X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=mod%2Fphoto.php;h=2f8d180fdb9c60c1824bb84858d3068515f0ecda;hb=c1144912e2d2dab07c1e23aec5377e12bcf3e631;hp=f922c7ab26355043d01fc336c25ccf789791f1d8;hpb=c3fd5ed73202f4dd17dda87ac968b0db4f44d423;p=friendica.git diff --git a/mod/photo.php b/mod/photo.php index f922c7ab26..2f8d180fdb 100644 --- a/mod/photo.php +++ b/mod/photo.php @@ -13,18 +13,25 @@ function photo_init(&$a) { case 1: default: killme(); - return; // NOTREACHED + // NOTREACHED } - if(x($type)) { + $default = 'images/default-profile.jpg'; + + if(isset($type)) { switch($type) { case 'profile': $resolution = 4; break; + case 'micro': + $resolution = 6; + $default = 'images/default-profile-mm.jpg'; + break; case 'avatar': default: $resolution = 5; + $default = 'images/default-profile-sm.jpg'; break; } @@ -37,13 +44,12 @@ function photo_init(&$a) { if(count($r)) { $data = $r[0]['data']; } - if(x($data) === false) { - $data = file_get_contents(($resolution == 5) - ? 'images/default-profile-sm.jpg' - : 'images/default-profile.jpg'); + if(! isset($data)) { + $data = file_get_contents($default); } } else { + $resolution = 0; $photo = str_replace('.jpg','',$photo); @@ -52,22 +58,84 @@ function photo_init(&$a) { $photo = substr($photo,0,-2); } - $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1", + $r = q("SELECT `uid` FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1", dbesc($photo), intval($resolution) ); if(count($r)) { - $data = $r[0]['data']; + + $owner = $r[0]['uid']; + + $sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' "; + + if(local_user() && ($owner == $_SESSION['uid'])) { + + // Owner can always see his/her photos + $sql_extra = ''; + + } + elseif(remote_user()) { + + // authenticated visitor - here lie dragons + + $groups = init_groups_visitor($_SESSION['visitor_id']); + $gs = '<<>>'; // should be impossible to match + if(count($groups)) { + foreach($groups as $g) + $gs .= '|<' . intval($g) . '>'; + } + + $sql_extra = sprintf( + " AND ( `allow_cid` = '' OR `allow_cid` REGEXP '<%d>' ) + AND ( `deny_cid` = '' OR NOT `deny_cid` REGEXP '<%d>' ) + AND ( `allow_gid` = '' OR `allow_gid` REGEXP '%s' ) + AND ( `deny_gid` = '' OR NOT `deny_gid` REGEXP '%s') ", + + intval($_SESSION['visitor_id']), + intval($_SESSION['visitor_id']), + dbesc($gs), + dbesc($gs) + ); + } + + // Now we'll see if we can access the photo + + $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d $sql_extra LIMIT 1", + dbesc($photo), + intval($resolution) + ); + + if(count($r)) { + $data = $r[0]['data']; + } + else { + + // Does the picture exist? It may be a remote person with no credentials, + // but who should otherwise be able to view it. Show a default image to let + // them know permissions was denied. It may be possible to view the image + // through an authenticated profile visit. + // There won't be many complete unauthorised people seeing this because + // they won't have the photo link, so there's a reasonable chance that the person + // might be able to obtain permission to view it. + + $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` = %d LIMIT 1", + dbesc($photo), + intval($resolution) + ); + if(count($r)) { + $data = file_get_contents('images/nosign.jpg'); + } + } } } - if(x($data) === false) { + if(! isset($data)) { killme(); - return; // NOTREACHED + // NOTREACHED } - header("Content-type: image/jpeg"); - echo $data; + header("Content-type: image/jpeg"); + echo $data; killme(); - return; //NOTREACHED + // NOTREACHED } \ No newline at end of file