From a06f7fbe2e78de428489d824c1329ef29c4d1f42 Mon Sep 17 00:00:00 2001
From: redmatrix <redmatrix@redmatrix.me>
Date: Tue, 17 Nov 2015 15:03:27 -0800
Subject: photo album widget permissions issue

---
 include/api.php     | 2 ++
 include/widgets.php | 4 ++++
 2 files changed, 6 insertions(+)

(limited to 'include')

diff --git a/include/api.php b/include/api.php
index f781987d1..f279b2aa3 100644
--- a/include/api.php
+++ b/include/api.php
@@ -742,6 +742,8 @@ require_once('include/api_auth.php');
 		}
 		$user_info = api_get_user($a);
 
+//		logger('status_with_media: ' . print_r($_REQUEST,true), LOGGER_DEBUG);
+
 		$_REQUEST['type'] = 'wall';
 		$_REQUEST['profile_uid'] = api_user();
 		$_REQUEST['api_source'] = true;
diff --git a/include/widgets.php b/include/widgets.php
index 5a135ae52..fc6fee2ef 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -1229,6 +1229,10 @@ function widget_album($args) {
 	$owner_uid = get_app()->profile_uid;
 	$sql_extra = permissions_sql($owner_uid);
 
+
+	if(! perm_is_allowed($owner_uid,get_observer_hash(),'view_storage'))
+		return '';
+
 	if($args['album'])
 		$album = $args['album'];
 	if($args['title'])
-- 
cgit v1.2.3