Issues in Data.php (master) - Issues in master - nextcloud/activity - Measure and Improve Code Quality continuously with Scrutinizer

Issues (159)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/Data.php (1 issue)

Labels

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * @copyright Copyright (c) 2016, ownCloud, Inc.
 *
 * @author Frank Karlitschek <[email protected]>
 * @author Joas Schilling <[email protected]>
 * @author Thomas Müller <[email protected]>
 *
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 *
 */

namespace OCA\Activity;

use OCP\Activity\IEvent;
use OCP\Activity\IExtension;
use OCP\Activity\IFilter;
use OCP\Activity\IManager;
use OCP\DB\QueryBuilder\IQueryBuilder;
use OCP\IDBConnection;
use OCP\IL10N;

/**
 * @brief Class for managing the data in the activities
 */
class Data {
	/** @var IManager */
	protected $activityManager;

	/** @var IDBConnection */
	protected $connection;

	/**
	 * @param IManager $activityManager
	 * @param IDBConnection $connection
	 */
	public function __construct(IManager $activityManager, IDBConnection $connection) {
		$this->activityManager = $activityManager;
		$this->connection = $connection;
	}

	/**
	 * Send an event into the activity stream
	 *
	 * @param IEvent $event
	 * @return bool
	 */
	public function send(IEvent $event) {
		if ($event->getAffectedUser() === '' || $event->getAffectedUser() === null) {
			return false;
		}

		// store in DB
		$queryBuilder = $this->connection->getQueryBuilder();
		$queryBuilder->insert('activity')
			->values([
				'app' => $queryBuilder->createParameter('app'),
				'subject' => $queryBuilder->createParameter('subject'),
				'subjectparams' => $queryBuilder->createParameter('subjectparams'),
				'message' => $queryBuilder->createParameter('message'),
				'messageparams' => $queryBuilder->createParameter('messageparams'),
				'file' => $queryBuilder->createParameter('object_name'),
				'link' => $queryBuilder->createParameter('link'),
				'user' => $queryBuilder->createParameter('user'),
				'affecteduser' => $queryBuilder->createParameter('affecteduser'),
				'timestamp' => $queryBuilder->createParameter('timestamp'),
				'priority' => $queryBuilder->createParameter('priority'),
				'type' => $queryBuilder->createParameter('type'),
				'object_type' => $queryBuilder->createParameter('object_type'),
				'object_id' => $queryBuilder->createParameter('object_id'),
			])
			->setParameters([
				'app' => $event->getApp(),
				'type' => $event->getType(),
				'affecteduser' => $event->getAffectedUser(),
				'user' => $event->getAuthor(),
				'timestamp' => (int) $event->getTimestamp(),
				'subject' => $event->getSubject(),
				'subjectparams' => json_encode($event->getSubjectParameters()),
				'message' => $event->getMessage(),
				'messageparams' => json_encode($event->getMessageParameters()),
				'priority' => IExtension::PRIORITY_MEDIUM,
				'object_type' => $event->getObjectType(),
				'object_id' => (int) $event->getObjectId(),
				'object_name' => $event->getObjectName(),
				'link' => $event->getLink(),
			])
			->execute();

		return true;
	}

	/**
	 * Send an event as email
	 *
	 * @param IEvent $event
	 * @param int    $latestSendTime Activity $timestamp + batch setting of $affectedUser
	 * @return bool
	 */
	public function storeMail(IEvent $event, int $latestSendTime): bool {
		$affectedUser = $event->getAffectedUser();
		if ($affectedUser === '' || $affectedUser === null) {
			return false;
		}

