X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=mod%2Fphotos.php;h=466fe44d3e2c6b026f408085b9bfb52daae818fe;hb=84805501449aa03e86d985f3e2d9734184cea0db;hp=86754cdf4e20b1d44cae3ec576ccfa40168b9c81;hpb=3b51f28d257e556b74e61b7d5340bcc54a3e3311;p=friendica.git

diff --git a/mod/photos.php b/mod/photos.php
old mode 100644
new mode 100755
index 86754cdf4e..466fe44d3e
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -3,6 +3,7 @@ require_once('include/Photo.php');
 require_once('include/items.php');
 require_once('include/acl_selectors.php');
 require_once('include/bbcode.php');
+require_once('include/security.php');
 
 function photos_init(&$a) {
 
@@ -23,28 +24,71 @@ function photos_init(&$a) {
 
 		$a->data['user'] = $r[0];
 
-		$albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d",
+		$sql_extra = permissions_sql($a->data['user']['uid']);
+
+		$albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d $sql_extra ",
 			intval($a->data['user']['uid'])
 		);
 
 		if(count($albums)) {
 			$a->data['albums'] = $albums;
 
-			$o .= '<h4><a href="' . $a->get_baseurl() . '/profile/' . $a->data['user']['nickname'] . '">' . $a->data['user']['username'] . '</a></h4>';
-			$o .= '<h4>' . '<a href="' . $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '">' . t('Photo Albums') . '</a></h4>';
-		
+			$o .= '<div class="vcard">';
+			$o .= '<div class="fn">' . $a->data['user']['username'] . '</div>';
+			$o .= '<div id="profile-photo-wrapper"><img class="photo" style="width: 175px; height: 175px;" src="' . $a->get_baseurl() . '/photo/profile/' . $a->data['user']['uid'] . '.jpg" alt="' . $a->data['user']['username'] . '" /></div>';
+			$o .= '</div>';
+			
+			$o .= '<div id="side-bar-photos-albums" class="widget">';
+			$o .= '<h3>' . '<a href="' . $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '">' . t('Photo Albums') . '</a></h3>';
+					
 			$o .= '<ul>';
 			foreach($albums as $album) {
-				if((! strlen($album['album'])) || ($album['album'] == t('Contact Photos')))
+
+				// don't show contact photos. We once translated this name, but then you could still access it under
+				// a different language setting. Now we store the name in English and check in English (and translated for legacy albums).
+
+				if((! strlen($album['album'])) || ($album['album'] === 'Contact Photos') || ($album['album'] === t('Contact Photos')))
 					continue;
-				$o .= '<li>' . '<a href="photos/' . $a->argv[1] . '/album/' . bin2hex($album['album']) . '" />' . $album['album'] . '</a></li>'; 
+				$o .= '<li>' . '<a href="photos/' . $a->argv[1] . '/album/' . bin2hex($album['album']) . '" >' . $album['album'] . '</a></li>'; 
 			}
 			$o .= '</ul>';
+
+			if(local_user() && $a->data['user']['uid'] == local_user()) {
+				$o .= '<div id="photo-albums-upload-link"><a href="' . $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/upload" >' .t('Upload New Photos') . '</a></div>';
+			}
+
+			$o .= '</div>';
 		}
 
 		if(! x($a->page,'aside'))
 			$a->page['aside'] = '';
 		$a->page['aside'] .= $o;
+
+
+		$a->page['htmlhead'] .= "<script> var ispublic = '" . t('everybody') . "';" ;
+
+		$a->page['htmlhead'] .= <<< EOT
+
+		$(document).ready(function() {
+
+			$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
+				var selstr;
+				$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
+					selstr = $(this).text();
+					$('#jot-perms-icon').removeClass('unlock').addClass('lock');
+					$('#jot-public').hide();
+				});
+				if(selstr == null) { 
+					$('#jot-perms-icon').removeClass('lock').addClass('unlock');
+					$('#jot-public').show();
+				}
+
+			}).trigger('change');
+
+		});
+
+		</script>
+EOT;
 	}
 
 	return;
@@ -54,15 +98,11 @@ function photos_init(&$a) {
 
 function photos_post(&$a) {
 
-logger('mod/photos.php: photos_post(): begin' , 'LOGGER_DEBUG');
+	logger('mod-photos: photos_post: begin' , 'LOGGER_DEBUG');
 
