Diffstat (limited to '')
-rw-r--r--include/section_init.inc.php39
-rw-r--r--picture.php80
2 files changed, 81 insertions, 38 deletions
diff --git a/include/section_init.inc.php b/include/section_init.inc.php
index 305025ff3..d8b2f62c2 100644
--- a/include/section_init.inc.php
+++ b/include/section_init.inc.php
@@ -93,6 +93,10 @@ if (script_basename() == 'picture') // basename without file extention
if ( is_numeric($token) )
{
$page['image_id'] = $token;
+ if ($page['image_id']==0)
+ {
+ bad_request('invalid picture identifier');
+ }
}
else
{
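Review bot: The new guard rejects only a token of exactly zero, while `is_numeric($token)` on the line above also accepts negative numbers, decimals, exponent notation such as `1e3` and leading whitespace, all of which then land in `$page['image_id']` and are later concatenated unquoted into SQL in picture.php. Normalise and check in one step: `$page['image_id'] = (int)$token; if ($page['image_id'] <= 0) { bad_request('invalid picture identifier'); }`. Without this, a negative id passes here but fails picture.php's `$page['image_id']>0` test and drops into the file-name branch, presumably with `$page['image_file']` unset (the else branch that sets it is outside this hunk). The enclosing `if (script_basename() == 'picture')` block starts before this hunk.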
@@ -525,40 +529,7 @@ if (isset($page['chronology_field']))
if (script_basename() == 'picture'
and !isset($page['image_id']) )
{
- if ( !empty($page['items']) )
- {
- $query = '
-SELECT id,file
- FROM '.IMAGES_TABLE .'
- WHERE file LIKE "' . $page['image_file'] . '.%" ESCAPE "|"';
- if ( count($page['items']) < 500)
- {// for very large item sets do not add IN - because slow
- $query .= '
- AND id IN ('.implode(',',$page['items']).')
- LIMIT 0,1';
- }
- $result = pwg_query($query);
- switch (mysql_num_rows($result))
- {
- case 0: break;
- case 1:
- list($page['image_id'], $page['image_file']) = mysql_fetch_row($result);
- break;
- default: // more than 1 file name match
- while ($row = mysql_fetch_row($result) )
- {
- if ( in_array($row[0], $page['items']) )
- {
- list($page['image_id'], $page['image_file']) = $row;
- break;
- }
- }
- }
- }
- if ( !isset($page['image_id']) )
- {
- $page['image_id'] = -1; // will fail in picture.php
- }
+ $page['image_id'] = 0; // more work in picture.php
}
// add meta robots noindex, nofollow to avoid unnecesary robot crawls
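Review bot: The replacement line `$page['image_id'] = 0; // more work in picture.php` turns 0 into a sentinel meaning "resolve the image from `$page['image_file']`", and that is only unambiguous because the first hunk in this file rejects a literal 0 in the URL with `bad_request`; the coupling deserves to be stated where the sentinel is set, e.g. `// 0 = resolve from $page['image_file'] in picture.php; a literal 0 in the URL is rejected above`. The removed lookup also limited the file-name match to `$page['items']`; the new code relies on picture.php re-checking `$page['rank_of']` after the lookup, so a later change to that check would silently widen what a file-name URL can reach. The enclosing `if (script_basename() == 'picture' and !isset($page['image_id']))` block starts within the hunk but its earlier context does not.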
diff --git a/picture.php b/picture.php
index 84dd43c04..d4cde5ed7 100644
--- a/picture.php
+++ b/picture.php
@@ -41,10 +41,82 @@ $page['rank_of'] = array_flip($page['items']);
// displayed, and execution is stopped
if ( !isset($page['rank_of'][$page['image_id']]) )
{
- page_not_found(
- 'The requested image does not belong to this image set',
- duplicate_index_url()
- );
+ $query = '
+SELECT id, file, level
+ FROM '.IMAGES_TABLE.'
+ WHERE ';
+ if ($page['image_id']>0)
+ {
+ $query .= 'id = '.$page['image_id'];
+ }
+ else
+ {// url given by file name
+ assert( !empty($page['image_file']) );
+ $query .= 'file LIKE "' . $page['image_file'] . '.%" ESCAPE "|" LIMIT 1';
+ }
+ if ( ! ( $row = mysql_fetch_array(pwg_query($query)) ) )
+ {// element does not exist
+ page_not_found( 'The requested image does not exist',
+ duplicate_index_url()
+ );
+ }
+ if ($row['level']>$user['level'])
+ {
+ access_denied();
+ }
+ list($page['image_id'], $page['image_file']) = $row;
+ if ( !isset($page['rank_of'][$page['image_id']]) )
+ {// the image can still be non accessible (filter/cat perm) and/or not in the set
+ global $filter;
+ if ( !empty($filter['visible_images']) and
+ !in_array($page['image_id'], explode(',',$filter['visible_images']) ) )
+ {
+ page_not_found( 'The requested image is filtered',
+ duplicate_index_url()
+ );
+ }
+ if ('categories'==$page['section'] and !isset($page['category']) )
+ {// flat view - all items
+ access_denied();
+ }
+ else
+ {// try to see if we can access it differently
+ $query = '
+SELECT id
+ FROM '.IMAGES_TABLE.' INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON id=image_id
+ WHERE id='.$page['image_id']
+ . get_sql_condition_FandF(
+ array('forbidden_categories' => 'category_id'),
+ " AND"
+ ).'
+ LIMIT 1';
+ if ( mysql_num_rows( pwg_query($query) ) == 0 )
+ {
+ access_denied();
+ }
+ else
+ {
+ if ('best_rated'==$page['section'])
+ {
+ $page['rank_of'][$page['image_id']] = count($page['items']);
+ array_push($page['items'], $page['image_id'] );
+ }
+ else
+ {
+ $url = make_picture_url(
+ array(
+ 'image_id' => $page['image_id'],
+ 'image_file' => $page['image_file'],
+ 'section' => 'categories',
+ 'flat' => true,
+ )
+ );
+ set_status_header( 'recent_pics'==$page['section'] ? 301 : 302);
+ redirect_http( $url );
+ }
+ }
+ }
+ }
}
// There is cookie, so we must handle it at the beginning
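Review bot: `$page['image_file']` is concatenated into the new `file LIKE "' . $page['image_file'] . '.%" ESCAPE "|"` clause without any escaping, and the only guard before it is an `assert()`, which is a no-op when assertions are disabled; the removed section_init code had the same pattern, so the commit relocates it rather than fixing it. Unless the token parsing in section_init (outside this hunk) already restricts the value, replace the assert with `if (empty($page['image_file'])) { bad_request('invalid picture identifier'); }` and build the clause as `$query .= 'file LIKE "'.mysql_real_escape_string($page['image_file']).'.%" ESCAPE "|" LIMIT 1';`, additionally prefixing `|`, `%` and `_` in the value with `|` since the clause declares that escape character, so a file name cannot widen the pattern. The two id concatenations, `'id = '.$page['image_id']` and `WHERE id='.$page['image_id']`, rest on section_init's `is_numeric` check, which also admits `1e3`, `1.5` and leading whitespace; an `(int)` cast at the point of use removes that dependency. Separately, answering `page_not_found` for unknown ids but `access_denied` for rows whose `level` exceeds `$user['level']` lets an anonymous visitor tell which ids exist; if that matters for this gallery, return the same response in both cases.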