Adding more privacy to the plugin photo | Forum

Antonio Oct 3 '11

First, sorry for my bad English.

I've been testing ways to add more privacy to this plugin, and I made a small hack that could be interesting.

The problem I found is that even when a picture is marked as private, it can always be seen by accessing the full path.

http://www.domain.tld/ow_userfiles/plugins/photo/photo_preview_[num].jpg

To avoid this, I thought I could change the controller "photo.php" by adding a function like this:

    public function imgToFile(array $params) {
        // Cast the route parameter to an integer so it cannot carry path characters
        $photoId = (int) $params['id'];
        $contentOwner = $this->photoService->findPhotoOwner($photoId);
        $userId = OW::getUser()->getId();
        $modPermissions = OW::getUser()->isAuthorized('photo');
        $ownerMode = $contentOwner == $userId;
        // Owners and moderators skip the privacy check; everyone else goes through it
        if ( !$ownerMode && !$modPermissions ) {
            $privacyParams = array('action' => 'photo_view_album', 'ownerId' => $contentOwner, 'viewerId' => $userId);
            $event = new OW_Event('privacy_check_permission', $privacyParams);
            OW::getEventManager()->trigger($event);
        }
        header("Content-Type: image/jpeg");
        //This is incorrect, only for testing
        $imageFileName = '/[oxwall_dir]/ow_userfiles/plugins/photo/photo_' . $photoId . '.jpg';
        readfile($imageFileName);
        exit;
    }

Thus, security is checked even when the image is accessed directly.

Then it would be necessary to modify "public function view(array $params)" by replacing the line:

    $this->assign('url', $this->photoService->getPhotoUrlExtra($photo->id));

with:

    $this->assign('url', OW::getRouter()->urlForRoute('photo_list_testing_antonio', array('id' => $photo->id)));

Finally, we add the route to "init.php":

    OW::getRouter()->addRoute(new OW_Route('photo_list_testing_antonio', 'photopath/:id/', 'PHOTO_CTRL_Photo', 'imgToFile'));

I understand that this is still far from correct, but I wonder whether something like this could be added to the official plugin in the future.

If necessary, I am willing to prepare a full version to make it easy to include.

I would like to help more, but unfortunately there is very little documentation available for developers.

Regards, Antonio
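
The gated image delivery described in the post above, as an added PHP example that is neither Antonio's code nor Oxwall's: the id is validated, the privacy decision is made before the file is touched, and the resolved path must stay inside the photo directory. `resolvePhotoRequest`, `servePhoto` and the `$canView` callback are hypothetical names; the callback stands in for the application's own privacy check.

```php
<?php
declare(strict_types=1);
// Added example; helper names are hypothetical and not part of Oxwall.

/** Returns [httpStatus, absolutePath|null]. $canView wraps the app's own privacy check. */
function resolvePhotoRequest(string $baseDir, string $rawId, int $viewerId, callable $canView): array
{
    // Plain decimal ids only, so "../" never reaches the filesystem.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        return [400, null];
    }
    $photoId = (int) $rawId;
    // Authorize before touching the file. 404 instead of 403 avoids
    // confirming that a private photo with this id exists.
    if (!$canView($photoId, $viewerId)) {
        return [404, null];
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/photo_' . $photoId . '.jpg');
    // realpath() resolves symlinks; the result must stay under the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return [404, null];
    }
    return [200, $path];
}

function servePhoto(string $baseDir, string $rawId, int $viewerId, callable $canView): void
{
    [$status, $path] = resolvePhotoRequest($baseDir, $rawId, $viewerId, $canView);
    http_response_code($status);
    if ($status !== 200) {
        return;
    }
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store'); // do not let caches keep private images
    readfile($path);
}

if (PHP_SAPI === 'cli') { // constructed demo data: photo 7 is private and owned by user 1
    $dir = sys_get_temp_dir() . '/photo_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/photo_7.jpg', 'constructed sample bytes');
    $ownerOnly = fn(int $photoId, int $viewer): bool => $viewer === 1;
    foreach ([['7', 1], ['7', 2], ['../7', 1], ['8', 1]] as [$id, $viewer]) {
        printf("id=%s viewer=%d -> %d\n", $id, $viewer, resolvePhotoRequest($dir, $id, $viewer, $ownerOnly)[0]);
    }
}
```

A gate like this only protects photos if the web server no longer serves the storage directory directly; otherwise the full file path keeps working.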

Michael I. Dec 20 '12
Topic was moved from Plugins.
matt Jan 1 '15
Bump! Asset security is a must for commercial websites. The option to enable it for securing assets, for those that need to, or have it disabled for those who do not wish to secure assets and prefer the speed gain.