friendica/include/api.php

<?php
/**
 * @file include/api.php
 * Friendica implementation of statusnet/twitter API
 *
 * @todo Automatically detect if incoming data is HTML or BBCode
 */

use Friendica\App;
use Friendica\Core\System;
use Friendica\Core\Config;
use Friendica\Core\NotificationsManager;
use Friendica\Core\Worker;
use Friendica\Database\DBM;
use Friendica\Protocol\Diaspora;

require_once 'include/HTTPExceptions.php';
require_once 'include/bbcode.php';
require_once 'include/datetime.php';
require_once 'include/conversation.php';
require_once 'include/oauth.php';
require_once 'include/html2plain.php';
require_once 'mod/share.php';
require_once 'include/Photo.php';
require_once 'mod/item.php';
require_once 'include/security.php';
require_once 'include/contact_selectors.php';
require_once 'include/html2bbcode.php';
require_once 'mod/wall_upload.php';
require_once 'mod/proxy.php';
require_once 'include/message.php';
require_once 'include/group.php';
require_once 'include/like.php';
require_once 'include/plaintext.php';
require_once 'include/xml.php';

define('API_METHOD_ANY', '*');
define('API_METHOD_GET', 'GET');
define('API_METHOD_POST', 'POST,PUT');
define('API_METHOD_DELETE', 'POST,DELETE');

$API = array();
$called_api = null;

/// @TODO Fix intending
	/**
	 * @brief Auth API user
	 *
	 * It is not sufficient to use local_user() to check whether someone is allowed to use the API,
	 * because this will open CSRF holes (just embed an image with src=friendicasite.com/api/statuses/update?status=CSRF
	 * into a page, and visitors will post something without noticing it).
	 */
	function api_user() {
		if (x($_SESSION, 'allow_api')) {
			return local_user();
		}

		return false;
	}

	/**
	 * @brief Get source name from API client
	 *
	 * Clients can send 'source' parameter to be show in post metadata
	 * as "sent via <source>".
	 * Some clients doesn't send a source param, we support ones we know
	 * (only Twidere, atm)
	 *
	 * @return string
	 * 		Client source name, default to "api" if unset/unknown
	 */
	function api_source() {
		if (requestdata('source')) {
			return requestdata('source');
		}

		// Support for known clients that doesn't send a source name
		if (strpos($_SERVER['HTTP_USER_AGENT'], "Twidere") !== false) {
			return "Twidere";
		}

		logger("Unrecognized user-agent ".$_SERVER['HTTP_USER_AGENT'], LOGGER_DEBUG);

		return "api";
	}

	/**
	 * @brief Format date for API
	 *
	 * @param string $str Source date, as UTC
	 * @return string Date in UTC formatted as "D M d H:i:s +0000 Y"
	 */
	function api_date($str) {
		// Wed May 23 06:01:13 +0000 2007
		return datetime_convert('UTC', 'UTC', $str, "D M d H:i:s +0000 Y" );
	}

	/**
	 * @brief Register API endpoint
	 *
	 * Register a function to be the endpont for defined API path.
	 *
	 * @param string $path API URL path, relative to System::baseUrl()
	 * @param string $func Function name to call on path request
	 * @param bool $auth API need logged user
	 * @param string $method HTTP method reqiured to call this endpoint.
	 *
	 * One of API_METHOD_ANY, API_METHOD_GET, API_METHOD_POST.
	 * Default to API_METHOD_ANY
	 */
	function api_register_func($path, $func, $auth = false, $method = API_METHOD_ANY) {
		global $API;

		$API[$path] = array(
			'func'   => $func,
			'auth'   => $auth,
			'method' => $method,
		);

		// Workaround for hotot
		$path = str_replace("api/", "api/1.1/", $path);

		$API[$path] = array(
			'func'   => $func,
			'auth'   => $auth,
			'method' => $method,
		);
	}