		$query = $this->connection->getQueryBuilder();
		$query->insert('activity_mq')
			->values([
				'amq_appid' => $query->createNamedParameter($event->getApp()),
				'amq_subject' => $query->createNamedParameter($event->getSubject()),
				'amq_subjectparams' => $query->createNamedParameter(json_encode($event->getSubjectParameters())),
				'amq_affecteduser' => $query->createNamedParameter($affectedUser),
				'amq_timestamp' => $query->createNamedParameter((int) $event->getTimestamp()),
				'amq_type' => $query->createNamedParameter($event->getType()),
				'amq_latest_send' => $query->createNamedParameter($latestSendTime),
				'object_type' => $query->createNamedParameter($event->getObjectType()),
				'object_id' => $query->createNamedParameter($event->getObjectId()),
			]);
		$query->execute();

		return true;
	}

	/**
	 * Read a list of events from the activity stream
	 *
	 * @param GroupHelper $groupHelper Allows activities to be grouped
	 * @param UserSettings $userSettings Gets the settings of the user
	 * @param string $user User for whom we display the stream
	 *
	 * @param int $since The integer ID of the last activity that has been seen.
	 * @param int $limit How many activities should be returned
	 * @param string $sort Should activities be given ascending or descending
	 *
	 * @param string $filter Filter the activities
	 * @param string $objectType Allows to filter the activities to a given object. May only appear together with $objectId
	 * @param int $objectId Allows to filter the activities to a given object. May only appear together with $objectType
	 *
	 * @return array
	 *
	 * @throws \OutOfBoundsException if the user (Code: 1) or the since (Code: 2) is invalid
	 * @throws \BadMethodCallException if the user has selected to display no types for this filter (Code: 3)
	 */
	public function get(GroupHelper $groupHelper, UserSettings $userSettings, $user, $since, $limit, $sort, $filter, $objectType = '', $objectId = 0) {
		// get current user
		if ($user === '') {
			throw new \OutOfBoundsException('Invalid user', 1);
		}
		$groupHelper->setUser($user);

		$activeFilter = null;
		try {
			$activeFilter = $this->activityManager->getFilterById($filter);
		} catch (\InvalidArgumentException $e) {
			// Unknown filter => ignore and show all activities
		}

		$enabledNotifications = $userSettings->getNotificationTypes($user, 'stream');
		if ($activeFilter instanceof IFilter) {
			$enabledNotifications = $activeFilter->filterTypes($enabledNotifications);
		}
		$enabledNotifications = array_unique($enabledNotifications);

		// We don't want to display any activities
		if (empty($enabledNotifications)) {
			throw new \BadMethodCallException('No settings enabled', 3);
		}

		$query = $this->connection->getQueryBuilder();
		$query->select('*')
			->from('activity');

		$query->where($query->expr()->eq('affecteduser', $query->createNamedParameter($user)))
			->andWhere($query->expr()->in('type', $query->createNamedParameter($enabledNotifications, IQueryBuilder::PARAM_STR_ARRAY)));
		if ($filter === 'self') {
			$query->andWhere($query->expr()->eq('user', $query->createNamedParameter($user)));

		} else if ($filter === 'by') {
			$query->andWhere($query->expr()->neq('user', $query->createNamedParameter($user)));

		} else if ($filter === 'all' && !$userSettings->getUserSetting($user, 'setting', 'self')) {
			$query->andWhere($query->expr()->orX(
				$query->expr()->neq('user', $query->createNamedParameter($user)),
				$query->expr()->notIn('type', $query->createNamedParameter([
					'file_created',
					'file_changed',
					'file_deleted',
					'file_restored',
				], IQueryBuilder::PARAM_STR_ARRAY))
			));

		} else if ($filter === 'filter') {
			if (!$userSettings->getUserSetting($user, 'setting', 'self')) {
				$query->andWhere($query->expr()->orX(
					$query->expr()->neq('user', $query->createNamedParameter($user)),
					$query->expr()->notIn('type', $query->createNamedParameter([
						'file_created',
						'file_changed',
						'file_deleted',
						'file_restored',
					], IQueryBuilder::PARAM_STR_ARRAY))
				));
			}

			$query->andWhere($query->expr()->eq('object_type', $query->createNamedParameter($objectType)));
			$query->andWhere($query->expr()->eq('object_id', $query->createNamedParameter($objectId)));
		}

		if ($activeFilter instanceof IFilter) {
			$apps = $activeFilter->allowedApps();
			if (!empty($apps)) {
				$query->andWhere($query->expr()->in('app', $query->createNamedParameter($apps, IQueryBuilder::PARAM_STR_ARRAY)));
			}
		}

		if (
			$filter === 'files_favorites' ||
			(in_array($filter, ['all', 'by', 'self']) && $userSettings->getUserSetting($user, 'stream', 'files_favorites'))
		) {
			try {
				$favoriteFilter = $this->activityManager->getFilterById('files_favorites');
				/** @var \OCA\Files\Activity\Filter\Favorites $favoriteFilter */
				$favoriteFilter->filterFavorites($query);
			} catch (\InvalidArgumentException $e) {

