%');
82+
$deletedEvents += $delete->execute();
83+
}
84+
$result->closeCursor();
85+
86+
return $deletedEvents;
87+
}
88+
89+
protected function removeConfidentialUncensoredEventActivity(): int {
90+
$deletedEvents = 0;
91+
92+
$delete = $this->connection->getQueryBuilder();
93+
$delete->delete('activity')
94+
->where($delete->expr()->neq('affecteduser', $delete->createParameter('owner')))
95+
->andWhere($delete->expr()->eq('object_type', $delete->createParameter('type')))
96+
->andWhere($delete->expr()->eq('object_id', $delete->createParameter('calendar_id')))
97+
->andWhere($delete->expr()->like('subjectparams', $delete->createParameter('event_uid')))
98+
->andWhere($delete->expr()->notLike('subjectparams', $delete->createParameter('filtered_name')));
99+
100+
$query = $this->connection->getQueryBuilder();
101+
$query->select('c.principaluri', 'o.calendarid', 'o.uid')
102+
->from('calendarobjects', 'o')
103+
->leftJoin('o', 'calendars', 'c', $query->expr()->eq('c.id', 'o.calendarid'))
104+
->where($query->expr()->eq('o.classification', $query->createNamedParameter(CalDavBackend::CLASSIFICATION_CONFIDENTIAL)));
105+
$result = $query->execute();
106+
107+
while ($row = $result->fetch()) {
108+
$delete->setParameter('owner', $this->getPrincipal($row['principaluri']))
109+
->setParameter('type', 'calendar')
110+
->setParameter('calendar_id', $row['calendarid'])
111+
->setParameter('event_uid', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '"') . '%')
112+
->setParameter('filtered_name', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '","name":"Busy"') . '%');
113+
$deletedEvents += $delete->execute();
114+
}
115+
$result->closeCursor();
116+
117+
return $deletedEvents;
118+
}
119+
120+
protected function getPrincipal(string $principalUri): string {
121+
$uri = explode('/', $principalUri);
122+
return $uri[2];
123+
}
124+
}

0 commit comments

Comments
 (0)