Index: openacs-4/packages/acs-subsite/www/file.vuh
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/file.vuh,v
diff -u -r1.7 -r1.8
--- openacs-4/packages/acs-subsite/www/file.vuh	14 May 2007 22:53:04 -0000	1.7
+++ openacs-4/packages/acs-subsite/www/file.vuh	12 Jul 2009 01:08:30 -0000	1.8
@@ -6,7 +6,7 @@
 # @creation-date 2006-08-01
 # @cvs-id $Id$
 
-if {![regexp {^/([0-9]{1,8})(/(private)/([0-9]{1,8}))?(/(.*))?$} [ad_conn path_info] match object_id private_slash private dummy anchor]} {
+if {![regexp {^/([0-9]{1,8})(/(private)/([0-9]{1,8}))?(/(.*))?$} [ad_conn path_info] match object_id private_slash private private_parent_id anchor]} {
     ad_return_warning "Invalid object id" [subst {
         The identifier given for this object is invalid.  Please check your url 
         or contact the webmaster if you think it should work.
@@ -15,37 +15,38 @@
 }
 
 # check permissions!
-if {$private eq "private"} {
-    # find if the image has a parent link to the object
+if { $private eq "private" } {
+    # find if the item has a parent link to the object
     # that is, if the image is used in a content item and you can read the
     # content item, you can read the image regardless of the permissions
     
-    if {![application_data_link::link_exists \
-	      -from_object_id $private_parent_id \
-	      -to_object_id $object_id]} {
-	# if the link does not exist it might be
-	# because its a new object
-	# that means you uploaded the image so you can see it in the editor while you are working on it
-	if {![permission::permission_p \
-		  -object_id $object_id \
-		  -privilege "read" \
-		  -party_id [ad_conn user_id]]} {
-	    # if you don't have permission to see it, it doesn't exist
-	    ns_returnnotfound
-	    ad_script_abort
-	}
-    } elseif {![permission::permission_p \
-		    -privilege "read" \
-		    -object_id $private_parent_id \
-		    -party_id [ad_conn user_id]]} {
-	ns_returnnotfound
-	ad_script_abort
-    } else {
-	permission::require_permission \
-	    -privilege "read" \
-	    -object_id $object_id \
-	    -party_id [ad_conn user_id]
+    set object_to_check $object_id
+
+    if { [application_data_link::link_exists \
+              -from_object_id $private_parent_id \
+              -to_object_id $object_id] } {
+        # if the link does not exist it might be
+        # because its a new object
+        # that means you uploaded the image so you can see it in the editor while you are working on it
+        set object_to_check $private_parent_id
     }
+
+    if { ![permission::permission_p \
+               -object_id $object_to_check \
+               -privilege "read" \
+               -party_id [ad_conn user_id]] } {
+        # if you don't have permission to see it, it doesn't exist
+        ns_returnnotfound
+        ad_script_abort
+    }
+
+} else {
+
+    permission::require_permission \
+        -privilege "read" \
+        -object_id $object_id \
+        -party_id [ad_conn user_id]
+
 }
 
 # find a cr_item and serve it