From c6fa7b510dc938a14ddd1d2ecf2c98017924b9da Mon Sep 17 00:00:00 2001
From: brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Date: Mon, 14 Feb 2011 01:24:51 +0000
Subject: Refs #2912. Added checks for constraints in dangerous functions. Unit
 tests no longer remove all metadata/annotations.

git-svn-id: http://code.elgg.org/elgg/trunk@8215 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/annotations.php    |  4 ++--
 engine/lib/deprecated-1.8.php |  2 +-
 engine/lib/elgglib.php        | 55 +++++++++++++++++++++++++++++++++++++++++++
 engine/lib/metadata.php       |  6 +++--
 4 files changed, 62 insertions(+), 5 deletions(-)

(limited to 'engine/lib')

diff --git a/engine/lib/annotations.php b/engine/lib/annotations.php
index 9b3b49626..d4483ab82 100644
--- a/engine/lib/annotations.php
+++ b/engine/lib/annotations.php
@@ -200,7 +200,7 @@ function elgg_get_annotations(array $options = array()) {
  * @since 1.8
  */
 function elgg_delete_annotations(array $options) {
-	if (!$options || !is_array($options)) {
+	if (!elgg_is_valid_options_for_batch_operation($options, 'annotations')) {
 		return false;
 	}
 
@@ -218,7 +218,7 @@ function elgg_delete_annotations(array $options) {
  * @since 1.8
  */
 function elgg_disable_annotations(array $options) {
-	if (!$options || !is_array($options)) {
+	if (!elgg_is_valid_options_for_batch_operation($options, 'annotations')) {
 		return false;
 	}
 
diff --git a/engine/lib/deprecated-1.8.php b/engine/lib/deprecated-1.8.php
index f86d94621..431e32a23 100644
--- a/engine/lib/deprecated-1.8.php
+++ b/engine/lib/deprecated-1.8.php
@@ -3630,7 +3630,7 @@ function clear_metadata_by_owner($owner_guid) {
 	if (!$owner_guid) {
 		return false;
 	}
-	return elgg_delete_metadata(array('metadata_owner' => $owner_guid, 'limit' => 0));
+	return elgg_delete_metadata(array('metadata_owner_guid' => $owner_guid, 'limit' => 0));
 }
 
 /**
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index a00b21c52..95330844d 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -1725,6 +1725,61 @@ function elgg_batch_delete_callback($object) {
 	return $object->delete() ? true : false;
 }
 
+/**
+ * Checks if there are some constraints on the options array for
+ * potentially dangerous operations.
+ *
+ * @param array  $options Options array
+ * @param string $type    Options type: metadata or annotations
+ * @return bool
+ */
+function elgg_is_valid_options_for_batch_operation($options, $type) {
+	if (!$options || !is_array($options)) {
+		return false;
+	}
+
+	// at least one of these is required.
+	$required = array(
+		// generic restraints
+		'guid', 'guids', 'limit'
+	);
+
+	switch ($type) {
+		case 'metadata':
+			$metadata_required = array(
+				'metadata_owner_guid', 'metadata_owner_guids',
+				'metadata_name', 'metadata_names',
+				'metadata_value', 'metadata_values'
+			);
+
+			$required = array_merge($required, $metadata_required);
+			break;
+
+		case 'annotations':
+		case 'annotation':
+			$annotations_required = array(
+				'annotation_owner_guid', 'annotation_owner_guids',
+				'annotation_name', 'annotation_names',
+				'annotation_value', 'annotation_values'
+			);
+
+			$required = array_merge($required, $annotations_required);
+			break;
+
+		default:
+			return false;
+	}
+
+	foreach ($required as $key) {
+		// check that it exists and is something.
+		if (isset($options[$key]) && $options[$key]) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
 /**
  * Intercepts the index page when Walled Garden mode is enabled.
  *
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index 8a62929d5..c3aebb111 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -281,13 +281,15 @@ function elgg_get_metadata(array $options = array()) {
  * Deletes metadata based on $options.
  *
  * @warning Unlike elgg_get_metadata() this will not accept an empty options array!
+ *          This requires some constraints: metadata_owner_guid(s),
+ *          metadata_name(s), metadata_value(s), or limit must be set.
  *
  * @param array $options An options array. {@See elgg_get_metadata()}
  * @return mixed
  * @since 1.8
  */
 function elgg_delete_metadata(array $options) {
-	if (!$options || !is_array($options)) {
+	if (!elgg_is_valid_options_for_batch_operation($options, 'metadata')) {
 		return false;
 	}
 
@@ -305,7 +307,7 @@ function elgg_delete_metadata(array $options) {
  * @since 1.8
  */
 function elgg_disable_metadata(array $options) {
-	if (!$options || !is_array($options)) {
+	if (!elgg_is_valid_options_for_batch_operation($options, 'metadata')) {
 		return false;
 	}
 
-- 
cgit v1.2.3