-foreach($_REQUEST AS $key => $val) {
-	logger('mod/photos.php: photos_post(): $_REQUEST key: ' . $key . ' val: ' . $val , 'LOGGER_DEBUG');
-}
 
-foreach($_FILES AS $key => $val) {
-	logger('mod/photos.php: photos_post(): $_FILES key: ' . $key . ' val: ' . $val , 'LOGGER_DEBUG');
-}
+	logger('mod_photos: REQUEST ' . print_r($_REQUEST,true), LOGGER_DATA);
+	logger('mod_photos: FILES '   . print_r($_FILES,true), LOGGER_DATA);
 
 	$can_post  = false;
 	$visitor   = 0;
@@ -107,7 +147,7 @@ foreach($_FILES AS $key => $val) {
 	if(($a->argc > 3) && ($a->argv[2] === 'album')) {
 		$album = hex2bin($a->argv[3]);
 
-		if($album == t('Profile Photos') || $album == t('Contact Photos')) {
+		if($album === t('Profile Photos') || $album === 'Contact Photos' || $album === t('Contact Photos')) {
 			goaway($a->get_baseurl() . '/' . $_SESSION['photo_return']);
 			return; // NOTREACHED
 		}
@@ -314,6 +354,7 @@ foreach($_FILES AS $key => $val) {
 			$arr['deny_gid']      = $p[0]['deny_gid'];
 			$arr['last-child']    = 1;
 			$arr['visible']       = $visibility;
+			$arr['origin']        = 1;
 			
 			$arr['body']          = '[url=' . $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $p[0]['resource-id'] . ']' 
 						. '[img]' . $a->get_baseurl() . '/photo/' . $p[0]['resource-id'] . '-' . $p[0]['scale'] . '.jpg' . '[/img]' 
@@ -350,6 +391,8 @@ foreach($_FILES AS $key => $val) {
 
 			if(count($tags)) {
 				foreach($tags as $tag) {
+					if(isset($profile))
+						unset($profile);
 					if(strpos($tag,'@') === 0) {
 						$name = substr($tag,1);
 						if((strpos($name,'@')) || (strpos($name,'http://'))) {
@@ -371,7 +414,18 @@ foreach($_FILES AS $key => $val) {
 						}
 						else {
 							$newname = $name;
-							if(strstr($name,'_')) {
+							$alias = '';
+							$tagcid = 0;
+							if(strrpos($newname,'+'))
+								$tagcid = intval(substr($newname,strrpos($newname,'+') + 1));
+
+							if($tagcid) {
+								$r = q("SELECT * FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
+									intval($tagcid),
+									intval($profile_uid)
+								);
+							}
+							elseif(strstr($name,'_') || strstr($name,' ')) {
 								$newname = str_replace('_',' ',$name);
 								$r = q("SELECT * FROM `contact` WHERE `name` = '%s' AND `uid` = %d LIMIT 1",
 									dbesc($newname),
@@ -379,7 +433,8 @@ foreach($_FILES AS $key => $val) {
 								);
 							}
 							else {
-								$r = q("SELECT * FROM `contact` WHERE `nick` = '%s' AND `uid` = %d LIMIT 1",
+								$r = q("SELECT * FROM `contact` WHERE `attag` = '%s' OR `nick` = '%s' AND `uid` = %d ORDER BY `attag` DESC LIMIT 1",
+									dbesc($name),
 									dbesc($name),
 									intval($page_owner_uid)
 								);
@@ -469,7 +524,7 @@ foreach($_FILES AS $key => $val) {
 					$arr['target-type']   = ACTIVITY_OBJ_PHOTO;
 					$arr['tag']           = $tagged[4];
 					$arr['inform']        = $tagged[2];
-
+					$arr['origin']        = 1;
 					$arr['body']          = '[url=' . $tagged[1] . ']' . $tagged[0] . '[/url]' . ' ' . t('was tagged in a') . ' ' . '[url=' . $a->get_baseurl() . '/photos/' . $owner_record['nickname'] . '/image/' . $p[0]['resource-id'] . ']' . t('photo') . '[/url]' . ' ' . t('by') . ' ' . '[url=' . $owner_record['url'] . ']' . $owner_record['name'] . '[/url]' ;
 					$arr['body'] .= "\n\n" . '[url=' . $a->get_baseurl() . '/photos/' . $owner_record['nickname'] . '/image/' . $p[0]['resource-id'] . ']' . '[img]' . $a->get_baseurl() . "/photo/" . $p[0]['resource-id'] . '-' . $best . '.jpg' . '[/img][/url]' . "\n" ;
 
