diff --git a/mod/photos.php b/mod/photos.php
index 187eb154cc..f8059fc08e 100644
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -23,7 +23,41 @@ function photos_init(&$a) {
 $a->data['user'] = $r[0];
- $albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d",
+
+ // default permissions - anonymous user
+
+ $sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' ";
+
+ // Profile owner - everything is visible
+
+ if(local_user() && (local_user() == $a->data['user']['uid'])) {
+ $sql_extra = '';
+ }
+ elseif(remote_user()) {
+
+ $groups = init_groups_visitor(remote_user());
+
+ // authenticated visitor - here lie dragons
+ $gs = '<<>>'; // should be impossible to match
+ if(count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . intval($g) . '>';
+ }
+ $sql_extra = sprintf(
+ " AND ( `allow_cid` = '' OR `allow_cid` REGEXP '<%d>' )
+ AND ( `deny_cid` = '' OR NOT `deny_cid` REGEXP '<%d>' )
+ AND ( `allow_gid` = '' OR `allow_gid` REGEXP '%s' )
+ AND ( `deny_gid` = '' OR NOT `deny_gid` REGEXP '%s') ",
+
+ intval(remote_user()),
+ intval(remote_user()),
+ dbesc($gs),
+ dbesc($gs)
+ );
+ }
+
+
+ $albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d $sql_extra ",
 intval($a->data['user']['uid'])
 );