Diffstat (limited to 'src/Controller/Village.php')
-rw-r--r-- | src/Controller/Village.php | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/src/Controller/Village.php b/src/Controller/Village.php index 16a8981..c678779 100644 --- a/src/Controller/Village.php +++ b/src/Controller/Village.php @@ -3,6 +3,7 @@ namespace App\Controller; use App\DB; +use App\Guard; use App\Model\Event\SendUnits; use App\Model\Event\TrainUnits; use App\Model\Event\UpgradeBuilding; @@ -19,7 +20,15 @@ class Village #[Route(path: '/villages', methods: ['GET'])] public function list(): Response { - $villages = DB::fetch(Model::class, "select * from villages"); + $villages = DB::fetch( + Model::class, + <<<SQL + select * from villages + join user_villages on villages.id = user_villages.village_id + where user_villages.user_id=:id + SQL, + ['id' => $_SESSION['user']['id']] + ); return new Response(View::render('villages.twig', [ 'villages' => $villages, @@ -30,6 +39,11 @@ class Village public function show(Request $request): Response { $village = Model::getByCoordinates($request->get('x'), $request->get('y')); + + if (! Guard::ownsVillage($village->id)) { + return new Response(View::render('error.twig', ['message' => 'Insufficient permission']), 403); + } + $events = []; $eventsBuilding = DB::query( @@ -41,7 +55,7 @@ class Village )->fetchAll(); foreach ($eventsBuilding as $row) { - $events['UpgradeBuilding'][] = DB::convertToModel(UpgradeBuilding::class, $row); + $events['UpgradeBuilding'][$row['type']][] = DB::convertToModel(UpgradeBuilding::class, $row); } $eventsUnits = DB::query( @@ -68,7 +82,7 @@ class Village <<<SQL select * from events_send_units as event left join events on event.event_id = events.id - where destination=:id and is_canceled=false + where (destination=:id or source=:id) and village_id!=:id and is_canceled=false SQL, ['id' => $village->id] )->fetchAll(); |
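Review bot: In the `list()` hunk the new query binds `$_SESSION['user']['id']` directly, so a request without a logged-in session binds null (with an undefined-index warning) instead of being refused. Unless routing outside this diff already enforces login, a guard before the fetch such as `if (! isset($_SESSION['user']['id'])) { return new Response(View::render('error.twig', ['message' => 'Insufficient permission']), 403); }` would fail closed. Separately, `select *` over the join also returns the `user_villages` columns. If that table has a column sharing a name with one in `villages` (an `id`, for instance), the hydrated `Model` may carry the wrong value, and `select villages.* from villages` avoids that.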
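Review bot: In the `show()` hunk the new guard dereferences `$village->id` before anything confirms that a village exists at the requested coordinates. If `Model::getByCoordinates()` can return null (its definition is outside this diff), an unknown `x`/`y` ends in an error rather than a controlled response. Handle that case first, e.g. `if ($village === null) { return new Response(View::render('error.twig', ['message' => 'Village not found']), 404); }`, or fold it into the guard so both cases answer identically. The ownership check is added only in this action, and whether other actions that load a village from request parameters call `Guard::ownsVillage` cannot be confirmed from this hunk. The body of `show()` continues beyond the hunk.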
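Review bot: The rewritten `where` clause in the last hunk uses the named placeholder `:id` three times while the parameter array binds it once. If `DB::query` wraps PDO, a repeated named marker is accepted only when prepares are emulated, and with native prepared statements the execute fails; the wrapper's configuration is not visible here. Distinct names remove that dependency: `where (destination=:dest or source=:src) and village_id!=:own and is_canceled=false` with `['dest' => $village->id, 'src' => $village->id, 'own' => $village->id]`. The statement and its enclosing method begin outside the hunk.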