@@ -484,8 +539,15 @@ foreach($_FILES AS $key => $val) {
 					$arr['target'] .= '<link>' . xmlify('<link rel="alternate" type="text/html" href="' . $a->get_baseurl() . '/photos/' . $owner_record['nickname'] . '/image/' . $p[0]['resource-id'] . '" />' . "\n" . '<link rel="preview" type="image/jpeg" href="' . $a->get_baseurl() . "/photo/" . $p[0]['resource-id'] . '-' . $best . '.jpg' . '" />') . '</link></target>';
 
 					$item_id = item_store($arr);
-					if($item_id)
+					if($item_id) {
+						q("UPDATE `item` SET `plink` = '%s' WHERE `uid` = %d AND `id` = %d LIMIT 1",
+							dbesc($a->get_baseurl() . '/display/' . $owner_record['nickname'] . '/' . $item_id),
+							intval($page_owner_uid),
+							intval($item_id)
+						);
+
 						proc_run('php',"include/notifier.php","tag","$item_id");
+					}
 				}
 
 			}
@@ -522,13 +584,13 @@ foreach($_FILES AS $key => $val) {
 	 *
 	 * We create a wall item for every photo, but we don't want to
 	 * overwhelm the data stream with a hundred newly uploaded photos.
-	 * So we will make one photo (the first one uploaded to this album)
+	 * So we will make the first photo uploaded to this album in the last several hours
 	 * visible by default, the rest will become visible over time when and if
 	 * they acquire comments, likes, dislikes, and/or tags 
 	 *
 	 */
 
-	$r = q("SELECT * FROM `photo` WHERE `album` = '%s' AND `uid` = %d",
+	$r = q("SELECT * FROM `photo` WHERE `album` = '%s' AND `uid` = %d AND `created` > UTC_TIMESTAMP() - INTERVAL 3 HOUR ",
 		dbesc($album),
 		intval($page_owner_uid)
 	);
@@ -536,6 +598,9 @@ foreach($_FILES AS $key => $val) {
 		$visible = 1;
 	else
 		$visible = 0;
+	
+	if(intval($_REQUEST['not_visible']) || $_REQUEST['not_visible'] === 'true')
+		$visible = 0;
 
 	$str_group_allow   = perms2str(((is_array($_REQUEST['group_allow']))   ? $_REQUEST['group_allow']   : explode(',',$_REQUEST['group_allow'])));
 	$str_contact_allow = perms2str(((is_array($_REQUEST['contact_allow'])) ? $_REQUEST['contact_allow'] : explode(',',$_REQUEST['contact_allow'])));
@@ -557,11 +622,24 @@ foreach($_FILES AS $key => $val) {
 		$filesize   = intval($_FILES['userfile']['size']);
 	}
 
+
+	logger('photos: upload: received file: ' . $filename . ' as ' . $src . ' ' . $filesize . ' bytes', LOGGER_DEBUG);
+
 	$maximagesize = get_config('system','maximagesize');
 
 	if(($maximagesize) && ($filesize > $maximagesize)) {
 		notice( t('Image exceeds size limit of ') . $maximagesize . EOL);
 		@unlink($src);
+		$foo = 0;
+		call_hooks('photo_post_end',$foo);
+		return;
+	}
+
+	if(! $filesize) {
+		notice( t('Image file is empty.') . EOL);
+		@unlink($src);
+		$foo = 0;
+		call_hooks('photo_post_end',$foo);
 		return;
 	}
 
@@ -574,6 +652,8 @@ foreach($_FILES AS $key => $val) {
 		logger('mod/photos.php: photos_post(): unable to process image' , 'LOGGER_DEBUG');
 		notice( t('Unable to process image.') . EOL );
 		@unlink($src);
+		$foo = 0;
+		call_hooks('photo_post_end',$foo);
 		killme();
 	}
 
