3 files changed, 33 insertions, 32 deletions

diff --git a/Zotlabs/Module/Photos.php b/Zotlabs/Module/Photos.php
index dca58c15a..d993c481e 100644
--- a/Zotlabs/Module/Photos.php
+++ b/Zotlabs/Module/Photos.php
@@ -612,8 +612,14 @@ class Photos extends \Zotlabs\Web\Controller {
 			if(! $aclselect) {
 				$aclselect = '<input id="group_allow" type="hidden" name="allow_gid[]" value="" /><input id="contact_allow" type="hidden" name="allow_cid[]" value="" /><input id="group_deny" type="hidden" name="deny_gid[]" value="" /><input id="contact_deny" type="hidden" name="deny_cid[]" value="" />';
 			}
-	
-			$selname = (($datum) ? hex2bin($datum) : '');
+
+			$selname = '';
+
+			if($datum) {
+				$h = attach_by_hash_nodata($datum,get_observer_hash());
+				$selname = $h['data']['display_path'];
+			}	
+
 	
 			$albums = ((array_key_exists('albums', \App::$data)) ? \App::$data['albums'] : photos_albums_list(\App::$data['channel'],\App::$data['observer']));
 	
@@ -694,12 +700,12 @@ class Photos extends \Zotlabs\Web\Controller {
 
 			// edit album name
 			$album_edit = null;
-			if(($album !== t('Profile Photos')) && ($album !== 'Profile Photos') && ($album !== 'Contact Photos') && ($album !== t('Contact Photos'))) {
-				if($can_post) {
-					$album_e = $album;
-					$albums = ((array_key_exists('albums', \App::$data)) ? \App::$data['albums'] : photos_albums_list(\App::$data['channel'],\App::$data['observer']));
+
+			if($can_post) {
+				$album_e = $album;
+				$albums = ((array_key_exists('albums', \App::$data)) ? \App::$data['albums'] : photos_albums_list(\App::$data['channel'],\App::$data['observer']));
 	
-					// @fixme - syncronise actions with DAV
+				// @fixme - syncronise actions with DAV
 		
 	//				$edit_tpl = get_markup_template('album_edit.tpl');
 	//				$album_edit = replace_macros($edit_tpl,array(
@@ -713,7 +719,6 @@ class Photos extends \Zotlabs\Web\Controller {
 	//					'$dropsubmit' => t('Delete Album')
 	//				));
 	
-				}
 			}
 	
 			if($_GET['order'] === 'posted')
@@ -1244,9 +1249,9 @@ class Photos extends \Zotlabs\Web\Controller {
 
 		\App::set_pager_itemspage(60);
 		
-		$r = q("SELECT p.resource_id, p.id, p.filename, p.mimetype, p.album, p.imgscale, p.created FROM photo p 
-			INNER JOIN ( SELECT resource_id, attach.folder as folder, max(imgscale) imgscale FROM photo left join attach on
-				photo.resource_id = attach.hash 
+		$r = q("SELECT p.resource_id, p.id, p.filename, p.mimetype, p.album, p.imgscale, p.created, p.display_path 
+			FROM photo p 
+			INNER JOIN ( SELECT resource_id, max(imgscale) imgscale FROM photo 
 				WHERE photo.uid = %d AND photo_usage IN ( %d, %d ) 
 				AND is_nsfw = %d $sql_extra group by resource_id ) ph 
 			ON (p.resource_id = ph.resource_id and p.imgscale = ph.imgscale) 
@@ -1265,23 +1270,18 @@ class Photos extends \Zotlabs\Web\Controller {
 		if($r) {
 			$twist = 'rotright';
 			foreach($r as $rr) {
+
+				if(! attach_can_view_folder(\App::$data['channel']['channel_id'],get_observer_hash(),$rr['resource_id']))
+					continue;
+
 				if($twist == 'rotright')
 					$twist = 'rotleft';
 				else
 					$twist = 'rotright';
 				$ext = $phototypes[$rr['mimetype']];
 				
-				if(\App::get_template_engine() === 'internal') {
-					$alt_e = template_escape($rr['filename']);
-					$name_e = template_escape($rr['album']);
-				}
-				else {
-					$alt_e = $rr['filename'];
-					$name_e = $rr['album'];
-				}
-
-					
-
+				$alt_e = $rr['filename'];
+				$name_e = dirname($rr['display_path']);
 
