Index: node_images.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/node_images/node_images.module,v
retrieving revision 1.1.2.6
diff -u -r1.1.2.6 node_images.module
--- node_images.module	13 Jan 2007 14:48:55 -0000	1.1.2.6
+++ node_images.module	26 Jan 2007 20:09:52 -0000
@@ -50,26 +50,24 @@
   } else {
     if (arg(0) == 'node' && is_numeric(arg(1))) {
       $node = node_load(arg(1));
-      if ($node->nid && $node->type != 'image') {
-	if (variable_get('node_images_position_'.$node->type, 'hide') != 'hide') {
-          $items[] = array(
-            'path' => 'node/' . arg(1) . '/images',
-            'title' => t('images'),
-            'callback' => '_node_images_edit_form',
-	    'callback arguments' => array($node),
-            'access' => $access && node_access('update', $node),
-            'type' => MENU_LOCAL_TASK,
-            'weight' => 2
-          );
-          $items[] = array(
-            'path' => 'node/' . arg(1) . '/image_gallery',
-            'title' => t('gallery'),
-            'callback' => '_node_images_gallery',
-	    'callback arguments' => array($node),
-            'access' => node_access('view', $node),
-            'type' => MENU_CALLBACK
-          );
-	}
+      if ($node->nid && variable_get('node_images_position_'.$node->type, 'hide') != 'hide') {
+        $items[] = array(
+          'path' => 'node/' . arg(1) . '/images',
+          'title' => t('images'),
+          'callback' => '_node_images_edit_form',
+          'callback arguments' => array($node),
+          'access' => $access && node_access('update', $node),
+          'type' => MENU_LOCAL_TASK,
+          'weight' => 2
+        );
+        $items[] = array(
+          'path' => 'node/' . arg(1) . '/image_gallery',
+          'title' => t('gallery'),
+          'callback' => '_node_images_gallery',
+	  'callback arguments' => array($node),
+          'access' => node_access('view', $node),
+          'type' => MENU_CALLBACK
+        );
       }
     }
   }
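Review bot: Both menu paths are still built from the raw `arg(1)` string even though `$node` is already loaded and the access checks run against it; `'path' => 'node/' . $node->nid . '/images'` (and the same for `image_gallery`) keeps the registered path and the checked node in step, since `is_numeric()` also accepts non-canonical forms such as `1.0`. The re-indented `'callback arguments'` line of the gallery item also still begins with a tab while the other added lines use spaces. The enclosing menu hook starts and ends outside this hunk, so where `$access` is computed is not visible here.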
@@ -166,9 +164,10 @@
       break;
 
     case 'insert':
-      if (user_access('create node images') && variable_get('node_images_position_'.$node->type, 'hide') != 'hide') {
-        drupal_set_message(t('Click the <strong>!images</strong> tab to add images to this node.',
-          array('!images' => l(t('images'), 'node/'.$node->nid.'/images'))));
+      if (user_access('create node images') && node_access('update', $node) &&
+        variable_get('node_images_position_'.$node->type, 'hide') != 'hide') {
+          drupal_set_message(t('Click the <strong>!images</strong> tab to add images to this node.',
+            array('!images' => l(t('images'), 'node/'.$node->nid.'/images'))));
       }
       break;
 
@@ -242,14 +241,8 @@
 function node_images_user($type, &$edit, &$user, $category = NULL) {
   switch ($type) {
     case 'delete':
-      // Delete image and thumbnail files
-      $sql = db_query('SELECT filepath, thumbpath FROM {node_images} WHERE uid=%d', $user->nid);
-      while ($r = db_fetch_object($sql)) {
-        file_delete($r->filepath);
-	file_delete($r->thumbpath);
-      }
-      // Delete all images uploaded by the user
-      db_query('DELETE FROM {node_images} WHERE uid=%d', $user->uid);
+      // Set uid=0 for images uploaded by the deleted user
+      db_query('UPDATE {node_images} SET uid=0 WHERE uid=%d', $user->uid);
   }
 }
 
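Review bot: Reassigning a deleted user's images to `uid=0` makes them match the anonymous account in the ownership tests this patch adds: `$user->uid == $image->uid` in `_node_images_list()` and `$user->uid != $r->uid` in `_node_images_list_submit()` both treat a visitor with uid 0 as the uploader. On a site where anonymous users can have update access to a node, they could then delete orphaned images without having delete access. Requiring a non-zero uid in both places closes this, e.g. `if (!$delete_access && (!$user->uid || $user->uid != $r->uid)) continue;`. Separately, `case 'delete':` has no `break;`, which is harmless only while it remains the last case.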
@@ -389,8 +382,10 @@
  *    a form representing the image list.
  */
 function _node_images_list($node, $result) {
+  global $user;
   $images = array();
   $form['rows'] = array('#tree' => TRUE);
+  $delete_access = node_access('delete', $node);
 
   while ($image = db_fetch_object($result)) {
     $images[$image->id] = $image;
@@ -404,9 +399,13 @@
       '#type' => 'weight',
       '#default_value' => $image->weight,
     );
-    $form['rows'][$image->id]['delete'] = array('#type' => 'checkbox');
+
+    // images can be deleted only by users having delete access or users who uploaded the images
+    $attributes = ($delete_access || $user->uid == $image->uid ? array() : array('disabled' => TRUE));
+    $form['rows'][$image->id]['delete'] = array('#type' => 'checkbox', '#attributes' => $attributes);
   }
 
+  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
   $form['save'] = array(
     '#type' => 'submit',
     '#value' => t('Save changes'),
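Review bot: The comment above the `disabled` attribute should say that the attribute is only a display hint, because a hand-built POST can still send the checkbox value and the actual enforcement is the re-check in `_node_images_list_submit()`. Suggested wording: `// UI hint only; _node_images_list_submit() re-checks delete access and uploader before deleting.` The `$form['nid']` element is a server-side `value` type, which is the right choice for the submit handler's lookup, and a short comment saying so would help. `_node_images_list()` starts and ends outside this hunk.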
@@ -453,16 +452,28 @@
  * Process result from node images list.
  */
 function _node_images_list_submit($form_id, $form_values) {
+  global $user;
+  $node = node_load($form_values['nid']);
+  if (!node_access('update', $node)) return;
+  $delete_access = node_access('delete', $node);
+
   foreach($form_values['rows'] as $id => $edit) {
     if ($edit['delete']) {
+      $r = db_fetch_object(db_query('SELECT filepath, thumbpath, uid FROM {node_images} WHERE id=%d AND nid=%d',
+        $id, $node->nid));
+
+      // if user has no delete access to the node, he can delete his own images only
+      if (!$delete_access && $user->uid != $r->uid) continue;
+      
       // delete selected image
-      $r = db_fetch_object(db_query('SELECT filepath, thumbpath FROM {node_images} WHERE id=%d', $id));
       file_delete($r->filepath);
       file_delete($r->thumbpath);
-      db_query('DELETE FROM {node_images} WHERE id=%d', $id);
-    } else {
+      db_query('DELETE FROM {node_images} WHERE id=%d AND nid=%d', $id, $node->nid);
+    }
+    else {
       // update image data
-      db_query('UPDATE {node_images} SET description="%s", weight=%d WHERE id=%d', $edit['description'], $edit['weight'], $id);
+      db_query('UPDATE {node_images} SET description="%s", weight=%d WHERE id=%d AND nid=%d',
+        $edit['description'], $edit['weight'], $id, $node->nid);
     }
   }
   drupal_set_message(t('The changes have been saved.'));
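Review bot: The result of the new `SELECT ... WHERE id=%d AND nid=%d` is used without checking that a row came back, so a submitted row id that does not belong to this node reaches `$r->uid`, `file_delete($r->filepath)` and the `DELETE` with `$r` set to FALSE; add `if (!$r) continue;` directly after the query. `node_load()` can likewise return FALSE for a missing nid. The bare `return` on failed update access gives the user no feedback, and `drupal_access_denied()` is presumably the better response there. The `UPDATE` still quotes its string placeholder as `"%s"`, whereas Drupal's convention is `'%s'` because double quotes denote identifiers in standard SQL.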
@@ -496,8 +507,8 @@
     $sql = db_query('SELECT * FROM {node_images} WHERE nid=%d', $node->nid);
     $max = variable_get('node_images_max_images', 4);
     $count = db_num_rows($sql);
-    if ($count>=$max) {
-      drupal_set_message(t('The selected file %name can not be uploaded, because it exceeded the maximum limit of %max files.', array('%name' => theme('placeholder', $file->filename), '%max' => theme('placeholder', $max))), 'error');
+    if ($count >= $max) {
+      drupal_set_message(t('The selected file %name can not be uploaded, because it exceeds the maximum limit of %max files.', array('%name' => theme('placeholder', $file->filename), '%max' => theme('placeholder', $max))), 'error');
       return FALSE;
     }
 
@@ -538,7 +549,7 @@
 /**
  * Show node images in the node view.
  */
-function theme_node_images_view($node, $teaser, $page) {
+function theme_node_images_view($node, $teaser, $page, $format = NULL) {
   if (arg(2) == 'image_gallery' || empty($node->node_images)) return;
 
   $output = '';
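Review bot: The new `$format` parameter is not described in the docblock above the signature, and the following hunk shows it falling back to the per-type `node_images_*_format_*` variable (default `'thumbs'`) when empty. Extend the docblock with something like `@param $format Optional display format; when empty, the per-type setting is used.` and list the accepted values, which are not visible in this patch. If a caller can pass a request-derived value, it should be checked against the known formats before use. How `$format` is consumed lies outside the visible hunks, as does the rest of the function body.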
@@ -548,7 +559,9 @@
   $view = ($teaser ? 'teaser' : 'body');
   $count = variable_get('node_images_'.$view.'_images_'.$node->type, 2);
   if (isset($count) && $count === 0) return;
-  $format = variable_get('node_images_'.$view.'_format_'.$node->type, 'thumbs');
+  if (!$format) {
+    $format = variable_get('node_images_'.$view.'_format_'.$node->type, 'thumbs');
+  }
   
   foreach((array)$node->node_images as $id=>$image) {
     $description = check_plain($image->description);
