diff options
Diffstat (limited to 'Zotlabs/Module/Photo.php')
| -rw-r--r-- | Zotlabs/Module/Photo.php | 104 |
1 files changed, 38 insertions, 66 deletions
diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index 8a110f925..8efc00707 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php @@ -4,6 +4,7 @@ namespace Zotlabs\Module; require_once('include/security.php'); require_once('include/attach.php'); require_once('include/photo/photo_driver.php'); +require_once('include/photos.php'); class Photo extends \Zotlabs\Web\Controller { @@ -13,7 +14,8 @@ class Photo extends \Zotlabs\Web\Controller { $prvcachecontrol = false; $streaming = null; $channel = null; - + $person = 0; + switch(argc()) { case 4: $person = argv(3); @@ -30,8 +32,8 @@ class Photo extends \Zotlabs\Web\Controller { } $observer_xchan = get_observer_hash(); - - $default = get_default_profile_photo(); + + $default = z_root() . '/' . get_default_profile_photo(); if(isset($type)) { @@ -45,11 +47,11 @@ class Photo extends \Zotlabs\Web\Controller { case 'm': $resolution = 5; - $default = get_default_profile_photo(80); + $default = z_root() . '/' . get_default_profile_photo(80); break; case 's': $resolution = 6; - $default = get_default_profile_photo(48); + $default = z_root() . '/' . get_default_profile_photo(48); break; case 'l': default: @@ -83,7 +85,7 @@ class Photo extends \Zotlabs\Web\Controller { $data = file_get_contents($data); } if(! $data) { - $data = file_get_contents($default); + $data = fetch_image_from_url($default,$mimetype); } if(! $mimetype) { $mimetype = 'image/png'; @@ -127,98 +129,69 @@ class Photo extends \Zotlabs\Web\Controller { } } - $r = q("SELECT uid FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1", + $r = q("SELECT uid, photo_usage FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1", dbesc($photo), intval($resolution) ); if($r) { - - $allowed = (($r[0]['uid']) ? perm_is_allowed($r[0]['uid'],$observer_xchan,'view_storage') : true); - - $sql_extra = permissions_sql($r[0]['uid']); - if(! $sql_extra) - $sql_extra = ' and true '; + $allowed = (-1); - // Only check permissions on normal photos. Those photos we don't check includes - // profile photos, xchan photos (which are also profile photos), 'thing' photos, - // and cover photos - - $sql_extra = " and (( photo_usage = 0 $sql_extra ) or photo_usage != 0 )"; + if(intval($r[0]['photo_usage'])) { + $allowed = 1; + if(intval($r[0]['photo_usage']) === PHOTO_COVER) + if($resolution < PHOTO_RES_COVER_1200) + $allowed = (-1); + if(intval($r[0]['photo_usage']) === PHOTO_PROFILE) + if(! in_array($resolution,[4,5,6])) + $allowed = (-1); + } + + if($allowed === (-1)) { + $allowed = attach_can_view($r[0]['uid'],$observer_xchan,$photo); + } $channel = channelx_by_n($r[0]['uid']); // Now we'll see if we can access the photo - $r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1", + $e = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1", dbesc($photo), intval($resolution) ); - // viewing cover photos is allowed unless a plugin chooses to block it. - - if($r && intval($r[0]['photo_usage']) === PHOTO_COVER && $resolution >= PHOTO_RES_COVER_1200) - $allowed = 1; - - $d = [ 'imgscale' => $resolution, 'resource_id' => $photo, 'photo' => $r, 'allowed' => $allowed ]; - call_hooks('get_photo',$d); - - $resolution = $d['imgscale']; - $photo = $d['resource_id']; - $r = $d['photo']; - $allowed = $d['allowed']; + $exists = (($e) ? true : false); - if($r && $allowed) { - $data = dbunescbin($r[0]['content']); - $mimetype = $r[0]['mimetype']; - if(intval($r[0]['os_storage'])) { + if($exists && $allowed) { + $data = dbunescbin($e[0]['content']); + $mimetype = $e[0]['mimetype']; + if(intval($e[0]['os_storage'])) { $streaming = $data; } } else { - - // Does the picture exist? It may be a remote person with no credentials, - // but who should otherwise be able to view it. Show a default image to let - // them know permissions was denied. It may be possible to view the image - // through an authenticated profile visit. - // There won't be many completely unauthorised people seeing this because - // they won't have the photo link, so there's a reasonable chance that the person - // might be able to obtain permission to view it. - - $r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1", - dbesc($photo), - intval($resolution) - ); - - if($r) { - logger('mod_photo: forbidden. ' . \App::$query_string); - $observer = \App::get_observer(); - logger('mod_photo: observer = ' . (($observer) ? $observer['xchan_addr'] : '(not authenticated)')); - $data = file_get_contents('images/nosign.png'); - $mimetype = 'image/png'; - $prvcachecontrol = true; + if(! $allowed) { + http_status_exit(403,'forbidden'); } + if(! $exists) { + http_status_exit(404,'not found'); + } + } } } - - - if(! isset($data)) { if(isset($resolution)) { switch($resolution) { case 4: - $data = file_get_contents(get_default_profile_photo()); - $mimetype = 'image/png'; + $data = fetch_image_from_url(z_root() . '/' . get_default_profile_photo(),$mimetype); break; case 5: - $data = file_get_contents(get_default_profile_photo(80)); - $mimetype = 'image/png'; + $data = fetch_image_from_url(z_root() . '/' . get_default_profile_photo(80),$mimetype); break; case 6: - $data = file_get_contents(get_default_profile_photo(48)); - $mimetype = 'image/png'; + $data = fetch_image_from_url(z_root() . '/' . get_default_profile_photo(48),$mimetype); break; default: killme(); @@ -295,7 +268,6 @@ class Photo extends \Zotlabs\Web\Controller { } killme(); - // NOTREACHED } } |