From 56b12f655546dc122e734654e1d5e5fc6dd06c43 Mon Sep 17 00:00:00 2001
From: redmatrix <mike@macgirvin.com>
Date: Fri, 30 Sep 2016 13:00:15 -0700
Subject: issue #538 continued

---
 Zotlabs/Module/Getfile.php | 6 +++---
 include/attach.php         | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php
index 12c1d0842..3d859d94b 100644
--- a/Zotlabs/Module/Getfile.php
+++ b/Zotlabs/Module/Getfile.php
@@ -30,9 +30,9 @@ class Getfile extends \Zotlabs\Web\Controller {
 
 		logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
 	
-		$hash = $_POST['hash'];
-		$time = $_POST['time'];
-		$sig = $_POST['signature'];
+		$hash     = $_POST['hash'];
+		$time     = $_POST['time'];
+		$sig      = $_POST['signature'];
 		$resource = $_POST['resource'];
 		$revision = intval($_POST['revision']);
 	
diff --git a/include/attach.php b/include/attach.php
index 8fa46a8b1..3d55b3bcb 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -254,7 +254,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
 		return $ret;
 	}
 
-	$sql_extra = permissions_sql($r[0]['uid']);
+	$sql_extra = permissions_sql($r[0]['uid'],$observer_hash);
 
 	// Now we'll see if we can access the attachment
 
@@ -269,7 +269,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
 	}
 
 	if($r[0]['folder']) {
-		$x = attach_can_view_folder($r[0]['uid'],get_observer_hash(),$r[0]['folder']);
+		$x = attach_can_view_folder($r[0]['uid'],$observer_hash,$r[0]['folder']);
 		if(! $x) {
 			$ret['message'] = t('Permission denied.');
 			return $ret;
@@ -340,7 +340,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
 		return $ret;
 	}
 
-	$sql_extra = permissions_sql($r[0]['uid']);
+	$sql_extra = permissions_sql($r[0]['uid'],$observer_hash);
 
 	// Now we'll see if we can access the attachment
 
@@ -355,7 +355,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
 	}
 
 	if($r[0]['folder']) {
-		$x = attach_can_view_folder($r[0]['uid'],get_observer_hash(),$r[0]['folder']);
+		$x = attach_can_view_folder($r[0]['uid'],$observer_hash,$r[0]['folder']);
 		if(! $x) {
 			$ret['message'] = t('Permission denied.');
 			return $ret;
-- 
cgit v1.2.3