@@ -633,6 +713,8 @@ foreach($_FILES AS $key => $val) {
 	$arr['deny_gid']      = $str_group_deny;
 	$arr['last-child']    = 1;
 	$arr['visible']       = $visible;
+	$arr['origin']        = 1;
+
 	$arr['body']          = '[url=' . $a->get_baseurl() . '/photos/' . $owner_record['nickname'] . '/image/' . $photo_hash . ']' 
 				. '[img]' . $a->get_baseurl() . "/photo/{$photo_hash}-{$smallest}.jpg" . '[/img]' 
 				. '[/url]';
@@ -666,6 +748,7 @@ function photos_content(&$a) {
 	// URLs:
 	// photos/name
 	// photos/name/upload
+	// photos/name/upload/xxxxx (xxxxx is album name)
 	// photos/name/album/xxxxx
 	// photos/name/album/xxxxx/edit
 	// photos/name/image/xxxxx
@@ -759,34 +842,18 @@ function photos_content(&$a) {
 		}
 	}
 
-	// default permissions - anonymous user
+	if($a->data['user']['hidewall'] && (local_user() != $owner_uid) && (! $remote_contact)) {
+		notice( t('Access to this item is restricted.') . EOL);
+		return;
+	}
 
-	$sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' ";
+	$sql_extra = permissions_sql($owner_uid,$remote_contact,$groups);
 
-	// Profile owner - everything is visible
+	$o = "";
 
-	if(local_user() && (local_user() == $owner_uid)) {
-		$sql_extra = ''; 	
-	}
-	elseif(remote_user()) {
-		// authenticated visitor - here lie dragons
-		$gs = '<<>>'; // should be impossible to match
-		if(count($groups)) {
-			foreach($groups as $g)
-				$gs .= '|<' . intval($g) . '>';
-		} 
-		$sql_extra = sprintf(
-			" AND ( `allow_cid` = '' OR `allow_cid` REGEXP '<%d>' ) 
-			  AND ( `deny_cid`  = '' OR  NOT `deny_cid` REGEXP '<%d>' ) 
-			  AND ( `allow_gid` = '' OR `allow_gid` REGEXP '%s' )
-			  AND ( `deny_gid`  = '' OR NOT `deny_gid` REGEXP '%s') ",
-
-			intval(remote_user()),
-			intval(remote_user()),
-			dbesc($gs),
-			dbesc($gs)
-		);
-	}
+	// tabs
+	$_is_owner = (local_user() && (local_user() == $owner_uid));
+	$o .= profile_tabs($a,$_is_owner, $a->data['user']['nickname']);	
 
 	//
 	// dispatch request
@@ -798,14 +865,21 @@ function photos_content(&$a) {
 			notice( t('Permission denied.'));
 			return;
 		}
+
+
+		$selname = (($datum) ? hex2bin($datum) : '');
+
+
 		$albumselect = '<select id="photos-upload-album-select" name="album" size="4">';
 
-		$albumselect .= '<option value="" selected="selected" >&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</option>';
+		
+		$albumselect .= '<option value="" ' . ((! $selname) ? ' selected="selected" ' : '') . '>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</option>';
 		if(count($a->data['albums'])) {
 			foreach($a->data['albums'] as $album) {
-				if(($album['album'] === '') || ($album['album'] == t('Contact Photos')))
+				if(($album['album'] === '') || ($album['album'] === 'Contact Photos') || ($album['album'] === t('Contact Photos')))
 					continue;
-				$albumselect .= '<option value="' . $album['album'] . '">' . $album['album'] . '</option>';
+				$selected = (($selname === $album['album']) ? ' selected="selected" ' : '');
+				$albumselect .= '<option value="' . $album['album'] . '"' . $selected . '>' . $album['album'] . '</option>';
 			}
 		}
 
@@ -828,16 +902,17 @@ function photos_content(&$a) {
 
  
 
