diff --git a/VKAPI/Handlers/Friends.php b/VKAPI/Handlers/Friends.php index 3e06ba87..56af8d11 100644 --- a/VKAPI/Handlers/Friends.php +++ b/VKAPI/Handlers/Friends.php @@ -14,25 +14,22 @@ final class Friends extends VKAPIRequestHandler $this->requireUser(); - if ($user_id == 0) { + if ($user_id == 0) { $user_id = $this->getUser()->getId(); } - $user = $users->get($user_id); - - if(!$user || $user->isDeleted()) - $this->fail(100, "Invalid user"); - - if(!$user->getPrivacyPermission("friends.read", $this->getUser())) - $this->fail(15, "Access denied: this user chose to hide his friends."); - - if(!$user->canBeViewedBy($this->getUser())) - $this->fail(15, "Access denied"); + $user = $users->get($user_id); - foreach($user->getFriends($offset, $count) as $friend) { - $friends[$i] = $friend->getId(); - $i++; - } + if(!$user || $user->isDeleted()) + $this->fail(100, "Invalid user"); + + if(!$user->getPrivacyPermission("friends.read", $this->getUser())) + $this->fail(15, "Access denied: this user chose to hide his friends."); + + foreach($user->getFriends($offset, $count) as $friend) { + $friends[$i] = $friend->getId(); + $i++; + } $response = $friends; diff --git a/VKAPI/Handlers/Groups.php b/VKAPI/Handlers/Groups.php index 025af433..ffa4fedd 100644 --- a/VKAPI/Handlers/Groups.php +++ b/VKAPI/Handlers/Groups.php 
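Review bot: `$response = $friends;` at the end of the hunk reads `$friends` even when `getFriends($offset, $count)` yields nothing, and neither `$friends` nor `$i` is initialised anywhere inside the hunk; if they are not set above line 14, a user with no friends produces an undefined-variable notice and a `null` response instead of `[]`. Initialising both just before the loop, `$friends = []; $i = 0;`, makes the empty case explicit. The whole block is also re-indented, which hides that the only semantic change is dropping the `canBeViewedBy` check in favour of `getPrivacyPermission`. The method signature and any declarations before `requireUser()` are outside the hunk.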
@@ -19,14 +19,11 @@ final class Groups extends VKAPIRequestHandler $users = new UsersRepo; $user = $users->get($user_id); - if(is_null($user) || $user->isDeleted()) + if(is_null($user) || $user->isDeleted()) $this->fail(15, "Access denied"); - - if(!$user->canBeViewedBy($this->getUser())) - $this->fail(15, "Access denied"); - if(!$user->getPrivacyPermission('groups.read', $this->getUser())) - $this->fail(15, "Access denied: this user chose to hide his groups."); + if(!$user->getPrivacyPermission('groups.read', $this->getUser())) + $this->fail(15, "Access denied: this user chose to hide his groups."); foreach($user->getClubs($offset, $filter == "admin", $count, true) as $club) $clbs[] = $club; @@ -406,9 +403,15 @@ final class Groups extends VKAPIRequestHandler ]; foreach($filds as $fild) { + $canView = $member->canBeViewedBy($this->getUser()); switch($fild) { case "bdate": - $arr->items[$i]->bdate = $member->getBirthday()->format('%e.%m.%Y'); + if(!$canView) { + $arr->items[$i]->bdate = "01.01.1970"; + break; + } + + $arr->items[$i]->bdate = $member->getBirthday() ? $member->getBirthday()->format('%e.%m.%Y') : NULL; break; case "can_post": $arr->items[$i]->can_post = $club->canBeModifiedBy($member); @@ -429,6 +432,11 @@ final class Groups extends VKAPIRequestHandler $arr->items[$i]->connections = 1; break; case "contacts": + if(!$canView) { + $arr->items[$i]->contacts = "secret@gmail.com"; + break; + } + $arr->items[$i]->contacts = $member->getContactEmail(); break; case "country": 
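Review bot: `$canView = $member->canBeViewedBy($this->getUser());` is placed inside `foreach($filds as $fild)`, so the visibility check is re-evaluated once per requested field for every member although it depends only on `$member`; it belongs immediately before that `foreach`. The hidden-profile substitute `"01.01.1970"` for `bdate` is a valid date that a client cannot distinguish from a real birthday; returning `NULL`, as the new `getBirthday()` fallback on the next line already does, signals "withheld" without fabricating data. The same applies to `"secret@gmail.com"` assigned to `contacts` in the following hunk. The enclosing loop over members starts above the hunk.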
@@ -444,15 +452,30 @@ final class Groups extends VKAPIRequestHandler $arr->items[$i]->has_mobile = false; break; case "last_seen": + if(!$canView) { + $arr->items[$i]->last_seen = 0; + break; + } + $arr->items[$i]->last_seen = $member->getOnline()->timestamp(); break; case "lists": $arr->items[$i]->lists = ""; break; case "online": + if(!$canView) { + $arr->items[$i]->online = false; + break; + } + $arr->items[$i]->online = $member->isOnline(); break; case "online_mobile": + if(!$canView) { + $arr->items[$i]->online_mobile = false; + break; + } + $arr->items[$i]->online_mobile = $member->getOnlinePlatform() == "android" || $member->getOnlinePlatform() == "iphone" || $member->getOnlinePlatform() == "mobile"; break; case "photo_100": @@ -483,12 +506,27 @@ final class Groups extends VKAPIRequestHandler $arr->items[$i]->schools = 0; break; case "sex": + if(!$canView) { + $arr->items[$i]->sex = -1; + break; + } + $arr->items[$i]->sex = $member->isFemale() ? 1 : 2; break; case "site": + if(!$canView) { + $arr->items[$i]->site = NULL; + break; + } + $arr->items[$i]->site = $member->getWebsite(); break; case "status": + if(!$canView) { + $arr->items[$i]->status = "r"; + break; + } + $arr->items[$i]->status = $member->getStatus(); break; case "universities": diff --git a/VKAPI/Handlers/Likes.php b/VKAPI/Handlers/Likes.php index fab127f2..8b478a3b 100644 --- a/VKAPI/Handlers/Likes.php +++ b/VKAPI/Handlers/Likes.php @@ -44,7 +44,7 @@ final class Likes extends VKAPIRequestHandler if(is_null($postable) || $postable->isDeleted()) $this->fail(100, "One of the parameters specified was missing or invalid: object not found"); - if(method_exists($postable, "canBeViewedBy") && !$postable->canBeViewedBy($this->getUser() ?? NULL)) { + if(!$postable->canBeViewedBy($this->getUser() ?? NULL)) { $this->fail(2, "Access to postable denied"); } 
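Review bot: the substitutes written for non-viewable members in this hunk (`sex = -1`, `status = "r"`, and `last_seen = 0` / `online = false` in the preceding hunk) are fabricated values that look like real data; `last_seen = 0` in particular is a valid epoch timestamp and `"r"` is a plausible status string. Since `site` already falls back to `NULL`, using `NULL` uniformly, e.g. `$arr->items[$i]->status = NULL;` and `$arr->items[$i]->last_seen = NULL;`, lets clients tell "withheld" from "empty". The switch continues outside the hunk.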
@@ -89,7 +89,7 @@ final class Likes extends VKAPIRequestHandler if(is_null($postable) || $postable->isDeleted()) $this->fail(100, "One of the parameters specified was missing or invalid: object not found"); - if(method_exists($postable, "canBeViewedBy") && !$postable->canBeViewedBy($this->getUser() ?? NULL)) { + if(!$postable->canBeViewedBy($this->getUser() ?? NULL)) { $this->fail(2, "Access to postable denied"); } @@ -111,7 +111,7 @@ final class Likes extends VKAPIRequestHandler if(is_null($user) || $user->isDeleted()) $this->fail(100, "One of the parameters specified was missing or invalid: user not found"); - if(method_exists($user, "canBeViewedBy") && !$user->canBeViewedBy($this->getUser())) { + if(!$user->canBeViewedBy($this->getUser())) { $this->fail(1984, "Access denied: you can't see this user"); } @@ -181,6 +181,9 @@ final class Likes extends VKAPIRequestHandler if(!$object || $object->isDeleted()) $this->fail(56, "Invalid postable"); + if(!$object->canBeViewedBy($this->getUser())) + $this->fail(665, "Access to postable denied"); + $res = (object)[ "count" => $object->getLikesCount(), "items" => [] diff --git a/VKAPI/Handlers/Photos.php b/VKAPI/Handlers/Photos.php index 3db8ff34..d06ecde3 100644 --- a/VKAPI/Handlers/Photos.php +++ b/VKAPI/Handlers/Photos.php @@ -307,9 +307,6 @@ final class Photos extends VKAPIRequestHandler if(!$user->getPrivacyPermission('photos.read', $this->getUser())) $this->fail(21, "This user chose to hide his albums."); - if(!$user->canBeViewedBy($this->getUser())) - $this->fail(15, "Access denied"); - $albums = array_slice(iterator_to_array((new Albums)->getUserAlbums($user, 1, $count + $offset)), $offset); foreach($albums as $album) { 
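Review bot: the guard added in the last Likes hunk fails with code `665`, while the two identical checks earlier in the same file use code `2` for the same message `"Access to postable denied"`, so a client keying on error codes sees different codes for one condition. It also passes `$this->getUser()` directly where the earlier checks pass `$this->getUser() ?? NULL`; if this method can run without `requireUser()` (not visible here) the argument should match. Suggest `$this->fail(2, "Access to postable denied");`. The enclosing method starts outside the hunk.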
@@ -365,9 +362,8 @@ final class Photos extends VKAPIRequestHandler $this->requireUser(); $this->willExecuteWriteAction(); - if($user_id == 0 && $group_id == 0 || $user_id > 0 && $group_id > 0) { + if($user_id == 0 && $group_id == 0 || $user_id > 0 && $group_id > 0) $this->fail(21, "Select user_id or group_id"); - } if($user_id > 0) { $us = (new UsersRepo)->get($user_id); @@ -376,15 +372,11 @@ final class Photos extends VKAPIRequestHandler if(!$us->getPrivacyPermission('photos.read', $this->getUser())) $this->fail(21, "This user chose to hide his albums."); - - if(!$us->canBeViewedBy($this->getUser())) - $this->fail(15, "Access dennieeeddd"); return (new Albums)->getUserAlbumsCount($us); } - if($group_id > 0) - { + if($group_id > 0) { $cl = (new Clubs)->get($group_id); if(!$cl) { $this->fail(21, "Invalid club"); @@ -409,14 +401,8 @@ final class Photos extends VKAPIRequestHandler if(!$photo || $photo->isDeleted()) $this->fail(21, "Invalid photo"); - if($photo->getOwner()->isDeleted()) - $this->fail(21, "Owner of this photo is deleted"); - - if(!$photo->getOwner()->getPrivacyPermission('photos.read', $this->getUser())) - $this->fail(21, "This user chose to hide his photos."); - if(!$photo->canBeViewedBy($this->getUser())) - $this->fail(15, "Access denied..."); + $this->fail(15, "Access denied"); $res[] = $photo->toVkApiStruct($photo_sizes, $extended); } @@ -523,7 +509,7 @@ final class Photos extends VKAPIRequestHandler $this->fail(21, "Invalid photo"); if($photo->isDeleted()) - $this->fail(21, "Photo already deleted"); + $this->fail(21, "Photo is already deleted"); $photo->delete(); } else { 
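Review bot: the hunk at -409 drops both the deleted-owner check and the `photos.read` privacy check, leaving only `$photo->canBeViewedBy($this->getUser())`; whether `Photo::canBeViewedBy` consults the owner's `photos.read` setting is not visible in this diff, and the sibling handlers in this file (hunks at -307 and -671) still call `getPrivacyPermission('photos.read', …)` explicitly. If it does not, a photo can be fetched by id while the owner's album listing is hidden. Either keep `if(!$photo->getOwner()->getPrivacyPermission('photos.read', $this->getUser())) $this->fail(21, "This user chose to hide his photos.");` or add a comment stating that `Photo::canBeViewedBy` already covers it. The enclosing loop starts outside the hunk.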
@@ -535,17 +521,14 @@ final class Photos extends VKAPIRequestHandler $phot = (new PhotosRepo)->getByOwnerAndVID((int)$id[0], (int)$id[1]); - if($this->getUser()->getId() !== $phot->getOwner()->getId()) { + if($this->getUser()->getId() !== $phot->getOwner()->getId()) $this->fail(21, "You can't delete another's photo"); - } - if(!$phot) { + if(!$phot) $this->fail(21, "Invalid photo"); - } - if($phot->isDeleted()) { + if($phot->isDeleted()) $this->fail(21, "Photo already deleted"); - } $phot->delete(); } @@ -565,17 +548,11 @@ final class Photos extends VKAPIRequestHandler $this->willExecuteWriteAction(); $comment = (new CommentsRepo)->get($comment_id); - if(!$comment) { + if(!$comment) $this->fail(21, "Invalid comment"); - } - if(!$comment->canBeModifiedBy($this->getUser())) { - $this->fail(21, "Forbidden"); - } - - if($comment->isDeleted()) { - $this->fail(4, "Comment already deleted"); - } + if(!$comment->canBeModifiedBy($this->getUser())) + $this->fail(21, "Access denied"); $comment->delete(); @@ -592,14 +569,11 @@ final class Photos extends VKAPIRequestHandler $photo = (new PhotosRepo)->getByOwnerAndVID($owner_id, $photo_id); - if(!$photo) - $this->fail(180, "Photo not found"); - - if($photo->isDeleted()) - $this->fail(189, "Photo is deleted"); + if(!$photo || $photo->isDeleted()) + $this->fail(180, "Invalid photo"); if(!$photo->canBeViewedBy($this->getUser())) - $this->fail(15, "Access to photo denied."); + $this->fail(15, "Access to photo denied"); $comment = new Comment; $comment->setOwner($this->getUser()->getId()); 
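Review bot: in the first hunk, `$phot->getOwner()->getId()` in the ownership comparison runs before `if(!$phot)`, so an unknown owner/vid pair dereferences `null` and throws instead of failing with `"Invalid photo"`; the hunk restyles the braces but keeps the wrong order. Move the null check first: `if(!$phot) $this->fail(21, "Invalid photo");`, then the owner comparison, then `isDeleted()`. The second hunk also drops the `isDeleted()` check before `$comment->delete()`, so deleting an already-deleted comment now succeeds silently rather than failing with code 4; if that is intended, a short comment saying so would help. The surrounding else-branch starts outside the hunk.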
@@ -671,11 +645,10 @@ final class Photos extends VKAPIRequestHandler if(!$user->getPrivacyPermission('photos.read', $this->getUser())) $this->fail(21, "This user chose to hide his albums."); - if(!$user->canBeViewedBy($this->getUser())) - $this->fail(15, "Access denied"); - $photos = array_slice(iterator_to_array((new PhotosRepo)->getEveryUserPhoto($user, 1, $count + $offset)), $offset); - $res = []; + $res = [ + "items" => [], + ]; foreach($photos as $photo) { if(!$photo || $photo->isDeleted()) continue; @@ -715,4 +688,4 @@ final class Photos extends VKAPIRequestHandler return $res; } -} \ No newline at end of file +} diff --git a/VKAPI/Handlers/Status.php b/VKAPI/Handlers/Status.php index a1b104a2..5234a7fc 100644 --- a/VKAPI/Handlers/Status.php +++ b/VKAPI/Handlers/Status.php @@ -16,6 +16,10 @@ final class Status extends VKAPIRequestHandler $this->fail(501, "Group statuses are not implemented"); else { $user = (new UsersRepo)->get($user_id); + + if(!$user || $user->isDeleted() || !$user->canBeViewedBy($this->getUser())) + $this->fail(15, "Invalid user"); + $audioStatus = $user->getCurrentAudioStatus(); if($audioStatus) { return [ diff --git a/VKAPI/Handlers/Users.php b/VKAPI/Handlers/Users.php index 8b706a5a..c0735e95 100644 --- a/VKAPI/Handlers/Users.php +++ b/VKAPI/Handlers/Users.php @@ -54,8 +54,8 @@ final class Users extends VKAPIRequestHandler ]; $flds = explode(',', $fields); - - foreach($flds as $field) { + $canView = $usr->canBeViewedBy($this->getUser()); + foreach($flds as $field) { switch($field) { case "verified": $response[$i]->verified = intval($usr->isVerified()); @@ -149,7 +149,7 @@ final class Users extends VKAPIRequestHandler ]; } case "music": - if(!$usr->canBeViewedBy($this->getUser())) { + if(!$canView) { $response[$i]->music = "secret"; break; } 
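Review bot: the new guard in Status.php collapses "user not found", "deleted" and "not viewable" into `fail(15, "Invalid user")`, while the other handlers in this diff use `100`/`14` for an invalid user and `15` for access denied (Friends, Video). Hiding the distinction is a defensible anti-enumeration choice, but then the message should not say "Invalid user" for a profile that exists; `$this->fail(15, "Access denied")`, or splitting the two conditions, would be consistent with the rest. Whether `$this->getUser()` can be `null` here depends on a `requireUser()` call outside the hunk.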
@@ -157,7 +157,7 @@ final class Users extends VKAPIRequestHandler $response[$i]->music = $usr->getFavoriteMusic(); break; case "movies": - if(!$usr->canBeViewedBy($this->getUser())) { + if(!$canView) { $response[$i]->movies = "secret"; break; } @@ -165,7 +165,7 @@ final class Users extends VKAPIRequestHandler $response[$i]->movies = $usr->getFavoriteFilms(); break; case "tv": - if(!$usr->canBeViewedBy($this->getUser())) { + if(!$canView) { $response[$i]->tv = "secret"; break; } @@ -173,7 +173,7 @@ final class Users extends VKAPIRequestHandler $response[$i]->tv = $usr->getFavoriteShows(); break; case "books": - if(!$usr->canBeViewedBy($this->getUser())) { + if(!$canView) { $response[$i]->books = "secret"; break; } @@ -181,7 +181,7 @@ final class Users extends VKAPIRequestHandler $response[$i]->books = $usr->getFavoriteBooks(); break; case "city": - if(!$usr->canBeViewedBy($this->getUser())) { + if(!$canView) { $response[$i]->city = "Воскресенск"; break; } @@ -189,7 +189,7 @@ final class Users extends VKAPIRequestHandler $response[$i]->city = $usr->getCity(); break; case "interests": - if(!$usr->canBeViewedBy($this->getUser())) { + if(!$canView) { $response[$i]->interests = "secret"; break; } 
@@ -197,18 +197,43 @@ final class Users extends VKAPIRequestHandler $response[$i]->interests = $usr->getInterests(); break; case "quotes": - $response[$i]->interests = $usr->getFavoriteQuote(); + if(!$canView) { + $response[$i]->quotes = "secret"; + break; + } + + $response[$i]->quotes = $usr->getFavoriteQuote(); break; case "email": - $response[$i]->interests = $usr->getEmail(); + if(!$canView) { + $response[$i]->email = "secret@gmail.com"; + break; + } + + $response[$i]->email = $usr->getContactEmail(); break; case "telegram": - $response[$i]->interests = $usr->getTelegram(); + if(!$canView) { + $response[$i]->telegram = "@secret"; + break; + } + + $response[$i]->telegram = $usr->getTelegram(); break; case "about": - $response[$i]->interests = $usr->getDescription(); + if(!$canView) { + $response[$i]->about = "secret"; + break; + } + + $response[$i]->about = $usr->getDescription(); break; case "rating": + if(!$canView) { + $response[$i]->rating = 22; + break; + } + $response[$i]->rating = $usr->getRating(); break; } diff --git a/VKAPI/Handlers/Video.php b/VKAPI/Handlers/Video.php index 9158ce0f..f468686d 100755 --- a/VKAPI/Handlers/Video.php +++ b/VKAPI/Handlers/Video.php @@ -36,23 +36,16 @@ final class Video extends VKAPIRequestHandler ]; } else { if ($owner_id > 0) - $user = (new UsersRepo)->get($owner_id); + $user = (new UsersRepo)->get($owner_id); else $this->fail(1, "Not implemented"); - if(!$user->getPrivacyPermission('videos.read', $this->getUser())) { - $this->fail(20, "Access denied: this user chose to hide his videos"); - } - if(!$user || $user->isDeleted()) $this->fail(14, "Invalid user"); if(!$user->getPrivacyPermission('videos.read', $this->getUser())) $this->fail(21, "This user chose to hide his videos."); - if(!$user->canBeViewedBy($this->getUser())) - $this->fail(15, "Access denied"); - $videos = (new VideosRepo)->getByUser($user, $offset + 1, $count); $videosCount = (new VideosRepo)->getUserVideosCount($user); 
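Review bot: `"email"` now reads `getContactEmail()` instead of `getEmail()`, which looks like the substantive fix in this hunk (the old code also stored quotes, email, telegram and about under the wrong key `interests`); if `getEmail()` is the login address, this closes an account-email disclosure and deserves a line `// contact e-mail only; never expose the login e-mail here` so it is not "fixed" back. The substitutes for hidden profiles (`"secret@gmail.com"`, `"@secret"`, `rating = 22`, and `"Воскресенск"` for city in the earlier hunk) are plausible-looking fabricated values; `NULL` is the unambiguous "withheld" marker. The surrounding switch starts outside the hunk.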
diff --git a/Web/Models/Entities/User.php b/Web/Models/Entities/User.php index 49f2d002..57276192 100644 --- a/Web/Models/Entities/User.php +++ b/Web/Models/Entities/User.php @@ -508,6 +508,9 @@ class User extends RowModel else if($user->getId() === $this->getId()) return true; + if($permission != "messages.write" && !$this->canBeViewedBy($user)) + return false; + switch($permStatus) { case User::PRIVACY_ONLY_FRIENDS: return $this->getSubscriptionStatus($user) === User::SUBSCRIPTION_MUTUAL; diff --git a/Web/Presenters/NotesPresenter.php b/Web/Presenters/NotesPresenter.php index 6f952a09..67105fe3 100644 --- a/Web/Presenters/NotesPresenter.php +++ b/Web/Presenters/NotesPresenter.php @@ -19,7 +19,7 @@ final class NotesPresenter extends OpenVKPresenter { $user = (new Users)->get($owner); if(!$user) $this->notFound(); - if(!$user->getPrivacyPermission('notes.read', $this->user->identity ?? NULL) || !$user->canBeViewedBy($this->user->identity)) + if(!$user->getPrivacyPermission('notes.read', $this->user->identity ?? NULL)) $this->flashFail("err", tr("forbidden"), tr("forbidden_comment")); $this->template->notes = $this->notes->getUserNotes($user, (int)($this->queryParam("p") ?? 1)); diff --git a/Web/Presenters/PhotosPresenter.php b/Web/Presenters/PhotosPresenter.php index 1a3780c7..09130c60 100644 --- a/Web/Presenters/PhotosPresenter.php +++ b/Web/Presenters/PhotosPresenter.php @@ -25,7 +25,7 @@ final class PhotosPresenter extends OpenVKPresenter if($owner > 0) { $user = $this->users->get($owner); if(!$user) $this->notFound(); - if (!$user->getPrivacyPermission('photos.read', $this->user->identity ?? NULL) || !$user->canBeViewedBy($this->user->identity)) + if (!$user->getPrivacyPermission('photos.read', $this->user->identity ?? NULL)) $this->flashFail("err", tr("forbidden"), tr("forbidden_comment")); $this->template->albums = $this->albums->getUserAlbums($user, (int)($this->queryParam("p") ?? 1)); $this->template->count = $this->albums->getUserAlbumsCount($user); 
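Review bot: the new early return in `getPrivacyPermission` is the check every presenter and API handler in this diff now relies on after dropping their own `canBeViewedBy` calls, yet it carries no comment explaining the `messages.write` exemption or that it is now the single enforcement point; add `// Hidden/blocked profiles deny every permission except messages.write; callers no longer call canBeViewedBy themselves.` Use `!==` rather than `!=` for the string comparison. Callers pass `$this->user->identity ?? NULL`, so `$user` can be `null` here; whether `canBeViewedBy(null)` is accepted is not visible in the hunk, and the method's earlier null handling is outside it.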
diff --git a/Web/Presenters/UserPresenter.php b/Web/Presenters/UserPresenter.php index efd3141b..dcf9e3d5 100644 --- a/Web/Presenters/UserPresenter.php +++ b/Web/Presenters/UserPresenter.php @@ -65,7 +65,7 @@ final class UserPresenter extends OpenVKPresenter $page = abs((int)($this->queryParam("p") ?? 1)); if(!$user) $this->notFound(); - elseif (!$user->getPrivacyPermission('friends.read', $this->user->identity ?? NULL) || !$user->canBeViewedBy($this->user->identity)) + elseif (!$user->getPrivacyPermission('friends.read', $this->user->identity ?? NULL)) $this->flashFail("err", tr("forbidden"), tr("forbidden_comment")); else $this->template->user = $user; @@ -93,7 +93,7 @@ final class UserPresenter extends OpenVKPresenter $user = $this->users->get($id); if(!$user) $this->notFound(); - elseif (!$user->getPrivacyPermission('groups.read', $this->user->identity ?? NULL) || !$user->canBeViewedBy($this->user->identity)) + elseif (!$user->getPrivacyPermission('groups.read', $this->user->identity ?? NULL)) $this->flashFail("err", tr("forbidden"), tr("forbidden_comment")); else { if($this->queryParam("act") === "managed" && $this->user->id !== $user->getId()) diff --git a/Web/Presenters/VideosPresenter.php b/Web/Presenters/VideosPresenter.php index f6f2d5e3..625f4877 100644 --- a/Web/Presenters/VideosPresenter.php +++ b/Web/Presenters/VideosPresenter.php @@ -22,7 +22,7 @@ final class VideosPresenter extends OpenVKPresenter { $user = $this->users->get($id); if(!$user) $this->notFound(); - if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL) || !$user->canBeViewedBy($this->user->identity)) + if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL)) $this->flashFail("err", tr("forbidden"), tr("forbidden_comment")); $this->template->user = $user; 
@@ -43,7 +43,7 @@ final class VideosPresenter extends OpenVKPresenter if(!$user) $this->notFound(); if(!$video || $video->isDeleted()) $this->notFound(); - if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL) || !$video->canBeViewedBy($this->user->identity)) + if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL)) $this->flashFail("err", tr("forbidden"), tr("forbidden_comment")); $this->template->user = $user; diff --git a/Web/Presenters/WallPresenter.php b/Web/Presenters/WallPresenter.php index c2406c35..b29968d0 100644 --- a/Web/Presenters/WallPresenter.php +++ b/Web/Presenters/WallPresenter.php @@ -238,7 +238,7 @@ final class WallPresenter extends OpenVKPresenter $wallOwner = ($wall > 0 ? (new Users)->get($wall) : (new Clubs)->get($wall * -1)) ?? $this->flashFail("err", tr("failed_to_publish_post"), tr("error_4")); - if ($wallOwner->isBanned() || !$wallOwner->canBeViewedBy($this->user->identity)) + if ($wallOwner->isBanned()) $this->flashFail("err", tr("error"), tr("forbidden")); if($wall > 0) { diff --git a/Web/Presenters/templates/components/attachment.xml b/Web/Presenters/templates/components/attachment.xml index fbc36ede..5a656a74 100644 --- a/Web/Presenters/templates/components/attachment.xml +++ b/Web/Presenters/templates/components/attachment.xml @@ -10,7 +10,6 @@ {/if} {elseif $attachment instanceof \openvk\Web\Models\Entities\Video} - {if !$attachment->isDeleted()} {if $attachment->getType() === 0}
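Review bot: the condition dropped in the VideosPresenter hunk was `$video->canBeViewedBy(...)`, a check on the video object, not on `$user`, so the replacement `getPrivacyPermission('videos.read', …)` (which now includes the owner's profile visibility) does not cover whatever per-video rule that method enforces. Unless `Video::canBeViewedBy` only delegates to the owner, keep it: `if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL) || !$video->canBeViewedBy($this->user->identity))`. The enclosing action continues outside the hunk.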
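Review bot: in the WallPresenter hunk `$wallOwner` can be a `Clubs` entity (`$wall * -1`), and `User::getPrivacyPermission`, where the `canBeViewedBy` check moved in this commit, is not on that path, so dropping `!$wallOwner->canBeViewedBy($this->user->identity)` removes the only visibility check for club walls unless one follows later in the method. Keeping `if ($wallOwner->isBanned() || !$wallOwner->canBeViewedBy($this->user->identity))`, or confirming that the later wall-write handling covers clubs, would close that. The rest of the publish flow is outside the hunk.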
@@ -28,10 +27,6 @@ {$attachment->getName()}
- - {else} - {_video_is_deleted} - {/if} {elseif $attachment instanceof \openvk\Web\Models\Entities\Poll} {presenter "openvk!Poll->view", $attachment->getId()} {elseif $attachment instanceof \openvk\Web\Models\Entities\Note}
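Review bot: removing the `{if !$attachment->isDeleted()}` / `{_video_is_deleted}` branch means a deleted video attachment now renders its name and player markup unless every caller filters deleted attachments before including this template; nothing in this diff shows such a filter, and `Photos.php` still skips deleted photos explicitly with `if(!$photo || $photo->isDeleted()) continue;`. If deleted videos are now dropped upstream, a comment `{* deleted videos are filtered out by the caller *}` at the top of the video branch would record that. The HTML of the branch is not visible in this excerpt.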