			}
		}

		/**
		 * Order and specify the offset
		 */
		$sqlSort = ($sort === 'asc') ? 'ASC' : 'DESC';
		$headers = $this->setOffsetFromSince($query, $user, $since, $sqlSort);
		$query->orderBy('timestamp', $sqlSort)
			->addOrderBy('activity_id', $sqlSort);

		$query->setMaxResults($limit + 1);

		$result = $query->execute();
		$hasMore = false;
		while ($row = $result->fetch()) {
			if ($limit === 0) {
				$hasMore = true;
				break;
			}
			$headers['X-Activity-Last-Given'] = (int) $row['activity_id'];
			$groupHelper->addActivity($row);
			$limit--;
		}
		$result->closeCursor();

		return ['data' => $groupHelper->getActivities(), 'has_more' => $hasMore, 'headers' => $headers];
	}

	/**
	 * @param IQueryBuilder $query
	 * @param string $user
	 * @param int $since
	 * @param string $sort
	 *
	 * @return array Headers that should be set on the response
	 *
	 * @throws \OutOfBoundsException If $since is not owned by $user
	 */
	protected function setOffsetFromSince(IQueryBuilder $query, $user, $since, $sort) {
		if ($since) {
			$queryBuilder = $this->connection->getQueryBuilder();
			$queryBuilder->select(['affecteduser', 'timestamp'])
				->from('activity')
				->where($queryBuilder->expr()->eq('activity_id', $queryBuilder->createNamedParameter((int) $since)));
			$result = $queryBuilder->execute();
			$activity = $result->fetch();
			$result->closeCursor();

			if ($activity) {
				if ($activity['affecteduser'] !== $user) {
					throw new \OutOfBoundsException('Invalid since', 2);
				}
				$timestamp = (int) $activity['timestamp'];

				if ($sort === 'DESC') {
					$query->andWhere($query->expr()->lte('timestamp', $query->createNamedParameter($timestamp)));
					$query->andWhere($query->expr()->lt('activity_id', $query->createNamedParameter($since)));
				} else {
					$query->andWhere($query->expr()->gte('timestamp', $query->createNamedParameter($timestamp)));
					$query->andWhere($query->expr()->gt('activity_id', $query->createNamedParameter($since)));
				}
				return [];
			}
		}

		/**
		 * Couldn't find the since, so find the oldest one and set the header
		 */
		$fetchQuery = $this->connection->getQueryBuilder();
		$fetchQuery->select('activity_id')
			->from('activity')
			->where($fetchQuery->expr()->eq('affecteduser', $fetchQuery->createNamedParameter($user)))
			->orderBy('timestamp', $sort)
			->setMaxResults(1);
		$result = $fetchQuery->execute();
		$activity = $result->fetch();
		$result->closeCursor();

		if ($activity !== false) {
			return [
				'X-Activity-First-Known' => (int) $activity['activity_id'],
			];
		}

		return [];
	}

	/**
	 * Verify that the filter is valid
	 *
	 * @param string $filterValue
	 * @return string
	 */
	public function validateFilter($filterValue) {
		if (!isset($filterValue)) {
			return 'all';
		}

		switch ($filterValue) {
			case 'filter':
				return $filterValue;
			default:
				try {
					$this->activityManager->getFilterById($filterValue);
					return $filterValue;
				} catch (\InvalidArgumentException $e) {
					return 'all';
				}
		}
	}

	/**
	 * Delete old events
	 *
	 * @param int $expireDays Minimum 1 day
	 */
	public function expire($expireDays = 365) {
		$ttl = (60 * 60 * 24 * max(1, $expireDays));

		$timelimit = time() - $ttl;
		$this->deleteActivities(array(
			'timestamp' => array($timelimit, '<'),
		));
	}

