diff --git a/Gemfile.lock b/Gemfile.lock
index 8534f580a34..44d386e33a3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -258,7 +258,7 @@ DEPENDENCIES
   autotest
   bson (= 1.0.7)
   bson_ext (= 1.0.7)
-  bundler (= 1.0.0)
+  bundler (>= 1.0.0)
   capybara (~> 0.3.9)
   carrierwave!
   cucumber-rails (= 0.3.2)
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 4d865573c8c..dca51037415 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -9,7 +9,8 @@ class PhotosController < ApplicationController
   respond_to :json, :only => :show
 
   def create
-    album = Album.find_by_id params[:album_id]
+    album = current_user.find_visible_post_by_id( params[:album_id] )
+
     begin
 
       ######################## dealing with local files #############
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 1cc28057792..3e6472786df 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -13,7 +13,7 @@ def edit
     @user    = current_user
     @person  = @user.person
     @profile = @user.person.profile
-    @photos  = Photo.find_all_by_person_id(@person.id).paginate :page => params[:page], :order => 'created_at DESC'
+    @photos  = current_user.visible_posts(:person_id => current_user.person.id, :_type => 'Photo').paginate :page => params[:page], :order => 'created_at DESC'
 
     @fb_access_url = MiniFB.oauth_url(FB_APP_ID, APP_CONFIG[:pod_url] + "services/create",
                                       :scope=>MiniFB.scopes.join(","))