X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=mod%2Fphoto.php;h=2f8d180fdb9c60c1824bb84858d3068515f0ecda;hb=8c245a5d2f4e6882211ac17561f86537a7089c73;hp=bd0e415bfaa36f6fd4a26053e80e25455318d214;hpb=6348e70daa113e8b3203de8fbc919d08c90d972e;p=friendica.git
diff --git a/mod/photo.php b/mod/photo.php
index bd0e415bfa..2f8d180fdb 100644
--- a/mod/photo.php
+++ b/mod/photo.php
@@ -2,24 +2,140 @@ function photo_init(&$a) { - if($a->argc != 2) { - killme(); + switch($a->argc) { + case 3: + $person = $a->argv[2]; + $type = $a->argv[1]; + break; + case 2: + $photo = $a->argv[1]; + break; + case 1: + default: + killme(); + // NOTREACHED } - $resolution = 0; - $photo = $a->argv[1]; - $photo = str_replace('.jpg','',$photo); - if(substr($photo,-2,1) == '-') { - $resolution = intval(substr($photo,-1,1)); - $photo = substr($photo,0,-2); + + $default = 'images/default-profile.jpg'; + + if(isset($type)) { + switch($type) { + + case 'profile': + $resolution = 4; + break; + case 'micro': + $resolution = 6; + $default = 'images/default-profile-mm.jpg'; + break; + case 'avatar': + default: + $resolution = 5; + $default = 'images/default-profile-sm.jpg'; + break; + } + + $uid = str_replace('.jpg', '', $person); + + $r = q("SELECT * FROM `photo` WHERE `scale` = %d AND `uid` = %d AND `profile` = 1 LIMIT 1", + intval($resolution), + intval($uid) + ); + if(count($r)) { + $data = $r[0]['data']; + } + if(! isset($data)) { + $data = file_get_contents($default); + } + } + else { + + $resolution = 0; + $photo = str_replace('.jpg','',$photo); + + if(substr($photo,-2,1) == '-') { + $resolution = intval(substr($photo,-1,1)); + $photo = substr($photo,0,-2); + } + + $r = q("SELECT `uid` FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1", + dbesc($photo), + intval($resolution) + ); + if(count($r)) { + + $owner = $r[0]['uid']; + + $sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' "; + + if(local_user() && ($owner == $_SESSION['uid'])) { + + // Owner can always see his/her photos + $sql_extra = ''; + + } + elseif(remote_user()) { + + // authenticated visitor - here lie dragons + + $groups = init_groups_visitor($_SESSION['visitor_id']); + $gs = '<<>>'; // should be impossible to match + if(count($groups)) { + foreach($groups as $g) + $gs .= '|<' . intval($g) . 
'>'; + } + + $sql_extra = sprintf( + " AND ( `allow_cid` = '' OR `allow_cid` REGEXP '<%d>' ) + AND ( `deny_cid` = '' OR NOT `deny_cid` REGEXP '<%d>' ) + AND ( `allow_gid` = '' OR `allow_gid` REGEXP '%s' ) + AND ( `deny_gid` = '' OR NOT `deny_gid` REGEXP '%s') ", + + intval($_SESSION['visitor_id']), + intval($_SESSION['visitor_id']), + dbesc($gs), + dbesc($gs) + ); + } + + // Now we'll see if we can access the photo + + $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d $sql_extra LIMIT 1", + dbesc($photo), + intval($resolution) + ); + + if(count($r)) { + $data = $r[0]['data']; + } + else { + + // Does the picture exist? It may be a remote person with no credentials, + // but who should otherwise be able to view it. Show a default image to let + // them know permissions was denied. It may be possible to view the image + // through an authenticated profile visit. + // There won't be many complete unauthorised people seeing this because + // they won't have the photo link, so there's a reasonable chance that the person + // might be able to obtain permission to view it. + + $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1", + dbesc($photo), + intval($resolution) + ); + if(count($r)) { + $data = file_get_contents('images/nosign.jpg'); + } + } + } } - $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' - AND `scale` = %d LIMIT 1", - dbesc($photo), - intval($resolution)); - if($r === NULL || (! count($r))) { + + if(! isset($data)) { killme(); + // NOTREACHED } - header("Content-type: image/jpeg"); - echo $r[0]['data']; + header("Content-type: image/jpeg"); + echo $data; + killme(); + // NOTREACHED } \ No newline at end of file
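Review bot: The response at the end of the hunk is sent with only a `Content-type` header, yet the same photo URL now yields different bodies depending on the session — the stored photo for the owner or an authorised `remote_user()`, `images/nosign.jpg` for everyone else — so any shared cache sitting between the server and the browser (a reverse proxy or CDN, if one is deployed) could store a private photo under its URL and hand it to the next anonymous requester, or cache the placeholder and serve it to a viewer who is actually permitted. Emitting `header("Cache-Control: private, no-cache");` immediately before the `Content-type` header would keep the bytes out of shared caches and force revalidation on each view; the public-only and profile/avatar branches could be given a longer lifetime separately if caching matters there. A smaller point: a logged-in local user who is not the owner falls through to the public-only `$sql_extra`, so local contacts listed in `allow_cid`/`allow_gid` appear to receive `nosign.jpg` while remote contacts with the same grant do not — if that asymmetry is intended, a comment next to the `local_user()` check saying so would save the next reader from re-deriving it.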