Merge branch 'master', remote-tracking branch 'remotes/upstream/master'

* remotes/upstream/master:
  apply max-width to images in posts, duepuntozero
  theming for default group selector
  catch more places to apply default group
  make it difficult to setup a private forum with no privacy
  more private forums, default privacy group for new contacts
  tell browser not to cache permission denied (private) photos so that after authenticating we don't have to fight the browser - plus more prvgroup work

* master:

1 files changed, 19 insertions, 2 deletions

diff --git a/mod/photo.php b/mod/photo.php
index 1d38fe8e4..3cd8250a9 100644
--- a/mod/photo.php
+++ b/mod/photo.php
@@ -28,6 +28,8 @@ function photo_init(&$a) {
 		}
 	}*/
 
+	$prvcachecontrol = false;
+
 	switch($a->argc) {
 		case 4:
 			$person = $a->argv[3];
@@ -134,6 +136,7 @@ function photo_init(&$a) {
 				);
 				if(count($r)) {
 					$data = file_get_contents('images/nosign.jpg');
+					$prvcachecontrol = true;
 				}
 			}
 		}
@@ -179,8 +182,22 @@ function photo_init(&$a) {
 	}
 
 	header("Content-type: image/jpeg");
- 	header("Expires: " . gmdate("D, d M Y H:i:s", time() + (3600*24)) . " GMT");
-	header("Cache-Control: max-age=" . (3600*24));
+
+	if($prvcachecontrol) {
+
+		// it is a private photo that they have no permission to view.
+		// tell the browser not to cache it, in case they authenticate
+		// and subsequently have permission to see it
+
+		header("Cache-Control: no-store, no-cache, must-revalidate");
+
+	}
+	else {
+
+	 	header("Expires: " . gmdate("D, d M Y H:i:s", time() + (3600*24)) . " GMT");
+		header("Cache-Control: max-age=" . (3600*24));
+
+	}
 	echo $data;
 	killme();
 	// NOTREACHED