--- image.php	2008-04-30 20:36:36.000000000 -0400
+++ image.php.fixed	2008-04-30 20:28:20.000000000 -0400
@@ -1,21 +1,64 @@
 <?php
 /* $Id: image.php,v 1.15 2008/03/31 19:24:45 tjfulopp Exp $ */
 
-if ( strpos( base64_decode( $_GET['imgp'] ), "://" ) !== false ) { # Fixing a possible URL injection problem. Using ':' was not enough because Windows paths contain it as well.
+
+# First, get the correct session. Drupal mangles the session_name, 
+# sometimes it is based on a script location. Since we're not the main 
+# drupal index.php we might get a different session name, thus in order 
+# to get the correct session, we need to carry session_name in $_GET['sn']. 
+#
+# Note that this is not the actual session, session_name is a static per-site 
+# variable, so using session_name in the url is safe.
+
+global $session_id;
+if (isset($_GET['sn'])) {
+   $session_name=$_GET['sn'];
+   $session_id=$_COOKIE[$session_name];
+   session_id("$session_id");
+}
+
+if ( !isset($_GET['imgp']) || # No image path - don't bother
+     strpos( base64_decode( $_GET['imgp'] ), "://" ) !== false ) { # Fixing a possible URL injection problem. Using ':' was not enough because Windows paths contain it as well.
      header("HTTP/1.0 404 Not Found");
      exit();
-   }
+}
 
 drupalize();
+
 function drupalize() {
- while (!@stat('./includes/bootstrap.inc')) {
-   chdir ('..');
- }
- require_once './includes/bootstrap.inc';
- #drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
- drupal_bootstrap(DRUPAL_BOOTSTRAP_DATABASE);
-#drupal_cron_run();
+  # Find drupal
+  while (!@stat('./includes/bootstrap.inc')) {
+    chdir ('..');
+  }
+
+  # Load drupal - we need everything!
+  require_once './includes/bootstrap.inc';
+  drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
 }
+
+authorize();
+
+function authorize(){
+  # do not attempt to redirect to login, etc, since 
+  # regular user of the gallery without access will not 
+  # even have links to image.php. If invalid user got here
+  # then it is not a regular gallery page, just deny it.
+  # first, check if it is not a cross-site forged request
+
+  if (!isset($_GET['t']) || !@drupal_valid_token($_GET['t'], "Brilliant Gallery")){
+    header('HTTP/1.0 403 Forbidden');
+    exit();
+  }
+
+  # request looks legit, check user permissions
+  if (!@user_access('access brilliant_gallery')) {
+    header('HTTP/1.0 403 Forbidden');
+    exit();
+  }
+}
+
+#exit();
+
 $GLOBALS['devel_shutdown'] = FALSE; # Crucial - to suppress Devel (if installed and enabled) output appearing in the generated XML!
 
 $bgcachexpire = 3600*24*3; # Cache expiration time.
@@ -26,6 +69,16 @@
 #require_once '../../../../../includes/bootstrap.inc';
 #drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
 
+
+# no sizes - return original, no cache, no resizing needed
+if (!isset($_GET['imgw']) && !isset($_GET['imgh'])) { # original size - return it
+  $imagepath = base64_decode($_GET['imgp']);
+  $imgsize = @getimagesize($imagepath);
+  header("Content-type: {$imgsize['mime']}");
+  file_transfer($imagepath, array());
+  exit(); # IMPORTANT
+}
+
 #if ( $_SERVER['SERVER_ADDR'] == '64.13.192.90' ) {
 if ( variable_get('brilliant_gallery_cache', 'd') == 'f' ) {
      #echo '.....................' . $_SERVER['SERVER_ADDR'];
@@ -78,8 +131,8 @@
 
 function resizeimage_wrapper_dbcache($reset = FALSE) {
   global $bgcachexpire;
-  global $user;
-   $userId = $user->uid;
+  #global $user;
+  #$userId = $user->uid;
   $bgcacheid = 'bg_' . md5($_GET['imgp'] . $_GET['imgw'] . $_GET['imgh']);
   #echo $bgcacheid;
   static $my_data;
