diff --git a/mod/photos.php b/mod/photos.php index 187eb154..f8059fc0 100644 --- a/mod/photos.php +++ b/mod/photos.php @@ -23,7 +23,41 @@ function photos_init(&$a) { $a->data['user'] = $r[0]; - $albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d", + + // default permissions - anonymous user + + $sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' "; + + // Profile owner - everything is visible + + if(local_user() && (local_user() == $a->data['user']['uid'])) { + $sql_extra = ''; + } + elseif(remote_user()) { + + $groups = init_groups_visitor(remote_user()); + + // authenticated visitor - here lie dragons + $gs = '<<>>'; // should be impossible to match + if(count($groups)) { + foreach($groups as $g) + $gs .= '|<' . intval($g) . '>'; + } + $sql_extra = sprintf( + " AND ( `allow_cid` = '' OR `allow_cid` REGEXP '<%d>' ) + AND ( `deny_cid` = '' OR NOT `deny_cid` REGEXP '<%d>' ) + AND ( `allow_gid` = '' OR `allow_gid` REGEXP '%s' ) + AND ( `deny_gid` = '' OR NOT `deny_gid` REGEXP '%s') ", + + intval(remote_user()), + intval(remote_user()), + dbesc($gs), + dbesc($gs) + ); + } + + + $albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d $sql_extra ", intval($a->data['user']['uid']) );