Add auth to load sequence for photos
authorDean Townsley <dean@townsley.com>
Sat, 22 Jun 2019 17:24:30 +0000 (12:24 -0500)
committerDean Townsley <dean@townsley.com>
Sat, 22 Jun 2019 17:24:30 +0000 (12:24 -0500)
This allows private photos to load on any page.  Previously, authentication
depended on something else, such as the enclosing page, having already triggered
the authentication of the specific contact for the photo owner.

src/Model/Photo.php

index 68665126fb44c21aa26420ff3147bf87219e5d2b..7df96fccdb4bef8d954fbc42fa9b795512d45578 100644 (file)
@@ -16,6 +16,7 @@ use Friendica\Database\DBA;
 use Friendica\Database\DBStructure;
 use Friendica\Model\Storage\IStorage;
 use Friendica\Object\Image;
+use Friendica\Protocol\DFRN;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Network;
 use Friendica\Util\Security;
@@ -133,8 +134,16 @@ class Photo extends BaseObject
                if ($r === false) {
                        return false;
                }
+               $uid = $r["uid"];
 
-               $sql_acl = Security::getPermissionsSQLByUserId($r["uid"]);
+               // This is the first place, when retrieving just a photo, that we know who owns the photo.
+               // Make sure that the requester's session is appropriately authenticated to that user
+               // otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
+               $r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
+               // this will either just return (if auth all ok) or will redirect and exit (starting over)
+               DFRN::autoRedir(self::getApp(), $r["nickname"]);
+
+               $sql_acl = Security::getPermissionsSQLByUserId($uid);
 
                $conditions = [
                        "`resource-id` = ? AND `scale` <= ? " . $sql_acl,
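Review bot: The user lookup `$r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);` is never checked for failure, so a photo whose owner row no longer exists reaches `$r["nickname"]` on a `false` result and hands a null nickname to `DFRN::autoRedir()`, unlike the photo query just above which is guarded by `if ($r === false)`. Reassigning `$r` also discards the photo row; the method continues past the hunk, and if any later line still reads `$r` expecting photo columns it now sees the user row instead. Both are fixed by giving the row its own name and guarding it: `$user = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);` / `if ($user === false) { return false; }` / `DFRN::autoRedir(self::getApp(), $user["nickname"]);`. Since `autoRedir()` may redirect and terminate the request from inside a model getter, the comment above it should also state that callers must not hold unflushed output or open transactions at this point, if that is indeed the case.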