From 32d76c7c9220367db87793b0b1d5c90189381e7a Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 8 Jan 2019 17:46:07 +0100 Subject: [PATCH 1/2] Correctly handle the classification of events in the activity stream Signed-off-by: Joas Schilling --- apps/dav/lib/CalDAV/Activity/Backend.php | 10 +++++++++- apps/dav/lib/CalDAV/Activity/Provider/Event.php | 13 +++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apps/dav/lib/CalDAV/Activity/Backend.php b/apps/dav/lib/CalDAV/Activity/Backend.php index 9f929dc195..73bd9b5daf 100644 --- a/apps/dav/lib/CalDAV/Activity/Backend.php +++ b/apps/dav/lib/CalDAV/Activity/Backend.php @@ -27,6 +27,7 @@ namespace OCA\DAV\CalDAV\Activity; use OCA\DAV\CalDAV\Activity\Provider\Calendar; use OCA\DAV\CalDAV\Activity\Provider\Event; +use OCA\DAV\CalDAV\CalDavBackend; use OCP\Activity\IEvent; use OCP\Activity\IManager as IActivityManager; use OCP\IGroup; @@ -415,6 +416,7 @@ class Backend { $currentUser = $owner; } + $classification = $objectData['classification'] ?? CalDavBackend::CLASSIFICATION_PUBLIC; $object = $this->getObjectNameAndType($objectData); $action = $action . '_' . $object['type']; @@ -434,6 +436,11 @@ class Backend { $users[] = $owner; foreach ($users as $user) { + if ($classification === CalDavBackend::CLASSIFICATION_PRIVATE && $user !== $owner) { + // Private events are only shown to the owner + continue; + } + $event->setAffectedUser($user) ->setSubject( $user === $currentUser ? $action . '_self' : $action, @@ -446,7 +453,8 @@ class Backend { ], 'object' => [ 'id' => $object['id'], - 'name' => $object['name'], + 'name' => $classification === CalDavBackend::CLASSIFICATION_CONFIDENTIAL && $user !== $owner ? 'Busy' : $object['name'], + 'classified' => $classification === CalDavBackend::CLASSIFICATION_CONFIDENTIAL && $user !== $owner, ], ] ); diff --git a/apps/dav/lib/CalDAV/Activity/Provider/Event.php b/apps/dav/lib/CalDAV/Activity/Provider/Event.php index 378a18397e..666660cdb1 100644 --- a/apps/dav/lib/CalDAV/Activity/Provider/Event.php +++ b/apps/dav/lib/CalDAV/Activity/Provider/Event.php @@ -23,6 +23,7 @@ namespace OCA\DAV\CalDAV\Activity\Provider; +use OCA\DAV\CalDAV\CalDavBackend; use OCP\Activity\IEvent; use OCP\Activity\IEventMerger; use OCP\Activity\IManager; @@ -131,14 +132,14 @@ class Event extends Base { return [ 'actor' => $this->generateUserParameter($parameters['actor']), 'calendar' => $this->generateCalendarParameter($parameters['calendar'], $this->l), - 'event' => $this->generateObjectParameter($parameters['object']), + 'event' => $this->generateClassifiedObjectParameter($parameters['object']), ]; case self::SUBJECT_OBJECT_ADD . '_event_self': case self::SUBJECT_OBJECT_DELETE . '_event_self': case self::SUBJECT_OBJECT_UPDATE . '_event_self': return [ 'calendar' => $this->generateCalendarParameter($parameters['calendar'], $this->l), - 'event' => $this->generateObjectParameter($parameters['object']), + 'event' => $this->generateClassifiedObjectParameter($parameters['object']), ]; } } @@ -168,4 +169,12 @@ class Event extends Base { throw new \InvalidArgumentException(); } + + private function generateClassifiedObjectParameter(array $eventData) { + $parameter = $this->generateObjectParameter($eventData); + if ($eventData['classified']) { + $parameter['name'] = $this->l->t('Busy'); + } + return $parameter; + } } From 9f2d14447ff1f9212ead7fc5c4c98126b7f36452 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 8 Jan 2019 18:39:40 +0100 Subject: [PATCH 2/2] Add a repair step to remove sensitive event activity Signed-off-by: Joas Schilling --- apps/dav/appinfo/info.xml | 3 +- .../composer/composer/autoload_classmap.php | 1 + .../dav/composer/composer/autoload_static.php | 1 + .../RemoveClassifiedEventActivity.php | 124 ++++++++++++++++++ 4 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 apps/dav/lib/Migration/RemoveClassifiedEventActivity.php diff --git a/apps/dav/appinfo/info.xml b/apps/dav/appinfo/info.xml index 633658674c..46bbca0b3d 100644 --- a/apps/dav/appinfo/info.xml +++ b/apps/dav/appinfo/info.xml @@ -5,7 +5,7 @@ WebDAV WebDAV endpoint WebDAV endpoint - 1.9.0 + 1.9.1 agpl owncloud.org DAV @@ -31,6 +31,7 @@ OCA\DAV\Migration\CalDAVRemoveEmptyValue OCA\DAV\Migration\BuildCalendarSearchIndex OCA\DAV\Migration\RefreshWebcalJobRegistrar + OCA\DAV\Migration\RemoveClassifiedEventActivity diff --git a/apps/dav/composer/composer/autoload_classmap.php b/apps/dav/composer/composer/autoload_classmap.php index 537bd72d4c..539ba5d053 100644 --- a/apps/dav/composer/composer/autoload_classmap.php +++ b/apps/dav/composer/composer/autoload_classmap.php @@ -155,6 +155,7 @@ return array( 'OCA\\DAV\\Migration\\CalDAVRemoveEmptyValue' => $baseDir . '/../lib/Migration/CalDAVRemoveEmptyValue.php', 'OCA\\DAV\\Migration\\FixBirthdayCalendarComponent' => $baseDir . '/../lib/Migration/FixBirthdayCalendarComponent.php', 'OCA\\DAV\\Migration\\RefreshWebcalJobRegistrar' => $baseDir . '/../lib/Migration/RefreshWebcalJobRegistrar.php', + 'OCA\\DAV\\Migration\\RemoveClassifiedEventActivity' => $baseDir . '/../lib/Migration/RemoveClassifiedEventActivity.php', 'OCA\\DAV\\Migration\\Version1004Date20170825134824' => $baseDir . '/../lib/Migration/Version1004Date20170825134824.php', 'OCA\\DAV\\Migration\\Version1004Date20170919104507' => $baseDir . '/../lib/Migration/Version1004Date20170919104507.php', 'OCA\\DAV\\Migration\\Version1004Date20170924124212' => $baseDir . '/../lib/Migration/Version1004Date20170924124212.php', diff --git a/apps/dav/composer/composer/autoload_static.php b/apps/dav/composer/composer/autoload_static.php index d6c5628b19..5a23166b02 100644 --- a/apps/dav/composer/composer/autoload_static.php +++ b/apps/dav/composer/composer/autoload_static.php @@ -170,6 +170,7 @@ class ComposerStaticInitDAV 'OCA\\DAV\\Migration\\CalDAVRemoveEmptyValue' => __DIR__ . '/..' . '/../lib/Migration/CalDAVRemoveEmptyValue.php', 'OCA\\DAV\\Migration\\FixBirthdayCalendarComponent' => __DIR__ . '/..' . '/../lib/Migration/FixBirthdayCalendarComponent.php', 'OCA\\DAV\\Migration\\RefreshWebcalJobRegistrar' => __DIR__ . '/..' . '/../lib/Migration/RefreshWebcalJobRegistrar.php', + 'OCA\\DAV\\Migration\\RemoveClassifiedEventActivity' => __DIR__ . '/..' . '/../lib/Migration/RemoveClassifiedEventActivity.php', 'OCA\\DAV\\Migration\\Version1004Date20170825134824' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170825134824.php', 'OCA\\DAV\\Migration\\Version1004Date20170919104507' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170919104507.php', 'OCA\\DAV\\Migration\\Version1004Date20170924124212' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170924124212.php', diff --git a/apps/dav/lib/Migration/RemoveClassifiedEventActivity.php b/apps/dav/lib/Migration/RemoveClassifiedEventActivity.php new file mode 100644 index 0000000000..1f1edf285a --- /dev/null +++ b/apps/dav/lib/Migration/RemoveClassifiedEventActivity.php @@ -0,0 +1,124 @@ + + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OCA\DAV\Migration; + +use OCA\DAV\CalDAV\CalDavBackend; +use OCP\IDBConnection; +use OCP\Migration\IOutput; +use OCP\Migration\IRepairStep; + +class RemoveClassifiedEventActivity implements IRepairStep { + + /** @var IDBConnection */ + private $connection; + + public function __construct(IDBConnection $connection) { + $this->connection = $connection; + } + + /** + * @inheritdoc + */ + public function getName() { + return 'Remove activity entries of private events'; + } + + /** + * @inheritdoc + */ + public function run(IOutput $output) { + if (!