-		$tpl = load_view_file('view/photos_upload.tpl');
+		$tpl = get_markup_template('photos_upload.tpl');
 		$o .= replace_macros($tpl,array(
 			'$pagename' => t('Upload Photos'),
 			'$sessid' => session_id(),
 			'$nickname' => $a->data['user']['nickname'],
 			'$newalbum' => t('New album name: '),
 			'$existalbumtext' => t('or existing album name: '),
-			'$albumselect' => $albumselect,
+			'$nosharetext' => t('Do not show a status post for this upload'),
+			'$albumselect' => template_escape($albumselect),
 			'$permissions' => t('Permissions'),
-			'$aclselect' => (($visitor) ? '' : populate_acl($a->user, $celeb)),
+			'$aclselect' => (($visitor) ? '' : template_escape(populate_acl($a->user, $celeb))),
 			'$uploader' => $ret['addon_text'],
 			'$default' => (($ret['default_upload']) ? $default_upload : ''),
 			'$uploadurl' => $ret['post_url']
@@ -852,7 +927,7 @@ function photos_content(&$a) {
 		$album = hex2bin($datum);
 
 		$r = q("SELECT `resource-id`, max(`scale`) AS `scale` FROM `photo` WHERE `uid` = %d AND `album` = '%s' 
-			$sql_extra GROUP BY `resource-id`",
+			AND `scale` <= 4 $sql_extra GROUP BY `resource-id`",
 			intval($owner_uid),
 			dbesc($album)
 		);
@@ -862,7 +937,7 @@ function photos_content(&$a) {
 		}
 
 		$r = q("SELECT `resource-id`, `id`, `filename`, max(`scale`) AS `scale`, `desc` FROM `photo` WHERE `uid` = %d AND `album` = '%s' 
-			$sql_extra GROUP BY `resource-id` ORDER BY `created` DESC LIMIT %d , %d",
+			AND `scale` <= 4 $sql_extra GROUP BY `resource-id` ORDER BY `created` DESC LIMIT %d , %d",
 			intval($owner_uid),
 			dbesc($album),
 			intval($a->pager['start']),
@@ -872,13 +947,13 @@ function photos_content(&$a) {
 		$o .= '<h3>' . $album . '</h3>';
 		
 		if($cmd === 'edit') {		
-			if(($album != t('Profile Photos')) && ($album != t('Contact Photos'))) {
+			if(($album !== t('Profile Photos')) && ($album !== 'Contact Photos') && ($album !== t('Contact Photos'))) {
 				if($can_post) {
-					$edit_tpl = load_view_file('view/album_edit.tpl');
+					$edit_tpl = get_markup_template('album_edit.tpl');
 					$o .= replace_macros($edit_tpl,array(
 						'$nametext' => t('New album name: '),
 						'$nickname' => $a->data['user']['nickname'],
-						'$album' => $album,
+						'$album' => template_escape($album),
 						'$hexalbum' => bin2hex($album),
 						'$submit' => t('Submit'),
 						'$dropsubmit' => t('Delete Album')
@@ -887,7 +962,7 @@ function photos_content(&$a) {
 			}
 		}
 		else {
-			if(($album != t('Profile Photos')) && ($album != t('Contact Photos'))) {
+			if(($album !== t('Profile Photos')) && ($album !== 'Contact Photos') && ($album !== t('Contact Photos'))) {
 				if($can_post) {
 					$o .= '<div id="album-edit-link"><a href="'. $a->get_baseurl() . '/photos/' 
 						. $a->data['user']['nickname'] . '/album/' . bin2hex($album) . '/edit' . '">' 
@@ -895,7 +970,12 @@ function photos_content(&$a) {
  				}
 			}
 		}
-		$tpl = load_view_file('view/photo_album.tpl');
+
+		if($can_post) {
+			$o .= '<div class="photos-upload-link" ><a href="' . $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/upload/' . bin2hex($album) . '" >' . t('Upload New Photos') . '</a></div>';
+		}
+
+		$tpl = get_markup_template('photo_album.tpl');
 		if(count($r))
 			foreach($r as $rr) {
 				$o .= replace_macros($tpl,array(
@@ -903,8 +983,8 @@ function photos_content(&$a) {
 					'$photolink' => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $rr['resource-id'],
 					'$phototitle' => t('View Photo'),
 					'$imgsrc' => $a->get_baseurl() . '/photo/' . $rr['resource-id'] . '-' . $rr['scale'] . '.jpg',
-					'$imgalt' => $rr['filename'],
-					'$desc'=> $rr['desc']
+					'$imgalt' => template_escape($rr['filename']),
+					'$desc'=> template_escape($rr['desc'])
 				));
 
