10 files changed, 55 insertions, 30 deletions
diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm
index 36f736cd2..e9c3fac8d 100644
--- a/perllib/FixMyStreet/App.pm
+++ b/perllib/FixMyStreet/App.pm
@@ -34,6 +34,12 @@ extends 'Catalyst';
 
 our $VERSION = '0.01';
 
+my $store = {         # Catalyst::Authentication::Store::DBIx::Class
+    class => 'DBIx::Class',
+    user_model => 'DB::User',
+    store_user_class => 'Catalyst::Authentication::Store::FixMyStreetUser',
+};
+
 __PACKAGE__->config(
 
     # Use REQUEST_URI, not PATH_INFO, to infer path. This fixes an issue
@@ -83,20 +89,14 @@ __PACKAGE__->config(
                   },
                 ],
             },
-            store => {         # Catalyst::Authentication::Store::DBIx::Class
-                class      => 'DBIx::Class',
-                user_model => 'DB::User',
-            },
+            store => $store,
         },
         no_password => {       # use post confirm etc
             credential => {    # Catalyst::Authentication::Credential::Password
                 class         => 'Password',
                 password_type => 'none',
             },
-            store => {         # Catalyst::Authentication::Store::DBIx::Class
-                class      => 'DBIx::Class',
-                user_model => 'DB::User',
-            },
+            store => $store,
         },
         access_token => {
             use_session => 0,
@@ -106,10 +106,7 @@ __PACKAGE__->config(
                 # This means the token has to be 18 characters long (as generated by AuthToken)
                 token_lookup => { like => "%access_token,T18:TOKEN,%" },
             },
-            store => {
-                class => 'DBIx::Class',
-                user_model => 'DB::User',
-            },
+            store => $store,
         },
     },
 );
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index 05ac48c8c..6167a16f5 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -535,8 +535,8 @@ sub report_edit : Path('report_edit') : Args(1) {
             $self->remove_photo($c, $problem, $remove_photo_param);
         }
 
-        if ($problem->state eq 'hidden') {
-            $problem->get_photoset->delete_cached;
+        if ($problem->state eq 'hidden' || $problem->non_public) {
+            $problem->get_photoset->delete_cached(plus_updates => 1);
         }
 
         if ( $problem->is_visible() and $old_state eq 'unconfirmed' ) {
diff --git a/perllib/FixMyStreet/App/Controller/Admin/Users.pm b/perllib/FixMyStreet/App/Controller/Admin/Users.pm
index bcbc808ed..6af4ae831 100644
--- a/perllib/FixMyStreet/App/Controller/Admin/Users.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin/Users.pm
@@ -497,7 +497,7 @@ sub user_hide_everywhere : Private {
     my ( $self, $c, $user ) = @_;
     my $problems = $user->problems->search({ state => { '!=' => 'hidden' } });
     while (my $problem = $problems->next) {
-        $problem->get_photoset->delete_cached;
+        $problem->get_photoset->delete_cached(plus_updates => 1);
         $problem->update({ state => 'hidden' });
     }
     my $updates = $user->comments->search({ state => { '!=' => 'hidden' } });
diff --git a/perllib/FixMyStreet/App/Controller/Moderate.pm b/perllib/FixMyStreet/App/Controller/Moderate.pm
index 22869d531..f71698e84 100644
--- a/perllib/FixMyStreet/App/Controller/Moderate.pm
+++ b/perllib/FixMyStreet/App/Controller/Moderate.pm
@@ -214,7 +214,7 @@ sub report_moderate_hide : Private {
     if ($c->get_param('problem_hide')) {
 
         $problem->update({ state => 'hidden' });
-        $problem->get_photoset->delete_cached;
+        $problem->get_photoset->delete_cached(plus_updates => 1);
 
         $c->res->redirect( '/' ); # Go directly to front-page
         $c->detach( 'report_moderate_audit', ['hide'] ); # break chain here.
diff --git a/perllib/FixMyStreet/App/Controller/Photo.pm b/perllib/FixMyStreet/App/Controller/Photo.pm
index 7b536a292..d7a5b4bb3 100644
--- a/perllib/FixMyStreet/App/Controller/Photo.pm
+++ b/perllib/FixMyStreet/App/Controller/Photo.pm
@@ -39,6 +39,7 @@ sub during :LocalRegex('^(temp|fulltemp)\.([0-9a-f]{40}\.(?:jpeg|png|gif|tiff))$
     $size = $size eq 'temp' ? 'default' : 'full';
     my $photo = $photoset->get_image_data(size => $size, default => $c->cobrand->default_photo_resize);
 