$this->connection->tableExists('activity')) { + return; + } + + $deletedEvents = $this->removePrivateEventActivity(); + $deletedEvents += $this->removeConfidentialUncensoredEventActivity(); + + $output->info("Removed $deletedEvents activity entries"); + } + + protected function removePrivateEventActivity(): int { + $deletedEvents = 0; + + $delete = $this->connection->getQueryBuilder(); + $delete->delete('activity') + ->where($delete->expr()->neq('affecteduser', $delete->createParameter('owner'))) + ->andWhere($delete->expr()->eq('object_type', $delete->createParameter('type'))) + ->andWhere($delete->expr()->eq('object_id', $delete->createParameter('calendar_id'))) + ->andWhere($delete->expr()->like('subjectparams', $delete->createParameter('event_uid'))); + + $query = $this->connection->getQueryBuilder(); + $query->select('c.principaluri', 'o.calendarid', 'o.uid') + ->from('calendarobjects', 'o') + ->leftJoin('o', 'calendars', 'c', $query->expr()->eq('c.id', 'o.calendarid')) + ->where($query->expr()->eq('o.classification', $query->createNamedParameter(CalDavBackend::CLASSIFICATION_PRIVATE))); + $result = $query->execute(); + + while ($row = $result->fetch()) { + $delete->setParameter('owner', $this->getPrincipal($row['principaluri'])) + ->setParameter('type', 'calendar') + ->setParameter('calendar_id', $row['calendarid']) + ->setParameter('event_uid', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '"') . '%'); + $deletedEvents += $delete->execute(); + } + $result->closeCursor(); + + return $deletedEvents; + } + + protected function removeConfidentialUncensoredEventActivity(): int { + $deletedEvents = 0; + + $delete = $this->connection->getQueryBuilder(); + $delete->delete('activity') + ->where($delete->expr()->neq('affecteduser', $delete->createParameter('owner'))) + ->andWhere($delete->expr()->eq('object_type', $delete->createParameter('type'))) + ->andWhere($delete->expr()->eq('object_id', $delete->createParameter('calendar_id'))) + ->andWhere($delete->expr()->like('subjectparams', $delete->createParameter('event_uid'))) + ->andWhere($delete->expr()->notLike('subjectparams', $delete->createParameter('filtered_name'))); + + $query = $this->connection->getQueryBuilder(); + $query->select('c.principaluri', 'o.calendarid', 'o.uid') + ->from('calendarobjects', 'o') + ->leftJoin('o', 'calendars', 'c', $query->expr()->eq('c.id', 'o.calendarid')) + ->where($query->expr()->eq('o.classification', $query->createNamedParameter(CalDavBackend::CLASSIFICATION_CONFIDENTIAL))); + $result = $query->execute(); + + while ($row = $result->fetch()) { + $delete->setParameter('owner', $this->getPrincipal($row['principaluri'])) + ->setParameter('type', 'calendar') + ->setParameter('calendar_id', $row['calendarid']) + ->setParameter('event_uid', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '"') . '%') + ->setParameter('filtered_name', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '","name":"Busy"') . '%'); + $deletedEvents += $delete->execute(); + } + $result->closeCursor(); + + return $deletedEvents; + } + + protected function getPrincipal(string $principalUri): string { + $uri = explode('/', $principalUri); + return $uri[2]; + } +}