# HG changeset patch
# User bsw
# Date 1415642074 -3600
# Node ID 5b77825ecfa6e91f73bfd897ebde6cd3b5eef94a
# Parent 9461c738ea0b9ab42cbce558271568e0ae2ddb0f
Backported missing access control for member profile images from version 3.0.3
diff -r 9461c738ea0b -r 5b77825ecfa6 app/main/_filter/21_auth.lua
--- a/app/main/_filter/21_auth.lua Mon Nov 10 18:48:58 2014 +0100
+++ b/app/main/_filter/21_auth.lua Mon Nov 10 18:54:34 2014 +0100
@@ -44,9 +44,20 @@ end
+if app.session:has_access("authors_pseudonymous") then
+ if module == "member_image" and view == "show" and param.get("image_type") == "avatar" then
+ auth_needed = false
+ end
+end
+
+if app.session:has_access("everything") then
+ if module == "member_image" and view == "show" then
+ auth_needed = false
+ end
+end
+
 if app.session:has_access("all_pseudonymous") then
- if module == "member_image" and view == "show"
- or module == "vote" and view == "show_incoming"
+ if module == "vote" and view == "show_incoming"
 or module == "interest" and view == "show_incoming"
 or module == "supporter" and view == "show_incoming"
 or module == "vote" and view == "list" then
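Review bot: The new `authors_pseudonymous` branch clears `auth_needed` for `member_image`/`show` based on `param.get("image_type") == "avatar"` alone, so the filter itself does not limit unauthenticated access to the avatars of authors; whether other members' avatars stay protected depends on the view, which is not visible in this hunk. The three branches also only read correctly if `has_access` is cumulative, i.e. an `all_pseudonymous` or `everything` session also passes the `authors_pseudonymous` test; if it matches levels exactly, `all_pseudonymous` sessions lose avatar access entirely with this change. That is presumably the intended model, but I would confirm it and record it above the first new block, e.g. `-- unauthenticated access: avatar images only; assumes has_access() levels are cumulative`. The body of the `all_pseudonymous` block continues past the end of the hunk.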