+    $c->stash->{non_public} = 0;
     $c->forward( 'output', [ $photo ] );
 }
 
@@ -52,10 +53,11 @@ sub index :LocalRegex('^(c/)?([1-9]\d*)(?:\.(\d+))?(?:\.(full|tn|fp))?\.(?:jpeg|
     my $item;
     if ( $is_update ) {
         ($item) = $c->model('DB::Comment')->search( {
-            id => $id,
-            state => 'confirmed',
-            photo => { '!=', undef },
-        } );
+            'me.id' => $id,
+            'me.state' => 'confirmed',
+            'problem.state' => [ FixMyStreet::DB::Result::Problem->visible_states() ],
+            'me.photo' => { '!=', undef },
+        }, { prefetch => 'problem' });
     } else {
         ($item) = $c->cobrand->problems->search( {
             id => $id,
@@ -68,6 +70,19 @@ sub index :LocalRegex('^(c/)?([1-9]\d*)(?:\.(\d+))?(?:\.(full|tn|fp))?\.(?:jpeg|
 
     $c->detach( 'no_photo' ) unless $c->cobrand->allow_photo_display($item, $photo_number); # Should only be for reports, not updates
 
+    my $problem = $is_update ? $item->problem : $item;
+    $c->stash->{non_public} = $problem->non_public;
+
+    if ($c->stash->{non_public}) {
+        my $body_ids = $problem->bodies_str_ids;
+        # Check permission
+        $c->detach('no_photo') unless $c->user_exists;
+        $c->detach('no_photo') unless $c->user->is_superuser
+            || $c->user->id == $problem->user->id
+            || $c->user->has_permission_to('report_inspect', $body_ids)
+            || $c->user->has_permission_to('report_mark_private', $body_ids);
+    }
+
     my $photo;
     $photo = $item->get_photoset
         ->get_image_data( num => $photo_number, size => $size, default => $c->cobrand->default_photo_resize )
@@ -80,10 +95,12 @@ sub output : Private {
     my ( $self, $c, $photo ) = @_;
 
     # Save to file
-    path(FixMyStreet->path_to('web', 'photo', 'c'))->mkpath;
-    my $out = FixMyStreet->path_to('web', $c->req->path);
-    my $symlink_exists = $photo->{symlink} ? symlink($photo->{symlink}, $out) : undef;
-    path($out)->spew_raw($photo->{data}) unless $symlink_exists;
+    if (!FixMyStreet->config('LOGIN_REQUIRED') && !$c->stash->{non_public}) {
+        path(FixMyStreet->path_to('web', 'photo', 'c'))->mkpath;
+        my $out = FixMyStreet->path_to('web', $c->req->path);
+        my $symlink_exists = $photo->{symlink} ? symlink($photo->{symlink}, $out) : undef;
+        path($out)->spew_raw($photo->{data}) unless $symlink_exists;
+    }
 
     $c->res->content_type( $photo->{content_type} );
     $c->res->body( $photo->{data} );
diff --git a/perllib/FixMyStreet/App/Controller/Report.pm b/perllib/FixMyStreet/App/Controller/Report.pm
index 7f798f4f4..f2f411635 100644
--- a/perllib/FixMyStreet/App/Controller/Report.pm
+++ b/perllib/FixMyStreet/App/Controller/Report.pm
@@ -435,7 +435,7 @@ sub inspect : Private {
                 $problem->confirmed( \'current_timestamp' );
             }
             if ( $problem->state eq 'hidden' ) {
-                $problem->get_photoset->delete_cached;
+                $problem->get_photoset->delete_cached(plus_updates => 1);
             }
             if ( $problem->state eq 'duplicate') {
                 if (my $duplicate_of = $c->get_param('duplicate_of')) {
@@ -477,6 +477,9 @@ sub inspect : Private {
         }
 