	/**
	 * @brief Login API user
	 *
	 * Log in user via OAuth1 or Simple HTTP Auth.
	 * Simple Auth allow username in form of <pre>user@server</pre>, ignoring server part
	 *
	 * @param App $a
	 * @hook 'authenticate'
	 * 		array $addon_auth
	 *			'username' => username from login form
	 *			'password' => password from login form
	 *			'authenticated' => return status,
	 *			'user_record' => return authenticated user record
	 * @hook 'logged_in'
	 * 		array $user	logged user record
	 */
	function api_login(App $a) {
		// login with oauth
		try {
			$oauth = new FKOAuth1();
			list($consumer,$token) = $oauth->verify_request(OAuthRequest::from_request());
			if (!is_null($token)) {
				$oauth->loginUser($token->uid);
				call_hooks('logged_in', $a->user);
				return;
			}
			echo __FILE__.__LINE__.__FUNCTION__ . "<pre>";
			var_dump($consumer, $token);
			die();
		} catch (Exception $e) {
			logger($e);
		}

		// workaround for HTTP-auth in CGI mode
		if (x($_SERVER, 'REDIRECT_REMOTE_USER')) {
			$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6)) ;
			if (strlen($userpass)) {
				list($name, $password) = explode(':', $userpass);
				$_SERVER['PHP_AUTH_USER'] = $name;
				$_SERVER['PHP_AUTH_PW'] = $password;
			}
		}

		if (!x($_SERVER, 'PHP_AUTH_USER')) {
			logger('API_login: ' . print_r($_SERVER,true), LOGGER_DEBUG);
			header('WWW-Authenticate: Basic realm="Friendica"');
			throw new UnauthorizedException("This API requires login");
		}

		$user = $_SERVER['PHP_AUTH_USER'];
		$password = $_SERVER['PHP_AUTH_PW'];
		$encrypted = hash('whirlpool', trim($password));

		// allow "user@server" login (but ignore 'server' part)
		$at = strstr($user, "@", true);
		if ($at) {
			$user = $at;
		}

		// next code from mod/auth.php. needs better solution
		$record = null;

		$addon_auth = array(
			'username' => trim($user),
			'password' => trim($password),
			'authenticated' => 0,
			'user_record' => null,
		);

		/*
		 * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
		 * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
		 * and later plugins should not interfere with an earlier one that succeeded.
		 */
		call_hooks('authenticate', $addon_auth);

		if (($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
			$record = $addon_auth['user_record'];
		} else {
			// process normal login request
			$r = q("SELECT * FROM `user` WHERE (`email` = '%s' OR `nickname` = '%s')
				AND `password` = '%s' AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1",
				dbesc(trim($user)),
				dbesc(trim($user)),
				dbesc($encrypted)
			);
			if (DBM::is_result($r)) {
				$record = $r[0];
			}
		}

		if ((! $record) || (! count($record))) {
			logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG);
			header('WWW-Authenticate: Basic realm="Friendica"');
			//header('HTTP/1.0 401 Unauthorized');
			//die('This api requires login');
			throw new UnauthorizedException("This API requires login");
		}

		authenticate_success($record);

		$_SESSION["allow_api"] = true;

		call_hooks('logged_in', $a->user);

	}

	/**
	 * @brief Check HTTP method of called API
	 *
	 * API endpoints can define which HTTP method to accept when called.
	 * This function check the current HTTP method agains endpoint
	 * registered method.
	 *
	 * @param string $method Required methods, uppercase, separated by comma
	 * @return bool
	 */
	 function api_check_method($method) {
		if ($method == "*") {
			return true;
		}
		return (strpos($method, $_SERVER['REQUEST_METHOD']) !== false);
	 }

	/**
	 * @brief Main API entry point
	 *
	 * Authenticate user, call registered API function, set HTTP headers
	 *
	 * @param App $a
	 * @return string API call result
	 */
	function api_call(App $a) {
		global $API, $called_api;

		$type = "json";
		if (strpos($a->query_string, ".xml") > 0) {
			$type = "xml";
		}
		if (strpos($a->query_string, ".json") > 0) {
			$type = "json";
		}
		if (strpos($a->query_string, ".rss") > 0) {
			$type = "rss";
		}
		if (strpos($a->query_string, ".atom") > 0) {
			$type = "atom";
		}

		try {
			foreach ($API as $p => $info) {
				if (strpos($a->query_string, $p) === 0) {
					if (!api_check_method($info['method'])) {
						throw new MethodNotAllowedException();
					}

					$called_api = explode("/", $p);
					//unset($_SERVER['PHP_AUTH_USER']);

