From aef77db6970494a75283da0c5c378fb0a3001cf1 Mon Sep 17 00:00:00 2001 From: lalka2016 <99399973+lalka2016@users.noreply.github.com> Date: Fri, 14 Jul 2023 19:29:46 +0300 Subject: [PATCH] idk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Запрет likes.isLiked при недоступном user_id, запрет просмотра и доступа через API к опросам которые были созданы закрытым профилем, добавление кнопки блокировки в поддержке для закрытых профилей --- VKAPI/Handlers/Likes.php | 5 ++++- VKAPI/Handlers/Polls.php | 11 ++++++++++- Web/Models/Entities/Poll.php | 4 ++-- Web/Presenters/PollPresenter.php | 6 ++++++ Web/Presenters/templates/Group/View.xml | 7 +++---- Web/Presenters/templates/User/View.xml | 13 +++++++++++-- Web/static/img/deleted_club_200.png | Bin 3693 -> 3493 bytes 7 files changed, 36 insertions(+), 10 deletions(-) diff --git a/VKAPI/Handlers/Likes.php b/VKAPI/Handlers/Likes.php index 11ab4700..11ad9743 100644 --- a/VKAPI/Handlers/Likes.php +++ b/VKAPI/Handlers/Likes.php @@ -70,9 +70,12 @@ final class Likes extends VKAPIRequestHandler switch($type) { case "post": $user = (new UsersRepo)->get($user_id); - if (is_null($user)) + if(is_null($user)) $this->fail(100, "One of the parameters specified was missing or invalid: user not found"); + if(!$user->canBeViewedBy($this->getUser())) + $this->fail(1983, "Access to user denied"); + $post = (new PostsRepo)->getPostById($owner_id, $item_id); if (is_null($post)) $this->fail(100, "One of the parameters specified was missing or invalid: object not found"); diff --git a/VKAPI/Handlers/Polls.php b/VKAPI/Handlers/Polls.php index be947a44..3497120f 100755 --- a/VKAPI/Handlers/Polls.php +++ b/VKAPI/Handlers/Polls.php 
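Review bot: In the `case "post":` branch the new `canBeViewedBy` guard covers only the user whose like is being queried; the post fetched right after it by `getPostById($owner_id, $item_id)` is still only tested for null in the visible lines, so the like state of a post on a closed profile's wall may remain queryable. If the post entity exposes an equivalent visibility check, apply it after the null test; otherwise check the wall owner the same way as `$user`. The distinct codes 100 and 1983 also tell a caller whether a given user_id exists, which deserves a comment such as `// 1983 intentionally distinguishes a closed profile from a missing user`. The rest of the switch lies outside the hunk, so the other `$type` cases could not be checked here.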
@@ -14,9 +14,12 @@ final class Polls extends VKAPIRequestHandler { $poll = (new PollsRepo)->get($poll_id); - if (!$poll) + if(!$poll) $this->fail(100, "One of the parameters specified was missing or invalid: poll_id is incorrect"); + if(!$poll->canBeViewedBy($this->getUser())) + $this->fail(256, "Access to poll denied"); + $users = array(); $answers = array(); foreach($poll->getResults()->options as $answer) { @@ -73,6 +76,9 @@ final class Polls extends VKAPIRequestHandler if(!$poll) $this->fail(251, "Invalid poll id"); + if(!$poll->canBeViewedBy($this->getUser())) + $this->fail(256, "Access to poll denied"); + try { $poll->vote($this->getUser(), explode(",", $answers_ids)); return 1; @@ -95,6 +101,9 @@ final class Polls extends VKAPIRequestHandler if(!$poll) $this->fail(251, "Invalid poll id"); + if(!$poll->canBeViewedBy($this->getUser())) + $this->fail(256, "Access to poll denied"); + try { $poll->revokeVote($this->getUser()); return 1; diff --git a/Web/Models/Entities/Poll.php b/Web/Models/Entities/Poll.php index 043b0eba..4ec48219 100644 --- a/Web/Models/Entities/Poll.php +++ b/Web/Models/Entities/Poll.php @@ -293,8 +293,8 @@ class Poll extends Attachable } } - function canBeViewedBy(?User $user): bool + function canBeViewedBy(?User $user = NULL): bool { - return true; + return $this->getOwner()->canBeViewedBy($user); } } diff --git a/Web/Presenters/PollPresenter.php b/Web/Presenters/PollPresenter.php index 9c75e3bf..950459a8 100644 --- a/Web/Presenters/PollPresenter.php +++ b/Web/Presenters/PollPresenter.php @@ -19,6 +19,9 @@ final class PollPresenter extends OpenVKPresenter $poll = $this->polls->get($id); if(!$poll) $this->notFound(); + + if(!$poll->canBeViewedBy($this->user->identity)) + $this->notFound(); $this->template->id = $poll->getId(); $this->template->title = $poll->getTitle(); 
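Review bot: Answering a hidden poll with code 256 while a missing one gets 100 or 251 lets an API caller tell which poll ids exist behind closed profiles, whereas the web presenter in this same patch answers `notFound()` for both cases. If that difference is not intended, reuse the not-found failure for the denied case, e.g. `$this->fail(251, "Invalid poll id");` in the vote and revoke handlers. The same three-line guard is repeated in the hunks at -14, -73 and -95; a private helper that loads the poll and applies both checks would keep the three methods from drifting apart. All three method bodies start and end outside the hunks.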
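Review bot: `canBeViewedBy()` now calls `$this->getOwner()->canBeViewedBy($user)` without checking what `getOwner()` returned, so, assuming `getOwner()` can return NULL for a removed owner, the access check would raise an error instead of yielding a decision. Failing closed is the safer shape: `$owner = $this->getOwner();` followed by `return !is_null($owner) && $owner->canBeViewedBy($user);`. A docblock stating that visibility is inherited from the owner's profile privacy alone, and not from where the poll is attached, would tell callers what this check does and does not cover.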
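Review bot: Both new guards read `$this->user->identity`, which assumes `$this->user` is populated; if these actions are reachable by logged-out visitors (any login assertion is outside the hunks), that read happens on a null object. `Poll::canBeViewedBy()` accepts NULL in this patch, so `$poll->canBeViewedBy($this->user->identity ?? NULL)` would cover the guest case in the hunk at -19 and in the one at -53 alike. Answering `notFound()` rather than a forbidden page avoids revealing that the poll exists; a short comment saying so would keep that choice from being undone later.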
@@ -53,6 +56,9 @@ final class PollPresenter extends OpenVKPresenter if(!$poll) $this->notFound(); + if(!$poll->canBeViewedBy($this->user->identity)) + $this->notFound(); + if($poll->isAnonymous()) $this->flashFail("err", tr("forbidden"), tr("poll_err_anonymous")); diff --git a/Web/Presenters/templates/Group/View.xml b/Web/Presenters/templates/Group/View.xml index 010edf67..7e120ba0 100644 --- a/Web/Presenters/templates/Group/View.xml +++ b/Web/Presenters/templates/Group/View.xml @@ -135,13 +135,12 @@ function banClub() { let name = {$club->getName()} let body = tr("ban_group_desc", {$club->getName()}) - let cool = tr("come_up_with_something_cool") let num = {$club->getId()} body += `
- - ` + tr('delete_every_post') + - `
` + tr('unsubscribe_everyoune') + + +
` MessageBox({_ban_group} + " " + {$club->getName()}, body, [{_ok}, {_cancel}], [ diff --git a/Web/Presenters/templates/User/View.xml b/Web/Presenters/templates/User/View.xml index d2b16bda..e7c00ae1 100644 --- a/Web/Presenters/templates/User/View.xml +++ b/Web/Presenters/templates/User/View.xml @@ -110,6 +110,15 @@ {/if} + {if $thisUser->getChandlerUser()->can('write')->model('openvk\Web\Models\Entities\TicketReply')->whichBelongsTo(0)} + + {if $user->isBannedInSupport()} + {_unban_in_support_user_action} + {else} + {_ban_in_support_user_action} + {/if} + + {/if}
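Review bot: The added `{if $thisUser->getChandlerUser()->can('write')->model('openvk\Web\Models\Entities\TicketReply')->whichBelongsTo(0)}` block decides only whether the support ban/unban control is rendered; this patch touches no handler, so confirm that the action behind the control repeats the same permission check server-side and is protected against cross-site requests. The block also dereferences `$thisUser` directly, and the enclosing conditions are outside the hunk, so verify that it sits inside a logged-in guard. The markup of the control itself is not visible in this rendering.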
@@ -728,6 +737,8 @@ } + {/if} +
- {/if} - {else} {* isBanned() *} {include "banned.xml"} {/if} 
diff --git a/Web/static/img/deleted_club_200.png b/Web/static/img/deleted_club_200.png index 6050ba2ac1f6ee0dfbf1b6bf468a356d6857d784..eb634f19b27eaab4f50477a5c36e1d0f1022dec6 100644 GIT binary patch delta 3270 zcmV;%3_0`d9HkqOK>=csLa%?~;^J^{a1<020000Q8XAa*h^D5d5D*Y8EiLNm>h$#V z2L}g5MMYs@VHXz{EG#TBF)?0VUN0{%V`F38-Q5ih4ILdF+S=NemzPXTOc)p#*x1;f zo}O}Ya#vSZBO@c<-`^1t5mr`KY;0^~WMnETDqCAyA0HoCSy?M9E7?5R*^P~j@bK^f z0RbBu8|CHYtE;PrhlhrShU4Soi;Ihbf`WsCgSfc30|Nt= zKLQtj3(QGGK~#8N?VO8O<4hTcGijP+k~Fs#7J4BR+GbiA8=LzbjBr-jHUlz?Gc zwk8)vM{!lt)OF~*xn?PpOTe`%MtN=h-Nt6MR&Q(-WJA+UPkc+`1r)Z+5^UN#yRCM| zN67cPo!-Xg-aar**Lgcb9|)zgqrZ0#`d9>3LH;KA?RSSp;J%rm0)+BFv5r8!6RAjl zfza`~VCi5`d>c~A1IY?@s+}Ks2MY&?usm)n%s=uc+wPIn_n*=*1(Aqj9?ZIpxfh2bu zdc`ZRyb@6fz)94vnC&A(>HTsOfi+`I?yk|@Omi3KM%~}>W+3G8t@_|B*kqQ z{u2L_WbIlOtF(#$Ni%CHYg7DxDhz*(|6y6a-xDi1R%G?EM0-eITqr4ePNCCkE@$7S7{VBhHgs7K2Aee2BccG|tm+WL91qI%1f0wfqa zj09>rLf3x||H5>nGTV1BD+H9vPNjKsiR+Rw5#9cS94xm{un=d0kiUlE-`M4t5LRzU zdE0HO52M=_xYEXr4ogdajKqMbN;Ia5V78;bhaq5>X(8LX!|Ejz2jY=@pDaW%2zAaY zda<}PPXG%scC$i03&R6;nab=Hb(z&0QVNWdRG|daISlmDHY=4s0IDC^Ph*(v=pX<5 z7rROe={s8X2D=uy5v*(qqNJ(fd3i}~0u1%A%PgH_Pg=;Oqp(_kF+g-Gx1?XOvMF%d zS+S{XFUwyBo>@3fjAcfkPoF;Rvdff^s+bufz>=dFfR#-J`%wj32dB#lVPsvYCe~6L z5c+o*{)b(rgzT~^Lx3EdM+KsiBf)-D<@&vG!;0pPXsQRPc!V-Z27ZYHT!?HASXEqZEZC>Xo2GrZtl=&yAQ|nEA!D#C-`^eYS-`LxEIS+Q)8w|$94u{7 zl$5=AWu}IVLUVk-`#3H{RLl=a#qnUDCU;3$und3 zCL8Rt^b5;aUZ5qG-mxZOhKvwp;CuU+8MLzI_9xweDA;G|Z9$ipCIrZ(hv6(b4mHT% z6Eb0+V(&A1M=M6bew@B#WmeJrZ~}#Tj?9t~s6qWf*3Xi?#BpY2BWSQ6XEa=8X)PiE z)273OnKD9uWDeTXGNB0Yj3ks{WeF_Uk25ZWNl|4^09PMGy`9-ILS#;7&CYo6z*8o) zNF40P8M{U{7|RXpInoVzYRf2*IcIlPR*3Azv+uBC670tr7ujGeKd=z*c_H0%m=)q! 
z@p_n490vPwdc$1e-ViYK!n0iq`x;WVhe+^lT*xqg*pJiK3|4v>0QkaS$9-!nduK({ ziJco(HWlp0>03+eS%MrGwdj|r4Wm$l{JNFdoC6xHj|mwD`z*b;yr^9eWnI6G9kh}+^oJ)9W#F6>vhzD;mMqeiOezk8eVTlB%Sz@A5Ix;0#X6n?bq`H7+qu{v zp~j~}OPbtYN>qiLLsTq#Cw@5nEC}60GZR~gJ8hOr85M&3jO(8R07we70`FrhGUa93 z+9y*Q>s-Kfqo|!4pJ|c9B`hKU0L8YH?cMf&6#a^_W;S(~oYiJuL2#NkWSCIn)8O)` zrDnHS7YsH=R8_E5Z($p#nJfwiSgD*KPyDcZ6_jeY zHKvt;L8w}?0?XEw;c0VGiylEzNcpytXV)TK+_h|PYw}^tXTkPeUc0t!>!w1-yPM7-)CZv)NiB2KoJqfo5BQZHV~GOu8e)tWOb@-OMduCpy%lU{Gr(yNfe}jodhp zuom5LO!yGl%&bol73~bjA+J0TWfymU@T-&gWkle?vUdtArmB9V{gYXrf|jeotT(U- zfanI=)n1SN&ir6Y`{!N|DC@(gL=!-rn{0@@07Tgcl!w{o+^0b3Y_Dupr0TQZh1Ng0 z(e$!V@X)l1yYcqut3hbv$_nl}?BhgGzt}XD1xo>rrkvj6-)BGaT5!X*?*g}f%0529 z@kghkYw{xZO##&IS__jwz};*6zx(ayhl$@`ADEVDENrX*rBY0t4Ok4QY76)5`U!Bu zoxR%^b?A<}&hr5r-DA(m76|HI>yPaEX>d2_J&N{Xo-l|I?k{Yd4?*ktAUUM^G-SGN zlvLGu{i@=;MKXo*#7$MEyKl3CY6_fI2$8Z`%xsU%0+1?R>VVk- z!ApsrI$!i6sP>vB!Or{9&G78ZLP2$P+n;8*Q&3;im{oHCJk6-FZ(1~esO1S~XY9kv zpmy1wf8qk3e#kaA7Y_2vPHP4s-5YEEW1F&J*B9z#r9lVoUU!DR^$6#E&I<&f>A6h4 z5$ImM>KwBVFGE(IIUPtW#Mbhevk0gIgx2&zeDpu)&etS(&Z-DgI7IV;9^4Oox|ux< zs4vYK$m590-hbtG!*ig2OYQK!HU0OaEp@)71bBA(-1x#log1k-eT(>LZ_d3H$LOX2o&puy^hy{TGHv|^b;^1RMuP$ml{8`%?s4MQeFsnM?gI| zj}S3Xrgu;01J#Vi3@zfLfj#@S3Xm%|@jcNcaHemxda8Qm07bF1`OOunE~>jS%-3bgLd z*0&scCr7_`2x{nm@sX#gK)q8qix8luUh>Wp>;Z#WmPFrQ&z_Qe2FI53b+ckn*MWU@ zJr$_ujlZ$=G(hyMQr@dN1MTRkmwsOcq3s#Ag@6Nx?;S0KZl}{ZYh!wZ7GdL(aI$Zg zPwolT512j7?geH&;*s#sAe<8p_V*9&Ccle486(C`&|=hi1Q|y|-`**|Uo>%9$s7bJu0d$~Ya@#hKY$ zIk~vF1O)|!g@pwK1nB7KWMyR&5)zh|m+^SKg@px$LRnl~ymsvxBO@aR2S-LmhNh+_ z5{aazr?0K8g+iel8ykm*hdewyB_$=y%*^TO=`%AkKYskUbmO&K*@% z)%yDS+qZAKxw)~jvLX-&K0dzK*x0D3D06djM@L6~etvCjZDV6&F)^{++*}_YA2l^K zAt50Q2BWU7P9P9eR8-j6*$WB^l$4YtB(M@eK|zX&iqX;0hK7b{H2U)8%M}$B3JMB3 zIyx{I%-Pu)4u@A)SBr~_GcYi)u&~(K*|oH^L_|bfzkYpwejbHFfj}T#UEQ^{waL#@ z&jA1cbBL)65&+=%^q&E>=9xtrHgH~(D;D-v2e0I3 zmOZ&o4uH92Z@s+C}r^H*9k0lZE!ur4QWiUo))u5v-ed&X5fpxO`4ZOEdrl-nlp@h#b 
zRF|=6{by9{+X_?p;m|zGw5wP6^s6gH)g^o^x_H1AHc|&;ZPI)hpgUPrqY8Tjcw0Wb<((?X=b9R3JL8P#_d;^StgIpv+fJ9|$F2>u>%7RyH~nT$bP14Fq#;nx zcfWhp5edYHeh_-K(YIy6Wr=VHBVNGd3O1cs7WOO5GzEWS{;uWfjF%f=KSkQfgBoK@ zEcSz>;}InhaW|`r19RFcUyP`u=F;PXt>>41%znt_?8LXdP@B!`yy~u3sf3%|0caUX zDkT{-?(h`loBsCbIWf_{n9304jQYd7r*lf9(Es{bzF09@x@M_-=zXTuLi-W58{4w0 zvtMOpvSC}sXL0AvB}sN4f&Te^UddCF;HciYd8HlQ-%~3Qx3rzkcp`}O{rvcs?qhB; zUAhC5wWy?;g-3xc{;O;A!}I9nN8`O_EVGjpTz+aVL3XIg4UOdE)wL9g7RE~V)Ueqn zuCeZ?R!b=b#EfLXE^UUegvC1NV+oo&+uXb?qwHw~6k;N->eU}6zcp5?0n%ria?$Vm zY$wWIcixN`C0)_`%hphTCvvig63W^?I-RGykS2z!HmsT2A>))5v zz4$Dz)-@gaj=E*6?cw0}iNLki^WmP9KxZm3$GDMc*-L3!>27!tB@ZDZfE6E^5+d?L zKY+%;6aS6N+3RFNjn@L`%6)L|4J2d2GqZ>OYA<~ADT=~OdKqDBK&y9*;r~YH8tIG;#eT> zi>aeWx$2R8X>O>I(N0q_)?!cL-rpIy)0jkfmOLuyY*zV7sKL~Y0sErI$}la{-iXg? zqa{Q>5;P;BA-CeQeo?fdgk=!o~0U68@AkmHWf z-LINQY^SR>{E!)Nva*X`Xv@QCnt(!W#|ko^f*L6m{;|?u=6nv@(xLPV`k0-pEGOgV zbQSKS`Kz(hkPbJSBKMv8O&zFccy}Enb?_$w5%lamxQxp&a*U`?a?sQsGQhzia>+bx z{`(+kU;?suE<<2`?gFlF4cJg?3tz4;Y@NU&vWhxRZZ;Ig{IOj6UdUiF z*RR+5w|vnEdqlL=Sh}t8+OZy_#UCri9zb*B#^cy@2+ojYrU zytr`f8^o&TW5iIAGhGD&ZS5Ss0b>7%`ks6}AjL)9Ek?ZPF(w{AWM0jp(H|IatSZGR zzNFgm#{D8c0GYc2Uz6#+=yf@7&&i)=-r4{vVmD%4!o%{3BXY<<8Z(MpNzZIC2HzNZ zU_}Z8c{AG`FvVYcDQzBha|+fIN%E%&qKNGBBlSQ>2b(-+5(RtqcX+3YQ` zhhK8 zMc?I(FD6Kv{zxTJW5?{P<+nH-M=~fScFCNb1r_xEtf=Wl&n-Hw*l$=G5DCkiy)*NA zX!FBI@|P1Zu@)&gaM=N4GVxk91(ZN%Ac%K-OM6HVacXMvK>NPyw~EYPUm?vK~YL|X|VV1Dk#15Y2KQ%r4e;DgV6-nxr2u8M|k`SY(R~X zc>mp}8$c>Lz$CTH00&^L@uk6;$}d?s@XO77{}}Ey`CcR>@C`Eb0zH(R z^i%|lHytdNY|5KFKM+U41>Vu(v^nr(&lrk>)0EhQ!EJ`yuY|@u;pJ<=`hPkc#1OqK z92UCm>Ye*P-2j8do7f%brn-@+HOp(T`=BjOj&;@-QIpBIHMNxzAWiO5hTj5vrVeHy z=lP)fP@h0`osbjPM?v6OZSx}A_L}v=o6XMp5XCv~6l6HaUDcPgLxX}-HslGWj+hM{ z5wiUjLiptV?Q`oJmr)TRnzEM~dLvOn&QMn|SdnH-tL+XJMs=FEH8V0CZU0r{(O2%d z>nxPN)|6PH59zdJA^4lO{@jdd{r#pGEumq})Wd-pmeyN!$)9jMDi-_2#8Av@_M3Zx6x)QTz9BXOsY5LPz z>8|dI_C;ZvnN8>gNYcKzkUF5Wi%bNVhKzT(C>v;vO&_wCUp2sjM8U=qt+?8n6Ii7< ze@MBH50m7nXVjtR^LBs5bnt*b!$gfobaKZ-sf_o-X+ly8yuyzOoduC40lIzDtieBo 
z)nZ8yHnh4Yo^h2cM;M+=dy!K!3Xkin5z@E~!CsTE4+zSAq~y~=BmIB`5qGlh-Js7C zeFS9O|Lx*KT}(0xZK|T1Hf}+#cml)v;2t4aTGp3BgA(m>514P#ExOpwDIM0#!(uLJ z%*fH`?>0_^+JL%)B-r!-D`jIQX04?2=goq&`)iQWxE6X@)0a%{cipLn;nzS_l~1V2 zSXyt-U*7zrzD!K%aH|$hKgqyQyTokn`vpa4_wi>#12Nj%pa;o&f>zSys)t=Z6{;CS z4Nzdf*t9B^PT-w;BFOGWao`(FXIyxRM5R1*<1_C2SAYMk6ShA3qN*QDRXQDdSE>xe znVOFd#CL@=S&Otp;&&#U`V*g++c{60VGrlhgn8?0gSn9)&;$0#7IRN@96FfRRIb*f z=OR@8G60-KJY1LxY?nU1OnW*^3CmTiTza~fuT7nTgUg@$il-=1ThRZ_@c-B5&xGRz-OoAi$PEu8{1N^C Pz77DWk)