Merge pull request #407 from shadlaws/fixes_20130614

Fixes 20130614

modules/comment/classes/Comment/Controller/Rest/ItemComments.php

@@ -19,14 +19,14 @@
  */
 class Comment_Controller_Rest_ItemComments extends Controller_Rest {
   /**
-   * This resource represents a collection of tag resources on a specified item.
+   * This resource represents a collection of comment resources on a specified item.
    *
    * GET displays the collection of comments (no parameters accepted).
    *   @see  Controller_Rest_ItemComments::get_members()
    *
    * PUT can accept the following post parameters:
    *   members
-   *     Replace the collection of comment on the item with this list (remove only, no add)
+   *     Replace the collection of comments on the item with this list (remove only, no add)
    *   @see  Controller_Rest_ItemComments::put_members()
    *
    * DELETE removes all comments from the item (no parameters accepted).
@@ -59,6 +59,7 @@ static function get_members($id, $params) {
   /**
    * PUT the comment members of the item_comments resource.  This replaces the comments list
    * with this one, and removes (but doesn't add) comments as needed.  This is only for admins.
+   * @see  Controller_Rest_UserComments::put_members()
    */
   static function put_members($id, $params) {
     if (!Identity::active_user()->admin) {

modules/g2_import/classes/G2Import/Controller/G2.php

@@ -44,12 +44,12 @@ public function action_map() {
         $tag_name = $this->request->query("g2_tagName");
       }
 
-      if (!$id) {
-        $this->redirect("tag_name/$tag_name", 301);
-      }
-
       $tag = ORM::factory("Tag")->where("name", "=", $tag_name)->find();
       if ($tag->loaded()) {
+        if (!$id) {
+          $this->redirect($tag->abs_url(), 301);
+        }
+
         Item::set_display_context_callback("Controller_Tags::get_display_context", $tag->id);
         // We want to show the item as part of the tag virtual album. Most of this code is below; we'll
         // change $path and $view to let it fall through

modules/gallery/classes/Controller/Rest/UserComments.php

@@ -0,0 +1,3 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+
+class Controller_Rest_UserComments extends Gallery_Controller_Rest_UserComments {}

modules/gallery/classes/Controller/Rest/UserItems.php

@@ -0,0 +1,3 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+
+class Controller_Rest_UserItems extends Gallery_Controller_Rest_UserItems {}

modules/gallery/classes/Gallery/Controller/Rest/User.php

@@ -19,7 +19,7 @@
  */
 class Gallery_Controller_Rest_User extends Controller_Rest {
   /**
-   * This read-only resource represents a user.
+   * This read-only resource represents a user profile.
    *
    * GET can accept the following query parameters:
    *   show=self
@@ -35,7 +35,7 @@ class Gallery_Controller_Rest_User extends Controller_Rest {
   static function get_entity($id, $params) {
     $user = Identity::lookup_user($id);
     if (!Identity::can_view_profile($user)) {
-      throw Rest_Exception::factory(403);
+      throw Rest_Exception::factory(404);
     }
 
     // Add fields from a whitelist.