         $problem->non_public($c->get_param('non_public') ? 1 : 0);
+        if ($problem->non_public) {
+            $problem->get_photoset->delete_cached(plus_updates => 1);
+        }
 
         if ( !$c->forward( '/admin/report_edit_location', [ $problem ] ) ) {
             # New lat/lon isn't valid, show an error
diff --git a/perllib/FixMyStreet/App/Controller/Reports.pm b/perllib/FixMyStreet/App/Controller/Reports.pm
index 49bdce379..8109fda2e 100644
--- a/perllib/FixMyStreet/App/Controller/Reports.pm
+++ b/perllib/FixMyStreet/App/Controller/Reports.pm
@@ -659,7 +659,7 @@ sub check_non_public_reports_permission : Private {
     if ( $c->user_exists ) {
         my $user_has_permission;
 
-        if ( $c->user->is_super_user ) {
+        if ( $c->user->is_superuser ) {
             $user_has_permission = 1;
         } else {
             my $body = $c->stash->{body};
diff --git a/perllib/FixMyStreet/App/Model/PhotoSet.pm b/perllib/FixMyStreet/App/Model/PhotoSet.pm
index 58b352c73..8621286b0 100644
--- a/perllib/FixMyStreet/App/Model/PhotoSet.pm
+++ b/perllib/FixMyStreet/App/Model/PhotoSet.pm
@@ -235,7 +235,7 @@ sub get_image_data {
 }
 
 sub delete_cached {
-    my ($self) = @_;
+    my ($self, %params) = @_;
     my $object = $self->object or return;
     my $id = $object->id or return;
 
@@ -256,6 +256,11 @@ sub delete_cached {
             unlink FixMyStreet->path_to(@dirs, "$id.$i$size.$type");
         }
     }
+
+    # Loop through all the updates as well if requested
+    if ($params{plus_updates}) {
+        $_->get_photoset->delete_cached() foreach $object->comments->all;
+    }
 }
 
 sub remove_images {
diff --git a/perllib/FixMyStreet/DB/ResultSet/Problem.pm b/perllib/FixMyStreet/DB/ResultSet/Problem.pm
index 37fc34057..9e45ac35e 100644
--- a/perllib/FixMyStreet/DB/ResultSet/Problem.pm
+++ b/perllib/FixMyStreet/DB/ResultSet/Problem.pm
@@ -158,7 +158,7 @@ sub _recent {
             # Need to reattach schema so that confirmed column gets reinflated.
             $probs->[0]->result_source->schema( $rs->result_source->schema ) if $probs->[0];
             # Catch any cached ones since hidden
-            $probs = [ grep { $_->photo && ! $_->is_hidden } @$probs ];
+            $probs = [ grep { $_->photo && ! $_->is_hidden && !$_->non_public } @$probs ];
         } else {
             $probs = [ $rs->search( $query, $attrs )->all ];
             Memcached::set($key, $probs, _cache_timeout());
diff --git a/perllib/FixMyStreet/Roles/PhotoSet.pm b/perllib/FixMyStreet/Roles/PhotoSet.pm
index 4a40ef3f9..27a63bad5 100644
--- a/perllib/FixMyStreet/Roles/PhotoSet.pm
+++ b/perllib/FixMyStreet/Roles/PhotoSet.pm
@@ -38,15 +38,18 @@ sub photos {
     my $id = $self->id;
     my $typ = $self->result_source->name eq 'comment' ? 'c/' : '';
 
+    my $non_public = $self->result_source->name eq 'comment'
+        ? $self->problem->non_public : $self->non_public;
+
     my @photos = map {
         my $cachebust = substr($_, 0, 8);
         # Some Varnish configurations (e.g. on mySociety infra) strip cookies from
         # images, which means image requests will be redirected to the login page
-        # if LOGIN_REQUIRED is set. To stop this happening, Varnish should be
+        # if e.g. LOGIN_REQUIRED is set. To stop this happening, Varnish should be
         # configured to not strip cookies if the cookie_passthrough param is
         # present, which this line ensures will be if LOGIN_REQUIRED is set.
         my $extra = '';
-        if (FixMyStreet->config('LOGIN_REQUIRED')) {
+        if (FixMyStreet->config('LOGIN_REQUIRED') || $non_public) {
             $cachebust .= '&cookie_passthrough=1';
             $extra = '?cookie_passthrough=1';
         }