use Friendica\Database\DBStructure;
use Friendica\Model\Storage\IStorage;
use Friendica\Object\Image;
+use Friendica\Protocol\DFRN;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Network;
use Friendica\Util\Security;
if ($r === false) {
return false;
}
+ $uid = $r["uid"];
- $sql_acl = Security::getPermissionsSQLByUserId($r["uid"]);
+ // This is the first place, when retrieving just a photo, that we know who owns the photo.
+ // Make sure that the requester's session is appropriately authenticated to that user
+ // otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
+ $r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
+ // this will either just return (if auth all ok) or will redirect and exit (starting over)
+ DFRN::autoRedir(self::getApp(), $r["nickname"]);
+
+ $sql_acl = Security::getPermissionsSQLByUserId($uid);
$conditions = [
"`resource-id` = ? AND `scale` <= ? " . $sql_acl,