From 8b8feea12f886a22f7eb66456be7828b7aef455e Mon Sep 17 00:00:00 2001
From: sirius <sirius83@gmx.de>
Date: Mon, 14 Apr 2014 00:45:24 +0200
Subject: Added hackish support for permissions-sync between profile and
 profile-pictures

---
 mod/profile_photo.php | 33 +++++++++++++++++++++++++++++++++
 mod/profperm.php      | 12 ++++++++----
 2 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/mod/profile_photo.php b/mod/profile_photo.php
index 876e3a931..2cf7a8abf 100644
--- a/mod/profile_photo.php
+++ b/mod/profile_photo.php
@@ -2,6 +2,34 @@
 
 require_once('include/photo/photo_driver.php');
 
+function profile_photo_set_profile_perms($profileid) {
+
+	$allowcid = '';
+	$r = q("SELECT photo, profile_guid, id  FROM profile WHERE profile.id = %d LIMIT 1", intval($profileid));
+	$profile = $r[0];
+	
+	if(x($profile['photo'])) {
+		preg_match("@\w*(?=-\d*$)@i", $profile['photo'], $resource_id);
+		$resource_id = $resource_id[0];
+
+		if(x($profileid)) {
+
+			$r1 = q("SELECT abook.abook_xchan FROM abook WHERE abook_profile = %d ", intval($profile['id']));
+			$r2 = q("SELECT abook.abook_xchan FROM abook WHERE abook_profile = '%s'", dbesc($profile['profile_guid']));
+			foreach ($r1 as $entry) {
+				$allowcid .= "<" . $entry['abook_xchan'] . ">"; 
+			}
+			foreach ($r2 as $entry) {
+                                $allowcid .= "<" . $entry['abook_xchan'] . ">";
+                        }
+			if(x($allowcid)) {
+				q("UPDATE `photo` SET allow_cid = '%s' WHERE resource_id = '%s'",dbesc($allowcid),dbesc($resource_id));
+			}
+		}
+	}
+	return;
+}
+
 function profile_photo_init(&$a) {
 
 	if(! local_user()) {
@@ -142,6 +170,11 @@ function profile_photo_post(&$a) {
 
 				// Update directory in background
 				proc_run('php',"include/directory.php",$channel['channel_id']);
+
+				// Now copy profile-permissions to pictures, to prevent privacyleaks by automatically created folder 'Profile Pictures'
+
+                                profile_photo_set_profile_perms($_REQUEST['profile']);
+
 			}
 			else
 				notice( t('Unable to process image') . EOL);
diff --git a/mod/profperm.php b/mod/profperm.php
index 08838831b..4a52447b8 100644
--- a/mod/profperm.php
+++ b/mod/profperm.php
@@ -10,7 +10,7 @@ function profperm_init(&$a) {
 	$channel = $a->get_channel();
 	$which = $channel['channel_address'];
 
-	$profile = $a->argv[1];		
+	$profile = $a->argv[1];
 
 	profile_load($a,$which,$profile);
 
@@ -89,6 +89,10 @@ function profperm_content(&$a) {
 
 			}
 
+			//Time to update the permissions on the profile-pictures as well
+			require_once('mod/profile_photo.php');
+			profile_photo_set_profile_perms($profile['id']);
+
 			$r = q("SELECT * FROM abook left join xchan on abook_xchan = xchan_hash WHERE abook_channel = %d AND abook_profile = %d",
 				intval(local_user()),
 				intval(argv(1))
@@ -111,9 +115,9 @@ function profperm_content(&$a) {
 	}
 
 	$o .= '<div id="prof-update-wrapper">';
-	if($change) 
+	if($change)
 		$o = '';
-	
+
 	$o .= '<div id="prof-members-title">';
 	$o .= '<h3>' . t('Visible To') . '</h3>';
 	$o .= '</div>';
@@ -134,7 +138,7 @@ function profperm_content(&$a) {
 	$o .= '<h3>' . t("All Connections") . '</h3>';
 	$o .= '</div>';
 	$o .= '<div id="prof-all-contacts">';
-		
+
 		$r = abook_connections(local_user());
 
 		if($r) {
-- 
cgit v1.2.3