From af85e498ceb768beba04df743036abbdf9ef1f2b Mon Sep 17 00:00:00 2001
From: Dean Townsley
Date: Sat, 8 Jun 2019 10:11:02 -0500
Subject: [PATCH] expand permission check to remote array

This check was preventing multiple private images from different users on the same server from loading on the same page. It was only checking for permission for the single id returned by the remote_user() function rather than the multiple possible autheniticated id's stored in the remote arry session variable.
---
 src/Util/Security.php | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/Util/Security.php b/src/Util/Security.php
index d1e668e0d..0680bc08c 100644
--- a/src/Util/Security.php
+++ b/src/Util/Security.php
@@ -120,9 +120,21 @@ class Security extends BaseObject
 */
 if (!$remote_verified) {
- if (DBA::exists('contact', ['id' => $remote_user, 'uid' => $owner_id, 'blocked' => false])) {
+ $cid = 0;
+
+ if (!empty($_SESSION['remote'])) {
+ foreach ($_SESSION['remote'] as $visitor) {
+ Logger::log("this remote array entry is".$visitor);
+ if ($visitor['uid'] == $owner_id) {
+ $cid = $visitor['cid'];
+ break;
+ }
+ }
+ }
+
+ if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) {
 $remote_verified = true;
- $groups = Group::getIdsByContactId($remote_user);
+ $groups = Group::getIdsByContactId($cid);
 }
 }
@@ -140,9 +152,9 @@ class Security extends BaseObject
 AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
 ) ",
- intval($remote_user),
+ intval($cid),
 DBA::escape($gs),
- intval($remote_user),
+ intval($cid),
 DBA::escape($gs)
 );
 }
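Review bot: `$cid` is only assigned inside the `if (!$remote_verified)` block, yet the second hunk (lines 152-160) now interpolates `intval($cid)` into the permission SQL; if a caller reaches this code with `$remote_verified` already true (the function's signature and any earlier verification path lie outside the hunk, so this is inferred from the guard), the query is built from an undefined `$cid`, i.e. `allow_cid REGEXP '<0>'`, and an already-verified visitor loses access that the old `$remote_user`-based query granted. Initialise it before the guard, e.g. `$cid = $remote_user;` ahead of `if (!$remote_verified) {` (or `$cid = 0;` if `$remote_user` is no longer populated above), so the pre-verified path keeps its previous behaviour. Separately, `Logger::log("this remote array entry is".$visitor);` concatenates an array, which raises an "Array to string conversion" notice and logs the literal word "Array" on every permission check; drop the line, or if it is meant to stay, log it as `Logger::log('remote array entry: ' . json_encode($visitor), Logger::DEBUG);`. The comparison `$visitor['uid'] == $owner_id` is loose; `(int) $visitor['uid'] === (int) $owner_id` makes the intended integer match explicit.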