Quite new to oxwall, but I like it so far :-)
Currently I am working on a plugin to block photos that are set to being shared with friends only. The initial install already contains fields in the ow_photo table for friends_only/everybody at the privacy field, but once the URL to the image is published elsewhere, anybody on the www can access it.
My approach is to create a rewrite rule like this:
RewriteEngine on
RewriteBase /img/
RewriteRule ^(.*).jpg$ /img/rewrite_img.php?data=$1 [L]
...then /img/rewrite_img.php will deliver the image after some checks (to the client it looks like: www.mypage.com/img/1/photo_4.jpg), instead of the direct Apache call. This will allow us to check for authorisation and even deny the image to be loaded if set so. This simple fix already works like a charm :-)
As any photo on the site would have to go through this, things have to be kept light and small, so I do:
1.) Check if the desired image file exists.
2.) Query DB if photo is "friends_only".
3.) Check if user trying to load the image is a "friend" of image owner.
4.) Depending on results, deliver or deny image.
Except for 3.) I got it all working. The problem is, I can't get the "userId" of the logged in user outside of oxwall world. This is needed to check if the image owner and the person attempting to load the image are friends.
Maybe someone already went through ow session handling and is willing to help me out? For any image call I can't load ow core to get the data, as this slows down the server significantly with huge galleries.
Any ideas?
Thanx,
Sebastian
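
Steps 1.) to 4.) as one decision function, added here as an example (it is not part of the original post and not Oxwall code). The viewer's user ID is passed in as a parameter because reading it outside Oxwall is the open question above; the two lookup callables, the `<digits>/photo_<digits>` path shape and the mapping of `photo_4` to photo ID 4 are assumptions taken from the example URL.

```php
<?php
// Added example, not Oxwall code. $lookupPrivacy and $areFriends are
// hypothetical callables standing in for the two DB queries; $viewerId is
// whatever the session lookup yields (null = not logged in).
function decideImageAccess(string $data, string $imgRoot, ?int $viewerId,
                           callable $lookupPrivacy, callable $areFriends): array
{
    // $data comes straight from the URL, so accept only the expected shape
    // (assumed from the example URL: "<digits>/photo_<digits>").
    if (!preg_match('#^(\d+)/photo_(\d+)\z#', $data, $m)) {
        return [400, null];
    }
    // Step 1: the file must exist and resolve inside the image root.
    $root = realpath($imgRoot);
    $path = realpath($imgRoot . '/' . $data . '.jpg');
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return [404, null];
    }
    // Step 2: privacy flag for this photo; null means no DB row.
    $photo = $lookupPrivacy((int) $m[2]); // ['ownerId' => int, 'privacy' => string]
    if ($photo === null) {
        return [404, null];
    }
    if ($photo['privacy'] === 'everybody') {
        return [200, $path];
    }
    // Step 3: friends_only (or any unknown value) requires owner or friend.
    if ($viewerId !== null && ($viewerId === $photo['ownerId']
        || $areFriends($viewerId, $photo['ownerId']))) {
        return [200, $path];
    }
    // Step 4: deny by default.
    return [403, null];
}

// Constructed sample data: photo 4 owned by user 7, friends-only; users 9 and 7 are friends.
$root = sys_get_temp_dir() . '/img_demo';
@mkdir($root . '/1', 0700, true);
file_put_contents($root . '/1/photo_4.jpg', 'jpeg-bytes');
$privacy = fn(int $id) => $id === 4 ? ['ownerId' => 7, 'privacy' => 'friends_only'] : null;
$friends = fn(int $a, int $b) => [$a, $b] == [9, 7];

foreach ([['1/photo_4', 9], ['1/photo_4', 5], ['1/photo_4', null], ['../config', 9]] as [$d, $v]) {
    [$status] = decideImageAccess($d, $root, $v, $privacy, $friends);
    echo str_pad($d, 12), ' viewer=', var_export($v, true), ' -> ', $status, "\n";
}
```

Because the rewrite rule hands any `.jpg` path to the script, the shape check and the `realpath` containment test run before the database is touched, and anything that is not explicitly `everybody` falls through to the deny branch.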