Add auth to load sequence for photos
index 68665126fb44c21aa26420ff3147bf87219e5d2b..7df96fccdb4bef8d954fbc42fa9b795512d45578 100644 (file)
@@ -16,6 +16,7 @@ use Friendica\Database\DBA;
 use Friendica\Database\DBStructure;
 use Friendica\Model\Storage\IStorage;
 use Friendica\Object\Image;
+use Friendica\Protocol\DFRN;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Network;
 use Friendica\Util\Security;
@@ -133,8 +134,16 @@ class Photo extends BaseObject
                if ($r === false) {
                        return false;
                }
+               $uid = $r["uid"];
 
-               $sql_acl = Security::getPermissionsSQLByUserId($r["uid"]);
+               // This is the first place, when retrieving just a photo, that we know who owns the photo.
+               // Make sure that the requester's session is appropriately authenticated to that user
+               // otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
+               $r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
+               // this will either just return (if auth all ok) or will redirect and exit (starting over)
+               DFRN::autoRedir(self::getApp(), $r["nickname"]);
+
+               $sql_acl = Security::getPermissionsSQLByUserId($uid);
 
                $conditions = [
                        "`resource-id` = ? AND `scale` <= ? " . $sql_acl,
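Review bot: The `DBA::selectFirst("user", ...)` result on the new line is indexed as `$r["nickname"]` without being checked, so a photo whose owner row is missing hands `null` to `DFRN::autoRedir()` instead of failing closed like the `$r === false` check a few lines above. Reusing `$r` for the user row also overwrites the photo record that the enclosing method (which starts and ends outside this hunk) may still need afterwards; a separate variable avoids both problems: `$user = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);` / `if ($user === false) { return false; }` / `DFRN::autoRedir(self::getApp(), $user["nickname"]);`. Since the comment says autoRedir may redirect and exit, it is worth documenting on the method that loading a photo can now terminate the request, as non-interactive callers of this model method presumably cannot complete that redirect — confirm which code paths reach here.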