Fixed issue where SymsysGroupViewer did not respect permissions for v…

…iewing photos.

deme_django/modules/symsys/views.py

@@ -51,12 +51,12 @@ def item_show_html(self):
                 member_details = {}
                 member_details['item'] = member
                 if member.photo:
-                    if self.cur_agent_can('view SymsysAffiliate.photo', member):
+                    if self.cur_agent_can('view SymsysAffiliate.photo', member) and self.cur_agent_can('view FileDocument.datafile', member.photo):
                         member_details['photo'] = member.photo
                 careers = self.permission_cache.filter_items('view SymsysCareer.symsys_affiliate', member.symsys_careers).filter(active=True)
                 for career in careers:
                     if not ('photo' in member_details.keys()) and career.original_photo:
-                        if self.cur_agent_can('view SymsysCareer.original_photo', career):
+                        if self.cur_agent_can('view SymsysCareer.original_photo', career) and self.cur_agent_can('view FileDocument.datafile', career.original_photo):
                             member_details['photo'] = career.original_photo
                     if issubclass(career.actual_item_type(), StudentSymsysCareer):
                         career = career.downcast()
@@ -471,4 +471,4 @@ def type_show_ajax(self):
         opener = urllib.FancyURLopener({})
         f = opener.open(url)
         return HttpResponse(f)
-
+