 		}
@@ -920,7 +1000,7 @@ function photos_content(&$a) {
 
 
 
-		$o = '';
+		//$o = '';
 		// fetch image, item containing image, then comments
 
 		$ph = q("SELECT * FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' 
@@ -930,7 +1010,15 @@ function photos_content(&$a) {
 		);
 
 		if(! count($ph)) {
-			notice( t('Photo not available') . EOL );
+			$ph = q("SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' 
+				LIMIT 1",
+				intval($owner_uid),
+				dbesc($datum)
+			);
+			if(count($ph)) 
+				notice( t('Permission denied. Access to this item may be restricted.'));
+			else
+				notice( t('Photo not available') . EOL );
 			return;
 		}
 
@@ -955,8 +1043,9 @@ function photos_content(&$a) {
 					break;
 				}
 			}
-			$prevlink = $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $prvnxt[$prv]['resource-id'] ;
-			$nextlink = $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $prvnxt[$nxt]['resource-id'] ;
+			$edit_suffix = ((($cmd === 'edit') && ($can_post)) ? '/edit' : '');
+			$prevlink = $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $prvnxt[$prv]['resource-id'] . $edit_suffix;
+			$nextlink = $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $prvnxt[$nxt]['resource-id'] . $edit_suffix;
  		}
 
 
@@ -979,7 +1068,7 @@ function photos_content(&$a) {
  
 		if($can_post && ($ph[0]['uid'] == $owner_uid)) {
 			$tools = array(
-				'edit'	=> array($a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $datum . '/edit', t('Edit photo')),
+				'edit'	=> array($a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $datum . (($cmd === 'edit') ? '' : '/edit'), (($cmd === 'edit') ? t('View photo') : t('Edit photo'))),
 				'profile'=>array($a->get_baseurl() . '/profile_photo/use/'.$ph[0]['resource-id'], t('Use as profile photo')),
 			);
 
@@ -993,7 +1082,7 @@ function photos_content(&$a) {
 		}
 
 		if($prevlink)
-			$prevlink = array($prevlink, t('<< Prev')) ;
+			$prevlink = array($prevlink, '<div class="icon prev"></div>') ;
 
 		$photo = array(
 			'href' => $a->get_baseurl() . '/photo/' . $hires['resource-id'] . '-' . $hires['scale'] . '.jpg',
@@ -1002,7 +1091,7 @@ function photos_content(&$a) {
 		);
 
 		if($nextlink)
-			$nextlink = array($nextlink, t('Next >>'));
+			$nextlink = array($nextlink, '<div class="icon next"></div>');
 
 
 		// Do we have an item for this photo?
@@ -1014,7 +1103,7 @@ function photos_content(&$a) {
 			$link_item = $linked_items[0];
 			$r = q("SELECT COUNT(*) AS `total`
 				FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
-				WHERE `parent-uri` = '%s' AND `uri` != '%s' AND `item`.`deleted` = 0
+				WHERE `parent-uri` = '%s' AND `uri` != '%s' AND `item`.`deleted` = 0 and `item`.`moderated` = 0
 				AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
 				AND `item`.`uid` = %d 
 				$sql_extra ",
@@ -1033,7 +1122,7 @@ function photos_content(&$a) {
 				`contact`.`rel`, `contact`.`thumb`, `contact`.`self`, 
 				`contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid`
 				FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
-				WHERE `parent-uri` = '%s' AND `uri` != '%s' AND `item`.`deleted` = 0
+				WHERE `parent-uri` = '%s' AND `uri` != '%s' AND `item`.`deleted` = 0 and `item`.`moderated` = 0
 				AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
 				AND `item`.`uid` = %d
 				$sql_extra
@@ -1055,6 +1144,7 @@ function photos_content(&$a) {
 		}
 