					/// @TODO should be "true ==[=] $info['auth']", if you miss only one = character, you assign a variable (only with ==). Let's make all this even.
					if ($info['auth'] === true && api_user() === false) {
						api_login($a);
					}

					logger('API call for ' . $a->user['username'] . ': ' . $a->query_string);
					logger('API parameters: ' . print_r($_REQUEST, true));

					$stamp =  microtime(true);
					$r = call_user_func($info['func'], $type);
					$duration = (float) (microtime(true) - $stamp);
					logger("API call duration: " . round($duration, 2) . "\t" . $a->query_string, LOGGER_DEBUG);

					if (Config::get("system", "profiler")) {
						$duration = microtime(true)-$a->performance["start"];

						/// @TODO round() really everywhere?
						logger(parse_url($a->query_string, PHP_URL_PATH) . ": " . sprintf("Database: %s/%s, Network: %s, I/O: %s, Other: %s, Total: %s",
							round($a->performance["database"] - $a->performance["database_write"], 3),
							round($a->performance["database_write"], 3),
							round($a->performance["network"], 2),
							round($a->performance["file"], 2),
							round($duration - ($a->performance["database"] + $a->performance["network"]
								+ $a->performance["file"]), 2),
							round($duration, 2)),
							LOGGER_DEBUG
						);

						if (Config::get("rendertime", "callstack")) {
							$o = "Database Read:\n";
							foreach ($a->callstack["database"] AS $func => $time) {
								$time = round($time, 3);
								if ($time > 0) {
									$o .= $func . ": " . $time . "\n";
								}
							}
							$o .= "\nDatabase Write:\n";
							foreach ($a->callstack["database_write"] AS $func => $time) {
								$time = round($time, 3);
								if ($time > 0) {
									$o .= $func . ": " . $time . "\n";
								}
							}

							$o .= "\nNetwork:\n";
							foreach ($a->callstack["network"] AS $func => $time) {
								$time = round($time, 3);
								if ($time > 0) {
									$o .= $func . ": " . $time . "\n";
								}
							}
							logger($o, LOGGER_DEBUG);
						}
					}

					if (false === $r) {
						/*
						 * api function returned false withour throw an
						 * exception. This should not happend, throw a 500
						 */
						throw new InternalServerErrorException();
					}

					switch ($type) {
						case "xml":
							header ("Content-Type: text/xml");
							return $r;
							break;
						case "json":
							header ("Content-Type: application/json");
							foreach ($r as $rr)
								$json = json_encode($rr);
								if (x($_GET, 'callback')) {
									$json = $_GET['callback'] . "(" . $json . ")";
								}
								return $json;
							break;
						case "rss":
							header ("Content-Type: application/rss+xml");
							return '<?xml version="1.0" encoding="UTF-8"?>' . "\n" . $r;
							break;
						case "atom":
							header ("Content-Type: application/atom+xml");
							return '<?xml version="1.0" encoding="UTF-8"?>' . "\n" . $r;
							break;
					}
				}
			}

			logger('API call not implemented: ' . $a->query_string);
			throw new NotImplementedException();
		} catch (HTTPException $e) {
			header("HTTP/1.1 {$e->httpcode} {$e->httpdesc}");
			return api_error($type, $e);
		}
	}

	/**
	 * @brief Format API error string
	 *
	 * @param string $type Return type (xml, json, rss, as)
	 * @param HTTPException $error Error object
	 * @return strin error message formatted as $type
	 */
	function api_error($type, $e) {

		$a = get_app();

		$error = ($e->getMessage() !== "" ? $e->getMessage() : $e->httpdesc);
		/// @TODO:  https://dev.twitter.com/overview/api/response-codes

		$error = array("error" => $error,
				"code" => $e->httpcode . " " . $e->httpdesc,
				"request" => $a->query_string);

		$ret = api_format_data('status', $type, array('status' => $error));

		switch ($type) {
			case "xml":
				header ("Content-Type: text/xml");
				return $ret;
				break;
			case "json":
				header ("Content-Type: application/json");
				return json_encode($ret);
				break;
			case "rss":
				header ("Content-Type: application/rss+xml");
				return $ret;
				break;
			case "atom":
				header ("Content-Type: application/atom+xml");
				return $ret;
				break;
		}
	}

	/**
	 * @brief Set values for RSS template
	 *
	 * @param App $a
	 * @param array $arr Array to be passed to template
	 * @param array $user_info
	 * @return array
	 * @todo find proper type-hints
	 */
	function api_rss_extra(App $a, $arr, $user_info) {
		if (is_null($user_info)) {
			$user_info = api_get_user($a);
		}

