[Fix] image display with only a version id is legal.

src/image.display.php

@@ -30,20 +30,23 @@ $download     = isset($_REQUEST['down']);
 
 $photo_sel = "";
 
-/* Sanity check Photo ID -- REQUIRED argument */
-if (!$photo_id || !is_numeric($photo_id)) {
-    header("HTTP/1.1 404 Not found");
-    exit();
-}
-/* Sanity check Photo Version -- OPTIONAL argument */
-if ($version && !is_numeric($version)) {
+/* We must have one or both of Photo ID and Photo Version */
+$has_photo = $has_ver = FALSE;
+if ($photo_id && is_numeric($photo_id)) {
+	$has_photo = TRUE;
+}
+if ($version && is_numeric($version)) {
+	$has_ver = TRUE;
+}
+if (!$has_photo && !$has_ver) {
     header("HTTP/1.1 404 Not found");
     exit();
 }
+
 /* Sanity check Image Size -- OPTIONAL argument */
 if ($image_size && !is_numeric($image_size)) {
     header("HTTP/1.1 404 Not found");
-    exit();   
+    exit();
 }
 
 /* Translate image sizes */
@@ -66,15 +69,20 @@ $database = site_prolog();
 $cache_ctrl = FALSE;
 
 /* Figure out SQL based on image */
-$photo_sel = " photo.identifier = '$photo_id' ";
-$photo_sel .= $version ? " and photo_version.identifier='$version' " : " and photo_version.master='t' ";
+if ($has_photo) {
+	$photo_sel .= " photo.identifier = '$photo_id' ";
+	$photo_sel .= $has_ver ? " and photo_version.identifier='$version' " : " and photo_version.master='t' ";
+} elseif ($has_ver) {
+	$photo_sel .= " photo_version.identifier='$version' ";
+	$photo_sel .= " and photo.identifier = photo_version.photo ";
+}
 $photo_sel .= " and size = '$image_size' ";
 
 $photo_data = pg_fetch_assoc(pg_query($database, "
   select users, access_rights, hide_original, original_image_name,
          created, filesize, path,
          can_access_photo(photo.identifier, $po_user[id], '{".$passwords."}') as ok
-    from photo 
+    from photo
          right join photo_version on photo.identifier = photo_version.photo
 	 right join files on photo_version.identifier = files.version
    where $photo_sel"));