Index: openacs-4/packages/acs-subsite/www/file.vuh =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/file.vuh,v diff -u -r1.1 -r1.2 --- openacs-4/packages/acs-subsite/www/file.vuh 31 Aug 2006 15:41:48 -0000 1.1 +++ openacs-4/packages/acs-subsite/www/file.vuh 9 Oct 2006 19:32:40 -0000 1.2 @@ -6,7 +6,7 @@ # @creation-date 2006-08-01 # @cvs-id $Id$ -if {![regexp {^/([0-9]{1,8})(/(.+))?$} [ad_conn path_info] match object_id dummy anchor]} { +if {![regexp {^/([0-9]{1,8})(/(private)/([0-9]{1,8}))?(/(.+))?$} [ad_conn path_info] match object_id private_slash private dummy anchor]} { ad_return_warning "Invalid object id" [subst { The identifier given for this object is invalid. Please check your url or contact the webmaster if you think it should work. @@ -15,12 +15,37 @@ } # check permissions! - -permission::require_permission \ +if {$private eq "private"} { + # find if the image has a parent link to the object + # that is, if the image is used in a content item and you can read the + # content item, you can read the image regardless of the permissions + + if {![application_data_link::link_exists \ + -from_object_id $private_parent_id \ + -to_object_id $object_id]} { + # if the link does not exist it might be + # because its a new object + # that means you uploaded the image so you can see it in the editor while you are working on it + if {![permission::permission_p \ + -object_id $object_id \ + -privilege "read" \ + -party_id [ad_conn user_id]]} { + # if you don't have permission to see it, it doesn't exist + ns_returnnotfound + ad_script_abort + } + } elseif {![permission::permission_p \ + -privilege "read" \ + -object_id $private_parent_id \ + -party_id [ad_conn user_id]]} { + ns_returnnotfound + ad_script_abort +} else { + permission::require_permission \ -privilege "read" \ -object_id $object_id \ -party_id [ad_conn user_id] - +} # find a cr_item and serve it cr_write_content -item_id $object_id \ No newline at end of file