Add a repair step to remove sensitive event activity

Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling 2019-01-08 18:39:40 +01:00
parent 32d76c7c92
commit 9f2d14447f
No known key found for this signature in database
GPG Key ID: 7076EA9751AACDDA
4 changed files with 128 additions and 1 deletions

View File

@ -5,7 +5,7 @@
<name>WebDAV</name>
<summary>WebDAV endpoint</summary>
<description>WebDAV endpoint</description>
<version>1.9.0</version>
<version>1.9.1</version>
<licence>agpl</licence>
<author>owncloud.org</author>
<namespace>DAV</namespace>
@ -31,6 +31,7 @@
<step>OCA\DAV\Migration\CalDAVRemoveEmptyValue</step>
<step>OCA\DAV\Migration\BuildCalendarSearchIndex</step>
<step>OCA\DAV\Migration\RefreshWebcalJobRegistrar</step>
<step>OCA\DAV\Migration\RemoveClassifiedEventActivity</step>
</post-migration>
</repair-steps>

View File

@ -155,6 +155,7 @@ return array(
'OCA\\DAV\\Migration\\CalDAVRemoveEmptyValue' => $baseDir . '/../lib/Migration/CalDAVRemoveEmptyValue.php',
'OCA\\DAV\\Migration\\FixBirthdayCalendarComponent' => $baseDir . '/../lib/Migration/FixBirthdayCalendarComponent.php',
'OCA\\DAV\\Migration\\RefreshWebcalJobRegistrar' => $baseDir . '/../lib/Migration/RefreshWebcalJobRegistrar.php',
'OCA\\DAV\\Migration\\RemoveClassifiedEventActivity' => $baseDir . '/../lib/Migration/RemoveClassifiedEventActivity.php',
'OCA\\DAV\\Migration\\Version1004Date20170825134824' => $baseDir . '/../lib/Migration/Version1004Date20170825134824.php',
'OCA\\DAV\\Migration\\Version1004Date20170919104507' => $baseDir . '/../lib/Migration/Version1004Date20170919104507.php',
'OCA\\DAV\\Migration\\Version1004Date20170924124212' => $baseDir . '/../lib/Migration/Version1004Date20170924124212.php',

View File

@ -170,6 +170,7 @@ class ComposerStaticInitDAV
'OCA\\DAV\\Migration\\CalDAVRemoveEmptyValue' => __DIR__ . '/..' . '/../lib/Migration/CalDAVRemoveEmptyValue.php',
'OCA\\DAV\\Migration\\FixBirthdayCalendarComponent' => __DIR__ . '/..' . '/../lib/Migration/FixBirthdayCalendarComponent.php',
'OCA\\DAV\\Migration\\RefreshWebcalJobRegistrar' => __DIR__ . '/..' . '/../lib/Migration/RefreshWebcalJobRegistrar.php',
'OCA\\DAV\\Migration\\RemoveClassifiedEventActivity' => __DIR__ . '/..' . '/../lib/Migration/RemoveClassifiedEventActivity.php',
'OCA\\DAV\\Migration\\Version1004Date20170825134824' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170825134824.php',
'OCA\\DAV\\Migration\\Version1004Date20170919104507' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170919104507.php',
'OCA\\DAV\\Migration\\Version1004Date20170924124212' => __DIR__ . '/..' . '/../lib/Migration/Version1004Date20170924124212.php',

View File

@ -0,0 +1,124 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2019 Joas Schilling <coding@schilljs.com>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\DAV\Migration;
use OCA\DAV\CalDAV\CalDavBackend;
use OCP\IDBConnection;
use OCP\Migration\IOutput;
use OCP\Migration\IRepairStep;
class RemoveClassifiedEventActivity implements IRepairStep {
/** @var IDBConnection */
private $connection;
public function __construct(IDBConnection $connection) {
$this->connection = $connection;
}
/**
* @inheritdoc
*/
public function getName() {
return 'Remove activity entries of private events';
}
/**
* @inheritdoc
*/
public function run(IOutput $output) {
if (!$this->connection->tableExists('activity')) {
return;
}
$deletedEvents = $this->removePrivateEventActivity();
$deletedEvents += $this->removeConfidentialUncensoredEventActivity();
$output->info("Removed $deletedEvents activity entries");
}
protected function removePrivateEventActivity(): int {
$deletedEvents = 0;
$delete = $this->connection->getQueryBuilder();
$delete->delete('activity')
->where($delete->expr()->neq('affecteduser', $delete->createParameter('owner')))
->andWhere($delete->expr()->eq('object_type', $delete->createParameter('type')))
->andWhere($delete->expr()->eq('object_id', $delete->createParameter('calendar_id')))
->andWhere($delete->expr()->like('subjectparams', $delete->createParameter('event_uid')));
$query = $this->connection->getQueryBuilder();
$query->select('c.principaluri', 'o.calendarid', 'o.uid')
->from('calendarobjects', 'o')
->leftJoin('o', 'calendars', 'c', $query->expr()->eq('c.id', 'o.calendarid'))
->where($query->expr()->eq('o.classification', $query->createNamedParameter(CalDavBackend::CLASSIFICATION_PRIVATE)));
$result = $query->execute();
while ($row = $result->fetch()) {
$delete->setParameter('owner', $this->getPrincipal($row['principaluri']))
->setParameter('type', 'calendar')
->setParameter('calendar_id', $row['calendarid'])
->setParameter('event_uid', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '"') . '%');
$deletedEvents += $delete->execute();
}
$result->closeCursor();
return $deletedEvents;
}
protected function removeConfidentialUncensoredEventActivity(): int {
$deletedEvents = 0;
$delete = $this->connection->getQueryBuilder();
$delete->delete('activity')
->where($delete->expr()->neq('affecteduser', $delete->createParameter('owner')))
->andWhere($delete->expr()->eq('object_type', $delete->createParameter('type')))
->andWhere($delete->expr()->eq('object_id', $delete->createParameter('calendar_id')))
->andWhere($delete->expr()->like('subjectparams', $delete->createParameter('event_uid')))
->andWhere($delete->expr()->notLike('subjectparams', $delete->createParameter('filtered_name')));
$query = $this->connection->getQueryBuilder();
$query->select('c.principaluri', 'o.calendarid', 'o.uid')
->from('calendarobjects', 'o')
->leftJoin('o', 'calendars', 'c', $query->expr()->eq('c.id', 'o.calendarid'))
->where($query->expr()->eq('o.classification', $query->createNamedParameter(CalDavBackend::CLASSIFICATION_CONFIDENTIAL)));
$result = $query->execute();
while ($row = $result->fetch()) {
$delete->setParameter('owner', $this->getPrincipal($row['principaluri']))
->setParameter('type', 'calendar')
->setParameter('calendar_id', $row['calendarid'])
->setParameter('event_uid', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '"') . '%')
->setParameter('filtered_name', '%' . $this->connection->escapeLikeParameter('{"id":"' . $row['uid'] . '","name":"Busy"') . '%');
$deletedEvents += $delete->execute();
}
$result->closeCursor();
return $deletedEvents;
}
protected function getPrincipal(string $principalUri): string {
$uri = explode('/', $principalUri);
return $uri[2];
}
}