1 files changed, 47 insertions, 2 deletions

diff --git a/mod/photo.php b/mod/photo.php
index f922c7ab2..6e4d981d2 100644
--- a/mod/photo.php
+++ b/mod/photo.php
@@ -44,6 +44,7 @@ function photo_init(&$a) {
 		}
 	}
 	else {
+
 		$resolution = 0;
 		$photo = str_replace('.jpg','',$photo);
 	
@@ -52,12 +53,56 @@ function photo_init(&$a) {
 			$photo = substr($photo,0,-2);
 		}
 
-		$r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1",
+		$r = q("SELECT `uid` FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1",
 			dbesc($photo),
 			intval($resolution)
 		);
 		if(count($r)) {
-			$data = $r[0]['data'];
+			
+			$owner = $r[0]['uid'];
+
+			$sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' ";
+
+			if(local_user() && ($owner == $_SESSION['uid'])) {
+
+				// Owner can always see his/her photos
+				$sql_extra = ''; 
+
+			}
+			elseif(remote_user()) {
+
+				// authenticated visitor - here lie dragons
+
+				$groups = init_groups_visitor($_SESSION['visitor_id']);
+				$gs = '<<>>'; // should be impossible to match
+				if(count($groups)) {
+					foreach($groups as $g)
+						$gs .= '|<' . intval($g) . '>';
+				} 
+
+				$sql_extra = sprintf(
+					" AND ( `allow_cid` = '' OR `allow_cid` REGEXP '<%d>' ) 
+					  AND ( `deny_cid`  = '' OR  NOT `deny_cid` REGEXP '<%d>' ) 
+					  AND ( `allow_gid` = '' OR `allow_gid` REGEXP '%s' )
+					  AND ( `deny_gid`  = '' OR NOT `deny_gid` REGEXP '%s') ",
+
+					intval($_SESSION['visitor_id']),
+					intval($_SESSION['visitor_id']),
+					dbesc($gs),
+					dbesc($gs)
+				);
+			}
+
+			// Now we'll see if we can access the photo
+
+			$r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d $sql_extra LIMIT 1",
+				dbesc($photo),
+				intval($resolution)
+			);
+
+			if(count($r)) {
+				$data = $r[0]['data'];
+			}
 		}
 	}