Back in the day there were good reasons for showing a permission denied photo instead of a null img. It distinguished a 403 from a 404 in an unmistakable way. What we've discovered is that nothing that is gained from this knowledge and it mostly just annoys and confuses people who can't really do anything about it except to express their annoyance/confusion. So just do a 403/404 instead.

1 files changed, 9 insertions, 8 deletions

diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php
index b3171fe75..9cafc8d07 100644
--- a/Zotlabs/Module/Photo.php
+++ b/Zotlabs/Module/Photo.php
@@ -144,9 +144,11 @@ class Photo extends \Zotlabs\Web\Controller {
 						if(! in_array($resolution,[4,5,6]))
 							$allowed = (-1);
 				}
-				if($allowed === (-1))
+
+				if($allowed === (-1)) {
 					$allowed = attach_can_view($r[0]['uid'],$observer_xchan,$photo);
-				
+				}
+
 				$channel = channelx_by_n($r[0]['uid']);
 
 				// Now we'll see if we can access the photo
@@ -166,13 +168,12 @@ class Photo extends \Zotlabs\Web\Controller {
 				}
 				else {
 					if(! $allowed) {
-						logger('mod_photo: forbidden. ' . \App::$query_string);
-						$observer = \App::get_observer();
-						logger('mod_photo: observer = ' . (($observer) ? $observer['xchan_addr'] : '(not authenticated)'));
-						$data = file_get_contents('images/nosign.png');
-						$mimetype = 'image/png';
-						$prvcachecontrol = true;
+						http_status_exit(403,'forbidden');
+					}
+					if(! $exists) {
+						http_status_exit(404,'not found');
 					}
+
 				}
 			}
 		}