		$arr['$user'] = $user_info;
		$arr['$rss'] = array(
			'alternate'    => $user_info['url'],
			'self'         => System::baseUrl() . "/" . $a->query_string,
			'base'         => System::baseUrl(),
			'updated'      => api_date(null),
			'atom_updated' => datetime_convert('UTC', 'UTC', 'now', ATOM_TIME),
			'language'     => $user_info['language'],
			'logo'         => System::baseUrl() . "/images/friendica-32.png",
		);

		return $arr;
	}


	/**
	 * @brief Unique contact to contact url.
	 *
	 * @param int $id Contact id
	 * @return bool|string
	 * 		Contact url or False if contact id is unknown
	 */
	function api_unique_id_to_url($id) {
		$r = dba::select('contact', array('url'), array('uid' => 0, 'id' => $id), array('limit' => 1));

		if (DBM::is_result($r)) {
			return $r["url"];
		} else {
			return false;
		}
	}

	/**
	 * @brief Get user info array.
	 *
	 * @param Api $a
	 * @param int|string $contact_id Contact ID or URL
	 * @param string $type Return type (for errors)
	 */
	function api_get_user(App $a, $contact_id = null, $type = "json") {
		global $called_api;

		$user = null;
		$extra_query = "";
		$url = "";
		$nick = "";

		logger("api_get_user: Fetching user data for user ".$contact_id, LOGGER_DEBUG);

		// Searching for contact URL
		if (!is_null($contact_id) && (intval($contact_id) == 0)) {
			$user = dbesc(normalise_link($contact_id));
			$url = $user;
			$extra_query = "AND `contact`.`nurl` = '%s' ";
			if (api_user() !== false) {
				$extra_query .= "AND `contact`.`uid`=" . intval(api_user());
			}
		}

		// Searching for contact id with uid = 0
		if (!is_null($contact_id) && (intval($contact_id) != 0)) {
			$user = dbesc(api_unique_id_to_url($contact_id));

			if ($user == "") {
				throw new BadRequestException("User not found.");
			}

			$url = $user;
			$extra_query = "AND `contact`.`nurl` = '%s' ";
			if (api_user() !== false) {
				$extra_query .= "AND `contact`.`uid`=" . intval(api_user());
			}
		}

		if (is_null($user) && x($_GET, 'user_id')) {
			$user = dbesc(api_unique_id_to_url($_GET['user_id']));

			if ($user == "") {
				throw new BadRequestException("User not found.");
			}

			$url = $user;
			$extra_query = "AND `contact`.`nurl` = '%s' ";
			if (api_user() !== false) {
				$extra_query .= "AND `contact`.`uid`=" . intval(api_user());
			}
		}
		if (is_null($user) && x($_GET, 'screen_name')) {
			$user = dbesc($_GET['screen_name']);
			$nick = $user;
			$extra_query = "AND `contact`.`nick` = '%s' ";
			if (api_user() !== false) {
				$extra_query .= "AND `contact`.`uid`=".intval(api_user());
			}
		}

		if (is_null($user) && x($_GET, 'profileurl')) {
			$user = dbesc(normalise_link($_GET['profileurl']));
			$nick = $user;
			$extra_query = "AND `contact`.`nurl` = '%s' ";
			if (api_user() !== false) {
				$extra_query .= "AND `contact`.`uid`=".intval(api_user());
			}
		}

		if (is_null($user) && ($a->argc > (count($called_api) - 1)) && (count($called_api) > 0)) {
			$argid = count($called_api);
			list($user, $null) = explode(".", $a->argv[$argid]);
			if (is_numeric($user)) {
				$user = dbesc(api_unique_id_to_url($user));

				if ($user == "") {
					return false;
				}

				$url = $user;
				$extra_query = "AND `contact`.`nurl` = '%s' ";
				if (api_user() !== false) {
					$extra_query .= "AND `contact`.`uid`=" . intval(api_user());
				}
			} else {
				$user = dbesc($user);
				$nick = $user;
				$extra_query = "AND `contact`.`nick` = '%s' ";
				if (api_user() !== false) {
					$extra_query .= "AND `contact`.`uid`=" . intval(api_user());
				}
			}
		}

		logger("api_get_user: user ".$user, LOGGER_DEBUG);

		if (!$user) {
			if (api_user() === false) {
				api_login($a);
				return false;
			} else {
				$user = $_SESSION['uid'];
				$extra_query = "AND `contact`.`uid` = %d AND `contact`.`self` ";
			}