 		$tags=Null;
+
 		if(count($linked_items) && strlen($link_item['tag'])) {
 			$arr = explode(',',$link_item['tag']);
 			// parse tags and add links
@@ -1065,27 +1155,28 @@ function photos_content(&$a) {
 				$tag_str .= bbcode($t);
 			} 
 			$tags = array(t('Tags: '), $tag_str);
-			if($cmd === 'edit')
+			if($cmd === 'edit') {
 				$tags[] = $a->get_baseurl() . '/tagrm/' . $link_item['id'];
 				$tags[] = t('[Remove any tag]');
+			}
 		}
 
 
 		$edit = Null;
 		if(($cmd === 'edit') && ($can_post)) {
-			$edit_tpl = load_view_file('view/photo_edit.tpl');
+			$edit_tpl = get_markup_template('photo_edit.tpl');
 			$edit = replace_macros($edit_tpl, array(
 				'$id' => $ph[0]['id'],
-				'$album' => $ph[0]['album'],
+				'$album' => template_escape($ph[0]['album']),
 				'$newalbum' => t('New album name'), 
 				'$nickname' => $a->data['user']['nickname'],
 				'$resource_id' => $ph[0]['resource-id'],
 				'$capt_label' => t('Caption'),
-				'$caption' => $ph[0]['desc'],
+				'$caption' => template_escape($ph[0]['desc']),
 				'$tag_label' => t('Add a Tag'),
 				'$tags' => $link_item['tag'],
 				'$permissions' => t('Permissions'),
-				'$aclselect' => populate_acl($ph[0]),
+				'$aclselect' => template_escape(populate_acl($ph[0])),
 				'$help_tags' => t('Example: @bob, @Barbara_Jensen, @jim@example.com, #California, #camping'),
 				'$item_id' => ((count($linked_items)) ? $link_item['id'] : 0),
 				'$submit' => t('Submit'),
@@ -1095,11 +1186,11 @@ function photos_content(&$a) {
 
 		if(count($linked_items)) {
 
-			$cmnt_tpl = load_view_file('view/comment_item.tpl');
-			$tpl = load_view_file('view/photo_item.tpl');
+			$cmnt_tpl = get_markup_template('comment_item.tpl');
+			$tpl = get_markup_template('photo_item.tpl');
 			$return_url = $a->cmd;
 
-			$like_tpl = load_view_file('view/like_noshare.tpl');
+			$like_tpl = get_markup_template('like_noshare.tpl');
 
 			$likebuttons = '';
 
@@ -1129,6 +1220,7 @@ function photos_content(&$a) {
 							'$myphoto' => $contact['thumb'],
 							'$comment' => t('Comment'),
 							'$submit' => t('Submit'),
+							'$preview' => t('Preview'),
 							'$ww' => ''
 						));
 					}
@@ -1225,17 +1317,17 @@ function photos_content(&$a) {
 					$drop = '';
 
 					if(($item['contact-id'] == remote_user()) || ($item['uid'] == local_user()))
-						$drop = replace_macros(load_view_file('view/wall_item_drop.tpl'), array('$id' => $item['id'], '$delete' => t('Delete')));
+						$drop = replace_macros(get_markup_template('photo_drop.tpl'), array('$id' => $item['id'], '$delete' => t('Delete')));
 
 
 					$comments .= replace_macros($template,array(
 						'$id' => $item['item_id'],
 						'$profile_url' => $profile_link,
-						'$name' => $profile_name,
+						'$name' => template_escape($profile_name),
 						'$thumb' => $profile_avatar,
 						'$sparkle' => $sparkle,
-						'$title' => $item['title'],
-						'$body' => bbcode($item['body']),
+						'$title' => template_escape($item['title']),
+						'$body' => template_escape(bbcode($item['body'])),
 						'$ago' => relative_date($item['created']),
 						'$indent' => (($item['parent'] != $item['item_id']) ? ' comment' : ''),
 						'$drop' => $drop,
@@ -1247,21 +1339,21 @@ function photos_content(&$a) {
 			$paginate = paginate($a);
 		}
 		
