Add auth to load sequence for photos

This allows private photos to load on any page.  Previously auth
depended on some other thing like the enclosing page triggering the
authentication of the specific contact for the photo owner.
This commit is contained in:
Dean Townsley 2019-06-22 12:24:30 -05:00
parent cd2f390df6
commit b5e195b415

View file

@ -16,6 +16,7 @@ use Friendica\Database\DBA;
use Friendica\Database\DBStructure;
use Friendica\Model\Storage\IStorage;
use Friendica\Object\Image;
use Friendica\Protocol\DFRN;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Network;
use Friendica\Util\Security;
@ -133,8 +134,16 @@ class Photo extends BaseObject
if ($r === false) {
return false;
}
$uid = $r["uid"];
$sql_acl = Security::getPermissionsSQLByUserId($r["uid"]);
// This is the first place, when retrieving just a photo, that we know who owns the photo.
// Make sure that the requester's session is appropriately authenticated to that user
// otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
$r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
// this will either just return (if auth all ok) or will redirect and exit (starting over)
DFRN::autoRedir(self::getApp(), $r["nickname"]);
$sql_acl = Security::getPermissionsSQLByUserId($uid);
$conditions = [
"`resource-id` = ? AND `scale` <= ? " . $sql_acl,