		}

		logger('api_user: ' . $extra_query . ', user: ' . $user);

		// user info
		$uinfo = q("SELECT *, `contact`.`id` AS `cid` FROM `contact`
				WHERE 1
				$extra_query",
				$user
		);

		// Selecting the id by priority, friendica first
		api_best_nickname($uinfo);

		// if the contact wasn't found, fetch it from the contacts with uid = 0
		if (!DBM::is_result($uinfo)) {
			$r = array();

			if ($url != "") {
				$r = q("SELECT * FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' LIMIT 1", dbesc(normalise_link($url)));
			}

			if (DBM::is_result($r)) {
				$network_name = network_to_name($r[0]['network'], $r[0]['url']);

				// If no nick where given, extract it from the address
				if (($r[0]['nick'] == "") || ($r[0]['name'] == $r[0]['nick'])) {
					$r[0]['nick'] = api_get_nick($r[0]["url"]);
				}

				$ret = array(
					'id' => $r[0]["id"],
					'id_str' => (string) $r[0]["id"],
					'name' => $r[0]["name"],
					'screen_name' => (($r[0]['nick']) ? $r[0]['nick'] : $r[0]['name']),
					'location' => ($r[0]["location"] != "") ? $r[0]["location"] : $network_name,
					'description' => $r[0]["about"],
					'profile_image_url' => $r[0]["micro"],
					'profile_image_url_https' => $r[0]["micro"],
					'url' => $r[0]["url"],
					'protected' => false,
					'followers_count' => 0,
					'friends_count' => 0,
					'listed_count' => 0,
					'created_at' => api_date($r[0]["created"]),
					'favourites_count' => 0,
					'utc_offset' => 0,
					'time_zone' => 'UTC',
					'geo_enabled' => false,
					'verified' => false,
					'statuses_count' => 0,
					'lang' => '',
					'contributors_enabled' => false,
					'is_translator' => false,
					'is_translation_enabled' => false,
					'following' => false,
					'follow_request_sent' => false,
					'statusnet_blocking' => false,
					'notifications' => false,
					'statusnet_profile_url' => $r[0]["url"],
					'uid' => 0,
					'cid' => get_contact($r[0]["url"], api_user(), true),
					'self' => 0,
					'network' => $r[0]["network"],
				);

				return $ret;
			} else {
				throw new BadRequestException("User not found.");
			}
		}

		if ($uinfo[0]['self']) {

			if ($uinfo[0]['network'] == "") {
				$uinfo[0]['network'] = NETWORK_DFRN;
			}

			$usr = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
				intval(api_user())
			);
			$profile = q("SELECT * FROM `profile` WHERE `uid` = %d AND `is-default` = 1 LIMIT 1",
				intval(api_user())
			);

			/// @TODO old-lost code? (twice)
			// Counting is deactivated by now, due to performance issues
			// count public wall messages
			//$r = q("SELECT COUNT(*) as `count` FROM `item` WHERE `uid` = %d AND `wall`",
			//		intval($uinfo[0]['uid'])
			//);
			//$countitms = $r[0]['count'];
			$countitms = 0;
		} else {
			// Counting is deactivated by now, due to performance issues
			//$r = q("SELECT count(*) as `count` FROM `item`
			//		WHERE  `contact-id` = %d",
			//		intval($uinfo[0]['id'])
			//);
			//$countitms = $r[0]['count'];
			$countitms = 0;
		}

		/// @TODO old-lost code? (twice)
/*
		// Counting is deactivated by now, due to performance issues
		// count friends
		$r = q("SELECT count(*) as `count` FROM `contact`
				WHERE  `uid` = %d AND `rel` IN ( %d, %d )
				AND `self`=0 AND NOT `blocked` AND NOT `pending` AND `hidden`=0",
				intval($uinfo[0]['uid']),
				intval(CONTACT_IS_SHARING),
				intval(CONTACT_IS_FRIEND)
		);
		$countfriends = $r[0]['count'];

