From 2f9a9ec8b108bf6a38dca324772da4b4e4135019 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 30 Jan 2013 19:52:07 -0800 Subject: enforce the new enhanced permissions (not just simple access controls) on photos - caveat: the default profile photo cannot be restricted. Any such restrictions will be ignored. --- mod/photo.php | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'mod') diff --git a/mod/photo.php b/mod/photo.php index 5033033ff..c8fd55706 100644 --- a/mod/photo.php +++ b/mod/photo.php @@ -22,13 +22,15 @@ function photo_init(&$a) { // NOTREACHED } + $observer_xchan = get_observer_hash(); + $default = 'images/person-175.jpg'; if(isset($type)) { - /** - * Profile photos + * Profile photos - Access controls on default profile photos are not honoured since they need to be exchanged with remote sites. + * */ if($type === 'profile') { @@ -84,8 +86,10 @@ function photo_init(&$a) { dbesc($photo), intval($resolution) ); - if(count($r)) { + if($r) { + $allowed = perm_is_allowed($r[0]['uid'],$observer_xchan,'view_photos'); + $sql_extra = permissions_sql($r[0]['uid']); // Now we'll see if we can access the photo @@ -95,7 +99,7 @@ function photo_init(&$a) { intval($resolution) ); - if(count($r)) { + if($r && $allowed) { $data = $r[0]['data']; $mimetype = $r[0]['type']; } @@ -113,7 +117,7 @@ function photo_init(&$a) { dbesc($photo), intval($resolution) ); - if(count($r)) { + if($r) { $data = file_get_contents('images/nosign.jpg'); $mimetype = 'image/jpeg'; $prvcachecontrol = true; -- cgit v1.2.3