	/**
	 * Delete activities that match certain conditions
	 *
	 * @param array $conditions Array with conditions that have to be met
	 *                      'field' => 'value'  => `field` = 'value'
	 *    'field' => array('value', 'operator') => `field` operator 'value'
	 */
	public function deleteActivities($conditions) {
		$sqlWhere = '';
		$sqlParameters = $sqlWhereList = array();
		foreach ($conditions as $column => $comparison) {
			$sqlWhereList[] = " `$column` " . ((is_array($comparison) && isset($comparison[1])) ? $comparison[1] : '=') . ' ? ';
			$sqlParameters[] = (is_array($comparison)) ? $comparison[0] : $comparison;
		}

		if (!empty($sqlWhereList)) {
			$sqlWhere = ' WHERE ' . implode(' AND ', $sqlWhereList);
		}

		$query = $this->connection->prepare(
			'DELETE FROM `*PREFIX*activity`' . $sqlWhere);
		$query->execute($sqlParameters);
	}
}


1		<?php
2		/**
3		* @copyright Copyright (c) 2016, ownCloud, Inc.
4		*
5		* @author Frank Karlitschek <[email protected]>
6		* @author Joas Schilling <[email protected]>
7		* @author Thomas Müller <[email protected]>
8		*
9		* @license AGPL-3.0
10		*
11		* This code is free software: you can redistribute it and/or modify
12		* it under the terms of the GNU Affero General Public License, version 3,
13		* as published by the Free Software Foundation.
14		*
15		* This program is distributed in the hope that it will be useful,
16		* but WITHOUT ANY WARRANTY; without even the implied warranty of
17		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18		* GNU Affero General Public License for more details.
19		*
20		* You should have received a copy of the GNU Affero General Public License, version 3,
21		* along with this program. If not, see <http://www.gnu.org/licenses/>
22		*
23		*/
24
25		namespace OCA\Activity;
26
27		use OCP\Activity\IEvent;
28		use OCP\Activity\IExtension;
29		use OCP\Activity\IFilter;
30		use OCP\Activity\IManager;
31		use OCP\DB\QueryBuilder\IQueryBuilder;
32		use OCP\IDBConnection;
33		use OCP\IL10N;
34
35		/**
36		* @brief Class for managing the data in the activities
37		*/
38		class Data {
39		/** @var IManager */
40		protected $activityManager;
41
42		/** @var IDBConnection */
43		protected $connection;
44
45		/**
46		* @param IManager $activityManager
47		* @param IDBConnection $connection
48		*/
49	40	public function __construct(IManager $activityManager, IDBConnection $connection) {
50	40	$this->activityManager = $activityManager;
51	40	$this->connection = $connection;
52	40	}
53
54		/**
55		* Send an event into the activity stream
56		*
57		* @param IEvent $event
58		* @return bool
59		*/
60	5	public function send(IEvent $event) {
61	5	if ($event->getAffectedUser() === '' \|\| $event->getAffectedUser() === null) {
62	2	return false;
63		}
64
65		// store in DB
66	3	$queryBuilder = $this->connection->getQueryBuilder();
67	3	$queryBuilder->insert('activity')
68	3	->values([
69	3	'app' => $queryBuilder->createParameter('app'),
70	3	'subject' => $queryBuilder->createParameter('subject'),
71	3	'subjectparams' => $queryBuilder->createParameter('subjectparams'),
72	3	'message' => $queryBuilder->createParameter('message'),
73	3	'messageparams' => $queryBuilder->createParameter('messageparams'),
74	3	'file' => $queryBuilder->createParameter('object_name'),
75	3	'link' => $queryBuilder->createParameter('link'),
76	3	'user' => $queryBuilder->createParameter('user'),
77	3	'affecteduser' => $queryBuilder->createParameter('affecteduser'),
78	3	'timestamp' => $queryBuilder->createParameter('timestamp'),
79	3	'priority' => $queryBuilder->createParameter('priority'),
80	3	'type' => $queryBuilder->createParameter('type'),
81	3	'object_type' => $queryBuilder->createParameter('object_type'),
82	3	'object_id' => $queryBuilder->createParameter('object_id'),