		$r = q("SELECT count(*) as `count` FROM `contact`
				WHERE  `uid` = %d AND `rel` IN ( %d, %d )
				AND `self`=0 AND NOT `blocked` AND NOT `pending` AND `hidden`=0",
				intval($uinfo[0]['uid']),
				intval(CONTACT_IS_FOLLOWER),
				intval(CONTACT_IS_FRIEND)
		);
		$countfollowers = $r[0]['count'];

		$r = q("SELECT count(*) as `count` FROM item where starred = 1 and uid = %d and deleted = 0",
			intval($uinfo[0]['uid'])
		);
		$starred = $r[0]['count'];


		if (! $uinfo[0]['self']) {
			$countfriends = 0;
			$countfollowers = 0;
			$starred = 0;
		}
*/
		$countfriends = 0;
		$countfollowers = 0;
		$starred = 0;

		// Add a nick if it isn't present there
		if (($uinfo[0]['nick'] == "") || ($uinfo[0]['name'] == $uinfo[0]['nick'])) {
			$uinfo[0]['nick'] = api_get_nick($uinfo[0]["url"]);
		}

		$network_name = network_to_name($uinfo[0]['network'], $uinfo[0]['url']);

		$pcontact_id  = get_contact($uinfo[0]['url'], 0, true);

		$ret = array(
			'id' => intval($pcontact_id),
			'id_str' => (string) intval($pcontact_id),
			'name' => (($uinfo[0]['name']) ? $uinfo[0]['name'] : $uinfo[0]['nick']),
			'screen_name' => (($uinfo[0]['nick']) ? $uinfo[0]['nick'] : $uinfo[0]['name']),
			'location' => ($usr) ? $usr[0]['default-location'] : $network_name,
			'description' => (($profile) ? $profile[0]['pdesc'] : NULL),
			'profile_image_url' => $uinfo[0]['micro'],
			'profile_image_url_https' => $uinfo[0]['micro'],
			'url' => $uinfo[0]['url'],
			'protected' => false,
			'followers_count' => intval($countfollowers),
			'friends_count' => intval($countfriends),
			'listed_count' => 0,
			'created_at' => api_date($uinfo[0]['created']),
			'favourites_count' => intval($starred),
			'utc_offset' => "0",
			'time_zone' => 'UTC',
			'geo_enabled' => false,
			'verified' => true,
			'statuses_count' => intval($countitms),
			'lang' => '',
			'contributors_enabled' => false,
			'is_translator' => false,
			'is_translation_enabled' => false,
			'following' => (($uinfo[0]['rel'] == CONTACT_IS_FOLLOWER) || ($uinfo[0]['rel'] == CONTACT_IS_FRIEND)),
			'follow_request_sent' => false,
			'statusnet_blocking' => false,
			'notifications' => false,
			/// @TODO old way?
			//'statusnet_profile_url' => System::baseUrl()."/contacts/".$uinfo[0]['cid'],
			'statusnet_profile_url' => $uinfo[0]['url'],
			'uid' => intval($uinfo[0]['uid']),
			'cid' => intval($uinfo[0]['cid']),
			'self' => $uinfo[0]['self'],
			'network' => $uinfo[0]['network'],
		);

		return $ret;

	}

	/**
	 * @brief return api-formatted array for item's author and owner
	 *
	 * @param App $a
	 * @param array $item : item from db
	 * @return array(array:author, array:owner)
	 */
	function api_item_get_user(App $a, $item) {

		$status_user = api_get_user($a, $item["author-link"]);

		$status_user["protected"] = (($item["allow_cid"] != "") ||
						($item["allow_gid"] != "") ||
						($item["deny_cid"] != "") ||
						($item["deny_gid"] != "") ||
						$item["private"]);

		if ($item['thr-parent'] == $item['uri']) {
			$owner_user = api_get_user($a, $item["owner-link"]);
		} else {
			$owner_user = $status_user;
		}

		return (array($status_user, $owner_user));
	}

	/**
	 * @brief walks recursively through an array with the possibility to change value and key
	 *
	 * @param array $array The array to walk through
	 * @param string $callback The callback function
	 *
	 * @return array the transformed array
	 */
	function api_walk_recursive(array &$array, callable $callback) {

		$new_array = array();

		foreach ($array as $k => $v) {
			if (is_array($v)) {
				if ($callback($v, $k)) {