From b5e195b41526b12b292e0814a955ee5d0a8708ed Mon Sep 17 00:00:00 2001
From: Dean Townsley <dean@townsley.com>
Date: Sat, 22 Jun 2019 12:24:30 -0500
Subject: [PATCH] Add auth to load sequence for photos

This allows private photos to load on any page.  Previously auth
depended on some other thing like the enclosing page triggering the
authentication of the specific contact for the photo owner.
---
 src/Model/Photo.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Model/Photo.php b/src/Model/Photo.php
index 68665126fb..7df96fccdb 100644
--- a/src/Model/Photo.php
+++ b/src/Model/Photo.php
@@ -16,6 +16,7 @@ use Friendica\Database\DBA;
 use Friendica\Database\DBStructure;
 use Friendica\Model\Storage\IStorage;
 use Friendica\Object\Image;
+use Friendica\Protocol\DFRN;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Network;
 use Friendica\Util\Security;
@@ -133,8 +134,16 @@ class Photo extends BaseObject
 		if ($r === false) {
 			return false;
 		}
+		$uid = $r["uid"];
 
-		$sql_acl = Security::getPermissionsSQLByUserId($r["uid"]);
+		// This is the first place, when retrieving just a photo, that we know who owns the photo.
+		// Make sure that the requester's session is appropriately authenticated to that user
+		// otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
+		$r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
+		// this will either just return (if auth all ok) or will redirect and exit (starting over)
+		DFRN::autoRedir(self::getApp(), $r["nickname"]);
+
+		$sql_acl = Security::getPermissionsSQLByUserId($uid);
 
 		$conditions = [
 			"`resource-id` = ? AND `scale` <= ? " . $sql_acl,