83		])
84	3	->setParameters([
85	3	'app' => $event->getApp(),
86	3	'type' => $event->getType(),
87	3	'affecteduser' => $event->getAffectedUser(),
88	3	'user' => $event->getAuthor(),
89	3	'timestamp' => (int) $event->getTimestamp(),
90	3	'subject' => $event->getSubject(),
91	3	'subjectparams' => json_encode($event->getSubjectParameters()),
92	3	'message' => $event->getMessage(),
93	3	'messageparams' => json_encode($event->getMessageParameters()),
94	3	'priority' => IExtension::PRIORITY_MEDIUM,
95	3	'object_type' => $event->getObjectType(),
96	3	'object_id' => (int) $event->getObjectId(),
97	3	'object_name' => $event->getObjectName(),
98	3	'link' => $event->getLink(),
99		])
100	3	->execute();
101
102	3	return true;
103		}
104
105		/**
106		* Send an event as email
107		*
108		* @param IEvent $event
109		* @param int $latestSendTime Activity $timestamp + batch setting of $affectedUser
110		* @return bool
111		*/
112	4	public function storeMail(IEvent $event, int $latestSendTime): bool {
113	4	$affectedUser = $event->getAffectedUser();
114	4	if ($affectedUser === '' \|\| $affectedUser === null) {
115	2	return false;
116		}
117
118	2	$query = $this->connection->getQueryBuilder();
119	2	$query->insert('activity_mq')
120	2	->values([
121	2	'amq_appid' => $query->createNamedParameter($event->getApp()),
122	2	'amq_subject' => $query->createNamedParameter($event->getSubject()),
123	2	'amq_subjectparams' => $query->createNamedParameter(json_encode($event->getSubjectParameters())),
124	2	'amq_affecteduser' => $query->createNamedParameter($affectedUser),
125	2	'amq_timestamp' => $query->createNamedParameter((int) $event->getTimestamp()),
126	2	'amq_type' => $query->createNamedParameter($event->getType()),
127	2	'amq_latest_send' => $query->createNamedParameter($latestSendTime),
128	2	'object_type' => $query->createNamedParameter($event->getObjectType()),
129	2	'object_id' => $query->createNamedParameter($event->getObjectId()),
130		]);
131	2	$query->execute();
132
133	2	return true;
134		}
135
136		/**
137		* Read a list of events from the activity stream
138		*
139		* @param GroupHelper $groupHelper Allows activities to be grouped
140		* @param UserSettings $userSettings Gets the settings of the user
141		* @param string $user User for whom we display the stream
142		*
143		* @param int $since The integer ID of the last activity that has been seen.
144		* @param int $limit How many activities should be returned
145		* @param string $sort Should activities be given ascending or descending
146		*
147		* @param string $filter Filter the activities
148		* @param string $objectType Allows to filter the activities to a given object. May only appear together with $objectId
149		* @param int $objectId Allows to filter the activities to a given object. May only appear together with $objectType
150		*
151		* @return array
152		*
153		* @throws \OutOfBoundsException if the user (Code: 1) or the since (Code: 2) is invalid
154		* @throws \BadMethodCallException if the user has selected to display no types for this filter (Code: 3)
155		*/
156	5	public function get(GroupHelper $groupHelper, UserSettings $userSettings, $user, $since, $limit, $sort, $filter, $objectType = '', $objectId = 0) {
157		// get current user
158	5	if ($user === '') {
159		throw new \OutOfBoundsException('Invalid user', 1);
160		}
161	5	$groupHelper->setUser($user);
162
163	5	$activeFilter = null;
164		try {
165	5	$activeFilter = $this->activityManager->getFilterById($filter);
166	5	} catch (\InvalidArgumentException $e) {
167		// Unknown filter => ignore and show all activities
168		}
169
170	5	$enabledNotifications = $userSettings->getNotificationTypes($user, 'stream');
171	5	if ($activeFilter instanceof IFilter) {
172		$enabledNotifications = $activeFilter->filterTypes($enabledNotifications);