 				$photos[] = array(
 					'id'       => $rr['id'],
@@ -1291,9 +1291,7 @@ class Photos extends \Zotlabs\Web\Controller {
 					'src'     	=> z_root() . '/photo/' . $rr['resource_id'] . '-' . ((($rr['imgscale']) == 6) ? 4 : $rr['imgscale']) . '.' . $ext,
 					'alt'     	=> $alt_e,
 					'album'	=> array(
-						'link'  => z_root() . '/photos/' . \App::$data['channel']['channel_address'] . '/album/' . bin2hex($rr['album']),
 						'name'  => $name_e,
-						'alt'   => t('View Album'),
 					),
 					
 				);
diff --git a/include/attach.php b/include/attach.php
index c8582f8d3..675dd0da2 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -209,7 +209,7 @@ function attach_list_files($channel_id, $observer, $hash = '', $filename = '', $
 
 	// Retrieve all columns except 'data'
 
-	$r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, os_storage, is_dir, is_photo, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d $sql_extra ORDER BY $orderby $limit",
+	$r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, os_path, display_path, os_storage, is_dir, is_photo, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d $sql_extra ORDER BY $orderby $limit",
 		intval($channel_id)
 	);
 
@@ -284,6 +284,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
 	return $ret;
 }
 
+
 function attach_can_view_folder($uid,$ob_hash,$folder_hash) {
 
 	$sql_extra = permissions_sql($uid,$ob_hash);
@@ -348,7 +349,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
 
 	// Now we'll see if we can access the attachment
 
-	$r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, os_storage, is_photo, is_dir, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_extra limit 1",
+	$r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, os_storage, is_photo, os_path, display_path, is_dir, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_extra limit 1",
 		intval($r[0]['uid']),
 		dbesc($hash)
 	);
@@ -531,7 +532,7 @@ function attach_store($channel, $observer_hash, $options = '', $arr = null) {
 		if($options === 'update' &&  $arr && array_key_exists('revision',$arr))
 			$sql_options = " and revision = " . intval($arr['revision']) . " ";
 
-		$x = q("select id, aid, uid, filename, filetype, filesize, hash, revision, folder, os_storage, is_photo, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where hash = '%s' and uid = %d $sql_options limit 1",
+		$x = q("select id, aid, uid, filename, filetype, filesize, hash, revision, folder, os_storage, is_photo, os_path, display_path, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where hash = '%s' and uid = %d $sql_options limit 1",
 			dbesc($arr['hash']),
 			intval($channel_id)
 		);
@@ -929,7 +930,7 @@ function z_readdir($channel_id, $observer_hash, $pathname, $parent_hash = '') {
 	else
 		$paths = array($pathname);
 
-	$r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, is_photo, is_dir, os_storage, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where id = %d and folder = '%s' and filename = '%s' and is_dir != 0 " . permissions_sql($channel_id),
+	$r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, os_path, display_path, is_photo, is_dir, os_storage, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where id = %d and folder = '%s' and filename = '%s' and is_dir != 0 " . permissions_sql($channel_id),
 		intval($channel_id),
 		dbesc($parent_hash),
 		dbesc($paths[0])
@@ -2342,4 +2343,5 @@ function attach_upgrade() {
 			}
 		}
 	}
-}
\ No newline at end of file
+}
+
diff --git a/include/photos.php b/include/photos.php
index e73428478..a3869a72e 100644
--- a/include/photos.php
+++ b/include/photos.php
@@ -459,23 +459,24 @@ function photos_albums_list($channel, $observer, $sort_key = 'display_path', $di
 	$sort_key = dbesc($sort_key);
 	$direction = dbesc($direction);
 
-	$r = q("select display_path, hash from attach where is_dir = 1 and uid = %d order by $sort_key $direction",
+	$r = q("select display_path, hash from attach where is_dir = 1 and uid = %d $sql_extra order by $sort_key $direction",
 		intval($channel_id)
 	);
+
 	array_unshift($r,[ 'display_path' => '/', 'hash' => '' ]);
 	$str = ids_to_querystr($r,'hash',true);
 
 	$albums = [];
 
 	if($str) {
-		$x = q("select count( distinct hash ) as total, folder from attach where is_photo = 1 and uid = %d and folder in ( $str ) group by folder ",
+		$x = q("select count( distinct hash ) as total, folder from attach where is_photo = 1 and uid = %d and folder in ( $str ) $sql_extra group by folder ",
 			intval($channel_id)
 		);
 		if($x) {
 			foreach($r as $rv) {
 				foreach($x as $xv) {
 					if($xv['folder'] === $rv['hash']) {
-						if($xv['total'] != 0) {
+						if($xv['total'] != 0 && attach_can_view_folder($channel_id,$observer_xchan,$xv['folder'])) {
 							$albums[] = [ 'album' => $rv['display_path'], 'folder' => $xv['folder'], 'total' => $xv['total'] ];
 						}
 						continue;