Add auth to load sequence for photos

This allows private photos to load on any page.  Previously auth
depended on some other thing like the enclosing page triggering the
authentication of the specific contact for the photo owner.

diff --git a/src/Model/Photo.php b/src/Model/Photo.php
index 6866512..7df96fc 100644 (file)
--- a/src/Model/Photo.php
+++ b/src/Model/Photo.php
@@ -16,6 +16,7 @@ use Friendica\Database\DBA;
 use Friendica\Database\DBStructure;
 use Friendica\Model\Storage\IStorage;
 use Friendica\Object\Image;
+use Friendica\Protocol\DFRN;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Network;
 use Friendica\Util\Security;
@@ -133,8 +134,16 @@ class Photo extends BaseObject
                if ($r === false) {
                        return false;
                }
+               $uid = $r["uid"];
 
-               $sql_acl = Security::getPermissionsSQLByUserId($r["uid"]);
+               // This is the first place, when retrieving just a photo, that we know who owns the photo.
+               // Make sure that the requester's session is appropriately authenticated to that user
+               // otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
+               $r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
+               // this will either just return (if auth all ok) or will redirect and exit (starting over)
+               DFRN::autoRedir(self::getApp(), $r["nickname"]);
+
+               $sql_acl = Security::getPermissionsSQLByUserId($uid);
 
                $conditions = [
                        "`resource-id` = ? AND `scale` <= ? " . $sql_acl,