Diffstat (limited to '')
-rw-r--r-- | include/section_init.inc.php | 39 | ||||
-rw-r--r-- | picture.php | 80 |
2 files changed, 81 insertions, 38 deletions
diff --git a/include/section_init.inc.php b/include/section_init.inc.php index 305025ff3..d8b2f62c2 100644 --- a/include/section_init.inc.php +++ b/include/section_init.inc.php @@ -93,6 +93,10 @@ if (script_basename() == 'picture') // basename without file extention if ( is_numeric($token) ) { $page['image_id'] = $token; + if ($page['image_id']==0) + { + bad_request('invalid picture identifier'); + } } else { @@ -525,40 +529,7 @@ if (isset($page['chronology_field'])) if (script_basename() == 'picture' and !isset($page['image_id']) ) { - if ( !empty($page['items']) ) - { - $query = ' -SELECT id,file - FROM '.IMAGES_TABLE .' - WHERE file LIKE "' . $page['image_file'] . '.%" ESCAPE "|"'; - if ( count($page['items']) < 500) - {// for very large item sets do not add IN - because slow - $query .= ' - AND id IN ('.implode(',',$page['items']).') - LIMIT 0,1'; - } - $result = pwg_query($query); - switch (mysql_num_rows($result)) - { - case 0: break; - case 1: - list($page['image_id'], $page['image_file']) = mysql_fetch_row($result); - break; - default: // more than 1 file name match - while ($row = mysql_fetch_row($result) ) - { - if ( in_array($row[0], $page['items']) ) - { - list($page['image_id'], $page['image_file']) = $row; - break; - } - } - } - } - if ( !isset($page['image_id']) ) - { - $page['image_id'] = -1; // will fail in picture.php - } + $page['image_id'] = 0; // more work in picture.php } // add meta robots noindex, nofollow to avoid unnecesary robot crawls diff --git a/picture.php b/picture.php index 84dd43c04..d4cde5ed7 100644 --- a/picture.php +++ b/picture.php 
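Review bot: The new `==0` guard in the `is_numeric($token)` branch still lets negative and non-integer identifiers through, because `is_numeric()` accepts `"-3"`, `"1.5"`, `"1e2"` and leading whitespace; the value is later concatenated as `id = '.$page['image_id']` in picture.php, and a negative id there fails the `>0` test and drops into the file-name branch with no `image_file` set (the `assert()` on that path only emits a warning by default). Normalise and range-check the token instead of comparing it with 0: `$page['image_id'] = (int)$token;` followed by `if ($page['image_id'] <= 0) { bad_request('invalid picture identifier'); }`. The `else` branch that handles the non-numeric token continues outside the hunk, so whatever escaping it applies to `$page['image_file']` cannot be confirmed here.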
@@ -41,10 +41,82 @@ $page['rank_of'] = array_flip($page['items']); // displayed, and execution is stopped if ( !isset($page['rank_of'][$page['image_id']]) ) { - page_not_found( - 'The requested image does not belong to this image set', - duplicate_index_url() - ); + $query = ' +SELECT id, file, level + FROM '.IMAGES_TABLE.' + WHERE '; + if ($page['image_id']>0) + { + $query .= 'id = '.$page['image_id']; + } + else + {// url given by file name + assert( !empty($page['image_file']) ); + $query .= 'file LIKE "' . $page['image_file'] . '.%" ESCAPE "|" LIMIT 1'; + } + if ( ! ( $row = mysql_fetch_array(pwg_query($query)) ) ) + {// element does not exist + page_not_found( 'The requested image does not exist', + duplicate_index_url() + ); + } + if ($row['level']>$user['level']) + { + access_denied(); + } + list($page['image_id'], $page['image_file']) = $row; + if ( !isset($page['rank_of'][$page['image_id']]) ) + {// the image can still be non accessible (filter/cat perm) and/or not in the set + global $filter; + if ( !empty($filter['visible_images']) and + !in_array($page['image_id'], explode(',',$filter['visible_images']) ) ) + { + page_not_found( 'The requested image is filtered', + duplicate_index_url() + ); + } + if ('categories'==$page['section'] and !isset($page['category']) ) + {// flat view - all items + access_denied(); + } + else + {// try to see if we can access it differently + $query = ' +SELECT id + FROM '.IMAGES_TABLE.' INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON id=image_id + WHERE id='.$page['image_id'] + . get_sql_condition_FandF( + array('forbidden_categories' => 'category_id'), + " AND" + ).' 
+ LIMIT 1'; + if ( mysql_num_rows( pwg_query($query) ) == 0 ) + { + access_denied(); + } + else + { + if ('best_rated'==$page['section']) + { + $page['rank_of'][$page['image_id']] = count($page['items']); + array_push($page['items'], $page['image_id'] ); + } + else + { + $url = make_picture_url( + array( + 'image_id' => $page['image_id'], + 'image_file' => $page['image_file'], + 'section' => 'categories', + 'flat' => true, + ) + ); + set_status_header( 'recent_pics'==$page['section'] ? 301 : 302); + redirect_http( $url ); + } + } + } + } } // There is cookie, so we must handle it at the beginning |
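Review bot: The file-name branch interpolates `$page['image_file']` directly into `file LIKE "..." ESCAPE "|"` and nothing in this hunk escapes it, so a `%`, `_` or `|` in the URL token widens or breaks the match, and unless the assignment in section_init.inc.php (outside this hunk) already runs the value through `mysql_real_escape_string()`, a quote in the token is SQL injection. Build the pattern from an escaped value: `$pattern = str_replace(array('|', '%', '_'), array('||', '|%', '|_'), mysql_real_escape_string($page['image_file']));` and then `$query .= 'file LIKE "' . $pattern . '.%" ESCAPE "|" LIMIT 1';`. Separately, answering `access_denied()` for an id that exists but is above the user's level or in a forbidden category, while a missing id gets `page_not_found`, gives an anonymous visitor an oracle for enumerating valid image ids and file names; the code this hunk removes returned `page_not_found` in both cases, and keeping that uniform response would be safer.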