173		}
174	5	$enabledNotifications = array_unique($enabledNotifications);
175
176		// We don't want to display any activities
177	5	if (empty($enabledNotifications)) {
178		throw new \BadMethodCallException('No settings enabled', 3);
179		}
180
181	5	$query = $this->connection->getQueryBuilder();
182	5	$query->select('*')
183	5	->from('activity');
184
185	5	$query->where($query->expr()->eq('affecteduser', $query->createNamedParameter($user)))
186	5	->andWhere($query->expr()->in('type', $query->createNamedParameter($enabledNotifications, IQueryBuilder::PARAM_STR_ARRAY)));
187	5	if ($filter === 'self') {
188		$query->andWhere($query->expr()->eq('user', $query->createNamedParameter($user)));
189
190	5	} else if ($filter === 'by') {
191		$query->andWhere($query->expr()->neq('user', $query->createNamedParameter($user)));
192
193	5	} else if ($filter === 'all' && !$userSettings->getUserSetting($user, 'setting', 'self')) {
194		$query->andWhere($query->expr()->orX(
195		$query->expr()->neq('user', $query->createNamedParameter($user)),
196		$query->expr()->notIn('type', $query->createNamedParameter([
197		'file_created',
198		'file_changed',
199		'file_deleted',
200		'file_restored',
201		], IQueryBuilder::PARAM_STR_ARRAY))
202		));
203
204	5	} else if ($filter === 'filter') {
205		if (!$userSettings->getUserSetting($user, 'setting', 'self')) {
206		$query->andWhere($query->expr()->orX(
207		$query->expr()->neq('user', $query->createNamedParameter($user)),
208		$query->expr()->notIn('type', $query->createNamedParameter([
209		'file_created',
210		'file_changed',
211		'file_deleted',
212		'file_restored',
213		], IQueryBuilder::PARAM_STR_ARRAY))
214		));
215		}
216
217		$query->andWhere($query->expr()->eq('object_type', $query->createNamedParameter($objectType)));
218		$query->andWhere($query->expr()->eq('object_id', $query->createNamedParameter($objectId)));
219		}
220
221	5	if ($activeFilter instanceof IFilter) {
222		$apps = $activeFilter->allowedApps();
223		if (!empty($apps)) {
224		$query->andWhere($query->expr()->in('app', $query->createNamedParameter($apps, IQueryBuilder::PARAM_STR_ARRAY)));
225		}
226		}
227
228		if (
229	5	$filter === 'files_favorites' \|\|
230	5	(in_array($filter, ['all', 'by', 'self']) && $userSettings->getUserSetting($user, 'stream', 'files_favorites'))
231		) {
232		try {
233		$favoriteFilter = $this->activityManager->getFilterById('files_favorites');
234		/** @var \OCA\Files\Activity\Filter\Favorites $favoriteFilter */
235		$favoriteFilter->filterFavorites($query);
236		} catch (\InvalidArgumentException $e) {
		0 ignored issues – show Coding Style Comprehensibility introduced 2016-12-12 16:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider adding a comment why this CATCH block is empty. Loading history...
237		}
238		}
239
240		/**
241		* Order and specify the offset
242		*/
243	5	$sqlSort = ($sort === 'asc') ? 'ASC' : 'DESC';
244	5	$headers = $this->setOffsetFromSince($query, $user, $since, $sqlSort);
245	5	$query->orderBy('timestamp', $sqlSort)
246	5	->addOrderBy('activity_id', $sqlSort);
247
248	5	$query->setMaxResults($limit + 1);
249
250	5	$result = $query->execute();
251	5	$hasMore = false;
252	5	while ($row = $result->fetch()) {
253	4	if ($limit === 0) {
254	2	$hasMore = true;
255	2	break;
256		}
257	4	$headers['X-Activity-Last-Given'] = (int) $row['activity_id'];
258	4	$groupHelper->addActivity($row);
259	4	$limit--;
260		}
261	5	$result->closeCursor();
262
263	5	return ['data' => $groupHelper->getActivities(), 'has_more' => $hasMore, 'headers' => $headers];
264		}
265
266		/**
267		* @param IQueryBuilder $query
268		* @param string $user
269		* @param int $since
270		* @param string $sort
271		*
272		* @return array Headers that should be set on the response
273		*