-		$photo_tpl = load_view_file('view/photo_view.tpl');
+		$photo_tpl = get_markup_template('photo_view.tpl');
 		$o .= replace_macros($photo_tpl, array(
 			'$id' => $ph[0]['id'],
-			'$album' => array($album_link,$ph[0]['album']),
+			'$album' => array($album_link,template_escape($ph[0]['album'])),
 			'$tools' => $tools,
 			'$lock' => $lock,
 			'$photo' => $photo,
 			'$prevlink' => $prevlink,
 			'$nextlink' => $nextlink,
 			'$desc' => $ph[0]['desc'],
-			'$tags' => $tags,
+			'$tags' => template_escape($tags),
 			'$edit' => $edit,	
 			'$likebuttons' => $likebuttons,
-			'$like' => $like,
-			'$dislike' => $dislike,
+			'$like' => template_escape($like),
+			'$dislike' => template_escape($dislike),
 			'$comments' => $comments,
 			'$paginate' => $paginate,
 		));
@@ -1270,11 +1362,12 @@ function photos_content(&$a) {
 	}
 
 	// Default - show recent photos with upload link (if applicable)
-	$o = '';
+	//$o = '';
 
-	$r = q("SELECT `resource-id`, max(`scale`) AS `scale` FROM `photo` WHERE `uid` = %d AND `album` != '%s' 
+	$r = q("SELECT `resource-id`, max(`scale`) AS `scale` FROM `photo` WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' 
 		$sql_extra GROUP BY `resource-id`",
 		intval($a->data['user']['uid']),
+		dbesc('Contact Photos'),
 		dbesc( t('Contact Photos'))
 	);
 	if(count($r)) {
@@ -1283,38 +1376,45 @@ function photos_content(&$a) {
 	}
 
 	$r = q("SELECT `resource-id`, `id`, `filename`, `album`, max(`scale`) AS `scale` FROM `photo`
-		WHERE `uid` = %d AND `album` != '%s' 
+		WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s'  
 		$sql_extra GROUP BY `resource-id` ORDER BY `created` DESC LIMIT %d , %d",
 		intval($a->data['user']['uid']),
+		dbesc('Contact Photos'),
 		dbesc( t('Contact Photos')),
 		intval($a->pager['start']),
 		intval($a->pager['itemspage'])
 	);
 
-	$o .= '<h3>' . t('Recent Photos') . '</h3>';
 
-	if($can_post) {
-		$o .= '<div id="photo-top-links"><a id="photo-top-upload-link" href="'. $a->get_baseurl() . '/photos/' 
-			. $a->data['user']['nickname'] . '/upload' . '">' . t('Upload New Photos') . '</a></div>';
-	}
 
-	$tpl = load_view_file('view/photo_top.tpl');
+	$photos = array();
 	if(count($r)) {
 		foreach($r as $rr) {
-			$o .= replace_macros($tpl,array(
-				'$id'         => $rr['id'],
-				'$photolink'  => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $rr['resource-id'],
-				'$phototitle' => t('View Photo'),
-				'$imgsrc'     => $a->get_baseurl() . '/photo/' . $rr['resource-id'] . '-' . ((($rr['scale']) == 6) ? 4 : $rr['scale']) . '.jpg',
-				'$albumlink'  => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/album/' . bin2hex($rr['album']),
-				'$albumname'  => $rr['album'],
-				'$albumalt'   => t('View Album'),
-				'$imgalt'     => $rr['filename']
-			));
-
+			$photos[] = array(
+				'id'       => $rr['id'],
+				'link'  	=> $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $rr['resource-id'],
+				'title' 	=> t('View Photo'),
+				'src'     	=> $a->get_baseurl() . '/photo/' . $rr['resource-id'] . '-' . ((($rr['scale']) == 6) ? 4 : $rr['scale']) . '.jpg',
+				'alt'     	=> template_escape($rr['filename']),
+				'album'	=> array(
+					'link'  => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/album/' . bin2hex($rr['album']),
+					'name'  => template_escape($rr['album']),
+					'alt'   => t('View Album'),
+				),
+				
+			);
 		}
-		$o .= '<div id="photo-top-end"></div>';
 	}
+	
+	$tpl = get_markup_template('photos_recent.tpl'); 
+	$o .= replace_macros($tpl,array(
+		'$title' => t('Recent Photos'),
+		'$can_post' => $can_post,
+		'$upload' => array(t('Upload New Photos'), $a->get_baseurl().'/photos/'.$a->data['user']['nickname'].'/upload'),
+		'$photos' => $photos,
+	));
+
+	
 	$o .= paginate($a);
 	return $o;
 }