modules/gallery/classes/Gallery/Controller/Rest/UserComments.php

@@ -0,0 +1,120 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2013 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Gallery_Controller_Rest_UserComments extends Controller_Rest {
+  /**
+   * This resource represents a collection of comment resources authored by a specific user.
+   *
+   * GET displays the collection of comments (no parameters accepted).
+   *   @see  Controller_Rest_UserComments::get_members()
+   *
+   * PUT can accept the following post parameters:
+   *   members
+   *     Replace the collection of comments by the user with this list (remove only, no add)
+   *   @see  Controller_Rest_UserComments::put_members()
+   *
+   * DELETE removes all of the user's comments (no parameters accepted).
+   *   @see  Controller_Rest_UserComments::delete()
+   *
+   * RELATIONSHIPS: "user_comments" is the "comments" relationship of an "user" resource.
+   */
+
+  /**
+   * GET the comment members of the user_comments resource.
+   * @see  Controller_Rest_Comments::get_members().
+   */
+  static function get_members($id, $params) {
+    $user = Identity::lookup_user($id);
+    if (!Identity::can_view_profile($user)) {
+      throw Rest_Exception::factory(404);
+    }
+
+    // Note: we can't simply do "$user->comments" since we have no guarantee
+    // that the user is an ORM model with an established relationship.
+    $members = ORM::factory("Comment")
+      ->where("author_id", "=", $user->id)
+      ->order_by("created", "DESC")
+      ->limit(Arr::get($params, "num", static::$default_params["num"]))
+      ->offset(Arr::get($params, "start", static::$default_params["start"]));
+
+    $data = array();
+    foreach ($members->find_all() as $member) {
+      $data[] = array("comment", $member->id);
+    }
+
+    return $data;
+  }
+
+  /**
+   * PUT the comment members of the user_comments resource.  This replaces the comments list
+   * with this one, and removes (but doesn't add) comments as needed.  This is only for admins.
+   * @see  Controller_Rest_ItemComments::put_members()
+   */
+  static function put_members($id, $params) {
+    if (!Identity::active_user()->admin) {
+      throw Rest_Exception::factory(403);
+    }
+
+    $user = Identity::lookup_user($id);
+    if (!Identity::can_view_profile($user)) {
+      throw Rest_Exception::factory(404);
+    }
+
+    // Resolve our members list into an array of comment ids.
+    $member_ids = Rest::resolve_members($params["members"],
+      function($type, $id, $params, $data) {
+        $comment = ORM::factory("Comment", $id);
+        return (($type == "comment") && ($comment->author_id == $data)) ? $id : false;
+      }, $user->id);
+
+    // Delete any comments that are not in the list.
+    foreach (ORM::factory("Comment")->where("author_id", "=", $user->id)->find_all() as $comment) {
+      if (!in_array($comment->id, $member_ids)) {
+        $comment->delete();
+      }
+    }
+  }
+
+  /**
+   * DELETE removes all of the user's comments, and is only for admins.
+   */
+  static function delete($id, $params) {
+    if (!Identity::active_user()->admin) {
+      throw Rest_Exception::factory(403);
+    }
+
+    $user = Identity::lookup_user($id);
+    if (!Identity::can_view_profile($user)) {
+      throw Rest_Exception::factory(404);
+    }
+
+    // Delete all of the user's comments.
+    foreach (ORM::factory("Comment")->where("author_id", "=", $user->id)->find_all() as $comment) {
+      $comment->delete();
+    }
+  }
+
+  /**
+   * Return the relationship established by user_comments.  This adds "comments"
+   * as a relationship of an "user" resource.
+   */
+  static function relationships($type, $id, $params) {
+    return ($type == "user") ? array("comments" => array("user_comments", $id)) : null;
+  }
+}

