From d090033a0aab7197af9dc7f3e2cf21ebdf042b21 Mon Sep 17 00:00:00 2001 From: Mike Macgirvin Date: Wed, 4 Aug 2010 20:03:38 -0700 Subject: more photo progress --- mod/photo.php | 49 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) (limited to 'mod/photo.php') diff --git a/mod/photo.php b/mod/photo.php index f922c7ab2..6e4d981d2 100644 --- a/mod/photo.php +++ b/mod/photo.php @@ -44,6 +44,7 @@ function photo_init(&$a) { } } else { + $resolution = 0; $photo = str_replace('.jpg','',$photo); @@ -52,12 +53,56 @@ function photo_init(&$a) { $photo = substr($photo,0,-2); } - $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1", + $r = q("SELECT `uid` FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1", dbesc($photo), intval($resolution) ); if(count($r)) { - $data = $r[0]['data']; + + $owner = $r[0]['uid']; + + $sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' "; + + if(local_user() && ($owner == $_SESSION['uid'])) { + + // Owner can always see his/her photos + $sql_extra = ''; + + } + elseif(remote_user()) { + + // authenticated visitor - here lie dragons + + $groups = init_groups_visitor($_SESSION['visitor_id']); + $gs = '<<>>'; // should be impossible to match + if(count($groups)) { + foreach($groups as $g) + $gs .= '|<' . intval($g) . '>'; + } + + $sql_extra = sprintf( + " AND ( `allow_cid` = '' OR `allow_cid` REGEXP '<%d>' ) + AND ( `deny_cid` = '' OR NOT `deny_cid` REGEXP '<%d>' ) + AND ( `allow_gid` = '' OR `allow_gid` REGEXP '%s' ) + AND ( `deny_gid` = '' OR NOT `deny_gid` REGEXP '%s') ", + + intval($_SESSION['visitor_id']), + intval($_SESSION['visitor_id']), + dbesc($gs), + dbesc($gs) + ); + } + + // Now we'll see if we can access the photo + + $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d $sql_extra LIMIT 1", + dbesc($photo), + intval($resolution) + ); + + if(count($r)) { + $data = $r[0]['data']; + } } } -- cgit v1.2.3