- security-functions now demand user-object as argument

code/Image/macros.js

@@ -64,7 +64,7 @@ function url_macro(param) {
  */
 
 function editlink_macro(param) {
-   if (!this.isEditDenied()) {
+   if (!this.isEditDenied(user)) {
       res.write(param.prefix);
       var linkParam = new Object();
       linkParam.linkto = "edit";
@@ -84,7 +84,7 @@ function editlink_macro(param) {
  */
 
 function deletelink_macro(param) {
-   if (!this.isDeleteDenied()) {
+   if (!this.isDeleteDenied(user)) {
       res.write(param.prefix);
       var linkParam = new Object();
       linkParam.linkto = "delete";
@@ -108,7 +108,7 @@ function show_macro(param) {
       var img = this.thumbnail;
    else
       var img = this;
-   if (!this.isEditDenied()) {
+   if (!this.isEditDenied(user)) {
       var linkParam = new Object();
       linkParam.linkto = "edit";
       this.openLink(linkParam);

code/Image/securityFunction.js

@@ -2,13 +2,13 @@
  * check if user is allowed to edit this image
  */
 
-function isEditDenied() {
-   if (!user.uid) {
-      user.cache.referer = this.href("edit");
+function isEditDenied(usr) {
+   if (!usr.uid) {
+      usr.cache.referer = this.href("edit");
       return ("Please login first!");
-   } else if (user.isBlocked())
+   } else if (usr.isBlocked())
       return ("Sorry, your account was disabled!");
-   else if (this.creator != user && !this.weblog.isUserAdmin())
+   else if (this.creator != usr && !this.weblog.isUserAdmin(usr))
       return ("Sorry, this image belongs to someone else!");
    return null;
 }
@@ -18,10 +18,10 @@ function isEditDenied() {
  * check if user is allowed to delete this image
  */
 
-function isDeleteDenied() {
-   if (user.isBlocked())
+function isDeleteDenied(usr) {
+   if (usr.isBlocked())
       return ("Sorry, your account was disabled!");
-   else if (this.creator != user && !this.weblog.isUserAdmin())
+   else if (this.creator != usr && !this.weblog.isUserAdmin(usr))
       return ("Sorry, this image belongs to someone else!");
    return null;
 }