modules/gallery/classes/Gallery/Controller/Rest/UserItems.php

@@ -0,0 +1,141 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2013 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Gallery_Controller_Rest_UserItems extends Controller_Rest {
+  /**
+   * This resource represents a collection of item resources owned by a specific user.
+   *
+   * GET can accept the following query parameters:
+   *   name=<substring>
+   *     Only return items where the name contains this substring.
+   *   type=<comma-separated list of photo, movie or album>
+   *     Limit the type to types in this list (e.g. "type=photo,movie").
+   *     Also limits the types returned in the member collections (i.e. sub-albums).
+   *   @see  Controller_Rest_UserItems::get_members()
+   *
+   * PUT can accept the following post parameters:
+   *   members
+   *     Replace the collection of items by the user with this list (remove only, no add)
+   *   @see  Controller_Rest_UserItems::put_members()
+   *
+   * DELETE removes all of the user's items (no parameters accepted).
+   *   @see  Controller_Rest_UserItems::delete()
+   *
+   * RELATIONSHIPS: "user_items" is the "items" relationship of a "user" resource.
+   *
+   * Note: similar to the standard UI, only admins can PUT or DELETE user_items.
+   */
+
+  /**
+   * GET the item members of the user_items resource.
+   * @see  Controller_Rest_Items::get_members().
+   */
+  static function get_members($id, $params) {
+    $user = Identity::lookup_user($id);
+    if (!Identity::can_view_profile($user)) {
+      throw Rest_Exception::factory(404);
+    }
+
+    // Note: we can't simply do "$user->items" since we have no guarantee
+    // that the user is an ORM model with an established relationship.
+    $members = ORM::factory("Item")->viewable()
+      ->where("owner_id", "=", $user->id)
+      ->limit(Arr::get($params, "num", static::$default_params["num"]))
+      ->offset(Arr::get($params, "start", static::$default_params["start"]));
+
+    if (isset($params["type"])) {
+      $members->where("type", "IN", $params["type"]);
+    }
+
+    if (isset($params["name"])) {
+      $members->where("name", "LIKE", "%" . Database::escape_for_like($params["name"]) . "%");
+    }
+
+    $data = array();
+    foreach ($members->find_all() as $member) {
+      $data[] = array("item", $member->id);
+    }
+
+    return $data;
+  }
+
+  /**
+   * PUT the item members of the user_items resource.  This replaces the items list
+   * with this one, and removes (but doesn't add) items as needed.  This is only for admins.
+   */
+  static function put_members($id, $params) {
+    if (!Identity::active_user()->admin) {
+      throw Rest_Exception::factory(403);
+    }
+
+    $user = Identity::lookup_user($id);
+    if (!Identity::can_view_profile($user)) {
+      throw Rest_Exception::factory(404);
+    }
+
+    // Resolve our members list into an array of item ids.
+    $member_ids = Rest::resolve_members($params["members"],
+      function($type, $id, $params, $data) {
+        $item = ORM::factory("Item", $id);
+        return (($type == "item") && ($item->owner_id == $data)) ? $id : false;
+      }, $user->id);
+
+    // Delete any items that are not in the list.
+    foreach (ORM::factory("Item")
+             ->where("owner_id", "=", $user->id)
+             ->where("id", "<>", Item::root()->id) // If root included, Model_Item will throw a 500.
+             ->order_by("left_ptr", "DESC")        // Delete children before parents.
+             ->find_all() as $item) {
+      if (!in_array($item->id, $member_ids)) {
+        $item->delete();
+      }
+    }
+  }
+
+  /**
+   * DELETE removes all of the user's items, and is only for admins.
+   */
+  static function delete($id, $params) {
+    if (!Identity::active_user()->admin) {
+      throw Rest_Exception::factory(403);
+    }
+
+    $user = Identity::lookup_user($id);
+    if (!Identity::can_view_profile($user)) {
+      throw Rest_Exception::factory(404);
+    }
+
+    // Delete all of the user's items.
+    foreach (ORM::factory("Item")
+             ->where("owner_id", "=", $user->id)
+             ->where("id", "<>", Item::root()->id) // If root included, Model_Item will throw a 500.
+             ->order_by("left_ptr", "DESC")        // Delete children before parents.
+             ->find_all() as $item) {
+      $item->delete();
+    }
+  }
+
+  /**
+   * Return the relationship established by user_items.  This adds "items"
+   * as a relationship of a "user" resource.
+   */
+  static function relationships($type, $id, $params) {
+    return ($type == "user") ? array("items" => array("user_items", $id)) : null;
+  }
+}

modules/gallery/classes/Gallery/Model/Item.php

@@ -714,17 +714,6 @@ public function album_cover() {
     }
   }
 
-  /**
-   * Find the position of the given child id in this album.  The resulting value is 1-indexed, so
-   * the first child in the album is at position 1.
-   *
-   * This method stands as a backward compatibility for gallery 3.0, and will
-   * be deprecated in version 3.1.
-   */
-  public function get_position($child, $where=array()) {
-    return Item::get_position($child, $where);
-  }
-
   /**
    * Return an <img> tag for the thumbnail.
    * @param array $extra_attrs  Extra attributes to add to the img tag

modules/rest/classes/Rest/Controller/Rest/AccessKey.php

@@ -19,19 +19,27 @@
  */
 class Rest_Controller_Rest_AccessKey extends Controller_Rest {
   public function check_auth($auth) {
-    // Check login using "user" and "password" fields in POST.  Fire a 403 Forbidden if it fails.
-    if (!Validation::factory($this->request->post())
-      ->rule("user", "Auth::validate_login", array(":validation", ":data", "user", "password"))
-      ->check()) {
-      throw Rest_Exception::factory(403);
-    }
+    if ($this->request->method() != HTTP_Request::GET) {
+      // Check login using "user" and "password" fields in POST.  Fire a 403 Forbidden if it fails.
+      if (!Validation::factory($this->request->post())
+        ->rule("user", "Auth::validate_login", array(":validation", ":data", "user", "password"))
+        ->check()) {
+        throw Rest_Exception::factory(403);
+      }
 
-    // Set the access key
-    $this->request->headers("x-gallery-request-key", Rest::access_key());
+      // Set the access key
+      $this->request->headers("x-gallery-request-key", Rest::access_key());
+    }
 
     return parent::check_auth($auth);
   }
 
+  public function action_get() {
+    // We want to return an empty response with either status 200 or 403, depending on if guest
+    // access is allowed.  Since Controller_Rest::check_auth() would have already fired a 403
+    // if a login was required, we have nothing left to do here - this will return a 200.
+  }
+
   public function action_post() {
     // If we got here, login was already successful - simply return the key.
     $this->rest_response = Rest::access_key();