274		* @throws \OutOfBoundsException If $since is not owned by $user
275		*/
276	10	protected function setOffsetFromSince(IQueryBuilder $query, $user, $since, $sort) {
277	10	if ($since) {
278	5	$queryBuilder = $this->connection->getQueryBuilder();
279	5	$queryBuilder->select(['affecteduser', 'timestamp'])
280	5	->from('activity')
281	5	->where($queryBuilder->expr()->eq('activity_id', $queryBuilder->createNamedParameter((int) $since)));
282	5	$result = $queryBuilder->execute();
283	5	$activity = $result->fetch();
284	5	$result->closeCursor();
285
286	5	if ($activity) {
287	4	if ($activity['affecteduser'] !== $user) {
288	1	throw new \OutOfBoundsException('Invalid since', 2);
289		}
290	3	$timestamp = (int) $activity['timestamp'];
291
292	3	if ($sort === 'DESC') {
293	2	$query->andWhere($query->expr()->lte('timestamp', $query->createNamedParameter($timestamp)));
294	2	$query->andWhere($query->expr()->lt('activity_id', $query->createNamedParameter($since)));
295		} else {
296	1	$query->andWhere($query->expr()->gte('timestamp', $query->createNamedParameter($timestamp)));
297	1	$query->andWhere($query->expr()->gt('activity_id', $query->createNamedParameter($since)));
298		}
299	3	return [];
300		}
301		}
302
303		/**
304		* Couldn't find the since, so find the oldest one and set the header
305		*/
306	6	$fetchQuery = $this->connection->getQueryBuilder();
307	6	$fetchQuery->select('activity_id')
308	6	->from('activity')
309	6	->where($fetchQuery->expr()->eq('affecteduser', $fetchQuery->createNamedParameter($user)))
310	6	->orderBy('timestamp', $sort)
311	6	->setMaxResults(1);
312	6	$result = $fetchQuery->execute();
313	6	$activity = $result->fetch();
314	6	$result->closeCursor();
315
316	6	if ($activity !== false) {
317		return [
318	4	'X-Activity-First-Known' => (int) $activity['activity_id'],
319		];
320		}
321
322	2	return [];
323		}
324
325		/**
326		* Verify that the filter is valid
327		*
328		* @param string $filterValue
329		* @return string
330		*/
331		public function validateFilter($filterValue) {
332		if (!isset($filterValue)) {
333		return 'all';
334		}
335
336		switch ($filterValue) {
337		case 'filter':
338		return $filterValue;
339		default:
340		try {
341		$this->activityManager->getFilterById($filterValue);
342		return $filterValue;
343		} catch (\InvalidArgumentException $e) {
344		return 'all';
345		}
346		}
347		}
348
349		/**
350		* Delete old events
351		*
352		* @param int $expireDays Minimum 1 day
353		*/
354	1	public function expire($expireDays = 365) {
355	1	$ttl = (60 * 60 * 24 * max(1, $expireDays));
356
357	1	$timelimit = time() - $ttl;
358	1	$this->deleteActivities(array(
359	1	'timestamp' => array($timelimit, '<'),
360		));
361	1	}
362
363		/**
364		* Delete activities that match certain conditions
365		*
366		* @param array $conditions Array with conditions that have to be met
367		* 'field' => 'value' => `field` = 'value'
368		* 'field' => array('value', 'operator') => `field` operator 'value'
369		*/
370	11	public function deleteActivities($conditions) {
371	11	$sqlWhere = '';
372	11	$sqlParameters = $sqlWhereList = array();
373	11	foreach ($conditions as $column => $comparison) {
374	11	$sqlWhereList[] = " `$column` " . ((is_array($comparison) && isset($comparison[1])) ? $comparison[1] : '=') . ' ? ';
375	11	$sqlParameters[] = (is_array($comparison)) ? $comparison[0] : $comparison;
376		}
377
378	11	if (!empty($sqlWhereList)) {
379	11	$sqlWhere = ' WHERE ' . implode(' AND ', $sqlWhereList);
380		}
381
382	11	$query = $this->connection->prepare(
383	11	'DELETE FROM `PREFIXactivity`' . $sqlWhere);
384	11	$query->execute($sqlParameters);
385	11	}
386		}
387

nextcloud / activity

Issues (159)

Security Analysis no request data

lib/Data.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like