show permission denied photo when direct link was accessed and authentication is insufficient to view

2 files changed, 18 insertions, 0 deletions

diff --git a/images/nosign.jpg b/images/nosign.jpg
new file mode 100644
index 000000000..b73629332
--- /dev/null
+++ b/images/nosign.jpg
diff --git a/mod/photo.php b/mod/photo.php
index 7f13d1cbf..2f8d180fd 100644
--- a/mod/photo.php
+++ b/mod/photo.php
@@ -108,6 +108,24 @@ function photo_init(&$a) {
 			if(count($r)) {
 				$data = $r[0]['data'];
 			}
+			else {
+
+				// Does the picture exist? It may be a remote person with no credentials,
+				// but who should otherwise be able to view it. Show a default image to let 
+				// them know permissions was denied. It may be possible to view the image 
+				// through an authenticated profile visit.
+				// There won't be many complete unauthorised people seeing this because
+				// they won't have the photo link, so there's a reasonable chance that the person
+				// might be able to obtain permission to view it.
+ 
+				$r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1",
+					dbesc($photo),
+					intval($resolution)
+				);
+				if(count($r)) {
+					$data = file_get_contents('images/nosign.jpg');
+				}
+			}
 		}
 	}